It’s 4:30 AM... Do You Know If Your Customer Data Is Safe?
For several weeks now, data security has been a white-hot topic in the email marketing community. With the April 1 announcement by industry giant Epsilon that a security breach had occurred, corporate communications departments from Amazon to the Home Shopping Network to Walgreens were sent scrambling to understand the impact of the intrusion and how they must deal with it. Marketing executives second-guessed their marketing channels and partner relationships. Email service providers (ESPs) braced for the onslaught of inevitable questions from their customers like “are we secure?” and “can this happen to us?” Security hardware and software vendors rejoiced at the wonderful opportunity that had just fallen into their laps. And the average consumer was left scratching their head, wondering why Capital One was sending them replacement credit cards. But in the aftermath, the question that everyone seems to be asking is:
How can we be certain that this never, ever, EVER happens again?
The simple answer is we can’t. No matter what your email service provider tells you (or your bank, hotel, or florist), there is no absolute certainty when it comes to data security. Many corporate information service departments will — and they should. But the truth is that nothing is 100% secure. Even if you quadruple-double-secret-encrypted all your customer data and put it in a Brink’s safe guarded by a menacing-looking Rottweiler, there’s always the chance that someone would come along with a decoder ring, a stethoscope, a few hair pins, and a raw t-bone steak. If we’ve learned anything from the Ocean’s Eleven movies, it’s that no security system is foolproof.
We understand that isn’t the most comforting thing to hear right now. As pharma marketers, we operate under a great deal of scrutiny, and patient privacy is always a very high concern. But if we know that there is a chance that our data could become compromised, why do we take the risk? And that’s the key question — is it worth the risk? We must first understand the risk and then carefully weigh it against our business objectives. If we believe that having a relationship with our customers is worthwhile, and that communicating with them is a necessary component of our relationship, then we must accept the risk that comes along with the retention of their contact information.
If we’re smart, we also have a decent contingency plan for what to do should a breach occur. Here are a few steps to consider when a breach occurs:
1. Understand the issue
In instances like this it is very important that you wait to react until you understand the details before passing along information to your customers or instructing them to take action. The only thing worse than no information is bad information. What exactly is the nature of the breach, and how might it impact your customers? What information was compromised? Names, birth dates, physical addresses, Social Security numbers (SSNs), others? Knowing what was exposed and the sensitivity of that information is critical in determining next steps. For example, we would react one way if full names, birth dates, and SSNs were exposed. But if the only exposure was email addresses, we’d probably recommend a different course of action.
2. Communicate with your customers
Your customers may not need to know all the details, but they certainly need to know how it impacts them. Will they need to contact other service providers? Should accounts be closed or passwords reset? Communicating with your customers, even just to reassure them that you are aware of an issue, goes a long way toward maintaining a trusted relationship.
When you communicate with them, be direct and clear. TD Ameritrade did well in communicating the issue to their clients by posting a message on their site, as well as sending an email notice to all their clients. They included a brief overview of the situation, how it may impact their clients, and directions on what to do and whom to contact should a client believe they may have been impacted. GlaxoSmithKline also promptly alerted their customers, with an email outlining the scope of the issue and its impacts.
3. Step back and reevaluate
Once the smoke clears, a little bit of introspection can go a long way. Are there things you are doing that might lead to a similar occurrence? Are your business practices as tight as what you demand of your business partners? Are you with the right business partners? In any given email campaign, there are several different steps that involve customer data, and oftentimes several different business partners have access to that data. Understanding the “chain of custody” and how that data is handed off from partner to partner is every bit as important as knowing how your data is stored. We’re not advocating a wholesale freeze on everything involving data, but a little homework and investigation is probably worthwhile.
Ultimately, we must understand the risks of collecting and retaining customer data, and weigh them against our business objectives. Most often we’ll find that with a few precautions and some discipline, we can achieve our marketing objectives without sacrificing data security.