After a number of isolated incidents that led to the exposure of personal information on thousands of people, data providers came under fire last year from news media, the federal government and disgruntled consumers.
In a highly publicized breach in 2004, ChoicePoint, a data provider with billions of data points on businesses and almost every adult in America, said some fake information requests led to the unauthorized access of information on more than 100,000 individuals. Last month, the Federal Trade Commission fined ChoicePoint $10 million, its largest-ever civil penalty, and demanded that ChoicePoint pay $5 million to help the data theft victims.
This case is only one in a growing list of security issues that have exposed the data of consumers. The Boston Globe and Worchester Telegram & Gazette, both owned by The New York Times Co., recently said they exposed the credit card data of 240,000 subscribers. The information, printed on routing slips, was mistakenly attached to 9,000 newspaper bundles, which then were sent to carriers and retailers.
In another example, tapes and disks containing confidential information on 365,000 former and current patients were stolen from Portland, OR-based Providence Home Services. The tapes and disks, which were stolen from an employee's car on Dec. 31, included Social Security numbers, clinical and demographic information, and, in some cases, financial data.
Incidents such as these often are cited as proof that better data security is needed. In fact, there has been a steady string of data security breaches — on average, 10 cases each month for the last year.
Congress is considering legislation that would allow the FTC to create and enforce rules for our industry. A proposed bill calls for requiring “information brokers to safeguard and protect the confidentiality of personally identifiable information, appropriate to the nature and type of information involved.”
Regulatory oversight would not be beneficial for our businesses or the consumers we ultimately serve. For consumers, it would mean a red-tape nightmare when trying to make any type of purchase, even for a simple activity such as applying for a credit card. For businesses, regulation would lead to more layers of required security and legal protections for the data that is the lifeblood of our direct marketing industry. This ultimately would result in a slowdown in turn-time processes to complete orders or purchases for our clients. Overall, the direct marketing industry should do what it takes to avoid the need for regulation in the first place.
Because consumer confidence is our industry's most valuable asset, what can we do to keep the public's trust?
The answer starts with responsibility. We must show skeptics we are dependable and committed to taking all the necessary steps to protect personally identifiable information.
There are already a number of tools and policies in place inside the industry. For example, the Direct Marketing Association, through its Privacy Promise, assures consumers that DMA members will follow specific practices to protect consumer privacy. Consumers who wish to receive fewer advertising solicitations can have their names removed from direct mail, phone and e-mail lists through DMA's Web site. This is a good example of self-regulation.
If a direct marketing company thinks it could be open to the loss or fraudulent use of its consumer data, a strategy for immediate response is necessary. Any company storing confidential, personal data should have a system in place to trace any theft attempts, as well as a contingency plan to collect computer-based evidence, should a theft occur, for use in any criminal or internal investigations. Some companies may even want to consult with outside agencies or experts to ensure they are well equipped to handle a security breach.
In general, direct marketing companies should be taking the following steps to make sure their data is secure:
· Do a complete analysis of your security program. As new threats arise, security programs should always be up to date.
· Regularly review your security plan. This will give you an opportunity to identify any vulnerability and to make repairs and changes when necessary.
· Develop a plan to deal with security breach. This plan should include how incidents will be reported and how they will be resolved.
· Keep in mind that there are already laws in place that protect financial and health related data that require organizations to protect the confidentiality of their clients. These laws should be understood and followed by all employees.
· Put consumers at ease by making them aware of the steps you are taking to protect their data.
Currently, data security laws aren't restrictive — and we can keep it that way. Our industry overall has an exemplary track record of keeping customer data safe and secure. However, self-policing is a necessity in an industry that has become so closely watched by consumers and lawmakers. To maintain public trust, we must continue to ensure consumers that their data is safe with us.