Data privacy issues are making headlines more than ever, especially in email marketing after recent high-profile breaches. Establishing a culture of self-regulation is crucial at this juncture, with privacy legislation pending, such as the bill recently introduced by Senators Kerry and McCain, which pertains to online tracking methods.
While searching for answers ready for immediate practical implementation, I would like to share a few points from the Online Trust Alliance (OTA), which recently published Security by Design, a comprehensive plan for data stewardship. This and many other excellent resources on email authentication can be found on the OTA site, and I strongly recommend membership for all companies that handle consumer data.
Here are a few of the key takeaways from the OTA:
Three Fundamental Truths All Organizations Should Embrace:
- The data you collect includes some form of PII
- If you collect data, you will experience a data loss incident at some point
- Data stewardship is everyone's responsibility
While these seem like simple facts, they make a strong case for being prepared for the day a data breach occurs within an organization. Data is and always will be vulnerable to human error and to deliberate attack. However, by following the five steps from the OTA release below, you will have a solid foundation and a plan for dealing with data breaches:
- Create a cross-functional security team headed by a chief security officer (or equivalent) who serves as a single point of authority and is accountable for security.
- Map the data workflows within your organization and your vendors to identify points of vulnerability. Examine how you handle data, from collection and storage through transmission and usage to destruction. Define who should have access to the data, how and why.
- Include security review milestones in the product development process, from concept development and functional specification through design and testing to launch.
- Audit your network infrastructure, mapping both internal and external-facing sites and all points of connection. Implement processes to monitor your network and data assets so that unauthorized access or unusual patterns of activity are detected.
- Develop an incident response plan and team. Include pre-defined action items and communication strategies that can be executed quickly should a breach occur.
This checklist, more detailed specifics, and the 20 questions every organization should ask itself can be found by downloading the original OTA guideline.