Editor's note: Isaac Rogers is chief innovation officer at 20/20 Research, Nashville.
As research continues its digital evolution, research firms and their providers are sharing more and more massive amounts of confidential information online. In our zeal to utilize new capabilities to conduct research studies while reducing their time and cost, researchers often neglect to check the security protocols of their partners and suppliers.
Today, we have huge amounts of confidential client and respondent data being transferred across unknown and potentially insecure data infrastructure. And like the Titanic’s fateful meeting with the iceberg, one day our lack of attention to the security of that data could tear apart what we have built thus far.
There are a variety of steps researchers should take to better understand how their fieldwork and technology partners manage security. While it may seem like a massive challenge to properly scrutinize your suppliers, in reality there are a few basic steps even a “techno-novice” can take to choose the right suppliers for their critical projects.
Committed to security
Today’s researcher works with a variety of partners to execute even a relatively uncomplicated project. Recruiting firms, local focus group facilities, online platform providers and a host of other service providers all may collaborate at various points in the life of a project. And each of those suppliers either comes in contact with or produces the sensitive data in your project. So how can a researcher ensure their partners are committed to security?
Here are five simple questions you can ask of your fieldwork partner to better understand their awareness of and focus on the importance of data security. Most reliable vendors should be able to quickly and easily answer these questions by producing their existing documentation or credentials; if they can’t make this information readily available to you, it can be a sign they are ill-equipped to manage your project’s data – which could leave you and your clients exposed.
1. Can you provide me your data handling procedures, accreditations or compliance documents that would be applicable to this project?
A competent technology vendor or fieldwork partner should maintain up-to-date IT policies that govern data security and use. These policies will typically outline how their internal staff will store, access and use your data during the course of a typical project. Policies should exist for all aspects of their IT infrastructure and will detail the vendor’s methodologies and best practices. Some researchers might fear receiving a raft of documents in a highly technical language understood only by “software people,” but rest assured, these policies are typically written in plain English and easy to understand.
2. Have your IT policies ever been audited? Do you maintain certifications or compliances related to security?
Assuming your vendor maintains security documentation, you may want to ask if they have ever been audited or tested for compliance. Many high-quality suppliers maintain some level of HIPAA, PCI, ISO or other standards-based certificates and some vendors have even undergone external audits of their policies, which can be a good thing, proving their processes have been stress-tested. A quick conversation with your supplier’s IT management or security officer will give you some idea of their history with technology audits and security certifications.
3. How will my data (or my client’s data) be stored? How will it be transferred?
Competent technology partners or fieldwork suppliers maintain secure, encrypted solutions for data. Any vendor you work with should maintain an encrypted, secure file management system for storing your content. These types of systems ensure only the right people in that company can access your information internally. These systems are commonplace in today’s corporate environments and should not be optional for handling your critical information.
One of the most important components to look for should be a secure file transfer system. Your partners should have a way to send and receive files via a secure online portal or encrypted transfer solution. While these tools might seem complicated, they are actually very easy to use; no sophisticated technical skills should be required.
4. Who will be working on my data? Do you conduct IT security training?
Your supplier might have the best policies in the industry but if the project-level staff aren’t properly trained on data security, the fancy technology can fail. A good sign that your vendors take security seriously is regular IT security training for ALL employees. Many firms train new staff on IT policies and then conduct refresher courses once a year or more. This keeps the employees up-to-date on the current best practices.
If your research includes any kind of health care or pharmaceutical work, you might want to ask if they have ever trained on adverse event reporting. While this type of training isn’t quite as common, it’s a good indicator that your supplier has managed a similar project before.
5. Can you remove or destroy my data after my project? Can you provide a certificate of destruction?
This is one of the most commonly overlooked data security issues in market research: the post-project maintenance of data. That secure client list you provided your recruiting partner or the confidential product marketing material uploaded to your technology platform’s site might live far longer than you anticipate. Many times the researcher moves on to their next project and doesn’t take the time to go back and request removal of secure content. And because the fieldwork partner might not know exactly when you are “done” with the data, that content might sit on their servers for months or even years. It’s good practice to request confirmation from your supplier in writing that all project data has been deleted or purged from their systems.
As project budgets become leaner, some researchers cast a wide net and bid each piece of the project to a variety of suppliers in search of the best deal. Pricing should be a major source of competition in our industry but one cannot make all of their decisions based on the cheapest resource available. The lowest-cost provider may also be the one who invests little in their internal systems to protect your client’s valuable data. Work with partners you have vetted and fully trust before handing them any confidential content.
