Data Software: Security alert
With authorities cracking down on the way customer data is stored, direct marketers must reassess security measures.
When the Financial Services Authority (FSA) fined Nationwide Building Society £980,000 in February, following the theft of a laptop containing details of 11 million Nationwide customers from an employee's home, it was the clearest sign yet that the regulatory authorities will no longer tolerate a lax attitude towards how customer data is stored.
"The fact that organisations such as the FSA are wading in shows that this is no longer just about complying with the Data Protection Act," says Sally Annereau, a data protection analyst at law firm Taylor Wessing. "The Information Commissioner would never be in a position to levy a fine like that. This will make all those responsible for data security sit up and take notice."
The reason for the size of the fine can perhaps be found in research conducted by Manchester Business School for GB Group, which suggests that identity theft is the UK's fastest-growing criminal activity, costing the UK economy about £1.7bn a year. With figures like these, it's not surprising that data security is one issue few direct marketers can afford to ignore. Consumers are now more aware than ever before of the type of information they are giving out, and the potential issues and threats that can ensue from data abuse.
At the same time, suppliers are also facing demands from clients requesting increased levels of data protection and security audits. It seems the problem is not going to go away anytime soon, as Nationwide and its stolen laptop is just one in a long line of recent examples of data breaches (see box out, page 34).
So how secure is the data used in DM campaigns, and what is the industry doing to prevent further calamities? Rosemary Smith, managing director of RSA Direct, and chairwoman of the Direct Marketing Association, says the importance of data security cannot be overemphasised.
"It's a huge issue because of the impact it is having on individuals' willingness to give up their personal data - the oxygen of this industry," she says. "Without access to this, the result will be badly targeted marketing because we won't have the information we need to effectively target consumers."
Mark Howes, managing director of Axa Sun-Life Direct, says the company's approach is based on openness and trust.
"We instil in our customers the confidence that we are a reliable provider of the services we offer, and that we are going to treat their information with confidentiality," says Howes. "We are very hot on controls, standards and confidentiality around customer data, and we apply that to all our dealings with customers."
So much for existing customer data, but what about prospect data? Do basic names and addresses, with perhaps a bit of lifestyle data - typical of the cold, rented, mailing list - require a similar approach? According to Sachiko Scheuing, European chief privacy officer at Acxiom, it does. When Acxiom took over Claritas and Consodata, says Scheuing, it found that the two companies had not treated the data they dealt with as particularly sensitive.
"This type of data was traditionally seen as low risk, because it was list-rental data, just a lot of names and addresses," she says. Acxiom, though, had different ideas. "We were accustomed to higher security levels," adds Scheuing. "The reason we have data protection laws is that the regulators see privacy as a basic human right. Racial segregation is not tolerated as a basic human right. Data protection is considered to be on the same level."
Acxiom's approach to security is reflected in the fact that Scheuing is one of three regional chief privacy officers at the company, all reporting to global privacy officer Jennifer Barratt. So although Claritas and Consodata were compliant in data protection terms, the new owners raised the security bar considerably, to the extent of relocating from several offices, which Acxiom thought did not offer an adequate level of data security. A major upgrade was also carried out to all systems and there was a multi-million pound investment in a state-of-the-art European data centre.
"It involved changing the culture," says Scheuing. "This meant getting strong support from the senior management team and increasing employee awareness, which included mandatory computer-based training followed up by in-person training."
Open to abuse
Today, few would dispute that there is a much greater degree of awareness of the need for stringent data security measures than there was in the days when Acxiom was buying Claritas and Consodata.
Martin Doyle, chief executive of DQ Global, says he "can't think of a company" that would not ask a business handling its customer data to sign a non-disclosure agreement. "In the past, it was something we offered and some people went for it and others didn't," says Doyle.
Ruaraidh Thomas, group managing director at Lateral Group, says clients have become much more detailed about the criteria their partners need to fulfil if they are going to store, host and manage their customer data.
"It's right that clients should be asking these sorts of questions," says Thomas. "We have IT security policies and procedures to make sure we are securing and protecting what is a valuable asset for the brands we work with. It's important that as a business, and as an industry, we do this."
The same types of demands are being made of suppliers in other sectors too. "There are all sorts of hoops we have to jump through before handling customer data," says Jonathan Bass, managing director of mobile marketing agency Incentivated. "Everything from questions about the security measures we have, through staff access to client data, and taking laptops down to Starbucks to work over a coffee."
Some businesses, by definition, leave themselves open to data theft. In the case of online business-to-business directory Yell.com, for example, how can the unscrupulous or ignorant use of its data without payment for it be stopped? Yell's approach was to hire outsourced list-seeding company DQM Group and to use specialist software (see box, page 36).
"The abuse of Yell.com data when we first started working with it was extraordinary," says DQM director Christine Andrews.
To identify the abuse, DQM placed fictitious names in various classifications, with the phone number routed through to DQM's compliance team.
"Nine times out of 10 sales companies are to blame," says Andrews. "Sometimes it's wholesale 'screenscraping' and sometimes it's ignorance, usually small local firms. Normally a warning letter is enough to stop it, but if abuse persists after two or three letters, there's no option but to go to court."
