DMA: Data and Marketing Association
Consumer Help

Information Security: Safeguarding Personal Data in Your Care

A Checklist of Information Security Procedures Based on Guidelines of the DMA
Produced in Cooperation with the Federal Trade Commission

Anti-virus software, firewalls, employee training, and plain common sense can go a long way to protect your customer database and to protect consumers from loss and identity theft. But if you leave the door open, allowing personally identifiable information to be stolen or altered, you have not done your job as a privacy and security officer. And, you have compromised the trust between you and your customer. Lose that trust, and consumers will deny you the information you need to build a good marketing relationship. There could be legal ramifications as well.

Security is a heavy responsibility, but it is not rocket science. There are steps you can take to minimize the risk of data loss.

Responding to a call to action from the Federal Trade Commission for all major trade associations to address the security of data, the Data & Marketing Association approved security guidelines for its members. All members must follow four specific ethical guidelines to keep information about consumers secure.

The DMA encourages you to follow this checklist. While these checklists are not necessarily exhaustive for your particular situation, they are useful guides to help you do the right thing for consumers and your company. FTC Mascot Dewie the Turtle is the safety and security symbol for consumers.

“If you don’t make respect for personal privacy and security of information a part of your corporate culture, I can assure you the FTC will be a part of your future.”

– Orson Swindle, FTC Commissioner

Step 1. Have a Security Policy.

Establish information security policies and practices to ensure the uninterrupted security of information systems.

For example, ask:


  1. Have a written security plan that addresses all areas of our operations?
  2. Have policies appropriate to our size and complexity, our activities, and the sensitivity of the customer information we handle?
  3. Understand our security policy and the reasons for it – at all levels of our operation?
  4. Have signed confidentiality agreements with all employees?
  5. Continually review our policies and practices?
  6. Spend enough money on security tools and staff to do the job right?
  7. Use outside specialists to review our security system, perform risk assessments and audits, and help with compliance?
  8. Have liability insurance to cover possible security breaches?
  9. Have a data recovery plan in case of a natural disaster? Do we test it periodically?
  10. Have a plan that outlines how to deal with security incidents or information compromises?
  11. Have a resolution system for disputes arising from security breaches or alleged misuse of personally identifiable information?
  12. Report cyber attacks to law enforcement agencies?

Step 2. Train and Supervise for Security.

Institute vigorous training and oversight of your designated security team. But dont stop there. Any other employee or contract worker with even occasional access to personally identifiable information must be trained and supervised.

For example, ask:


  1. Have a full-time, designated team to develop and implement information security throughout our organization?
  2. Does it have the resources and support it needs to do the job right?
  3. Have effective and up-to-date training tools?
  4. Conduct regular security audits and response exercises?
  5. Rank data by level of sensitivity and assign access rights accordingly?
  6. Conduct background checks on new hires who have access to medical, financial and other forms of sensitive data?
  7. Review security policies and responsibilities with new hires and periodically thereafter?
  8. Keep records of information accessed and regularly monitor those records for unusual activity?
  9. Adjust security passwords and other protocols promptly when employees leave?
  10. Make all employees aware of the penalties for security breaches?

Step 3. Use Available Technology to Guard Personal Data.

Written policies and training go far, but not far enough. Construct structural and technological walls to contain personal information and run tests to ensure that the system works. Make contingency plans.

For example, ask:


  1. Define our security needs and use technology that meets those needs, point by point, specification by specification?
  2. Include layers of complementary solutions to prevent and detect unauthorized use of information systems?
  3. Use the latest, updated virus protection?
  4. Respond quickly to security alerts from software vendors?
  5. Erect firewalls to safeguard personally identifiable information?
  6. Combine numbers and symbols in passwords and change them regularly?
  7. Use authentication or biometric measures, if appropriate, to verify user identity?
  8. Grant access to personal data only after the users identity has been positively authenticated?
  9. Test security for data in transit or in storage against pre-set specifications?
  10. Do we require software providers to pre-test software before release?
  11. Review audit logs for evidence of intrusions?
  12. Test for and correct known network and application vulnerabilities?
  13. Have a backup system in place to recover lost data and ensure uninterrupted continuity of information security?
  14. Have a system for shredding both paper and electronic data before dumping?

Step 4. Inform Data Suppliers and Business Partners of their Responsibilities to Meet Your Security Specifications.

The information chain is only as strong as its weakest link. Make sure that personal data in your care are tagged and fenced when they enter your database, while theyre in storage and once they leave. Permit no information transfers without informing business partners to meet your security standards.

For example, ask:


  1. Inform business partners of their responsibilities to meet specific security standards?
  2. Ask potential business partners about their security practices before we share any information?
  3. Enforce contracts by planting data decoys and monitoring information practices of business partners?
  4. Consider security ramifications before sharing data with business partners?
  5. Ensure that intended data use is clearly understood by all parties and fully meets ethical as well as technical guidelines?
  6. Avoid unusual or suspicious list requests?

Data & Marketing Association
225 Reinekers Lane
Suite 325
Alexandria, VA 22314
(202) 955-5030

Federal Trade Commission
6th & Pennsylvania Avenue, N.W.
Washington, DC 20580

Additional Resources

FTC Guide
Protecting Personal Information: A Guide for Businesses: ftc.gov/infosecurity.