Steps you can take
The above five steps can help ensure you are choosing the highest-quality suppliers and partners. But what are some steps you can take to further reduce the risk of a data security issue?
Kill your e-mail. OK, so that might be a bit tongue-in-cheek, but in all honesty, e-mail is likely the No. 1 riskiest way to transfer sensitive data between yourself, your client and your research partners. In fact, a 2013 study by the data security firm Symantec found that out of 277 data security breaches, malicious attacks represent merely a third of all offenses! Human error and system glitches account for the overwhelming majority of issues regarding data security breaches. While the hackers might get the headlines, the bigger threats lie elsewhere.
Many security experts will point to the common e-mail as the single biggest threat to data security. In market research, a staggering amount of project data flies across the Internet via e-mail attachments; this practice is extremely risky and a huge threat to high-security projects. A simple typo sends that secure file to the wrong in-box or accidentally attaching the wrong file exposes confidential client data to the wrong recipient. We’ve all been guilty of sending e-mail to the wrong person, which is precisely why it should NEVER be used to send secure data.
Luckily, there are many simple solutions that allow you to easily share secure content with your suppliers. All of your vendors should already have a secure file transfer system or digital dropbox with password-protection and encryption. Use this kind of system to transmit confidential content. If your supplier doesn’t provide this type of system, it should be a red flag.
However, you can always set up your own portal. Anyone can choose from a variety of low-cost online solutions (Egnyte, Accellion and others) that provide password-protected and -encrypted file sharing. Many of these solutions cost a few hundred dollars a year and are well worth the effort to use. Additionally, your end-client might have just such a system or a secure FTP server that you can use to share content.
Minimize your exposure. When clients are providing their customer lists or confidential product data, it can often be tempting to just say “Send me everything in case we need it later in the project.” In reality, that practice opens you up to unnecessary risk. A better approach is to define exactly what is needed from your client and request only that content. A common example is client customer data; these client lists are used in the recruiting process and often contain rich customer profile, demographic, transactional or even behavioral data. Much of that extra information contains personal, sensitive information about customers that should never be shared with a recruiting firm unless absolutely necessary to the project. Instead, take the time to strip out the extraneous content and share only the important contact details.
Keep participants informed. While we often think of client-provided data as the main source of secure content, the participants themselves can generate a tremendous amount of sensitive information during the course of a research project. While participants often provide this information willingly as a part of the overall engagement, one of the most common complaints we hear from participants is the lack of transparency during the recruiting process.
In countless cases the recruiting firm is never told of the type of confidential or private data the consumer may need to provide to the researcher until the day of the focus group or the first time they log in to an online discussion. This not only infuriates the respondent, it also creates the potential for a breach of confidence if the situation is not resolved effectively.
Researchers should be as transparent as possible to their recruiting firms so they can prepare the participant for the level of information sharing that may be required. This transparency allows participants to opt-out early during the process. Additionally, signed or explicitly confirmed data release documents should be used in many, if not most, projects. These data release waivers are a great way to ensure the participant knows exactly how and where both the researcher and the sponsoring client will use the shared personal information. Several industry resources provide example releases, or you can have an attorney draft one for you for a nominal fee.
Use industry resources. Pay attention to the security briefs and association standards in the industry. We have a wealth of organizations that serve our industry to provide knowledge and best practices when it comes to how the researcher should approach data security. The ease of digital data sharing has made this aspect of research a critical area of concern and there are fantastic advocates within these organizations who can help researchers navigate the new digital waters.
Plan for the threats
While I’m no expert on the sinking of that historic ship (although I did see the movie!), the actual experts lay much of the blame on aggressive speed and timelines posed for the ship’s first voyage. In their haste to speed across the Atlantic, they didn’t take the time to plan for the threats on the horizon. Even as other ships reported icebergs in the area, the Titanic sailed with little heed to the warnings. Ironically, that same “full steam ahead” mentality is what causes many of today’s market researchers to ignore the risks in data security, even as we hear news of massive data breaches in the retail and financial sectors.
Unless all of us in the industry address this potential problem, both with ourselves and with our vendors, we are likely to face a massive disaster that could lead to suffocating regulation and a loss of all trust among our respondents. A single project could one day hit that looming threat on the horizon and we all might have to deal with the fallout.
The good news is that you can take a few extra steps today to insulate yourself from much of the risk by understanding the role of data security within your own research. If that fateful day comes when the industry must deal with a publicized security failure, you will be in a better spot to assure your clients and participants that their confidential data is being treated with the respect it deserves.