Nuts & Bolts: Eye on Privacy
Right now, 38 states have consumer notification laws for data breaches. In addition, a handful of bills are making their way through Capitol Hill on the same topic.
Taken together, these laws and proposals have myriad combinations and permutations of what is considered a security incident, when to notify, how to notify and where to send notification. Generally, notifications can be made using a combination of online and offline methods, which may include e-mail, postal mail, Web site notice, call center and media.
For national marketers, the answer may be to encrypt data as a way to prevent exposure to the varying state and forthcoming national laws. Most states already have an encrypted data safe harbor, and the bills in Washington, D.C., also propose such a system. Basically, encryption obscures or scrambles data so that it can only be read with the use of a unique decoding “key.”
So, what happens when an organization suffers a security incident? Let’s say an unauthorized third party obtains access to 1 million unencrypted records being transferred to your organization. Let’s also say that you have to use the mail option in addition to other methods for consumer notification. At 31 cents per mail piece (presorted, First Class), the postage alone could add up to $310,000. Could your bottom line—or your brand image—handle this kind of expense?
Adding complexity to this already potentially costly exposure are differing definitions and combinations of data that legislators have seen fit to protect in 38 states. In two states, a mother’s maiden name is considered protected data when it is combined with first name (or initial), last name and Social Security number. In another state, physical addresses need to be protected.
And what about consumers? Should consumers in one state really be told they are being protected differently than consumers in another state? This is not exactly a recipe for customer satisfaction.
Encryption levels the playing field for consumers. They know to expect security in data transfers. Encryption also allows marketers and their IT staff to work on a common platform when it comes to partners, clients and vendors. Lastly, it carries the significant benefit of providing safe harbor from most state-level security laws and similar proposals currently being debated on Capitol Hill.
Encryption is less onerous than it sounds. In fact, there are even open-source tools (such as GPG, FileZilla or Core FTP) that make it free to implement. What’s more, your organization may already have similar systems in place if it takes credit card payments online.
The leading marketing trade associations already have endorsed encryption as a way to keep personally identifiable data secure. The Direct Marketing Association, the Interactive Advertising Bureau and leaders in the field of privacy know this simple step is good not only for marketers but also for building up consumer confidence in a world that seems to have a data breach every other day.
Is encryption the only way to make your data transfers safer? No, there are additional policies and procedures—such as limiting the amount of data collected to what is mission-critical—which each organization should contemplate with its partners and vendors.
But encryption is a relatively easy-to-implement, low-cost technological tool that can protect your customers, your organization and your brand by limiting the unauthorized use of data.
Lou Mastria, CIPP, is chief privacy officer and vice president of public affairs at NextAction Corp., a Westminster, Colo.-based provider of cooperative data solutions for multichannel retailers. He can be reached at (908) 363-0983, or by e-mail at email@example.com.