Page 1

4

19

The 7 Analytics in operational an age of impacts of AI disruption and CX PM 4 0 0 5 0 8 0 3

vol. 32 • No. 7 • July 2019

The Authority on Data-Driven Engagement & Operations

Security & Compliance Laws, rules and standards protecting marketers and customers

❱6

Why marketers must engage on cybersecurity

❱ 10 New directions, requirements to reduce fraud ❱ 11 Understanding Trademarks Act changes


// 3 Customer Centricity

❯❯4

Vol. 32 | No. 7 | July 2019

The 7 operational impacts of AI and CX

EDITOR Brendan Read - brendan@dmn.ca

Security

PRESIDENT Steve Lloyd - steve@dmn.ca DESIGN / PRODUCTION Jennifer O’Neill - jennifer@dmn.ca Advertising Sales Mark Henry - mark@dmn.ca CONTRIBUTING WRITERS Mike Aoki Yves Paquette Andrew Berthoff Ben Rafferty Richard Boire Stephen Shaw Robert Capps James Smith Isabella Jing Xie De Michelis di Colleen Spring Slonghello Zimmerman Michael DeSalles

❯❯12

CMA updates ethics code, practices, adds toolkit

❯❯12

Comparing Canadian and California privacy legislation

❯❯14

❯❯6

Why marketers must engage on cybersecurity

A new way to manage consent and privacy

LLOYDMEDIA INC. HEAD OFFICE / SUBSCRIPTIONS / PRODUCTION:

302-137 Main Street North Markham ON L3P 1Y2 Phone: 905.201.6600 Fax: 905.201.6601 Toll-free: 800.668.1838 home@dmn.ca www.dmn.ca EDITORIAL CONTACT: DM Magazine is published monthly by Lloydmedia Inc. plus the annual DM Industry Guide. DM Magazine may be obtained through paid subscription. Rates: Canada 1 year (12 issues $48) 2 years (24 issues $70) U.S. 1 year (12 issues $60) 2 years (24 issues $100) DM Magazine is an independently-produced publication not affiliated in any way with any association or organized group nor with any publication produced either in Canada or the United States. Unsolicited manuscripts are welcome. However unused manuscripts will not be returned unless accompanied by sufficient postage. Occasionally DM Magazine provides its subscriber mailing list to other companies whose product or service may be of value to readers. If you do not want to receive information this way simply send your subscriber mailing label with this notice to: Lloydmedia Inc. 302-137 Main Street North Markham ON L3P 1Y2 Canada.

❯❯7

Benefitting from music: The evolving business e-mail scams ethically and legally

❯❯8

Combatting look-alike domains

❯❯9

Engineering a security-conscious culture

Compliance

POSTMASTER: Please send all address changes and return all undeliverable copies to: Lloydmedia Inc. 302-137 Main Street North Markham ON L3P 1Y2 Canada Canada Post Canadian Publications Mail Sales Product Agreement No. 40050803

Twitter: @DMNewsCanada

❯❯16

❯❯10

New directions, requirements to reduce fraud

❯❯11

Understanding Trademarks Act changes July 2019

Features

❯❯17

AI: Interview with Gary Saarenvirta

❯❯19

Analytics in an age of disruption Excellent Execution

❯❯22

Investing in privacy and security DMN.ca ❰


// 4

Customer Centricity

The 7 operational impacts of AI and CX W

ith all the buzz regarding artificial intelligence (AI) and customer experience (CX) in the contact centre world, it is important to note some of the real-life successes and challenges presented by these trends. To explore and understand them here are the seven impacts of AI and CX at the operational level.

1 Mike Aoki is president of Reflective Keynotes

Inc. (www.reflectivekeynotes.com), a Toronto, Ontario-based training firm.

AI is harder to implement than expected. There is an old phrase in computing called “garbage in, garbage out.” That means the quality of your input determines the quality of your output. If an AI chatbot responses are the output, the input is your contact centre’s ability to predict common customer questions and conversation flows. That includes accounting for customer variations in grammar and spelling for chat and accents/ pronunciation differences in speech. Human input is needed to build the AI algorithms used for customer interactions. AI works well for easily mapped processes, such as FAQs and simple transactions, like online purchases. However, AI struggles with complexity, because the programming and human variables become too complex. That may change as programmes (and programmers) become more sophisticated. However, AI is still primarily used for basic customer interactions at this time.

