The recent headlines about email data breaches have rightly caused all of us to review our security procedures and policies. No system is perfectly secure, but there are steps to take in order to avoid a breach, as well as some defined next steps.
Email service providers (ESPs) are a favorite target of hackers, who actively work to penetrate ESPs and gain access to their customer databases. Protecting customers’ privacy and data is an ongoing process that requires constant review and collaboration between a marketer and its ESP. Here are tactics a marketer can apply today to reduce the risk of an email data breach:
- Constrain email data to only what’s actually needed for email marketing. Don’t store customer data with your ESP that you don’t need for your email marketing program.
- Review customer data access policies and restrict access to only those employees who really need it. Take advantage of an ESP’s access-control features to ensure that only specific users have access privileges to download or view data.
- Shut down user accounts of departed employees.
- Encode or encrypt private customer data where possible. For example, if you use customer zip codes to determine the store that’s nearest them, consider replacing the zip codes with the nearest store’s ID, so the ESP holds only the store ID rather than the customer’s location.
- Place secret, hard-to-guess “honeypot” email addresses on your list, and monitor the email these receive. If these addresses begin to receive email from sources other than your brand, it may indicate that your list has been compromised. Contact your ESP immediately to request an audit of your account.
- Periodically review access logs provided by the ESP, particularly list-downloading activity.
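The two monitoring tactics above (honeypot addresses and access-log review) can be automated with a small script run against exports the ESP already provides. The following is an added example, not code from the original article or from any ESP; the record formats, field names, addresses, user names and thresholds are constructed for illustration.

```python
"""Two lightweight checks a marketer can run on ESP-provided data:
(1) canary ("honeypot") addresses that should only ever receive mail from
the brand, and (2) an access log in which list exports by departed or
uncleared users, or bulk pulls at odd hours, stand out.

Added example; the record formats, field names and sample data below are
constructed and do not describe any particular ESP's API or log format.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed: addresses seeded on the list; only our brand should mail them.
CANARIES = {"zq7-seed@example.com", "kx2-seed@example.net"}
BRAND_DOMAINS = {"example-brand.com", "mail.example-brand.com"}

# Constructed inbound messages delivered to the canary mailboxes:
# (recipient, envelope-from domain, subject).
INBOUND = [
    ("zq7-seed@example.com", "mail.example-brand.com", "Spring sale"),
    ("kx2-seed@example.net", "mail.example-brand.com", "Spring sale"),
    ("zq7-seed@example.com", "cheap-pills.invalid", "Limited offer"),
]


def canary_alerts(messages, canaries=CANARIES, brand_domains=BRAND_DOMAINS):
    """Return (recipient, sender_domain) for mail that reached a canary
    address from anyone other than the brand. Any hit means the seeded
    address has leaked, so the list it sits on should be treated as exposed."""
    return [
        (rcpt, sender)
        for rcpt, sender, _subject in messages
        if rcpt in canaries and sender.lower() not in brand_domains
    ]


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    action: str      # constructed vocabulary: "login", "view_list", "export_list"
    rows: int = 0    # rows returned by an export; 0 for other actions


# Constructed ESP access-log lines: "<ISO timestamp> <user> <action> <rows>"
ACCESS_LOG = """\
2024-03-04T09:12:00 alice login 0
2024-03-04T09:15:31 alice export_list 1200
2024-03-04T22:47:05 bob export_list 850000
2024-03-05T02:03:17 carol export_list 850000
2024-03-05T10:30:00 alice view_list 0
"""

# Constructed: who is cleared to export, and who has left the company.
EXPORT_ALLOWED = {"alice", "bob"}
DEPARTED = {"carol"}
BULK_ROWS = 100_000          # assumed threshold for a "bulk" download


def parse_access_log(text):
    """Parse the constructed log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, int(rows)))
    return events


def export_findings(events, allowed=EXPORT_ALLOWED, departed=DEPARTED,
                    bulk_rows=BULK_ROWS):
    """Flag list exports that deserve a closer look: by a departed user
    (the account should already have been shut down), by a user not cleared
    to export, or a bulk pull outside business hours (assumed 08:00-18:00)."""
    findings = []
    for ev in events:
        if ev.action != "export_list":
            continue
        reasons = []
        if ev.user in departed:
            reasons.append("departed user still active")
        elif ev.user not in allowed:
            reasons.append("user not cleared for export")
        if ev.rows >= bulk_rows and not 8 <= ev.when.hour < 18:
            reasons.append("bulk export outside business hours")
        if reasons:
            findings.append((ev.when.isoformat(), ev.user, ev.rows, reasons))
    return findings


if __name__ == "__main__":
    for hit in canary_alerts(INBOUND):
        print("CANARY HIT: %s received mail from %s" % hit)
    for when, user, rows, reasons in export_findings(parse_access_log(ACCESS_LOG)):
        print(f"EXPORT {when} {user} rows={rows}: {'; '.join(reasons)}")
```

Run as-is it reports one canary hit (the seed address mailed from an unrelated domain) and two export findings: a bulk overnight pull by a cleared user, and an export by an account that should have been disabled. Either result is the trigger for the “contact your ESP and request an audit” step above.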
Consider an email data breach an inevitability, rather than a possibility, and develop a response plan, including customer communications. If a breach does occur, follow these steps:
- Gather all the facts from your ESP. You’ll need to know what data may have been compromised; what data definitely was compromised; exactly when the breach happened; and whether the attacker knows it is your brand’s data.
- Put your communication plan into action. Contact your affected customers in a timely fashion. Tell those customers whose data (email addresses or personally identifiable information) was compromised exactly what happened, to the best of your knowledge, and what their potential risks are. Be clear and concise: customers may only read the first few lines of such alerts. Remember that this will be a public communication accessible to everyone, including the press.
- Post an FAQ on your website where customers and others can find more information, and update it as your investigation progresses.
Steve Webster is the chief strategy officer at iPost, an email service provider he cofounded in 1996.