MPA – The Association of Magazine Media (formerly Magazine Publishers of America)

List Security

Magazine Publishers of America
Considerations and Suggestions for the Magazine Industry on List Security

Introduction

Magazine publishers are acutely aware of the importance of maintaining the security of their subscriber lists. Subscriber lists are among a magazine publisher's most valuable assets. When properly maintained and administered, subscriber lists enable the magazine publisher to communicate effectively and efficiently with its customer base and to enhance the relationship with their customer by delivering offers to those subscribers who are most likely to find such offers of interest. Conversely, when the security of a subscriber list is compromised, the magazine publisher suffers damage to its reputation and a loss of consumer confidence and trust.

Magazine publishers also recognize the important role that list security plays in protecting their subscribers' privacy interests. The Magazine Publishers of America ("MPA") has always been deeply committed to and supportive of industry self regulatory efforts to protect consumer privacy interests. To protect consumer privacy publishers should consider adopting appropriate measures and controls to protect the security of subscriber lists against unauthorized use. Without adequate security measures and controls in place, the potential exists for unscrupulous marketers to misappropriate such lists for fraudulent purposes which compromise the integrity of the publisher and the privacy of individual subscribers.

Developing processes and procedures for protecting list security is a complex and challenging task which does not lend itself to one easy or static solution. Differences in the way publishers manage, seed and process their lists may require different solutions and different safeguards. Industry experience, however, can be a valuable tool in identifying potential areas of vulnerability and sources of potential abuse. This document was created, relying in large part on actual industry experiences with list transactions, to assist magazine publishers in recognizing the various pressure points at which the potential for mistake or abuse may occur and to provide suggestions, considerations and strategies for managing those risks. The suggestions and considerations contained herein are not intended to be exhaustive and are likely to continue to evolve as industry practices and experiences change. For example, this document is intentionally focused on protecting the security of lists used primarily for direct mail marketing and telemarketing. While many of the principles set forth herein would apply equally to the protection of email marketing lists, as email marketing continues to grow and develop, it is likely that additional considerations unique to the protection of those lists will emerge as well. It is MPA's intention, therefore, that this document remain fluid and evolutionary in order to be of maximum relevance and use to our members.

1. Contractual Relationships
Magazine publishers should have written agreements with all parties with access to their subscriber list, confirming the authorized use of the list, the confidentiality and security obligations of such party with respect to the list and procedures for disposal of the list following the authorized use. Consideration should be given to including the following provisions in such agreements:

A provision indicating that the third party's business practices may be monitored or audited.

A provision confirming that the third party shall be responsible for the actions of their subcontractors.

A right of immediate termination in the event of a breach.

A provision requiring all of the third party's employees with access to the list to sign confidentiality agreements.

2. Physical Security of Lists and Employee Access.

Any facility where files of subscriber names are produced or maintained should be secured against unauthorized access. Specifically, all locations within such facilities at which subscriber lists are handled, such as the computer room, tape libraries, and shipping areas, should be secured. Access to these areas should be restricted, and there should be careful scrutiny of the individuals who have access to these areas.

A paper and/or online system for tracking the generation, selection, and transfer of subscriber list files should be implemented. Internal procedures for documenting and monitoring this process in real time should be developed, and compliance with the procedures should be carefully monitored. The process should include all internal transfer of files as well as a robust system for tracking external shipments or electronic transfers of files. If files are stored on a local area network, the transfer of files on the network should also be monitored.

All organizations having access to publishers' lists should be encouraged to conduct rigorous background checks of all employees and to implement procedures designed to preserve list confidentiality (e.g., employee non-disclosure agreements).

3. Security for List Order Receipt and File Release.

All list owners should consider monitoring requestors of subscriber list files and other file requests. Service bureaus, that often physically house the list, should closely adhere to any guidance provided by the publisher regarding authorized requestors.

Ordinary third party list rental requests typically come directly from list managers, and an order document containing information regarding the ultimate third party purchaser is generally associated with such orders. List requests from publishers' home offices, in contrast, often arrive more informally via an email or a memorandum. Publishers should consider developing an identification code or Purchase Order numbering system for their internal selections to facilitate tracking these files.

Certain marketing practices and techniques within the direct marketing and telemarketing arena have been prone to higher levels of consumer complaints and regulatory inquiries. List owners should routinely and carefully analyze their own consumer complaints, as such complaints can often be a valuable source of information regarding potential trouble spots or problem areas.

