Make Security a Top Priority
ChoicePoint, LexisNexis, DSW, Bank of America, Polo. As the list of companies that have fallen victim to data breaches grows, and consumers' confidence in the safety of their information wanes, data security legislation seems poised to make the move from speculation to reality. For The Direct Marketing Association (DMA), this national scrutiny brings to bear something it long has asserted: Data security is one of the most important responsibilities you have to your customers, your company and the direct marketing industry as a whole. "This is a top priority," states Jerry Cerasale, The DMA's senior vice president, government affairs. "Identity theft is awful; not only does it hurt our customers, it hurts our business as well."
Recently, Cerasale spoke with me about the possibility of Congressional action, the balance required to make legislation work, the importance of tackling security from every angle and what this all means for you.
TG: What aspects of data security will Congress focus on?
JC: Some form of security breach notification. If consumers' information has been compromised, or likely has been compromised, they will be told so that they can take actions to protect their identity. Our goal is to ensure that the trigger point for this notification is correct. This is important because we want to make sure that consumers are notified only when there really is the probability ... that the information can be used for identity theft. We want to avoid multiple notices being circulated, which would undermine consumer trust. And if consumers get numerous notices and nothing happens, they might ignore them.
The other thing Congress may look at is what kinds of information can be held ... and this is really a true balance. The information that can be used to steal your identity is the same information that can be used to prevent identity theft. So you have to make sure that there is a free flow of information on the back-end to try to prevent identity theft.
TG: What is The DMA's stance on this legislation, and what can mailers do to help shape the discussion?
JC: The DMA is in favor of a national security breach law. It makes sense, it's something that should be done. And we want it to be national because direct marketing is a national operation. Having each state set up different rules that might be just slightly different creates a real problem for nationwide marketers. We are working with Congress on that now.
Mailers, through all the associations they work with, should pay attention to what's going on. It's likely that The DMA, for example, will put out a call to action once we really get some legislation going. We aren't there yet ... but be ready to take some political action.
Mailers [must] have good security on any information they have on customers. And they have to ensure that anybody they deal with has that security as well. Make extra efforts to increase security, all kinds of security. I will use three examples that happened recently: With ChoicePoint, someone became a customer and defrauded ChoicePoint by lying about who they were. So, you have to know who you deal with. Bank of America lost tapes. So you have to have good physical security. And LexisNexis' customer database was hacked into. So you have to make sure you have good security from a technology standpoint. That will dramatically help consumer trust, and will help us in any kind of [congressional] action.
TG: What implications should mailers prepare for with regard to data sharing in the future?
JC: It looks like most people are not looking at sharing marketing information, such as, "Jerry Cerasale bought a red sweater from John Jones catalog with a VISA card." Sharing that kind of information is likely not going to be covered by the security laws. But you should increase your security for [it].
If you share information on credit card numbers ... you have to make sure that there is security wherever you send that information. That's the big change that is going to come out of this: the duty of marketers to know with whom they are sharing and conduct the due diligence to make sure that who you are sharing with has high security procedures in place.
TG: What advice would you offer to mailers as they assess their data practices?
JC: Review all [your] security procedures, and tell people you are doing that. Set up a security system, in writing, and train all your employees. Set up a procedure to know your customers. And talk about it. Tell them, "This is what we are doing to protect you." And, if there is a breach with your data, make efforts to assist customers who may have been harmed.