It’s ranked as one of the worst data breaches in history, as 40 million Target customers’ credit and debit card information was stolen at the peak of the 2013 holiday shopping season. In early January, Target then announced that 70 million more customers may have had their personal information, like addresses and phone numbers, compromised as well—information that can also assist crooks in identity theft.
Data security is top of mind, making headlines and affecting even the biggest brands in the world. And in event marketing, where data collection is mission critical to most programs, there are many standards and best practices in place behind the scenes designed to ensure that consumer data, however vulnerable, is collected, protected, delivered and, ultimately, secured for its useful life.
This is a tricky landscape to navigate. Consumer privacy issues are growing, but at the same time, data automation is increasing. Consumers, meanwhile, expect more individualized messaging in return for their gift of information. Brands are upping their demands for faster data collection and delivery, and at the same time, they’re upping their standards for security and compliance.
Here, we take a deep dive into the subject, thanks to insights from some of the industry’s leading partners, to form this set of guidelines to put your campaign in the data safety zone:
Specify That It’s Important. Make sure you kick off your strategic and creative concept with an RFP that clearly states your data security needs and the standards your agency or technology providers will need to abide by (this is often listed in the RFP’s index). Winning partners should prove that they’re not just going to come in on price with great creative. “You have to be able to show that you can secure the most important part of output of this marketing investment, which is the data,” says Lu Nygen, director-applications development at AMCI.
Employ On-Site Security. It’s good practice to document the physical security site controls and processes that are in place on a year-to-year basis or following a site move, and consider cameras with recording capabilities at all access points to a venue. Devices should be kept with staff members at all times, or secured to a structure like a stand. Restrict access to devices with unique and frequently changing passwords, set a lockout system in place for failed access attempts, and consider establishing policies about organization and cleanliness of workspaces.
Collect It, and Move It. Internet access is ubiquitous at major venues, but when it’s not, most data is captured and stored locally on a device. If you can, upload your data to a cloud server in real time. You want to get data off the device to avoid concerns over theft or breakage, especially if your event is being run off multiple devices. Encryption is standard protocol, but different wireless setups support different levels of encryption, and you should familiarize yourself with them; WPA2 is one that is considered a high standard.
“At the highest level, there is dual encryption at work with data collection and delivery: the data is locked up in a safe and then it’s being driven in an armored car to its final destination,” says Mike Clow, vp-data and analytics at FISH Technologies. “Beyond that, it’s about setting processes in place and controlling access to the data and making sure that if the data is at rest, that it’s in an encrypted state that no one else can find the keys to crack into it.”
Keep Good Records. Many vendors are required to keep a log of who accessed what and when, and to adhere to retention policies requiring they keep those logs for at least a year, or, if there was a potential security issue on-site, for more than five years. Other examples of record keeping may include pre-notifications of actions such as using wireless access (encrypted, of course) to work with their data, or of when their data is accessed in general.
Protect Yourself. Most event agencies recognize that they don’t own the data, and they don’t want to keep it longer than they have to for liability purposes. But it’s good practice to take out a data theft insurance policy, protecting you from damages should a breach occur, whether the theft is physical or digital.
Curate What to Collect. Carefully craft what questions to ask or data to collect on-site based on specific objectives, so that you’re never dealing with more data than you actually need. Avoid collecting sensitive information like health-related data or credit card numbers at a marketing event. Not only can this kind of data collection be perceived as intrusive to consumers, it also escalates the requirements needed for security and storage.
“That time you spend planning what you’re going to ask in the surveys saves you so much heartache in the end, because the last thing you want to be doing is talking to 10,000 consumers and you get all that information, and you try to get it into the CRM system and you realize, you don’t have a required piece of information to market to that person as a lead for follow-up,” says Clare Toledo, product marketing manager at eshots.
Limit Who Can See It. Set a process in place where only people who need the data are approved to access the data. Then, constantly update that access, removing people who no longer have a need or are no longer working on that particular campaign. This is especially important with the many experiential programs that are multi-month and involve multiple vendors and staffers. Momentum calls this its “leads-privilege” process.
Audit It. Audits are pretty standard, but smaller outfits should start getting in the habit of conducting them. Audits often involve questions on the key data lifecycle in terms of acquisition, storage, use, sharing, archival and disposal. An audit can be internal, maybe by the agency’s IT department, but often, brands will conduct third-party audits to ensure that data has been scrubbed and that protocols agreed to between them and their agency are being properly executed.
Outsource Data Storage. Outsourcing data to server farms, which manage server infrastructure for hundreds of thousands of companies, is common practice. Security at server farms is extremely tight, often fingerprint protected. To gauge the credibility of a server facility, you can look for certain badges. One such badge, PCI compliance (Payment Card Industry Data Security Standard), means it’s met the industry standard for securing credit card data.