4. List Seeding/Salting/Decoying.

The practice of inserting names into a subscriber list for purposes of tracking the usage of the list is called "salting," "seeding," or "decoying" the list. Proper inclusion of salt names can allow a publisher to monitor usage of a list to ensure that the list is being used internally for the proper purpose (e.g., billing or renewal) or externally for the approved offer, that there is a one-time use of the list, and that there is no improper substitution of offers. Proper decoying may help reveal inappropriate list usage, and provide evidence of improper usage.

The following information gained through industry experience is designed to help maximize the effectiveness of the salting process:

Salt names should be unique.

Salt names should be traceable to the transaction that created them.

Salt names should be changed regularly.

Salt names should not be obvious as decoys to an observer.

Salt names should be of two types; those that are applied on all list selections and those that are applied only when a particular transaction is done. In this manner, salt names can be used to identify individual transactions, making it easier to track the source of the list.

Salt names should contain appropriately identifying information on the transaction included in a non-obvious manner.

Salt names should have information on transactions held in such a way that a normal merge/purge process will not strip off the salt record.

Salt names should be applied geographically throughout the country. In other words, all salts should not be placed into specific regional selects.

Salt names should be entirely confidential and specific to one publication/list.

Salt names should be applied to all lists, suppressions, list rental orders, and any other file that is produced. Including salts in a list is only productive if a robust tracking and monitoring system is used to provide reports on offers sent to salt addresses. Publishers should constantly monitor their salt reports and vigorously pursue apparent misuse of subscriber lists.
5. Pretransaction Considerations.

Magazine publishers and publishers' representatives should develop business processes that allow them to consider the following types of issues prior to engaging in a particular list sale or rental transaction:

Does the magazine publisher have a history of positive experiences with the service bureau or the broker involved in the project? ]

If the magazine publisher has not successfully done business with the potential list renter in the past, consider engaging in some of the following screening techniques:

Review the potential list renter's status with the Better Business Bureau.

Call directory assistance to determine if the potential list renter has a listed telephone number. While the sample offer presented by the potential ultimate list renter may list a phone number, that number often belongs to a third party market research company.

Obtain an independent financial report on the potential list renter, such as a Dun & Bradstreet report, to gain an understanding of the other businesses in which the company is engaged as well as the company's financial status.

Does the potential list renter's subscriber list selection make sense when viewed in light of the offer that will be made or is the list selection overly broad? For example, is the potential list renter requesting the names of consumers who subscribe to magazines for automotive enthusiasts, for working women, and for technology buffs? If so, is the offer one that is likely to appeal to all of those groups?

Call the number or visit the website listed on the potential renter's sample offer. If no number or a false number is provided, further investigation may be necessary.

Review the potential list renter's sample offer to see if the material terms are provided in it. For example, if a seminar is promoted, does the offer state seminar dates and locations? If merchandise is offered, does the offer clearly state product pricing and other material terms?
6. Potential Trigger Points.

Industry experience has shown that certain specific actions by a potential list renter may act as a harbinger of future improper conduct by that list renter. The following questions outline specific situations in which the magazine publisher or, where appropriate, its representative, may consider conducting an additional investigation of a potential list renter:

Is a particular list renter constantly switching to or using an unknown broker? In such situations, further investigation may be warranted.

Will the list order ship directly to a list renter or a broker rather than to a service bureau?

Does the list order not identify the service bureau that will be merging and purging the list, even though the broker or list renter insists that the list will be merge/purged?

Does the list order specify a narrow geographic selection with a non-direct mail sold source? Such facts suggest that the list renter might send the list to a telemarketing firm to append phone numbers.

Is the order a large volume test order, such as 25,000?
(f) Is the order a large volume test order that does not request a net name arrangement?
7. Responding to Potential Security Violations.
If misuse of a subscriber list is suspected, internal procedures should be in place to respond properly to the possible violation and legal counsel should be consulted.

One person within the organization should be accountable for efficiently and effectively responding to potential list security violations.

Appropriate notifications of the potential list misuse should be made.

In the event that mail fraud is suspected, consideration should be given as to whether regulatory authorities, such as postal inspectors or attorney generals, should be contacted.

If additional investigation reveals that a list security violation has occurred, the organization's security procedures and policies should be reevaluated in light of the breach.

No items were found.