2

AI can handle “easy” inquiries and therefore reduce the volume of contact centre agent interactions. Think of AI as being similar to an automated banking machine (ABM). ABMs are great for routine transactions, such as withdrawing money or checking your balance. But you still need to interact with a live customer service person for anything complex, such as disputing a bank charge or setting up an RRSP. AI can take care of simple inquiries and transactions. That reduces the overall volume of interactions for agents. However, those remaining interactions tend to be more complex and may take longer for your agents to handle.

3

AI means those remaining customer interactions require a higher agent skill set. Complex, emotionally challenging interactions require agents who are emotionally intelligent and able to creatively problem-solve. That requires additional training on communication skills, self-awareness, negotiation skills and analytical ability. So, constant training and coaching become paramount in this new environment.

4

AI changes agent hiring criteria and employee retention strategies. Have you updated your hiring criteria to reflect them? Are you testing for emotional intelligence? Are you evaluating candidates on their ability to problem❱ DMN.ca

solve? Have you changed your compensation package to attract and retain agents with this higher skill set? If not, you and your Human Resources team need to re-examine your hiring and retention strategies in the age of AI.

5

AI can also generate a backlash. Customers are catching on to AI. They may type “Are you a real person?” when confronted with a chatbot. Some customers do not want to deal with AI. Like when they press “0” as soon as they hear your IVR message. So, there will always be a need for agents to handle the subset of customers who prefer interacting with a real person, all the time.

6

Growing CX focus has changed the way organizations discuss “Customer Service”. CX creates a more holistic view of your customer’s interactions when dealing with your organization. It provides a framework to discuss the customer journey, company-wide customer touchpoints and customer effort reduction. It also shifts responsibility for improving customer relations from the contact centre to the whole organization. Done well, CX tools such as journey mapping, continuous improvement and customer effort reduction can improve CSAT (customer satisfaction score), NPS (Net Promoter Score) and profitability.

7

However, there is still a long way to go in organization-wide acceptance of CX at some companies. Many businesses still use “Customer Experience” as a trendy way to say customer service instead of truly focusing on the customer’s end-to-end experience. CX discussions are often limited to the contact centre rather than being organization-wide. Determining your company-wide CX goals, doing a “town hall” announcement and providing CX training for all employees are good first steps. However, you need to supplement that with the hard work of changing processes and eliminating customer frustration points in order to succeed. That means incorporating VoC (voice of the customer) and VoE (voice of the employee) for feedback and improvement. It also requires viewing CX as being a continuous journey of improvement rather than a destination. In many ways, AI represents the classic contact centre goal of improved efficiency, while CX symbolizes a philosophy of effectiveness in taking care of your customer base. The good news is that properly done, AI can enhance the CX by quickly handling routine transactions. AI is like a superhero’s sidekick, who takes care of mundane aspects of the job, while freeing your agents to tackle the more complex, emotionally intelligent interactions with your customers. July 2019


Marketing Success Word Search

25-30% of contact data goes bad each year, causing poor response and lackluster sales. Time to step up your game! The key to marketing success – clean data. Melissa Direct can help! Increase sales, build better brand awareness and improve customer retention. Try our fun word search to learn more!

