
Information Security & Identity Theft

Information Security

Anti-virus software, firewalls, employee training, and plain common sense can go a long way to protect your customer database and to protect consumers from loss and identity theft. But if you leave the door open, allowing personally identifiable information to be stolen or altered, you have not done your job as a privacy and security officer. And, you have compromised the trust between you and your customer. Lose that trust, and consumers will deny you the information you need to build a good marketing relationship. There could be legal ramifications as well.

Have a Security Plan

Establish information security policies and practices to ensure the uninterrupted security of information systems. For example, ask:

  • Do we have a written security plan that addresses all areas of our operations?
  • Do we have policies appropriate to our size and complexity, our activities, and the sensitivity of the customer information we handle?
  • Do we continually review our policies and practices, and have outside specialists review our security system, perform risk assessments and audits, and help with compliance?
  • Do we have a resolution system for disputes arising from security breaches or alleged misuse of personally identifiable information?

Train and Supervise for Security

Institute vigorous training and oversight of your designated security team. But don't stop there. Any other employee or contract worker with even occasional access to personally identifiable information must be trained and supervised. For example, ask:

  • Do we have a full-time, designated team to develop and implement information security throughout our organization? 
    • Do they have the resources and support they need to do the job right?
    • Do they have effective and up-to-date training tools?
    • Do they conduct regular security audits and response exercises?
  • Do we keep records of information access and regularly monitor those records for unusual activity?
  • Do we make sure all employees are aware of the penalties for security breaches?

Use Available Technology to Guard Personal Data

Written policies and training go far, but not far enough. Construct structural and technological walls to contain personal information and run tests to ensure that the system works. Make contingency plans. For example, ask:

  • Do we define our security needs and use technology that meets those needs, point by point, specification by specification?
  • Do we include layers of complementary solutions to prevent and detect unauthorized use of information systems?
  • Do we have a backup system in place to recover lost data and ensure uninterrupted continuity of information security?
  • Do we have a system for shredding both paper and electronic data before dumping?

Inform Data Suppliers and Business Partners of their Responsibilities to Meet Your Security Specifications

The information chain is only as strong as its weakest link. Make sure that personal data in your care are tagged and fenced when they enter your database, while they're in storage and once they leave. Permit no information transfers without informing business partners that they must meet your security standards. For example, ask:

  • Do we inform business partners of their responsibilities to meet specific security standards?
  • Do we ask potential business partners about their security practices before we share any information?
  • Do we consider security ramifications before sharing data with business partners?

 

Identity Theft

Identity theft is a growing problem for consumers and businesses alike. As marketers, we have a responsibility to protect the personal data we collect against unauthorized or illegal use. Although the information used to commit fraud and identity theft is often stolen directly from the consumer (not from marketers), marketers can assist consumers by educating them on how to prevent and correct harm caused by identity theft.

Awareness is one of the most powerful tools in the fight against identity theft, and that's where you can play an important role: The more your customers know how to protect their identities and what to do if a problem occurs, the harder it is for identity thieves to commit their crimes.

Do What You Do Best!

The Direct Marketing Association is calling on all of our members to partner with us in this important public education effort.

As direct marketers, you already have a wealth of channels for reaching out to current and potential customers. We want you to do what you do best: get this relevant and important message to people who need to hear it.

The people you reach will have a better understanding of how identity thieves work, how to reduce their risk of identity theft, and what to do if they suspect a problem. They will appreciate your leadership and assistance.

 

Additional Resources for DMA Members

Call Script Guide

This customizable guide, prepared by the DMA Committee on the Environment and Social Responsibility (CESR), can be used by call/contact centers to address consumer questions about suspicious emails, e-commerce shopping cart concerns and suspect websites. It also has a section devoted to script guides for use in the event of an actual identity theft situation, so that you can give your customers accurate, timely information to help protect themselves. A preamble for managers of customer service representatives sets the stage for dealing with customers in such a charged, confusing atmosphere.

Please review this guide closely, and share it with internal stakeholders including your own customer service and communications staffs and legal counsel. Feel free to adapt it for optimal internal use in your organization.