Part 1: Prevention
JP Morgan Chase, Anthem, Home Depot, Sony, Target. The list of companies suffering a data breach is long and includes some of the leading companies in the world. Even the U.S. government is on the list, since both the Internal Revenue Service and the U.S. military have been hacked. The Ponemon Institute puts the “true cost” of handling a data breach at $217 per record. That adds up quickly: count on $217,000 for a breach affecting 1,000 records, a relatively small number, as most of the data breaches that make the news involve far, far more records than 1,000. And of course, the more we hear about data breaches, the more we – and our customers – worry about them.
The bad news is that data breaches can happen to any organization, big or small; and yes, even to marketing research firms. The good news is that there are measures that you and your marketing research firm can take to minimize your risk of a data breach.
- Don’t stick your head in the sand and think that it can’t happen to you. Awareness of the issue and recognition of the problem is the first step to doing something about it.
- Knowledge of PII. Marketing research firms often have access to personally identifiable information (PII), any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize anonymous data, can be considered PII. PII can be sensitive or non-sensitive. Non-sensitive PII is information that can be easily gathered from public records, phone books, corporate directories and websites. Sensitive PII is information which, when disclosed, could result in harm to the individual whose privacy has been breached. Such information includes biometric information, medical information, personally identifiable financial information (PIFI) and unique identifiers such as passport or Social Security numbers. All PII, and especially sensitive PII, should be encrypted in transit and at rest when data are being stored.
- Preventive Measures. Take an audit of your current data handling processes and make sure you address any vulnerability that you find. And don’t forget about archived and stored data, both in your network and in the “cloud”. Data breaches can occur with marketing research data that has lain dormant for years, only to be found by a random Google search. If it is not secure, assume it can be breached.
- Check Your Vendor’s Security. Whether you are working with a new vendor or one you have worked with for years, don’t assume anything. Make sure that you are comfortable with your vendor’s data security processes and policies. If you aren’t, have an open and frank discussion about addressing the issue. Remember: ignorance is not bliss, and it is also not an excuse for leaving data unsecured.
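To support the audit this post calls for, here is an added example (not code from the original post) that walks a constructed survey export and sorts its fields into the post’s sensitive / non-sensitive PII split, so the fields that must be encrypted at rest are listed explicitly. The field names, the value patterns and the sample records are assumptions.

```python
import re

# Sensitive PII per the post: biometric, medical, financial data and unique
# identifiers such as passport or Social Security numbers. (Assumed column names.)
SENSITIVE_FIELDS = {"ssn", "passport", "medical", "diagnosis", "biometric",
                    "fingerprint", "card_number", "bank_account"}
# Non-sensitive PII: what a phone book or corporate directory would reveal.
NON_SENSITIVE_FIELDS = {"name", "phone", "email", "employer", "job_title"}

# Value patterns catch identifiers hiding in free-text columns such as "notes".
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def classify_field(name, value):
    """Return 'sensitive', 'non-sensitive' or 'none' for a single field."""
    key = name.lower()
    if key in SENSITIVE_FIELDS:
        return "sensitive"
    # A column with a harmless name can still carry an SSN or card number.
    for pattern in VALUE_PATTERNS.values():
        if pattern.search(str(value)):
            return "sensitive"
    if key in NON_SENSITIVE_FIELDS:
        return "non-sensitive"
    return "none"


def audit_records(records):
    """List the columns in a dataset that hold sensitive and non-sensitive PII."""
    findings = {"sensitive": set(), "non-sensitive": set()}
    for rec in records:
        for name, value in rec.items():
            cls = classify_field(name, value)
            if cls != "none":
                findings[cls].add(name)
    # Everything under "sensitive" must be encrypted at rest and in transit.
    return {k: sorted(v) for k, v in findings.items()}


SAMPLE_RECORDS = [  # constructed survey export, not real respondents
    {"respondent_id": 101, "name": "A. Example", "email": "a@example.com",
     "diagnosis": "none"},
    {"respondent_id": 102, "name": "B. Example", "phone": "555-0100",
     "notes": "SSN 123-45-6789 given over the phone"},
]

if __name__ == "__main__":
    print(audit_records(SAMPLE_RECORDS))
```

The "notes" column is flagged as sensitive even though its name is innocuous, which is exactly the kind of dormant data the post warns about.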
Some of the ways you and your marketing research partner can keep data safe are:
- Have written security procedures and make every employee aware of the need to maintain those procedures and to keep data security top of mind in all projects. Remember to update these procedures at least annually to keep them current.
- Have a firewall protecting your information technology infrastructure from outside intrusion, and monitor your systems constantly.
- File transfers should only occur using a secure file transfer protocol. Email is not secure, so never send data files containing PII by email. If you or your vendors do not have a secure way to transfer files, get one set up yourself and insist that your vendor use it.
- Not only should everything be password-protected, but your marketing research partner should have a stated policy about updating passwords regularly.
- Personal software should never be used to conduct the marketing research company’s business. Often, personal software is not secure, especially if it is free. So, be sure that there is a written policy against the use of personal software in company business and that it is enforced.
- Never use USB or thumb drives to transfer data files. These drives are too easy to lose, and they are not secure. The policy should always be: no data on thumb drives.
- Data should be backed up regularly, preferably offsite. Fires and natural disasters can happen, and backups can also help in preventing data breaches.
- If you or your vendor allow remote access to the network through a VPN, expect to need not one but two passwords to make sure it is secure from unauthorized access.
- You and your vendors should have an appropriate policy for disposing of or archiving data files that are no longer needed.
Data security is a moving target, and we all struggle to keep up. Following these guidelines is not a guarantee that a breach won’t happen to you, but it will hopefully help you be more aware and proactive about the issue, and help you react quickly if it does happen.
Next week, we’ll provide some guidelines on what to do if, despite your best efforts, you experience a data breach.