Information Security Guidelines

The protection of personally identifiable information is the responsibility of all marketers. Therefore, marketing companies should assume the following responsibilities to provide secure transactions for consumers and to protect databases containing consumers' personally identifiable information against unauthorized access, alteration, or dissemination of data:

Marketers should establish information security policies and practices that assure the uninterrupted security of information systems.
Marketers should create and implement staff policies, procedures, training and responsiveness measures to protect personally identifiable information handled in the everyday performance of duties.
Marketers should employ and routinely reassess protective physical safeguards and technological measures in support of information security policies.
Marketers should inform all business partners and service providers that handle personally identifiable information of their responsibility to ensure that their policies, procedures and practices maintain a level of security consistent with the marketer's applicable information security policies.

Comment:

This guideline was developed for several reasons. Inasmuch as protecting privacy of personally identifiable information and maintaining security of information are closely intertwined, The DMA believed that it was important to specifically address the ethics of information security within the Guidelines for Ethical Business Practice. We also wanted to respond to challenges issued by the Federal Trade Commission and the Organization for Economic Cooperation and Development, which have been increasingly concerned with this issue globally, and have asked industry association leaders to be more involved in promoting security among industry members and encouraging them to factor security into the design of their systems. The DMA's guidelines are consistent with the OECD's revised security guidelines (see www.oecd.org.) (For more information on FTC business and consumer activities in this area that could be helpful to your company, check www.ftc.gov/infosecurity.
The ethics guidelines incorporate four main points that are baseline requirements for marketers:
1) creating policies for an overall "culture of security"
2) developing security standards and training employees
3) incorporating the use of appropriate technologies, and
4) informing business partners of their responsibilities to adhere to the same standards.
Without a corporate standard of security ethics and the proper training, structure and technologies, it would be difficult to reassure consumers of your intentions and ability to keep personally identifiable information secure.

Questions to Ask:

1) In regard to Establishing information security policies and practices:

Have you established an internal culture of security and its supporting infrastructure, including a formal written plan?
Do you believe all employees understand the importance of keeping information secure?
Do you maintain confidentiality statements signed by employees when they are hired?
Do you regularly review your information security policies and practices?
Does your company maintain an adequate budget for security tools?
Have you considered employing network security specialists to assess your policies and practices, perform risk assessments and audits, and assist your company with compliance?
Have you considered liability insurance coverage in case of any security breaches?
Have you created and tested a data recovery plan in case of a natural disaster?
Has your company established a dispute resolution plan in case of disputes arising out of security breaches or alleged misuse of personally identifiable information?
Do you report cyber attacks to law enforcement agencies?

2) In regard to Establishing staff policy and training measures:

Have you designated responsible staff to design written information security policies and practices and ensured their implementation throughout your company? Do you feel confident that you have sufficient full-time staff available for your security program?
Have you developed documentation and training materials to educate appropriate staff on the importance of information security and their responsibilities related to it?
Do you perform background checks as necessary before hiring employees who would handle sensitive information, such as financial or medical data, or data about children?
Do you verify employee qualifications regarding information technology, to avoid security breaches due to employees' lack of technological ability?
Do you review your information security policy with appropriate employees, as indicated by their position or function, promptly upon their being hired, and regularly thereafter?
Do you routinely audit your information security practices or systems (including when changes to the practices or systems are made) to assure accurate execution and to assess vulnerabilities? Do you revise your practices as necessary?
Have you decided what information is sensitive and who has access to such information? Have you established a process for classifying data, and appropriate levels of security for each data class?
Do you routinely monitor employee access to and use of personally identifiable information?
Have you set forth penalties for breaches of information security by employees and promptly implemented them upon discovery of any information security breach?
Upon termination of employees, do you ensure that appropriate processes are changed?

3) In regard to Employing technological measures to ensure security of consumer information:

Do you define information security specifications for all new technologies, products, and data uses, and for system developments?
Have you considered diverse or redundant solutions for high-risk systems?
Do you take steps to understand the security impact of any new technologies, products, or data uses?
Do you use current virus protection programs to protect information and do you update them regularly?
Do you pay attention to security "alerts" released by software vendors?
Do you employ firewalls to protect personally identifiable information?
Do you change passwords routinely and use passwords with multiple numbers and symbols?
Do you put into place authentication measures, as they are available, in order to verify personnel and consumer use and access to personally identifiable information?
Do you test information security systems to ensure that specifications are met and that data are secure in storage and in transit? Do you check with your software vendors to make sure they have tested their applications before public release?
Do you compile and review audit logs for attempted intrusions?
Are you able to identify potential security breaches before they occur? Do you use software patches as needed?
Have you created an incident recovery/back-up plan, including backup software and a secondary site to maintain data, in case of any breaches in your information security systems?
Have you put into place a system to eradicate data from equipment prior to disposal?

4) In regard to Informing business partners and vendors of their responsibility to ensure consistency with the marketer's own security policies:

Do you consider security ramifications before sharing networks with your business partners and vendors?
Do you assure yourself that you understand the nature of any intended use of a list and that the list does not violate any of the ethical guidelines?
Do you decoy and monitor the data practices of your business partners?
Do you take steps to avoid unusual or suspicious list requests?
Have you considered a sample notice to your business partners and vendors, for example: [Marketer's] security policies are set forth below. [Marketer] expects [partner/vendor] to ensure that its security policies are consistent with and do not compromise [Marketer's] protection of personally identifiable information in any way.