Independent verification
There is a point of reference for companies in the direct marketing industry looking to make their data secure: British Standard 7799, which covers data security. Address management software company QAS has this standard and says it is looking to adopt another one that has a greater focus on risk management.
"The majority of customer data is handled at customer sites, but where we handle it internally, we take the process very seriously," says QAS IT manager Neil Johnson.
"We set up a restricted environment, so only a specified number of people can access it and at every layer it's managed on a multi-tier security approach, with rules at every access point."
Email service provider (ESP) e-Dialog was the first ESP to achieve a security certification (ISO 27001) and managing director Simone Barratt says that having independent verification of the integrity of its security processes and systems is becoming an increasingly important part of the new business process.
"As we talk to new prospects, the IT compliance and data governance people are playing a more important role in the procurement process," she says. "It is customers and consumers that are driving it, but that in turn drives the internal procurement process, which means it's incredibly important."
Despite such measures, however, some people think the public's nervousness about personal data has gone beyond the point of no return. David Green, business development director at GB Group, says that when he talks to companies in the business of collecting consumer data, he finds that consumers are becoming more protective about their personal details.
"The days of consumers filling in shopping surveys and letting their data be freely available are diminishing fast," says Green.
In response, GB Group has launched a service within its GBAccelerator product range that enables companies to capture customer details more quickly and accurately. The product incorporates software to verify the customer's postal address and landline phone number and checks that any email address given is valid. It also verifies that any mobile number given is a live number.
But what makes Green think consumers will part with this information in the first place? "The clients we are working with, especially in the financial services sector, tell us that if it's pitched to the customer in the right way, for example, as a way of getting hold of them quickly if necessary, consumers are happy," says Green. "Especially when it's a company they have a relationship with and feel they can trust." And one, presumably, that keeps a close eye on its laptops.
POWER POINTS
- The FSA recently fined Nationwide after an employee had their laptop stolen containing customer data
- Data security affects whether people are willing to give personal data
- Firms must sign a non-disclosure agreement
NEED TO KNOW
Data security disasters
Misuse of data is on the increase. In a survey carried out by Deloitte Touche Tohmatsu, more than three out of every four of the world's largest financial institutions experienced an external security breach during 2006.
Of the world's top 100 financial services companies that responded to the survey, 78 per cent confirmed a security breach from outside the organisation, up from 26 per cent in 2005. The survey also found that almost half the companies experienced at least one internal breach, up from 35 per cent in 2005. And there's no shortage of examples of what can go wrong ...
- Visa and Mastercard: In April 2006 a UK-based online retailer caused a security breach that resulted in thousands of Visa and Mastercard holders having credit cards cancelled.
- Wanadoo: A technical error led to the ISP's customer account information being published online in May 2006.
- HSBC Bangalore: In June last year, a worker accessed confidential account information and passed it on to criminal associates in the UK, who went on to steal a total of £233,000 from UK customers.
- Nationwide Building Society: In August 2006, a laptop was stolen from the home of an employee of Nationwide. The laptop contained details of some 11 million Nationwide customers. The building society was recently fined £980,000 over the incident, but says it has not led to loss of money from customers' accounts.
- Second Life: The online "virtual world" suffered a security breach in September 2006, in which a malicious hacker broke into a database holding information about its 650,000 users. The database held names, addresses, passwords and encrypted credit card information. Second Life users were asked to reset their password.
- Channel 4: In October 2006, a man in India offered to sell credit card details of 200,000 people to a journalist fronting a Channel 4 investigation into data security.
- The Department of Work and Pensions: In February, it was revealed that as many as 26,000 letters containing pensioners' personal banking details were sent to the wrong address. The department said it would be able to trace all the letters involved and contact all concerned.
CASE STUDY: YELL
Brand: Yell
Brief: To combat data abuse
Supplier: Sentor
Business directory Yell UK's primary data assets are its Yellow Pages directory and the Yell.com website. Both contain details of some two million UK businesses. Yell obtains the basic phone number and address information from a variety of sources, and then contacts the businesses to ask if they want a discretionary three-line entry or if they want to pay for a more prominent listing.
"The process and the end result is our intellectual property (IP)," says Yell spokesman Jon Salmon. "We have enhanced the presence and profile for small businesses around the UK and we want consumers to use it for the purposes for which it was intended. We don't want people using it for telemarketing purposes or using specialist software to "screenscrape" the data because that's a breach of our IP. We also don't want our advertisers receiving unsolicited calls offering things they are not interested in."
The company's primary form of defence is traditional database seeding. By inserting dummy business details, which track back to third parties who front the dummy numbers, Yell can identify where its data is being abused. In the fight to protect its IP online, Yell has taken things a step further. Working with Swedish IT security company Sentor, it has developed software called ASSASSIN (Automated Assessment Anti-Scraping Surveillance Network) which alerts Yell to activity which looks like data scraping.
When data abuse is detected, through the dummy listings or ASSASSIN, Yell sends out warning letters that usually halt the activity. If not, the company turns to the law for help.
Salmon won't be drawn on the specifics of how many instances of data abuse the software has helped uncover, but says the company is "very pleased with what it has achieved."
"It's not a major issue, but for any company such as Yell, where data is at the heart of what we do, it's essential that we protect our asset," says Salmon.