"If you're holding any customer information-any at all-such as names, addresses [or] buying habits, you're likely subject to one or more state and federal laws," said Michael Overly, a partner at the law firm Foley & Lardner, who specializes in e-business and information technology law.
A survey of U.S. Internet users conducted by the Pew Internet and American Life Project revealed that 91% of respondents have changed the way they use the Internet, 48% have stopped accessing Web sites that they fear could infect their systems with spyware and 81% no longer open e-mail attachments unless they're convinced they are safe.
"The lack of online trust has made it much more difficult to even reach out to existing customers through e-mail and the Web site," said Darrel Manuel, director of e-business solutions for jewelry manufacturer and distributor Stuller Inc.
Another potential minefield: privacy statements. During the past few years the Federal Trade Commission has gone after Microsoft Corp., Eli Lilly & Co., Gateway Learning and others for lax security efforts or for violating their own corporate privacy policies.
"Companies violate their own privacy statements all the time," Overly said. "And most companies that publish privacy polices for their Web sites don't realize that policy must also be followed throughout every channel."
Avivah Litan, a research VP at Gartner Inc., said 75% of 5,000 Internet users surveyed by the firm earlier this year reported that they're buying fewer items online because of security concerns.
Those fears and behavioral changes don't just affect consumers. "Business users are the same people being nailed personally by spyware, phishing and spam attacks," Litan said. "So that lack of trust to open e-mail attachments or to visit unknown sites will certainly carry over to their behavior at work, whether the e-mails are coming from unknown companies or even companies [with which they have] existing relationships."
Stuller's Manuel was surprised by the results the distributor received when it took steps to assure even existing customers that Stuller's e-commerce site was reasonably safe from hackers. "We didn't think security fears would have an impact on the use of our Web site because we already have strong ties with our customers," he said.
That assumption proved wrong after a test Stuller ran on its Web site this summer, when the company displayed a security certification from ScanAlert Inc. ScanAlert performs a vulnerability scan on Stuller's e-commerce site each day to make sure the site is fully up to date with the latest patches needed to fill security holes that make hacker attacks possible.
If no vulnerabilities are found, a Hacker Safe certification mark is displayed that informs visitors that the site is secure. To test the certification's effectiveness, Manuel configured the service to only display the security certification to every other Stuller.com visitor. Manuel said he found an 11% increase in online transactions with visitors who saw the certification compared with those who didn't.
"The results surprised us. We certainly weren't expecting an increase," he said.
"People want to know that the sites they're using are secure," said Jonathan Penn, an analyst at Forrester Research. "It's not surprising that services like this help with conversion rates."
How well marketers secure their customer information and protect themselves from fraud is becoming a business differentiator, said Matt Leonard, director-information policy and privacy at Harte-Hanks Direct Marketing.
Technical solutions that aim to build online trust are also starting to surface. In late September, GeoTrust Inc. introduced TrustWatch Search, which helps Internet users determine the trustworthiness of Web sites. The TrustWatch browser toolbar displays a green "verified" symbol within Microsoft's Internet Explorer for Web sites that have been verified by a trusted third party, such as GeoTrust or VeriSign. The icon turns yellow for sites that haven't been verified and red for sites known to be fraudulent.
Microsoft has reacted, too, adding an anti-phishing capability to Service Pack 2 for Office 2003. The new features automatically disable links within likely phishing e-mails to protect users from accessing spoofed Web sites.
Earlier this month, Experian launched Commercial Fraud Insight, a service designed to analyze business applications by screening them against multiple Experian data sources to spot potential indicators of fraud, such as a suspicious mailing address or phone number. The service scours Experian's credit information, business addresses, historical application information and the U.S. Treasury's Office of Foreign Assets Control's "Specially Designated Nationals and Blocked Persons" watch list.
Analysts estimate 20% to 30% of all commercial losses are due to some type of fraud. "It's also more profitable," said Carolyn Hardin-Levine, director of commercial fraud solutions at Experian. "Business fraud losses are three to 10 times larger than consumer fraud losses."
Among the security best practices experts recommend direct marketers adopt:
Continuously reviewing security practices.
Regularly running software vulnerability scans on their Web sites and internal systems.
Enforcing strict access to customer data.
In e-mail, providing clear sender identification and full disclosure about any software installations that track Internet usage.