How Secure Is the Data in Your Rewards and Recognition Program? 5 Questions to Ask Your Vendor

When people think about data breaches big retailers like Target, where personal data of 70 million customers was affected, come to mind or more recently health insurer Anthem, where a data breach affected 80 million people and could cost the company $100 million.  But I’d like to suggest that when you think about your rewards and recognition program, you also think about the security of the data it contains.

When organizations are looking for a great rewards and recognition program, their focus is on employee engagement. This is understandable, given the positive impact an engaged workforce has on business goals. However, most rewards and recognition programs require some level of personally identifiable information (PII) to meet program requirements, such as mailing addresses for shipping gifts or issuing 1099s, and protecting that data should be a top priority.

In the incentive industry we take data security very seriously. We know that there are numerous places where a gap in security can happen: old systems that don’t send an alert of multiple failed attempts, failure to lock accounts after a designated number of access attempts, failure to safeguard data from unauthorized individuals, allowing simple passwords that are easy to break, or even lack of a computer security incident response plan.

If you’re in the process of vendor selection for your rewards and recognition program, or even if you already have a program in place, look at data security from every angle.

Here are steps you can take right now to make sure the data in your program is as secure as possible:

1. Put your vendor through a Security Due Diligence (SDD) that outlines their corporate and IT Policies related to data security, business continuity, and vendor risk management (ask about their vendor data sharing agreements and how vendor audits are handled).
2. Make certain your vendor is PCI and US-EU Safe Harbor compliant. PCI is a payment card industry standard that includes four levels of security, depending on the number of credit card transactions the company handles. PCI Compliant certificates are issued differently depending on compliance level, however most are issued by an approved scanning vendor (ASV) or an onsite-audit.  Global rewards and recognitions programs should ensure that the organization they choose is US-EU Safe Harbor compliant.  This will ensure that their data will receive adequate levels of protection when transmitted outside of the US.
3. Ask how they safeguard data from unauthorized individuals. How do they administer physical and logical controls? Your vendor should have access control levels across the organization that limit access to certain servers, certain folders, and certain files. (See: February 10, 2015, MIT Technology Review for the importance of access security controls.)
4. Assess how ready they are for any type of data security breach. What is their continuity plan, disaster recovery plan, and security communications plan? Are they promoting data security throughout the organization? If a security breach or disaster occurs, can your program still be operational and will your data be safe?
5. Do they continuously monitor their data security policies and if a change is needed, how long does it typically take to implement that change?

As more data is migrated to the cloud, where it will be accessible by multiple devices, businesses will need to put in place additional safeguards to protect customer data. By performing regular, comprehensive Security Due Diligence of your rewards and recognition program vendor, you will quickly know if those safeguards are in place.

Marketing Innovators International, Inc. is PCI and US-EU Safe Harbor Compliant