Minimizing the Risks of Data Storage

In the direct marketing industry, we tend to think of customer data as an asset. After all, the more data we have, the more successful we can be in identifying consumer buying patterns, crafting the right campaigns, and making the sale.

However, in today's world of cyber crime, we need to start thinking of data as a potential liability as well. Looking at consumer data solely as an asset is naive and will almost certainly result in your business being exposed to more risk than is justified.

The threat. When it comes to identity theft, the numbers are vast and growing. Nearly 10 million Americans had their identities stolen last year, according to the Federal Trade Commission. In 2003, identity theft cost consumers and businesses nearly $53 billion. The problem is not going away -- identity theft is the fastest growing form of crime in America.

Any business that stores consumer data is a target for identity thieves. Recent high profile hacks have included ChoicePoint, CardSystems, LexisNexis, DSW, BJ's, Lowe's, Polo Ralph Lauren... the list goes on.

Costs of an incident. If consumer data is compromised, you will likely bear some or all of the following costs: forensic investigation and remediation, brand damage/lost revenue, fines, federal and state litigation and lawsuits from damaged parties.

The process goes something like this. Any incident will start with an investigation. If your database is compromised, you will need to determine the nature and extent of the compromise. The investigation may be handled internally or with the assistance of consultants. It may involve law enforcement. If credit or debit card information is involved, the card associations will insist on participation.

One purpose of the investigation will be to determine what records 'may' have been accessed. Regardless of the location of your headquarters or branches, under California's S.B. 1386, you have a duty to notify any California residents if their personal information may have been compromised. New York recently passed the Information Security Breach and Notification Act, which imposes a similar notification requirement.

These notification laws ensure that any incident will become news. For some businesses, brand damage and lost revenue are temporary, and life returns to normal once the media moves on to the next story. For others, particularly those in the financial services industry, an incident can be fatal.

Fines can be an important consideration if you are storing credit card or debit card data. Visa, MasterCard, American Express and Discover have all endorsed the Payment Card Industry Data Security Standard that requires all entities that process, transmit, or store cardholder data to be compliant with the standard. If cardholder data is compromised and the investigation determines that you did not meet the PCI standard, the card associations will levy fines up to $500,000 per incident.

With regard to government litigation, the FTC has successfully sued five companies for "unfair or deceptive trade practices" for failure to operate in a manner consistent with their published information security policy. State cases are less prominent, but this is just a matter of time as more and more states pass privacy and security laws.

Finally, you may be exposed to civil liability from consumers and other parties injured by the breach. Class actions were filed against ChoicePoint and CardSystems in 2005, alleging consumer harm from the companies' inadequate data security practices. Further, if you store cardholder information, you may be sued by issuing banks that will seek restitution for the cost of monitoring or reissuing cards for the affected accounts. Damages can be up to $35 per card.

The answer. What can direct marketers do to reduce their liability? There are really only two answers: delete the data or enhance security controls. In some cases, deleting the data may not be as radical as it sounds. Identity thieves are generally looking for financial information or personal information that can be used to open new credit (Social Security numbers, dates of birth, and the like). By deleting even a few such fields, you can significantly reduce the financial incentive for hackers.

For example, in one recent case, a hacker was selling credit card numbers without the CVV2 security codes for 66 cents apiece. With the security codes, the price increased to $4. Packaged with the cardholder's Social Security number and date of birth, the price increased tenfold to $40. So, if there is not a business case to keep this data, it should be deleted immediately. If there is a business case to keep the data, but only for 90 days, delete it after 90 days. If there is a business case for keeping aggregate data, delete the high-risk fields from individual records or better yet -- delete the records.
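As an added illustration of the selective-deletion approach described above (this is example code written for this page, not anything from the original article), the following applies a retention policy to customer records: fields with no business case are dropped outright, fields with a time-limited business case are dropped once the record is older than the window, and, for the aggregate-reporting case, counts are computed and returned in place of the per-person records. The field names, the 90-day window and the sample records are assumptions. The one rule taken from outside the article is that PCI DSS does not permit storing CVV2 after authorization, so that field is removed unconditionally rather than left to a business-case decision.

```python
"""Selective deletion of high-risk fields and stale data from customer records.

Added example, not from the original article. Records are plain dicts with
a 'collected' ISO date. Field names, retention windows and sample data are
assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class RetentionPolicy:
    # Never stored, regardless of business case: PCI DSS forbids retaining
    # CVV2/CVC2 after authorization.
    never_store: frozenset = frozenset({"cvv2"})
    # Valuable to an identity thief; kept only with a documented business case.
    high_risk: frozenset = frozenset({"ssn", "dob"})
    # Fields whose business case expires: field name -> days to retain.
    time_limited: dict = field(default_factory=lambda: {"card_number": 90})
    # Set True only when the business case for the high-risk fields is documented.
    keep_high_risk: bool = False


def apply_policy(records, policy, today):
    """Return (scrubbed_records, stats) without mutating the inputs.

    stats counts how many field values were removed under each rule, which
    is the number a risk owner will ask for after the purge runs.
    """
    kept, stats = [], Counter()
    for rec in records:
        age_days = (today - date.fromisoformat(rec["collected"])).days
        out = {}
        for key, value in rec.items():
            if key in policy.never_store:
                stats["never_store_removed"] += 1
                continue
            if key in policy.high_risk and not policy.keep_high_risk:
                stats["high_risk_removed"] += 1
                continue
            limit = policy.time_limited.get(key)
            if limit is not None and age_days > limit:
                stats["expired_removed"] += 1
                continue
            out[key] = value
        kept.append(out)
    return kept, dict(stats)


def aggregate_and_drop(records, group_key="state"):
    """For the 'aggregate data' case: produce the counts the business needs
    and return them instead of the records, so nothing per-person remains."""
    return dict(Counter(rec.get(group_key, "unknown") for rec in records))


# Constructed sample data with fake values, evaluated as of a fixed date.
TODAY = date(2005, 12, 1)
SAMPLE = [
    {"customer_id": 1, "state": "CA", "collected": "2005-11-20",
     "card_number": "4111111111111111", "cvv2": "123",
     "ssn": "123-45-6789", "dob": "1970-01-01"},
    {"customer_id": 2, "state": "NY", "collected": "2005-08-01",
     "card_number": "5500000000000004", "cvv2": "456",
     "ssn": "987-65-4321", "dob": "1980-02-02"},
    {"customer_id": 3, "state": "CA", "collected": "2005-11-01"},
]

if __name__ == "__main__":
    scrubbed, stats = apply_policy(SAMPLE, RetentionPolicy(), TODAY)
    for rec in scrubbed:
        print(rec)
    print(stats)                      # counts of removed values per rule
    print(aggregate_and_drop(SAMPLE))  # {'CA': 2, 'NY': 1}
```

Run against the sample, record 2 (collected 122 days before the fixed date) loses its card number under the 90-day rule while record 1 keeps it; both lose CVV2 unconditionally and lose SSN and date of birth because no business case is documented. The `stats` dictionary is what makes the purge auditable: it tells the data owner how much high-risk data left the system and under which rule.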

Selective deletion can cost-effectively reduce liability, but many direct marketers will still need to retain sensitive data. In these cases, the best answer is to understand the risks associated with the data and ensure that cost-effective security controls to mitigate these risks are in place.

In most cases, risk can be reduced significantly without massive investments in technology. Do not assume that your IT department knows what data you are keeping and 'has it covered.' While that may be true in some instances, our experience is that IT often does not know what data is being stored and what the legal ramifications are if the data is compromised.

Given the very real threat of compromise and the costs associated with a single incident, proactive management of data storage risks is a business imperative.

