Safeguarding Customer Data

• 05/24/2000

Corporations, nonprofit organizations, and government agencies, typically gather "customer" information for a range of purposes. Analyzing this information provides insight into the attributes and characteristics of the people who make the continued existence of the organization possible. This information can be used to better understand how a company’s customers are using products and services, and how their needs change over time. This information can determine how to structure marketing campaigns to increase the effectiveness and reduce the costs.

Profile data is being increasingly used to deliver personalized service though customer touch points, such as Web sites and customer service centers. Click-stream analysis software, for example, allows companies to analyze an individual’s behavior on a Web site. This analysis enables the software to match behavior with a predefined profile, which can be used to generate a special offer or promotion for the user. Some companies also use syndicated Web profiles available from companies like Engage Technologies, which allow them to combine the active user’s profile with their activity on other Web sites. This allows the site to develop an more granular understanding of the users’ interests, especially if the user has entered identifying information into a registration form.

Given this power, it is incumbent on companies to recognize that they have a responsibility to protect and secure the integrity of personal customer data that they collect on their own or purchase from a third-party.

It’s in a company’s enlightened self-interest to do so. If a company develops a reputation for playing fast and loose with personal data, it’s unlikely that customers and prospects will be willing to reveal personal details in the future. If information falls into the wrong hands, the company may find itself subject to lawsuits instigated by individual consumers or investigations by the Better Business Bureau or government agencies. Another reason to protect and safeguard personal information, particularly credit card and Social Security numbers, is to reduce the possibility of identity theft, which is a growing problem in our increasingly wired society.

What are some of the things your company should do if it’s planning to collect customer data for marketing purposes? The first is to define a security policy and to clearly post it on your Web site. Your customers and prospects should know what you are planning to do with the data you collect. A corporate privacy notice could stipulate that the individual can expect to be notified of what personally identifiable information is collected, how the information is used, with whom the information may be shared, and how they can correct any inaccuracies in the information.

If you’re collecting personal information for an e-mail list, be sure to let the individual know that they can opt-out at any time, and make the procedure for doing that easy and simple. For example, the e-mail message should have instructions for how to remove the individual’s subscription, either by sending a reply message with an "unsubscribe" subject line or by accessing an opt-out form on a Web site.

Always use tools that encrypt personal data being transmitted over the Internet. Be sure to use Secure Sockets Layer whenever you obtain sensitive information from users over the Web, such as name, address, Social Security number, credit card number, or date of birth.

Finally, you should create and enforce internal policies and procedures that protect customer privacy. Only trusted employees who need information to perform a specific job should have access to personally identifiable information. Your employees should have password-protected screen savers so their terminals are secure when they leave their desks.

Ensure that the data are kept on servers in a secure environment, inside a locked room that can only be accessed with a valid employee badge and password. Make it a regular practice to remind employees through written notices and training classes about the importance of protecting customer data.

There are two Web sites with further information. TrustE (www.truste.org), a nonprofit organization that promotes the principles of disclosure and informed consent, has a model privacy statement that can be downloaded and used on your Web site. The BBBOnLine Web site (www.bbbonline.com/businesses/privacy ) is also a good source of information. --Robert Craig is vice president of strategic marketing at Viador Inc. (Burlington, Mass.), and a former director at the Hurwitz Group Inc. Contact him at robert.craig@viador.com.