Data Security: What do you need from your 3PL?
The last few years have seen data security take center stage as stories of hacking and identity theft have made front-page news. (For an interesting way to see the big data breaches of the past decade, see this interactive graph.) If such violations of privacy could happen to huge corporations like Target, Home Depot, and Experian/T-Mobile, they could happen to anyone… right?
Reasoning like this helps explain why we get so many questions about data and data security. As warehouse management and logistics systems become more and more integrated across organizations and even between partners, people’s fear of data breaches is also growing. Clients worry that using a 3PL (or other collaborative partner) might open them up to another avenue of attack.
When it comes to data security, it is important to look past the headlines and the hysteria and ask: What is really at risk? And what positive steps can we take to protect ourselves?
Financial Data is Not Likely at Risk
First, it is important to realize that most news stories about data breaches involve third parties scraping financial data from payment systems, usually using malware. This means that both personal information and financial information (think credit card numbers) are stolen en masse.
This threat does not exist when using a 3PL. When an order is accepted through a shopping cart, the vendor receives all the information so the payment can be processed and the order started. When this data flows to the 3PL for fulfillment, only the recipient’s personal information gets passed – name, address, and so on. So, even if a would-be hacker intercepts the data or somehow hacks the 3PL’s systems, no financial information would be stolen.
Also keep in mind that the companies most likely to be targeted are large retail chains (like Target and Home Depot) or websites that store large amounts of user data (dating web sites, social media, etc.). These companies have tons of data and many points of access to that data, making them prime marks for hackers. Most 3PLs are not even on the radar for hackers.
Privacy Might Still be an Issue
Even so, an enterprising criminal could get away with hundreds or thousands of customer entries, including where those customers live and what they have ordered. This would be a massive breach of consumers’ privacy. That information could have value on the black market, especially for spammers and other…let’s just say less than reputable business people.
So, as a vendor, you should still be concerned about data security when contracting with a 3PL. You will want to know that your customers’ data is safe and secure, at all times, so that you can guarantee their privacy when ordering.
To that end, there are certain questions you should ask your 3PL to ensure that your customers’ data is safe. Granted, you cannot simply ask about their security measures. Sharing those measures would, itself, be a security risk. But there are roundabout ways that you can ask about data security without fishing for the exact details.
For example, you should ask:
– Does the 3PL follow standard procedures for upgrading software, installing patches, and keeping anti-virus and anti-malware software up-to-date? (Frequent updates and documented procedures signal a tighter, more secure system.)
– Are security procedures routinely audited? (Audits mean that the 3PL takes security seriously, and is more likely to have best practices in place.)
– How many people at the 3PL’s facilities have access to the entire database of customer data? Have they had any sort of security training? (Few people should have access to all the data, and they should know how to keep it safe.)
– Is there an audit trail in their logistics software? (Being able to track who did what, and when, makes troubleshooting easier and prevents problems from growing out of control.)
– If a data breach happens, what then? (Companies should always be ready for the worst.)
– If credit card processing is required, is the 3PL PCI compliant? (This is important for any vendor who might process cards on your behalf.)
– Does the 3PL have a written, documented plan which governs all the aforementioned points? Can they provide the appropriate parts of that plan? (Certainly they should not share specifics that would compromise the program’s security, but having written documents readily available is a sign that a plan is in place and part of operating procedures. If those documents are difficult to obtain, the 3PL might not have a written plan.)
– What do you suggest we do to help keep our data secure? (Data security does not fall solely on the 3PL. But they might have some suggestions to help you keep your data secure. Again, this is a sign they take data security seriously.)
Materialogic takes data security very seriously and honors the privacy of your customers. If you would like our answers to these questions, feel free to contact us.
Bill Young – Senior Vice President / Business Development