“Everyday Ethics” highlights key areas of the Guidelines for Ethical Business Practices and helps marketers understand how to apply the “rules” to their daily tasks and operations. This series is based on the guidelines and interviews from Senny Boone, DMA & DMANF general counsel, Sal Tripi, AVP, digital operations & compliance, Publishers Clearing House, and George Lawton, privacy officer, business risk & compliance, Deluxe Corporation.

Topic: Data Security and Protection

Guideline #37.5-6:  DATA BREACHES: Set up a data security breach readiness plan. Organizations should develop and maintain a data security breach readiness plan reasonable for the size and nature of the organization, their level of data collection, and type of data collected. If a data security breach occurs, immediately inform compliance or legal staff as identified in your data breach readiness plan. Organizations should, in the event of a security breach where there is a reasonable likelihood of material harm to consumers, inform those consumers who may be affected in the most expedient time practical (or as required by state laws) unless requested by legal authorities to delay such notification due to an ongoing criminal investigation.

Business Use Scenario: Every company, no matter how good its policy, has some vulnerability. A company should never think it’s above a data breach. Always have a well-maintained and dutifully published action plan in event of data breach. 

Functional Areas Who Care:

  • Marketing team
  • IT
  • CTO
  • Chief Privacy Officer
  • Legal counsel
  • Customer service team
  • Senior-level team
  • Consumers
  • Law firm
  • Law enforcement
  • In short, everyone

Expert View:  George Lawton, privacy officer, business risk & compliance, Deluxe Corporation, says, “A data security breach readiness plan involves ensuring that the people, processes, and technology are appropriately deployed and are at the ready. Of course you should strive to ensure that the right controls are in place so there’s no incident in the first place, but ave an incident response plan crafted to engage key resources and take appropriate action based on the circumstances in the event of a breach.  Remember to look both internally and externally for evolving threats and prepare accordingly.”


1)      Start the process by identifying who makes the plan, including IT, CTO, chief privacy officer, legal counsel, customer service team, and the senior-level team.

2)      Identify an outside law firm and the law enforcement you should go to in the event of the data emergency.

3)      Create an inventory of where the data resides within the organization, an inventory of security levels at each point, and an inventory of sensitivity levels stored at each level.

4)      Purge data that is no longer useful.

5)      Stay on top of the latest threats so you can enhance overall controls and procedures.

6)      Update and test the plan periodically.