
Few events can damage a company's brand and the trust of its customers more than a data incident, such as an external breach or the accidental loss and misuse of customer data. As witnessed in recent months, cybercriminals have expanded their efforts, targeting the email and interactive messaging ecosystem with increased malice and precision. Every brand, service provider and other participant in this ecosystem needs to understand the nature of these attacks, recognize that its data assets are at risk and plan accordingly. Left unchecked, data incidents can trigger a meltdown in consumer trust, jeopardizing consumers' privacy and personal data along with the viability of online communication and commerce.

As proposed by OTA, 'security by design' is a holistic framework predicated on the belief that all members of the messaging community have a stake in the preservation of consumer trust and that data stewardship is everyone's responsibility. Further, we believe that creating a culture of security is a critical industry priority as we move into an era of data-driven cross-channel communications and platforms.

OTA believes all businesses must take security and privacy seriously now, and not wait for government regulation to force our hand. Effective self-regulation and transparency will enhance the vitality of our industry and advance the interests of all legitimate stakeholders, but their absence will have the opposite and significantly detrimental effect.

This document provides a security framework that every business and technical leader should carefully consider. To aid in the development of a plan, a series of twenty questions is included to stimulate an internal review. The data security best practices are presented as a starting point for security professionals and operations managers as they seek to assess their data and operational security requirements.

To be successful, 'security by design' needs to be part of the culture of every organization and functional group. Security is no longer optional, and businesses need to accept three fundamental truths:

  1. The data you collect includes some form of personally identifiable information (PII) or "covered information";

  2. If you collect data, you will experience a data loss incident at some point;

  3. Data stewardship is everyone's responsibility.

Businesses that accept these "laws of data collection" and structure themselves accordingly will be better positioned to protect their customers and brands from harm.  

OTA has identified best practices to help businesses address the most common causes of loss. Many of the guidelines may be regarded as "security 101", but they are the very ones most often overlooked or not maintained. While there is no silver bullet, the attached list provides recommendations that serve as a basis to develop an appropriate security program for those businesses that maintain consumer data or messaging infrastructure. When implemented, they help to harden security defenses, detect exploits, and develop effective plans to remediate data loss. The majority can quickly be implemented to help protect the personal, business and financial data of all affected individuals.

The definition of private and personal data is rapidly evolving as the regulatory landscape has become increasingly complex. Today we no longer compile files consisting solely of email addresses. Through appends, data mining and other tools we now have comprehensive data files that include email addresses, which sometimes also serve as the match key. Since service providers have little or no visibility into which data elements are being used or created, OTA recommends that both in-house marketers and service providers assume their lists include some PII or related covered information.


Download the report Security by Design Guidelines






Revised October 1, 2013