List Security?An Evolution and an Imperative
By Harriet Heyman
The customer list is one of an organization's most valuable assets. Protecting this asset—from theft, fraud, misuse—has always been a concern. The answers on how to keep a list secure used to be easy; today they are hard.
Even the reference to this asset has changed from "list" to "database," suggesting a broader set of information to protect. And as we advanced from rudimentary customer lists— once maintained on index cards—to keypunch, data entry, data scanning and data capture through electronic means, the safeguards have had to be constantly updated.
Early List Security
When I entered the list business some 30 years ago, lists were delivered on Cheshire labels. It was unlikely anyone would re-key the entire list, so a second use or outright theft was improbable. Renters of these mail lists understood they could use the list only once (unless multi-use agreements were negotiated) and, as a safeguard, list managers or owners planted a few decoy names and addresses to assure the renter would not trespass. List rental agreements in contract form emerged to spell out what was—and was not—permissible.
But once merge/purge processing, magnetic tape and large list brokerage firms came onto the scene, list owners were challenged to create new measures to prevent unauthorized use. Decoy systems became more sophisticated, so seeds could not be easily identified.
Generally, service bureaus that performed merge/purge, hygiene and mail streaming were slow to develop data security measures. Eventually, vendors came to realize their special responsibility in handling customer lists for their clients and began early data security measures, such as logging receipt of magnetic tapes and keeping the tapes in a secure location. Typically, the tapes were used once for the campaign, and then erased or returned to the list manager.
As direct mail costs soared over the years, marketers responded with targeting tools to increase response rates and return on investment. Statistical models were developed to better target; demographic or psychographic data was appended to customer records, and lists were sent to vendors for enhancement—and often to other outside firms to build models. These vendors, too, developed data security measures to protect lists in their custody.