One-to-one messaging is alive and thriving in both print and pixel-based marketing channels, and combining physical and digital marketing has been proven to increase response rates. To unlock this value, marketers are tapping into data they’ve never had available before and, more importantly, never before shared with marketing partners.
From that perspective, while the focus of security and compliance continues to be on personally identifiable information (PII), there is now much more valuable information being exchanged. We are beyond applying logic only to age, gender, state of residence, and whether or not one owns or rents a home. The programming logic required for high-performing, one-to-one messaging is based on much more personal attributes than those.
As a marketer, if you are sharing data with your partners to take advantage of advanced message segmentation and versioning, it is critical that you understand how your data is being managed and secured by your partners. It is time to go beyond checklist-based vendor-risk questionnaires and an annual site audit to validate physical security controls.
Your organization or a trusted third-party audit firm should be conducting a thorough audit of all partners with whom you share PII/PHI and other personal information. Sit down with your partners and have them demonstrate the controls that are in place to assure their answers on the questionnaire are supported.
Here are five important security questions to ask and tasks to consider when auditing your partners:
- How long does your partner retain your data on their systems?
Does this match your company’s policy? Ask them about the process and tools they use to manage data retention. Is data securely destroyed when it is removed from the partners’ systems? If you have worked with them in the past, ask that they show you your historical files to prove there is nothing older than the stated retention policy.
- Is your data shared by your partner with other organizations (third parties) for any reason?
If so, ask to see their vendor risk management policy. Ensure their policy meets all of the security requirements that are mandated.
- Is your vendor storing your information in the cloud, and if so, how are they protecting it?
Is the cloud service physically located in another country? If you discover your vendor is using cloud services (SaaS, PaaS, IaaS) do you know if they have undergone a Cloud Risk Assessment? If they have, ask them to share those results. If they haven’t, you may want to conduct an independent Cloud Security Audit to ensure your information is protected.
- Can you tour the working areas of your partner’s facilities?
See if your partners are practicing a clear desk policy. (Are any of your marketing materials lying around with live data embedded?)
- Who works directly with your data?
Ask to speak with one or more of these employees. Ask questions to gauge their understanding of the security policies in place. Some questions might include: How are your materials labeled and managed? Do they understand the confidential nature of your data? How often does security awareness training occur?
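The retention question above asks a partner to prove there is nothing on their systems older than the stated retention policy. The following script is an added example, not part of the original post and not IWCO Direct's tooling: it walks a directory, flags every file whose last-modified time falls outside a retention window, and reports the offenders oldest-first. The 90-day window and the sample file names are assumptions constructed for the demo. Filesystem mtime is a weak witness (it can be reset by a copy or restore), so the output is a starting point for the conversation with the partner, to be reconciled against their job logs and destruction records.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed retention window for this example; substitute your contract's value.
RETENTION_DAYS = 90


def collect_file_ages(root):
    """Walk `root` and yield (path, last_modified) pairs from filesystem mtime."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            yield path, mtime


def find_retention_violations(file_ages, retention_days, now=None):
    """Return [(path, age_in_days)] for every file older than the window, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    violations = [(path, (now - mtime).days)
                  for path, mtime in file_ages if mtime < cutoff]
    return sorted(violations, key=lambda v: v[1], reverse=True)


def build_sample_tree(root, now):
    """Constructed sample data: three files with back-dated mtimes (not real client files)."""
    ages = {
        "campaign_2024_q1.csv": 400,   # well past the window
        "campaign_current.csv": 10,    # inside the window
        "suppression_list.csv": 120,   # just past the window
    }
    for name, days_old in ages.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample row\n")
        ts = (now - timedelta(days=days_old)).timestamp()
        os.utime(path, (ts, ts))  # back-date both atime and mtime
    return ages


def demo():
    """Build the sample tree in a temp dir and return (basename, age) violations."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        found = find_retention_violations(collect_file_ages(root), RETENTION_DAYS, now)
        return [(os.path.basename(path), age) for path, age in found]


if __name__ == "__main__":
    for name, age in demo():
        print(f"VIOLATION: {name} is {age} days old (limit {RETENTION_DAYS} days)")
```

Run it against a partner's export directory by replacing the temporary tree with the real path; anything it lists should be matched to a destruction record, and any unexplained gap between the two is the finding to discuss in the audit.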
Yes, conducting this type of in-depth review is time consuming and will likely incur some hard costs. However, the importance of getting into the weeds and making the investment to know the answers to these security questions cannot be overstated. Written policy is not enough. It is important your partners have an institutionalized security practice.
At IWCO Direct, we are confident you will see and feel the results of our security practice. Our practice was established more than 13 years ago and improves dramatically every day, month, and year. We have invested in the most stringent certifications (ISO 27001:2013, PCI, HIPAA, and HITRUST) to protect and secure our clients’ data and our own.
Come and visit us. We look forward to showing you how we will protect your critical data assets.