Should You Be Concerned About the Security of Your Email List?

How secure is your email list? Does your privacy policy state how you will be using the email addresses you collect? Are your actions in line with the spirit as well as the letter of your privacy policy?

While these questions don’t go directly to the bottom-line performance of your list in the short term, they do have implications for your brand. Here’s a mini case study and some tips.

Last year there were a few high-profile data breaches in the email and online world. If you’re a small organization that doesn’t collect credit card data, you may not be concerned about the security of your email list. But you should be.

The U.S. is somewhat unique in its regulations around collecting and maintaining personal data. While other governing bodies, like Canada and the U.K., have broad laws that apply to all organizations that collect this type of data on people, the U.S. does not. It has COPPA, which covers collection and use of personal data from children, and there are industry-specific laws for the healthcare and financial services sectors, but no umbrella regulations.

Just because it’s not the law doesn’t mean that you shouldn’t have your own internal guidelines to protect the data on your email lists, even if you’re only collecting email addresses.

I was talking security with an email marketer recently and his response was that their database was hosted by a large, well-respected organization. That’s a good start, but that alone won’t ensure that you’re safe from a breach.

Whenever I sign up to receive email from an organization I “tag” the address I provide with a unique identifier, so that I know whom I’ve given it to. This is a luxury only those of us who own our own domain names can enjoy, but sometimes it’s very interesting to see who, other than the organization that garnered my opt-in, ends up sending to these addresses.
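The address-tagging audit described above, as an added example that is not part of the original post. It assumes a hypothetical domain (example.com) on which the tagged addresses live, a constructed mailbox, and a tag-to-organisation registration table; it reports which sender domains used each tagged address in a window, whether the organisation the address was given to is still sending (the "who wasn't" check), and the share of mail from anyone else.

```python
from collections import Counter
from datetime import date, timedelta
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"  # hypothetical domain the tagged addresses live on

# Tag -> domain of the organisation that tag was handed to (constructed).
REGISTRATIONS = {"orga": "orga.example", "shop": "shop.example"}

# Constructed mailbox: (received date, From header, To header).
MAILBOX = [
    (date(2012, 4, 3),   "News <news@orga.example>",            "orga@example.com"),
    (date(2012, 11, 2),  "The Insider <ads@insider.example>",   "orga@example.com"),
    (date(2012, 11, 5),  "ads@insider.example",                 "orga@example.com"),
    (date(2012, 11, 8),  "info@stateparty.example",             "orga@example.com"),
    (date(2012, 11, 9),  "ads@insider.example",                 "orga@example.com"),
    (date(2012, 11, 10), "A Friend <friend@other.example>",     "me@example.com"),
    (date(2012, 11, 14), "ads@insider.example",                 "orga@example.com"),
    (date(2012, 11, 15), "Orders <orders@shop.example>",        "shop@example.com"),
    (date(2012, 11, 20), "ads@insider.example",                 "orga@example.com"),
    (date(2012, 11, 21), "info@stateparty.example",             "orga@example.com"),
    (date(2012, 11, 27), "ads@insider.example",                 "orga@example.com"),
]

def sender_domain(from_header):
    """Domain part of the first address in a From header, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def tag_of(to_header):
    """Tag (local part) if the first To address is on our domain, else None."""
    local, _, domain = parseaddr(to_header)[1].rpartition("@")
    return local.lower() if domain.lower() == LOCAL_DOMAIN else None

def audit(mailbox, registrations, as_of, window_days=30):
    """Per registered tag: sender breakdown inside the window ending at as_of."""
    start = as_of - timedelta(days=window_days)
    report = {}
    for tag, owner in registrations.items():
        recent = [m for m in mailbox if tag_of(m[2]) == tag and start <= m[0] <= as_of]
        by_domain = Counter(sender_domain(m[1]) for m in recent)
        total = sum(by_domain.values())
        foreign = total - by_domain.get(owner, 0)
        report[tag] = {
            "total": total,
            "by_domain": dict(by_domain),
            "owner_active": by_domain.get(owner, 0) > 0,   # is the registrant still sending?
            "foreign_share": foreign / total if total else 0.0,
        }
    return report

def flag_leaks(report, threshold=0.5):
    """Tags where most traffic comes from someone other than the registrant."""
    return sorted(t for t, r in report.items() if r["foreign_share"] > threshold)
```

Run `audit(MAILBOX, REGISTRATIONS, date(2012, 11, 30))` and then `flag_leaks(...)` on the result to see which tagged addresses have drifted to unknown senders.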

Case in point: the Republican National Committee (RNC). I opted in to receive email from the organization years ago. I have to admit that its emails had become “bacn” for me, meaning that while I remembered opting in, I had stopped opening the email it sent me. I was busy, I wasn’t getting that much valuable information from its missives, and outside of a presidential election year I just wasn’t that interested.

Earlier this month, though, I went to my inbox looking for political information and decided to search and find out what the RNC had been sending to me.

In the past 30 days, I had received 29 email messages to my RNC “tagged” address. That’s a lot (nearly one a day), but the more interesting thing was who was sending to this address – and who wasn’t.

Did you spot the omission? None of the emails I’d received over the past 30 days were from the RNC. When I looked back, the organization hadn’t sent anything to this address since April 2010. I don’t remember unsubscribing; maybe the RNC removed inactive email addresses from its list (which is a good thing to do).

But even though the RNC was no longer sending me messages, the tagged email address I had given to the RNC was still generating a lot of traffic. Over 70 percent of it was from a group I’d never heard of, The Political Insider.

Looking at the email messages from The Political Insider, very few were actually political in nature. There was one newsletter that contained political articles aggregated from around the web. The other 20 messages (95 percent of those it sent) contained a standalone ad from a third party. Of those, 25 percent (five) were political in nature – and the other 75 percent (15) were what I would consider blatant spam (remember: spam is in the eye of the beholder). Here are some of the subject lines:

  • 15-Minutes Fights Holiday Belly Bulge for 3 Days?
  • Electricity Breakthrough – see shocking video
  • A Medical Conspiracy?
  • Shocking Video Reveals How to Learn a Foreign Language in just 10 Days (Same Method Purchased by FBI)
  • Will the Government Confiscate Our Gold?

So what happened? How did this organization take possession of an email address I gave to the RNC and start sending me spam?

I have no idea. The RNC’s website terms and conditions state: “Under no circumstances will the RNC sell your information to third parties or any commercial entities.” But it also says that it may share my information with “like-minded organizations committed to the principles or candidates of the Republican Party, Republican State Party organizations and local Republican groups.”

I take the RNC at its word. I imagine that the other groups sending to this email address probably fall into the latter category (although Bolling is the lieutenant governor of Virginia, a state I do not live in and never have, so those messages are irrelevant to me), but what about The Political Insider?

Either the RNC shared my tagged address with The Political Insider without regard to or without fully vetting the content of the messages that would be sent, or my address was acquired by The Political Insider in some nefarious way.

Brands that are damaged by this situation: the RNC and The Political Insider. The former for not properly securing personal information I entrusted to it; the latter for sending an abundance of junk email with very minimal valuable or relevant information to my inbox.

As I mentioned above, protecting your email list doesn’t just have to do with having a secure host for your database. Here are some additional steps you can take:

  • Don’t turn your email list over to third parties; it’s fine to do a send to your list on another organization’s behalf, but it’s not a good idea to give that organization your list to do their own send.
  • Educate your employees on the importance of securing your list; make sure those with access to it safeguard their user IDs and passwords and are prepared to combat phishing emails and other malicious activity.
  • Include policies on use and abuse of your email list in your HR manual; make it clear that sharing your email list with third parties is a misuse of a company asset and that the repercussions of doing so will be serious.

Until next time,
