Email marketers constantly discuss concepts like relevance, lifetime value, dynamic content, automation, and delivery. But what about the more mundane topics like data security? In the last few months, consumers have received a number of notifications explaining that security failures have compromised email addresses and provided third parties with potential access to digital identities.
When brands are asked about the importance of data security, all will explain how seriously they take protecting subscribers’ personally identifiable information (PII). However, many seem to place security below the line when looking at their email program investment. Financial services firms seem to be the only exception to this rule. Underestimating the importance of data security within the email channel can be a huge liability. Now more than ever, email marketers must establish a level of trust with subscribers.
Email alternatives (the social web, mobile applications, and communities) are rampant, and consumers are constantly reconsidering the best way to interact with brands. Email marketers must also realize that most sophisticated programs use a material amount of PII in campaign execution. PII is defined as information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. An email address alone is categorized as a digital identifier and considered PII. Add to that everything from browsing behavior to transaction history, and an email database can quickly become home to significant amounts of PII.
Given the amount of press on the topic in recent months, it is critical for email marketers to take a close look at how data security, and the related trust between brand and subscriber, is prioritized within program management.
Email marketers (and the companies that support them) should not panic at the recent security issues facing the industry. In general, email marketers have done a good job protecting the subscription and preference data that forms the basis of the permission marketing channel. That said, with the renewed scrutiny that is bound to follow this week’s latest security breach in the Twitter-sphere, there are a few things that all brands should consider immediately.
Risk assessment: Like anything else, investment in security around email data should be based on the corresponding risks around data loss and illegal access. All brands, regardless of size, risk consumer mistrust and list attrition in the event of a data loss. This means that brands relying on email for top-line revenue must take data security seriously. In addition, large brands often find themselves susceptible to litigation as consumers and activist groups seek to take advantage of “deep pockets” via the courts. These companies should take extra precautions against data vulnerability. Finally, there are serious legal consequences to specific industries like financial services if PII is not kept safe. Companies in these industries should be extremely careful and in some cases consider insourcing as the most appropriate option.
Ask information technology for an audit. Most large firms in the United States and Europe take data security seriously. In fact, there are often individuals and entire departments tasked with keeping consumer information secure. These teams tend to focus on internal systems that are deployed within the corporation’s firewalls. Any new service or solution deployed internally for the business should be approved by the IT security teams. This is a double-edged sword. The additional scrutiny results in more secure data, but the price of increased security can be delayed time to market. This issue becomes very complex in the email marketing space as many brands leverage software-as-a-service offerings to create, deploy, and track email communications.
Email marketing owners within a brand should invite their internal IT teams to meet with their service providers and apply the same strict guidelines to the ESP as they do to internally deployed technologies. To put a fine point on it, according to a survey conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), 70 percent of compliance professionals feel that their organizations are well or very well prepared to fend off malicious hacker attacks; however, their confidence wanes significantly when assessing other data breach threats. For example, 41 percent felt it was very or somewhat likely that an accidental breach could occur by third-party vendors. Internal IT teams can help the email marketer and their vendors feel more secure.
Third-party audits. Brands where compliance or other factors require a serious commitment to data security should consider investing in penetration testing (pen testing) via third-party solution providers. Consulting firms like iSEC Partners will deliver resources and expertise that many brands do not have internally. These third parties can help in the solution design process, making sure that brands understand not only potential security weaknesses but also how to minimize them.
The simple fact is that all systems are susceptible to malicious attacks. As advanced email marketers, it is our responsibility to minimize the chances the “attackers” have when targeting our systems. In the wake of recent events, take a look at your email technology and the data it connects to and ask yourself to what degree system security was audited by your internal teams or third parties. If the answer is unclear, prioritize a security review today.