Security Breaches: A PR Nightmare, Or Much Worse?

Who’s managing your security protocol?

The answer is: most company’s security responsibilities are either undefined or divided up between several departments, leaving plenty of room for costly mistakes or security breaches, a panel said during the Promotion Marketing Association’s annual legal conference held last week in Chicago.

Promotions, by their nature, can be a risky business and security breaches at any stage of development can prove to be costly. And the problems can escalate to invite customer complaints that can quickly lead to regulatory intervention.

“Just a simple breach can result in a regulatory review of what you’re doing,” said James Taylor, a partner with Loeb & Loeb. “Then you have a real problem.”

The threats to security can be internal or external, physical, moral or accidental. Whatever the cause, a legal infrastructure and processes should be in place to ensure the assets—from buildings to intellectual property—of the organization remain safe from these threats, Taylor and Duncan McCready, executive VP of the IC Group, Inc. said.

“There are certain things that you can implement from a legal perspective, but nothing is going to be a substitute for the processes in place to identify those threats,” Taylor said.

To start the process, organizations should assess the value of their assets and the existing risks to security. Some questions to consider would be:

• Are the information networks secured?
• Who has access to the information?
• Do your employees understand what information is confidential?
• Do your employees understand the security protocol and the consequences of breaking the rules. (McCready said the majority of threats are internal and moral.)
• Are the keys to proprietary and confidential information secured?
• What would happen if your competitors retrieved the information?
• How could competitors retrieve the information?
• What are the financial implications of a security breach?

“Most organizations would be surprised by the fact that at any given time up to 50% of a company’s intellectual property can be found in a company’s data network, either as e-mail or other digital communications without proper security protection,” McCready said.

Next, build a protocol by creating a sense of urgency and reversing the notion that security protocols are a cost center not a profit and growth enabler. The steps to build a successful program include three key areas: a survey, planning and implementing and tracking.

The survey requires a comprehensive review of the environment, the assets and objectives to mange identified security threats. Planning requires an evaluation of the current security systems formulated into a strategic plan with recommendations on how to avoid, monitor, transfer or mitigate the security threats. Implementing and tracking requires executing the plan and tracking and reporting on the success of the protocol.

“The key is to develop a program in baby steps,” McCready said. “Test and measure along the way to make sure what you’re implementing is working if something goes wrong.”

One key to a successful program is buy-in from senior management, who often need to be educated about the types of threats and the damage they can inflict on the business.

“I can not emphasis how critical that is,” McCready said of upper level buy-in.

A 2001 Federal Bureau of Investigation survey found that 85% of corporations surveyed had a security breach, 64% of those realized financial loses and 180 respondents gave statistics that totaled loses of more than $350 million, McCready said. And once management is on board, staff and all involved partners—advertising agencies, printers, law firms, interactive agencies, insurance companies—need to be educated.

Taylor said that companies that execute a higher number of promotions have a higher exposure to threats and that those that conduct only one or two campaigns per year may want to outsource the work to a reputable organization to lower their risk of a security breach.

“It’s not always as simple as it appears,” Taylor said. “Behind some very small promotions there can be some very big security breaches.”

The very department that may be the front line in defense against security breaches—Internet technology—is often the first to be cut when tough times hit. However, McCready cautions against turning loose the very department that may protect the organization.

“Never cut tech support,” he said. “[This department] is going to tell you whether your program is going sideways or not.”

Should disaster strike, Taylor and McCready offer the following advice.

Notify:

• Customer service

  • The insurance carrier

    • Co-promotion partners and other sponsors

      • Vendors and suppliers (promotion agency, credit card companies)

        • Customers

          • Government authorities (possibly)

        • In addition:

          • Address public relations

            • Engage in a comprehensive security review

              • Consider and manage the potential impact of local, state and federal

                regulatory intervention