While investigators sort through just how thieves compromised about 40 million payment cards and the information about 70 million Target customers, businesses must use this latest breach as a reminder to reinforce their standards that ensure their data stays safe. As important, they must develop communications preparedness plans to alert customers of potential threats.
Target's been under fire from critics who say the retailer was slow to alert customers of the breach and did little to make amends. Last week, however, Target, in an attempt to apologize to customers and protect them from other potential scams, emailed customers this communication from Chairman and CEO Gregg Steinhafel.
Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian's® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
- Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
- Delete texts immediately from numbers or names you don't recognize.
- Be wary of emails that ask for money or send you to suspicious websites. Don't click links within emails you don't recognize.
Target's email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel
Chairman, President and CEO
Given these statistics and the ordeal surrounding the Target breach (and now Neiman Marcus is coming under fire for a potential data breach), companies must work to ensure they have customer notification preparedness standards in place.
The Direct Marketing Association recommends businesses consider an information management program that addresses Data Minimization, Retention, Access, Use, Communication, Storage and Disposal. Senny Boone, Esq., senior vice president of Compliance for DMA, said this means companies should collect only what they need, explain to customers how their data will be used, regularly clean and purge data to ensure accuracy, store data in a tested, secure manner, and dispose of paper and information securely. "It sounds logical in concept, but it won't happen unless every marketing organization takes a purposeful approach to privacy and data security," she said.
In an effort to encourage marketers to become data stewards in their organizations, the DMA is revising its DMA Guidelines for Ethical Business Practices. The revised guidelines are being presented for approval to the DMA Board of Directors at the end of January, and will be promoted to and shared with the full membership quickly thereafter. The organization asks members to:
- Establish written data security policies and procedures reflective of current business practices (including written policies and procedures related to personal devices versus company-provided devices). These should be a dynamic and active set of guiding principles for the organization, in marketing and across the business. Organizations are asked to monitor and assess data security safeguards periodically.
- Provide data security training for relevant staff, including staff who use their own devices to perform their duties to prevent unauthorized access to the organization's data.
- Include contractual safeguards. Set up a data security breach readiness plan appropriate for the level of data collection. This should include periodic audits of data collection, an assessment of the information collected, a commitment to a data minimization plan and an information priority classification scheme (including data destruction and purging), appropriate encryption and password security, and a crisis notification plan with early warning alerts for all stakeholders, including anyone personally affected by a data breach (unless barred due to pending law enforcement investigations).
According to the Ponemon Institute's "2013 Cost of a Data Breach Study," the average organizational cost of a data breach in the U.S. can total about $5.4 million. The study cites three root causes of breaches: malicious or criminal attacks, system glitches, or human factors.
Organizations collecting sensitive data should heed the DMA's new guidelines to ensure added data security measures are taken to protect such data online and via digital channels like email, mobile, and web/display.