Industry Must Raise the Bar on SecurityIt's not surprising that our nation did not recognize the anniversary of the anthrax scare that dominated the headlines and much of the Direct Marketing Association's annual conference three years ago.
But perhaps our industry should have.
Those mailings cast a spotlight on mail security and related issues that has grown every year since. Recently, a rising number of consumer privacy, data security and mail-related flaps has made the news, widening the spotlight on the security practices of direct mailers, marketers and third-party suppliers. In a recent poll by the Society for Information Management, IT executives, chief information officers and CEOs ranked security technologies highest in importance to their businesses. And, with new data and privacy laws enacted in California and other states sure to follow, the issue has become paramount.
Yet, on the printing and production side of the industry - which collectively will process, produce and mail nearly 100 billion pieces of personalized mail this year - few standards exist to safeguard the processes, data, documents and other personal non-public information handled by third-party suppliers on behalf of clients.
For DMers, ensuring that production suppliers take measures to secure their mainframes, servers, production processes and data systems is only part of the picture.
If someone slipped in the back door of the plant and tampered with campaign materials or walked away with a tray of checks or other sensitive and dated material, that supplier's security protocols would clearly reflect its lack of preparedness. The alarming absence of direct mail industry guidelines also extends to the facility security, personnel policies and hiring practices of third-party suppliers, as well as their recovery plans for a power outage, natural disaster or unexpected business interruption.
It is tempting for some - on all sides of the issue - to turn a blind eye to this fact, particularly given the budget-sensitive environment in which we've all been operating. But doing so is shortsighted, especially if it's just for the sake of saving a dollar or two per thousand.
Until universal standards are set forth, direct marketing services providers must keep pace with the evolving security policies of an often diverse client base. This takes a committed effort as well as time and resources. However, the risks of ignoring the broader movement toward stronger protocols for mailers and database firms far outweigh the expense and liability they place on companies and their clients.
The financial services industry, for example, has seen sweeping reforms since the enactment of the Gramm-Leach-Bliley Act. The act is enforced by various federal and state agencies, and it mandates that third parties adhere to a strict set of security standards. The law outlines four areas that financial institutions (and others) must evaluate carefully when assessing third-party relationships, including financial strength and stability, premises security, data security and business continuity planning.
A financial institution whose third-party supplier violates the act may be subject to fines of up to $1 million and sanctions including termination of FDIC insurance and removal of key managers, directors and officers. The Federal Trade Commission can impose fines of up to $10,000 per violation of the act with respect to non-public personal information.
If the personal information of 1,000 consumers is released negligently, up to $10 million in fines could be assessed. Financial exposure notwithstanding, negative publicity resulting from a security breach on any level can hurt a company's reputation, not to mention its stock price.
Other industries, including healthcare, insurance and mortgage lending, have been equally affected by corporate governance and compliance standards mandated by HIPAA and Sarbanes-Oxley, for example. Within our own client base, we have seen the number of new security compliance officers and chief security executives increase significantly in the past two years as a result. These executives have a legal responsibility to their companies' shareholders to enforce certain standards and assume a great risk if their vendors are noncompliant.
Remember that the investment required to adhere to the stricter standards emerging in many sectors is not insignificant, and great disparities exist from supplier to supplier. But the provider side of the industry must take this responsibility seriously. It's our job to invest in and modify our security and workflow practices as warranted in order to protect clients and execute our duties as a strong partner.
If marketers have a responsibility to carry out the directives of their management and safeguard the interests of their shareholders, print/production providers have a responsibility to respond in an equally accountable fashion. Marketers must hold all third parties accountable to the same standards and be diligent in verifying compliance in every functional area.
Raising the bar on security practices across the board will only strengthen our industry and prepare us for greater growth and expansion ahead.