August 1, 2008
By Jessica Tsai, Assistant Editor, CRM magazine

Maximum Security

They say there's safety in numbers' but, increasingly, it's the numbers (and other customer data) that need safekeeping. Infusionsoft, for example, a provider of marketing automation solutions, announced in June that its Web-based service has met the data security standard from the Payment Card Industry (PCI) Security Standards Council.

Marc Chesley, the company's vice president of development and technology, recalls that the attitude toward online transactions started shifting three to five years ago, when online banking became more reliable in the public's eyes. For Infusionsoft, the mission to be PCI-compliant started more recently, about 18 months ago: Planning took six months, and then a full year was spent completing the 12-step process. Chesley says that his company's efforts are part of a trend soon, he says, "every company will be required to be certified to retain [its] merchant retail status."

Data security can't be taken lightly. "When you recognize something as an asset, you do whatever it takes to protect it," says Thomas Redman, president of Navesink Consulting Group and author of Data Driven (Harvard Business Press, September 2008), a book about data quality as a strategic advantage. Many organizations, however, find that to be much easier said than done. Ask any individual whether security is important, Redman says, and you'll most certainly receive a chorus of consensus, but that unanimity often fails to extend to the organization. The responsibility gets juggled between the technology department and the executives and then pushed to the back burner.

Still, the responsibility for data security is typically a technological issue. Infusionsoft, which characterizes itself as "stubbornly small business," understands that, for the most part, security certification is simply not feasible on a small company's budget. Even when small businesses know security should be in place, "they don't know where to spend the money," Chesley says. "They just find an IT guy down the street." As the software provider, Infusionsoft's compliance extends to its customers' without any increase in cost. (The company says it's also working on becoming compliant with both Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, two particularly rigorous federal regulations.) For companies that haven't yet started on the path to PCI compliance, Chesley suggests that they start soon. The initial costs will invariably be less than the potential cost of a security breach, which can result in extravagant regulatory penalties' and catastrophic damage to customer retention.

Nevertheless, while the technology team can put up firewalls or set up passwords, the battle is only half-won if there aren't any corporate policies or regulations in place. Redman notes that security breaches making national news often aren"t caused by "some grand tech screw-up." Rather, it was because of people taking on false identities or being negligent with company property. (See sidebar, below: "A Pair of Non-Tech-Savvy Security Breaches.")

According to a 2008 study by the Pew Internet & American Life Project, 75 percent of users either agree or strongly agree that they do not like giving out their credit card or personal information online. Internet infrastructure service provider VeriSign recently announced some big-name customer wins' ones the company hopes will bring attention to developments in online security. Consumers can easily discern which sites are protected by the VeriSign Extended Validation Secure Sockets Layer when the navigation field turns green -- a feature that VeriSign reps say phishers attempting to create a faux site can't simulate. Online retailers Buy.com, Blue Nile, and Overtons.com are among more than 4,000 e-commerce sites that have joined a widespread initiative to protect consumers from phishing scams and create a safe online-shopping environment.

Unfortunately, while there are various solutions available, the laws delineating the intricacies of data security are far from defined, Redman says. "No one knows exactly what's right or wrong with privacy and security," he says. Suffice to say, the industry's playing it by ear. Redman quotes one industry pundit as saying, "Security will be to the Information Age what consumer protection was to the Industrial Age." Regardless of how data security policies are defined, Redman says he's confident it will be in favor of greater consumer protection.

Better security, however, doesn't have to mean weaker marketing. In fact, Redman says that as marketing gets more targeted, consumer information will be handled more strategically. More things go wrong when you attempt to blanket the entire market. "It doesn't mean you can't mine the data for insight," he says, citing companies such as Netflix that make recommendations based on aggregate consumer behaviors. "Just be respectful of your customers. It's too hard to get new ones."

SIDEBAR: A Pair of Non-Tech-Savvy Security Breaches
February 2005: Atlanta-based data aggregation company ChoicePoint reports that criminals masquerading as business officials have obtained the personal information of more than 163,000 consumers.
Penalty: $10 million in civil penalties, $10 million to settle a class-action lawsuit, $5 million for consumer redress, and stronger security policies and measures (www.privacyatchoicepoint.com).
May 2006: Two teenagers are arrested for stealing a laptop from the home of a U.S. Department of Veterans Affairs employee. The computer contains names, Social Security numbers, dates of birth, and in many cases phone numbers and addresses of an estimated 28.6 million veterans. The computer is later recovered and it?s determined that no data has been taken.
Penalty: Implemented a service to conduct security breach analysis to detect misuse. Class-action lawsuits have been filed.
Source: Privacy Rights Clearinghouse

Every month, CRM magazine covers the customer relationship management industry and beyond. To subscribe, please visit http://www.destinationcrm.com/subscribe/.