Time To Beef Up Security?

It couldn’t happen here. That was the common reaction across the direct marketing industry to the high profile data losses which so embarrassed the Government at the end of 2007. For a business which relies on personal data flowing between the key operational and execution points in the marketing chain, it seemed unthinkable that large databases could be allowed to go astray.

Which only goes to prove what short memories data practitioners really have. Last year started with the news that a marketer within Nationwide Building Society had taken home a laptop containing 11 million customer records. Following the theft of the computer, the bank was ultimately fine £1m by the Financial Services Authority.

Press those in the know and few would deny that the exposure of personal data in this way is by any means unusual. Data has to be moved around and it has to be worked on. Each of these stages opens up a vulnerability which at best can lead to human error and loss and at worst to exploitation by criminal elements.

Jon Cano-Lopez, managing director at Ai Data Intelligency, says honestly that, “we try to insist with clients that they treat data in a particular way, but sometimes it is not as secure as it should be. Some do just want to send data to us on a CD. We tell them not to”.

The reality is that a two-speed industry exists. Suppliers are moving fast to embrace the highest levels of security, but clients are often much slower to implement necessary measure. They routinely insist that their data services partners work to a higher standard than they themselves embrace.

“The gold standard is secure FTP. That is much better than physical media. And never, ever email.” Says Cano-Lopez, before adding that, “people do. I have seen instances of emails with Zipped files and password protection, but they send the password in the same email.”

Some clients sending data files by email think that using a separate message to provide the password is more secure. But if an intruder has gained access to an individual’s inbox, they will see both messages. Set against this is the tight security applied within database bureaux’ data centres. “Nobody can access any data at all unless they are working in our centre. Even I can’t access and upload files. The data keys are walled off and there is a secure firewall between me and the production sit,” he says.

The issue of access rights is one which is likely to cause a lot of argument across the data industry in the coming year. To keep personal data secure, it should only be available to a handful of individuals who need to carry out specific actions. That means marketers should not be able to download databases onto laptops, disks or portable hard drives for offsite access. That is contrary to the existing culture in which data flows freely and risks are not considered to be high.

Cano-Lopez argues that what is needed is a cash handling culture. “The Government’s problem is both good and bad for us. It is bad because the public becomes aware that we are sending their personal data around and consumers would have a heart attack if they knew. It is good for the industry that people are becoming aware of the issue.”

Solutions to the problem of sustaining data led marketing without exposing data controllers to risk do exist. If recent experiences do nothing else, they are likely to drive greater interest and adoption in new encryption and data management applications.

One of these is LogicBox, which was recently acquired by The Trading Floor. Its ListKnife solution was specifically developed to allow non-technical users to carry out counts and analyses on laptops without creating any risk of data losses.

“The application uses unique reference numbers, not actual names and addresses,” points out Stephen Church, head of business development at The Trading Floor and co-founder of Logicbox. “If you leave your laptop behind, the data remains secure.”

Moving onto systems like this is likely to become widespread on the client side as marketers catch up with what data services providers have been doing. “I’m used to it from working at Equifax where data security was critical. It would be a very naive client and an inconsiderate data services providers that did not bring the issues to attention,” he says.

Church acknowledges that physical media transfers are still a fact of life within the data industry. Disks are still routinely used to send databases to a supplier using courier services. These are assumed to be more secure than the regular mail, but they have just as much propensity for loss and theft, possibly more.

He doubts that it is likely that increased data security concerns will lead to the end of physical media. For databases containing multiple million records, secure FTP is not yet quick or reliable enough. Errors in the transfer could corrupt whole parcels of data and make processing significantly more complicated.

Critically, Church points out that the data industry is not usually dealing with bank account details and certainly never National Insurance numbers. That ought to be seen by consumers as a major reason for having greater trust in commercial data owners than they place in the public sector.

“You can’t say to HM Revenue & Customs that you will not provide them with the data they need or that you will stop dealing with them. But if I lose a client’s data, they would stop using us.” Says Church.

Many bureaux are aware of the vulnerable points in their business and also the limitations in the various methods of transferring data. Part of their proposition is the secure methods they can offer to ensure databases are moved without risk and without exposing either the consumers or the clients to potential loss.

“At Celerity, we always aim to go beyond government best-practice guidelines,” says managing director Jason Lark. “For example, data transfer to and from our clients happens over a multi protocol label switching network, in essence a UK-wide VPN that allows clients to connect directly to our network in a secure and controlled manner.”

The network offers three-tier encryption coding which gives extremely secure data transfers. However good the technology might be that is applied to data transfers, the major vulnerability remains the human factor.

Lark points out that, “finger print and iris recognition technologies are the way forward for data protection on the move. We currently use finger print recognition within our business and it’s an area we’re looking to develop”.

He notes that there is a reluctance among staff to accept iris recognition. This stems from fears about the potential long-term effects on the eye of being exposed to pure light sources. For those working most frequently with data, this could be a latent health problem.

What is not in doubt is the good faith that exists among database bureaux around data security. As Sue MacLure, head of marketing and business development at EHS Brann Discovery, says: “It is almost unbelievable our industry is having this conversation. Having dodgy data practices is like stealing money from grandma’s handbag – it’s unacceptable.”

She adds: “It is unlikely that the direct industry would commit bad data practice out of malice. Mistakes are probably made due to a deadly combination of time and cost pressures, naivety, and failure to take responsibility.”

Processes for keeping data secure take considerably longer than just copying a file onto a disk, zipping it and giving it password protection. Instead, the data has to be properly encrypted and the keys kept entirely separately from the file.

For secure FTP transfers, names and addresses are replaced with codes which are transmitted separately. All of that requires more attention and more time than marketers have been used to giving to their data.

“The industry’s offenders are probably seeing data handling as a process, rather than understanding what the data is, i.e, not just a list of records, but people, with characteristics, behaviours, spend patterns and history. Perhaps thinking of a dataset as a collection of personal diaries would give people the tendency to be a little more careful with how they dealt with it, “says MacLure.

Probably the greatest threat to the data industry is simply that of complacency. It is very easy when data management has become routine and risks seem remote to cut corners or fail to follow correct procedures. This is what is essentially happening every time a marketer loads a database onto a laptop.

What tends to increase security is any extra layer of regulation that might apply. In financial services, for example, there is much more awareness of the need to protect data and to ensure that all parties are compliant.

As Richard Webster, commercial director at DLG, notes: “For companies operating within the financial sector, there are APACS accreditations that can only be obtained with compliance to strict criteria and testing.”

But he adds: “For those operating in consumer data, there isn’t a benchmark at this moment in time. It is a case of businesses operating in accordance with codes of conduct and best practices – and within the Data Protection Act – a position which it is in our interests to evaluate.” That is a thought which many more in the industry are likely to share this year.

(Precision Marketing - 11th Jan 2008)