In the direct marketing industry, we tend to think of customer data as an asset. After all, the more data we have, the more successful we can be in identifying consumer buying patterns, crafting the right campaigns, and making the sale.
However, in today's world of cyber crime, we need to start thinking of data as a potential liability as well. Looking at consumer data solely as an asset is naive and will almost certainly result in your business being exposed to more risk than is justified.
The threat When it comes to identity theft, the numbers are vast and growing. Nearly 10 million Americans had their identities stolen last year, according to the Federal Trade Commission. In 2003, identity theft cost consumers and businesses nearly $53 billion. The problem is not going away — identity theft is the fastest growing form of crime in America.
Any business that stores consumer data is a target for identity thieves. Recent high profile hacks have included ChoicePoint, CardSystems, LexisNexis, DSW, BJs, Lowes, Polo Ralph Lauren… the list goes on.
Costs of an incident. If consumer data is compromised, you will likely bear some or all of the following costs: forensic investigation and remediation, brand damage/lost revenue, fines, federal and state litigation and lawsuits from damaged parties.
The process goes something like this. Any incident will start with an investigation. If your database is compromised, you will need to determine the nature and extent of the compromise. The investigation may be handled internally or with the assistance of consultants. It may involve law enforcement. If credit or debit card information is involved, the card associations will insist on participation.
One purpose of the investigation will be to determine what records 'may' have been accessed. Regardless of the location of your headquarters or branches, under California's S.B. 1386, you have a duty to notify any California residents if their personal information may have been compromised. New York recently passed the Information Security Breach and Notification Act, which imposes a similar notification requirement.
These notification laws ensure that any incident will become news. For some businesses, brand damage and lost revenue is temporary and life returns to normal once the media moves on to the next story. For others, particularly those in the financial services industry, an incident can be fatal.
Fines can be an important consideration if you are storing credit card or debit card data. Visa, MasterCard, American Express and Discover have all endorsed the Payment Card Industry Data Security Standard that requires all entities that process, transmit, or store cardholder data to be compliant with the standard. If cardholder data is compromised and the investigation determines that you did not meet the PCI standard, the card associations will levy fines up to $500,000 per incident.
With regard to government litigation, the FTC has successfully sued five companies for “unfair or deceptive trade practices” for failure to operate in a manner consistent with their published information security policy. State cases are less prominent, but this is just a matter of time as more and more states pass privacy and security laws.
Finally, you may be exposed to civil liability from consumers and other parties injured by the breach. Class actions were filed against ChoicePoint and CardSystems in 2005, alleging consumer harm from the companies' inadequate data security practices. Further, if you store cardholder information, you may be sued by issuing banks that will seek restitution for the cost of monitoring or reissuing cards for the affected accounts. Damages can be up to $35 per card.
The answer. What can direct marketers do to reduce their liability? There are really only two answers: delete the data or enhance security controls. In some cases, deleting the data may not be as radical as it sounds. Identity thieves are generally looking for financial information or personal information that can be used to open new credit (e.g. Social Security numbers, date of birth, etc.). By deleting even a few such fields, you can significantly reduce the financial incentive for hackers.
For example, in one recent case, a hacker was selling credit card numbers without the CVV2 security codes for 66 cents apiece. With the security codes, the price increased to $4. Packaged with the cardholder's Social Security number and date of birth, the price increased tenfold to $40. So, if there is not a business case to keep this data, it should be deleted immediately. If there is a business case to keep the data, but only for 90 days, delete it after 90 days. If there is a business case for keeping aggregate data, delete the high-risk fields from individual records or better yet — delete the records.
Selective deletion can cost-effectively reduce liability, but many direct marketers will still need to retain sensitive data. In these cases, the best answer is to understand the risks associated with the data and ensure that cost-effective security controls to mitigate these risks are in place.
In most cases, risk can be reduced significantly without massive investments in technology. Do not assume that your IT department knows what data you are keeping and 'has it covered.' While that may be true in some instances, our experience is that IT often does not know what data is being stored and what the legal ramifications are if the data is compromised.
Given the very real threat of compromise and the costs associated with a single incident, proactive management of data storage risks is a business imperative.
