What Retail Marketers Should Know About Data Security

April 11, 2007

Retailers Must Protect Customer Data, Customer Trust and Brand's Value

Irvine, California, April 11, 2007 - In the past year, large-scale customer data leaks in the retail industry have brought heightened scrutiny to the way in which retailers manage their customer data or, in many cases, do not. Just last month, a major retailer reported that tens of millions of customer records had been stolen from the company. The thefts, though, did not happen overnight. The company had been subject to continued customer data loss for almost two years before discovering the breach. According to analyst firm Gartner, this breach was the biggest card heist ever. It brought millions of consumers to their knees, forcing customers to close their credit accounts and check credit reports for suspicious entries, and causing unimaginable inconvenience.

At a time when retailers (and many other industries) face such extreme vulnerability in storing valuable customer data, SmartReply, the country's largest provider of mobile, voice, and loyalty communications for the retail industry, announced that it had exceeded the highest technology requirements in order to manage and protect customer data.

"In view of ongoing security breaches in protecting customer data in the retail industry, we engaged a global systems security company to pick apart every corner of our massive data operations network and infrastructure, and to attempt to hack into the system from all corners of the globe," said Tim Odell, Executive Director of Technology for the Irvine, California-based company. "After a month of random attacks and leaving nothing to chance, our security systems passed the many vigorous testing procedures, keeping to the highest standards possible." The result is that SmartReply is now the only retail voice and mobile marketing services provider to become PCI Certified.

Although infrastructure testing and hired hackers are commonplace in mission-critical operations like homeland security and financial services, those organizations are not immune to hackers and data theft either. In 2005, customer data theft added up to $54 billion in losses, according to the Federal Trade Commission.

"The unfortunate reality for the retail industry is that many marketing service providers are not doing enough to prevent security breaches, even though they may be handling their client's sensitive customer data," said Eric Holmen, President of SmartReply. "They're either afraid of what they'll find out, or they're intimidated by the cost. For SmartReply, it's a matter of ethical responsibility to our clients. We want to be absolutely sure that our clients' customer data is secure. Within the next year, it will be commonplace for the CEO and CIO to demand this kind of testing, and we're clearly leading the market with our higher standards."

The damage caused to companies by data compromise occurs on many levels. A study by the Ponemon Institute found that a single data breach can cost between $5 million and $50 million, averaging $140 per lost customer record. Then there is the loss of intangible assets, such as customer trust and brand value. Stock prices can also take a massive hit. Researchers at Emory University's Zymand School of Brand Science found that a company loses an average of 0.63% to 2.1% in stock price when a data breach is announced. In the past, marketers have been relaxed about data security, but many are now beginning to see this as a career-ending oversight and not an afterthought.

Another troubling statistic is the amount of data for voice and mobile technology being managed in a non-secure facility, or even overseas, where data security requirements are compromised and not under the oversight of the United States federal laws. According to Holmen, "Any time a retail company gives even the smallest amount of customer data to a third party, they need to cover the basics that we call the Marketing Data Security Promise."

These include:
  • Keep it close to home. Make sure that your customer data never leaves United States soil and never touches a server outside of the country. No foreign transit of data, or removal of data out of U.S. federal jurisdiction. Data can pass over many other systems en route and, unbeknownst to the client or service provider, could be compromised.
  • PCI DSS testing by a reputable firm. Short for Payment Card Industry Data Security Standard, PCI DSS was developed by the major credit card companies - VISA, MasterCard, Discover, American Express and JCB - as a guideline and industry standard test to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing card payments must be PCI compliant or they risk losing the ability to process credit card payments. SmartReply meets all PCI standards and guidelines.
  • Penetration testing. This is a test conducted by hired hackers around the globe, as they attempt to break into your systems at random times, by subtle and aggressive means. It is an intense procedure but thoroughly necessary. "When we put our own systems through this kind of testing, we didn't know what they were going to do, or when," says SmartReply's Odell. "We were able to seamlessly continue operations through the tests, and never experienced an intrusion. Our systems proved to be very solid."
  • Network facility site visits. Nothing beats a facility site visit to gauge firsthand how data is processed by your marketing providers. "Our network site has armed guards, requires pre-screening, man-traps, and biometric scans for entry. It's a very intimidating process to go through even for our staff, which makes it terrifying and impenetrable for a devious, would-be hacker," says Odell.
  • People. A system is only as good as its people. Get your provider's organization chart with phone numbers, call a couple of people, and interview them. Remember that these people could be looking at your customer data. You have the right to know who they are, and it only takes 30 minutes. "For example, our executive director of technology, Tim Odell, comes with a background at the Federal Reserve," says Holmen. "We look for people that want to maintain the Fort Knox of data centers." A small operation with only a few people is a bad sign - they're probably doing what they can to get by and your customer data security is likely very low on their to-do list.

"I'm very proud of the SmartReply team - the test results confirm that we have been progressively delivering outstanding technology developments and protecting our client's data every step of the way," said Holmen.

SmartReply's highly secure technology can help retailers establish strong policies for protecting valuable customer data from the get-go, before it is too late.

About SmartReply

SmartReply's voice and mobile messaging solutions have created breakthrough marketing results for leading retailers throughout the United States and Canada. As the only voice and mobile messaging company dedicated to meeting the unique marketing challenges and objectives of retail executives, SmartReply gives its clients the proven ability to increase store traffic, lower marketing cost and strengthen brand affinity. Because of this, SmartReply is the provider of choice for more than 80 major regional and national retailers. SmartReply is headquartered in Irvine, California. More information for partners and clients can be found at www.SmartReply.com or by calling (800)-785-6769.
# # #