Data breaches are among the greatest threats to the value of an organization’s brand, especially when they expose customer and prospect data. This inevitably creates a negative public perception and damages an organization’s reputation. These increasingly common occurrences have affected industries from healthcare and public utilities to retail establishments, restaurants, and digital service providers.
In early September, Equifax became the most recent and most ironic target of sophisticated hacking. As one of the “big three” U.S. credit bureaus and a company that sells identity protection services, the data breach affected the personal information of 145.5 million consumers and included Social Security and driver’s license numbers.
Most reporting on data breaches focuses on credit card numbers, but as we can see with Equifax, that's not all that is at stake. Consumers are still trying to understand how they may have been affected, and what they can do to protect their personal data.
In addition to facing short and long-term damage to their brand value, an organization’s day-to-day operations can be hobbled if internal systems must be shut down until the breach is contained. Between lost revenue and industry standing, organizations must take every action possible to protect their data.
There are three actions you can take to mitigate these risks:
- Understand and comply with information security laws in the US and European Union (EU).
- Take concrete steps to protect your sales and marketing data in-house.
- Require the same of your technology providers.
Data: How Do You Protect It?
The short answer is it depends on your location and business sector. Definitions are different in the US and the EU, as are the laws requiring how you handle and protect personal data. If your system collects or has access to Personally Identifiable Information (PII), then it is both covered by and at risk of not being in compliance with those laws.
The PII that is routinely collected by sales and marketing organizations generally includes an individual’s name, employer, phone number, email address, and mailing address. Depending on the offering, it may also include a date of birth and Social Security number. In the US, there is general agreement on what PII is, but some data, like health and financial information, requires greater protections.
Contrast this to the EU, where regulations include a very specific and more far-reaching definition of PII. In the EU, PII or “personal data” is any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, personal email address, place of work, work email address, or a computer IP address. As long as anyone could use the data, alone or in combination, to identify a person, EU law requires companies to protect it.
In the EU, data protection is considered a fundamental right whereby the individual owns and has control over their personal information. Although this has been true since the mid-1990s, in May 2018, the GDPR will make these regulations consistent across all EU countries. It also rolls out some changes to support their citizens’ rights. For example, companies can no longer rely on only impenetrable legalese in their terms and conditions to gain people’s consent to use their data. And companies must make it easy for people to withdraw their consent.
If your company gathers any personal data from any person located in the EU, both you and your vendors must comply with these laws or face substantial fines.
Audits and Best Practices: Why Are They Important?
Sales and marketing organizations must ensure that any systems they purchase or develop for capturing and managing customer and prospect information are developed in an environment with solid data security policies, advanced IT development practices, and appropriate safeguards in place. Obtaining external audits is one of the best ways to be confident of proper data handling and compliance with pertinent regulations.
Over the last several years, the Service Organization Controls (SOC) 2 Report, also known as a SOC 2 audit, has become widely used for this purpose. The SOC 2 report evaluates an organization’s information systems relative to system security, system availability, processing integrity, confidentiality, and privacy. The standards against which your systems are measured are issued by the Association of International Certified Professional Accountants (AICPA).
There are two levels or types of SOC 2 report:
- SOC 2 Type 1. Determines that the policies, procedures, and controls in place to protect PII, as described by the company, are adequate to meet the criteria at the time of the audit. Essentially, a SOC 2 Type 1 audit says that the system should be able to safeguard information, and it serves as the foundation for a SOC 2 Type 2 audit.
- SOC 2 Type 2. Goes beyond Type 1 by conducting audits over time. The report, issued by an objective third-party auditor, gathers evidence that adequate controls and best practices are actually being employed over an extended period of time.
In addition to meeting AICPA standards, a SOC 2 Type 2 report covers whether a company’s practices are adequate to meet client-specific requirements and the commitments vendors have made to their clients, which can include complying with EU regulations. Auditing your operations is the best way to reassure your customers that their data is safe with you. Conversely, you should contractually require that third-party products offer you the same protection.
Of the external audit reports available, SOC 2 Type 2 is meaningful and useful across many business sectors, and generally is adequate for use by sales and marketing leadership.
Perform due diligence when choosing a vendor that provides sales and marketing tools, or any system used to manage customer data. Don’t hesitate to request a copy of any external audits that have been performed, and ask them to commit to protect data at the level of EU regulations.
Some vendors post SOC 3 audit reports on their websites. This indicates they have undergone some type of SOC audit, and provides a very general summary of the findings. We recommend asking for the more detailed SOC 2 audit report to ensure they can address your concerns and provide adequate data protection.
Expect to sign a Non-Disclosure Agreement to obtain a full copy of the report. This gives you the ability to review the details of the auditor’s criteria, the vendor’s controls, and the auditor’s test results.
If you sell or market to prospects in the EU, it's important to review the security commitments you’ve made to those customers. Ask your vendors to include those requirements in your contract with them. This is especially important in 2018 when the GDPR will go into effect, with heavy fines prescribed for noncompliance.
As a solutions provider to sales and marketing organizations, ROI Selling recognizes the impact of a data breach on a business, and the importance and value of an external audit. Our ROI and value selling tools will comply with EU regulations or a subset of those regulations as they apply to our tools. Any other vendor you work with should be willing to provide the same protections.
When your sales and marketing technologies include valid controls, your customers can be confident in your efforts to protect their information. It may not be possible to fully prevent a breach, but it is possible to reduce your risk significantly and stay on the right side of the law and regulations. Having external proof of best practices and a sound operating environment distinguishes your organization from your competition, increases customer satisfaction, and can reduce the potential damage from a data breach. An audit is well worth the effort so you don’t become the next public relations casualty.