Developing a data breach plan, part two


Last month, experts provided advice on how to initiate an effective data breach plan. This month, Dave Lewis, CMO of Message Systems, offers further guidance on how to establish an effective company plan.

Unfortunately, the effects of a data breach often extend beyond a single company. Email service providers, ISPs, and database and marketing automation companies are often guilty by association, undermining the overall trust of the email marketing community, Lewis said. “There has to be a preservation of trust in the ecosystem. This underlines the importance of keeping personally identifiable information safe, including email addresses,” he said.

Lewis advised marketers to follow these four steps to reduce their chances of experiencing a data breach.
  1. Pinpoint ownership of the data. It's easy for marketers to assume the IT or security department should be in charge of protecting customer data; but, Lewis said, that's a mistake. “This is absolutely a CMO issue,” he said. Everyone in marketing—from the CMO down to the marketing assistants—should understand how the data they control is an appealing target for spammers and phishers. In addition, they should understand the marketing department's role in its protection.
  2. Identify who touches your data. One of the ways to reduce the chances of data loss is to reduce the number of people who have access to and interact with the data. “You want to close down as many unauthorized [access] points as possible,” Lewis said. Your best bet is storing data in such a way that it can't be copied or downloaded onto a memory stick or laptop, he said. (The IT department can help set this up.) You also want to make sure only a handful of people have the company's login information for any ESPs or marketing automation services and that those passwords and logins are changed when someone leaves the company for whatever reason. Finally, you should ask your third-party service provider: How are you protecting my data?
  3. Classify email addresses as personally identifiable information. People will be more careful with data if they understand the potential problems and issues a loss or theft from an email database can cause. “People think, ‘Email addresses aren't PII, so we don't need to give [them] that much security,’ ” Lewis said. Changing the data's designation will move it under the auspices of the company's overall data security plan, which will also provide an understanding of what can potentially happen if email addresses are lost.
  4. Evaluate your internal technology with the help of IT or security. Every piece of in- and outbound mail should be scanned and evaluated to make sure it doesn't contain obvious or suspicious links or phishing. “There are two parts to each of those tech solutions: prevention and mitigation. You can't stop everything, but you must be able to spot it when your system is breached,” Lewis said.