I've been trying to get the Direct Marketing Association -- the industry group that speaks for companies like Epsilon (Epsilon CEO Bryan Kennedy is a board member) -- to comment on the Epsilon incident and the long-running attacks on email service providers. Insiders know that Epsilon isn't the only company to be hacked in the past year, and I wonder if email marketers are really taking this seriously. To date, the DMA hasn't been willing to answer questions on this, but they did send me a copy of their ethics guidelines, noting that "our members are required to abide by information security guidelines."
What exactly are those guidelines? Well, check 'em out. From pages 21-22 of the DMA's 42-page Ethics Guidelines document:

INFORMATION SECURITY
Article #37

The protection of personally identifiable information is the responsibility of all marketers. Therefore, marketing companies should assume the following responsibilities to provide secure transactions for consumers and to protect databases containing consumers' personally identifiable information against unauthorized access, alteration, or dissemination of data:

• Marketers should establish information security policies and practices that assure the uninterrupted security of information systems.
• Marketers should create and implement staff policies, procedures, training, and responsiveness measures to protect personally identifiable information handled in the everyday performance of duties.
• Marketers should employ and routinely reassess protective physical safeguards and technological measures, including data retention, destruction, and deletion practices, in support of information security.
• Marketers should contractually require all business partners and service providers that handle personally identifiable information to ensure that their policies, procedures, and practices maintain a level of security consistent with the marketer's applicable information security policies.
• Marketers should, in the event of a security breach where there is a reasonable likelihood of material harm to consumers, inform those consumers who may be affected as soon as reasonably practical, unless requested by legal authorities to delay such notification.
So in other words: Be safe. Be very safe.
Marketers are not information security professionals. But it's disturbing that in an industry under siege there seems to be no useful guidance for companies that really do want to improve their security. It's not even clear when these incidents should be disclosed: does stealing my name and email address create a "reasonable likelihood of material harm"? Some people would say yes; others would say no.
Maybe people are sharing information about the spear-phishing attacks for marketers behind closed doors and on private mailing lists. But maybe the industry is sticking its head in the sand and simply hoping the whole problem will blow over.
What do you think? If you're an email marketer concerned about Epsilon, drop me a line at firstname.lastname@example.org
I should add that the Online Trust Alliance has some good information on this topic.