Epsilon and Other Data Breaches Prompt OTA Action

The Online Trust Alliance (OTA) has announced what it is calling the “Security by design” framework and related guidelines in response to recent data breaches of email marketing firms Epsilon, Cheetah Mail, Silverpop, Return Path, and others who had customer data compromised.

“The OTA is reaching out to the email marketing community directly, to commit to updating now their security practices and to re-classify consumer email lists and related data as personal and private information,” a spokesperson for the OTA tells WebProNews.

For a little background, here is our coverage on the recent Epsilon incident, which affected customers of numerous big brands, including: US Bank, Capital One, JPMorgan Chase, Citigroup, Best Buy, Kroger, TiVo, Walgreen’s, Target, Disney, Robert Half, Brookstone, Home Shopping Network, and McKinsey & Company.

Epsilon is actually part of the OTA, along with DigiCert, Internet Identity, Intersections, Lashback, MarkMonitor, Message Systems, Microsoft, PayPal, Publishers Clearing House, PreferenceCentral, ReturnPath, Securnia, Symantec, TRUSTe, TrustSphere, and Verisign.

“As the OTA is briefing members of Congress, we are encouraged by the level of support from leading marketers and online brands,” the spokesperson said. “We have invited and are looking forward to several trade and lobbying groups to join this effort.”

The organization lays out five steps to “security by design” as follows:

1. Create a cross-functional security team headed by a chief security officer (or equivalent) as a single point of authority with security accountability.

2. Map the data workflows within your organization and vendors to identify points of vulnerability. Examine how you handle data, from collection and storage to transmission, usage and destruction. Define who should have access to the data, how and why.

3. Include security review milestones in the product development process, from concept development, functional specification development, design, testing and launch.

4. Audit your network infrastructure, mapping both internal and external facing sites and all points of connection. Implement processes to monitor your network and data assets to detect unauthorized access or unusual patterns of activity.

5. Develop an incident response plan and team. Include pre-defined action items and communication strategies that can be easily executed should a breach occur.

“The OTA believes we must work together, and make a commitment to make meaningful changes,” the spokesperson. “Failure to do so risks a global shift in legislation and consumer sentiment regarding privacy, data stewardship and ultimately trust, impacting the vitality of interactive marketers and advertising communities.”

The complete set of guidelines, which include, objectives, steps, and a big list of recommended practices, can be found here in PDF format.