Into the Security Breach

May 01, 2005 9:30 PM  By

I probably won’t win any awards for originality when I tell you that identity theft is an enormous concern. The Federal Trade Commission (FTC) recently announced that it was the number-one fraud perpetrated against consumers — our customers! But clearly consumers aren’t the only ones who need to be concerned. Recent data security breaches at Bank of America, ChoicePoint, and LexisNexis have demonstrated that the individuals whose information was stolen are not the only victims. The companies involved have been dealt an enormous blow, one that extends to our entire industry. They have become the target of public and media ire, and executives of the victim companies have been called to testify before Congress.

These companies have helped their situations by dealing with the aftermath, notifying those affected, and helping authorities apprehend the criminals involved. But unfortunately the damage is done.

So by now you’re probably wondering, What does this have to do with me? It’s true that ChoicePoint, Bank of America, and LexisNexis were dealing with reference data (information about an individual that is not used for marketing purposes, such as a credit-card number), not marketing data. The companies apparently followed the law and had reasonable security procedures in place. In fact, those security procedures allowed them to identify the crimes and alert the authorities. But that’s precisely what’s so frightening about identity theft: It could happen to anyone, even the companies that do the “right thing.”

What can you do? A good place to start is by making sure your house is in order. Despite some high-profile cyber-breaches, identity theft remains a relatively low-tech crime. Thieves access victims’ information through fraud or by stealing data from someone they know. The perpetrator can be a “friend,” a family member, a co-worker, or an employee of a business the victim patronizes. This old-fashioned crime requires an equally low-tech defense: sound screening of those who have access to your data and careful monitoring of how, where, when, and why the information is accessed.

It’s not just employees you need to be concerned about. Vendors and business partners should also be considered. Don’t take for granted that others adhere to the same ethical standards and security practices that you do. Specify in contracts the security procedures you require to be followed. If you exchange lists, know who will be receiving them and how they will be used. Also, seed your lists so that you can continue to monitor their use down the road.

Now is also a good time to get a refresher course in Web security. Ask your inhouse security specialists the questions you would like to know as a consumer: What precautions are taken? How is site security monitored? Where is the database server hosted, and who has access to it? The answers can help you better understand your security environment and communicate with your customers about this vital issue.

You might want to consider establishing a formal policy that outlines how you contact your customers about their account details and other sensitive information. Make sure your customers know that you would never contact them via e-mail or phone to ask them to divulge passwords, PIN codes, or other personal details. This can safeguard them — and you — against “phishing” attacks, whereby a criminal uses your good name to con victims into revealing data to be used for identity theft.

Finally, put all security procedures in writing. Train your employees to follow those procedures, monitor your progress, and upgrade constantly.

Capitol Hill is doing more than just holding hearings on identity theft. Legislation concerning data security is very likely, although the exact course of action remains unclear.

One option would be a federal law similar to California’s Security Breach Information Act. That law requires companies to disclose incidents in which a California resident’s data has been compromised. Sen. Dianne Feinstein (D-CA) introduced a bill that mandates such disclosure nationally, as well as two like-minded bills. Feinstein’s second bill would establish an “express consent” system for companies that want to share consumer information. The third bill would prohibit the sale or display of Social Security numbers to the general public without individuals’ knowledge and consent.

Sen. Bill Nelson (D-FL) and Rep. Edward Markey (D-MA) have introduced companion bills directing the FTC to establish procedures for notification of security breaches, consumer access, and correction of data. These bills present issues for marketers. For one thing, if the information that needs to be corrected is from a public record source, marketers cannot make the correction. For another, these bills do not differentiate between reference data and marketing data, which means that a customer list is covered. If your list says I purchased an extra-large sweater and it was really a large sweater, under these laws I would have a right to correct it — incurring a huge expense for you with minimal gain.

I expect that we will also see bills that address the sales, rental, and exchange of Social Security numbers, the “holy grail” for identity thieves. Sen. Charles Schumer (D-NY), for one, has been vocal in supporting such legislation. You can also look for significant activity at the state level. Assemblies in Georgia, New Hampshire, New York, and Texas already have on the table notification bills modeled on the California law.

Legislation will come, and we must ensure that there is balance in resulting regulation, because the information needed to commit identity theft is the same that is needed to prevent it. For example, when a customer responds to an offer you sent using marketing data, you must use reference data to verify the customer’s identity. If legislation prevents you from accessing the reference data needed to authenticate customers, fraud and identity theft will increase.

Our colleagues in Europe are already experiencing this. European laws prohibit the use of a credit-card billing address for anything but sending a credit-card bill. In the U.S., marketers use billing addresses to verify customers’ identities. The result: Internet credit-card fraud is twice as great in Europe as it is in the U.S.

Gone are the days when data security was something that only the IT department had to worry about. Having and enforcing good data security policies and procedures is now, more than ever, essential to building lasting customer relationships — and that has everything to do with our business.


Jerry Cerasale is senior vice president for government affairs for the Direct Marketing Association in Washington.