Privacy Advisor

Constant Contact’s “Training Day”

June 1, 2013

By Angelique Carson, CIPP/US

Data breaches are on the rise. The number of data breaches in 2012 was reportedly double that of the previous year. The costs of cleaning up a data breach—both financial and in the loss of consumer trust—also continue to rise. As a result, more and more companies find themselves agreeing with Governo Attorney Nancy Kelly, who recently noted at an IAPP event that it costs less to take measures to prepare for the worst than to cover the fallout. This year, the IAPP is slated to administer more than double the amount of private trainings it did last year.

That’s why I found myself at Constant Contact, an online marketing company offering online survey and social media marketing, based in Waltham, MA. The company, recently recognized by Deloitte as one of the 500 fastest-growing companies in its genre, is not regulated by outside entities on privacy, but its director of standards and industry relations, Sam Silberman, recently led an effort to get some of his IT and security team privacy-smart.

“Inherently, we’re all concerned about our customers’ privacy and protecting their data,” Silberman said. “We haven’t had a lot of formal training in it, so, while everyone wants to make sure they’re doing the right thing, it’s really good to get some outside training to reinforce what we believe we already know.”

The IAPP recently held a private training for a handful of the company’s 1,100 employees. In a quiet room at the Constant Contact headquarters, participants sipped coffee and juice and put up with my hacking cough as the IAPP Privacy Faculty's Bob Siegel, CIPP/US, CIPP/IT, CIPM, led a CIPP/IT training.

Bob Seigel, CIPP/US, CIPP/IT, CIPM, leads a privacy certification training at Constant Contact in Waltham, MA.

Participants shared anecdotes and asked questions in an informal, laid-back classroom atmosphere. Siegel took participants through best practices on the development, engineering, deployment and auditing of IT products and services. Incorporating privacy into products at the design stage and the nuances of e-commerce personalization were topics that generated particular interest on this day. Examples of companies who’s practices landed them in hot water legally or otherwise prompted participants to weigh in on how the incident could have been avoided and share anecdotes on similar challenges.

“Don’t claim more anonymity than you can provide,” Siegel warned the room after sharing the story of a company accused of deceiving users with a privacy policy that promised just that. “It’s better to say a piece of data you’re using is “not identified” than “not identifiable.”

The participants will take a certification exam this summer. 

Silberman said having the company’s security and IT personnel looking at the requirements in data privacy and understanding the regulatory regimes gives them a better and bigger picture of how to ensure data privacy for Constant Contact’s customer base, which is a way to add value beyond just e-mail and social media fulfillment.

“As part of our culture, we value small business. We look upon it as our role to help them succeed. And part of that is making sure they follow all the rules and best practices when it comes to e-mail marketing and social media. And also, we want to guarantee their data is secure and we’re good custodians of their data,” Silberman said.

Silberman’s role is to reach out to industry to find standards, industry best practices, rules and regulations and bring those back to Constant Contact headquarters. He said the IAPP courses were a good fit for the company in terms of understanding data privacy worldwide and also how to apply best practices to CC’s decision making in the IT space.

Asked if the emphasis on proactive privacy efforts came from the c-suite or from the ground up, Silberman said it’s in the company’s DNA to do things right, and the brand seeks to be a thought-leader in protecting customer data.

“The trick is to see it as not just a regulatory value but that it helps an organization,” he said, adding that he hopes to certify additional employees as time and budget allow.

“The question really is about, do we need more training and resources applied toward privacy than we do today? That’s the balance that we’re trying to meet here,” said the head of the department of one. “Ideally, I’d like to expand such training to other parts of the organization, but that’s more of a grassroots need.”

Read more by Angelique Carson:
ZIP Codes: Are Courts Set To Protect Consumers from Marketing?
Researchers Publish Study of Indian Privacy Perceptions
Data protection Was Not a Game at London’s 2012 Olympics
Getting to know a Privacy Pro