Word Bank D

M

C

M

H

I

M

A

D

G

M

P

J

B

N

E

N

I

C

O

A

R

A

O

B

E

M

A

I

L

M

A

R

K

E

T

I

N

G

V

S

R

• Address Verify

S

V

N

E

U

C

I

V

Z

S

Y

A

O

X

H

A

Z

U

W

X

Q

• Canada Post NCOA

W

T

S

V

Y

S

L

G

X

T

O

C

J

S

Q

H

T

F

C

I

S

A

Z

U

M

E

L

I

S

S

A

D

I

R

E

C

T

E

M

A

Y

A

B

L

M

F

P

F

N

N

G

T

D

I

Y

S

Z

V

O

G

N

T

D

M

G

E

A

O

U

G

W

E

O

A

Z

D

D

A

I

N

X

A

P

D

E

E

R

Y

R

S

S

X

S

S

M

S

L

S

V

I

Y

D

D

H

R

T

O

S

P

K

S

O

A

U

X

S

L

D

V

K

X

N

K

A

Q

E

S

G

A

E

E

F

F

Q

C

N

T

S

R

C

V

A

W

F

P

S

S

R

R

L

M

M

T

T

I

C

A

Y

Z

A

G

E

F

U

N

O

Y

S

I

A

E

G

S

N

W

V

E

D

U

R

Z

L

L

I

R

U

S

V

V

D

P

S

Q

U

T

A

W

S

R

T

Z

C

I

E

D

I

E

T

W

E

Q

H

L

O

C

Y

R

Q

S

R

W

B

S

S

B

S

N

Y

N

K

R

J

I

E

A

W

N

E

M

O

C

I

Y

H

T

J

F

L

Y

C

L

I

• Phone Append

P

C

A

P

R

O

W

T

T

M

C

E

Y

H

P

S

O

E

O

U

F

• Success

A

D

D

E

M

A

I

L

V

E

R

I

F

Y

T

R

T

S

A

A

Y

S

A

S

Z

R

S

U

D

B

T

W

S

Y

G

H

A

Z

W

T

D

H

H

T

X

K

I

E

S

N

S

I

R

Y

C

I

P

D

O

B

R

X

S

M

A

B

V

T

U

M

A

M

G

A

G

Y

E

F

S

W

H

R

W

O

K

Q

B

Y

A

R

U

X

Q

V

P

H

O

N

E

A

P

P

E

N

D

F

E

N

G

V

E

S

S

N

B

V

P

K

E

Z

U

P

U

S

Z

W

W

W

N

A

D

J

A

I

E

L

E

M

O

S

S

A

T

C

E

K

L

• Consumer Sales Leads • Geographic Data • Email Marketing • Email Verify • List Hygiene • Mailing Software • Melissa Direct

• Business Sales Leads • Web Visitor Tracking

Bonus word challenge: What is the key to marketing success?

Once complete, scan and send to marketing@melissadirect.com for 1,000 free sales leads + a chance to win $100 Amazon gift card!

Melissadirect.com/dm-search

1-800-MELISSA


// 6

Security

Why marketers must engage on cybersecurity By Yves Paquette

A

lthough marketing professionals are naturally concerned about data confidentiality, data security is generally not very high on their priority lists mainly because they feel that it is the responsibility of other company employees. However, the recent introduction of stricter requirements in personal data protection legislation should make them verify whether the data they use are sufficiently well protected. Since November 1, 2018, all organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) must report to the Privacy Commissioner of Canada “any breach of security safeguards involving personal information…that poses a real risk of significant harm” to individuals. Organizations are therefore now required to keep records of all breaches and notify affected individuals about those breaches. That said, the definition of “significant harm” is relatively broad, including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”. If all the information in your databases was exposed to the light of day, couldn’t one or more of your customers or prospects very well suffer harmful consequences? Companies that do not adequately protect the personal data in their possession are liable to be fined up to $100,000 for each offence, not counting other financial losses resulting from potential litigation. In addition to potential liabilities, these companies also run a major risk of damage to their reputation. This reputational risk is all the more serious given that Canadians are ❱ DMN.ca

particularly wary about how their personal data are used, and in fact are amongst the most mistrustful in the world. According to a recent KPMG study, nearly two thirds of Canadians don’t trust any organization to look at or hold their personal data with nearly one third (31%) unwilling to share their personal data for any reason1. Cyberthreats on the rise Alongside the above, perhaps not coincidentally, cybersecurity is a growing critical issue. It remains the Achilles’ heel for most businesses across the country. According to the 2019 NOVIPRO/ Léger IT Trends Survey2 of 476 decision-makers in Canadian companies with 100 or more employees, 28% acknowledge that they have already fallen victim to a cyber attack. Since most cyber attacks are not detected—including some attacks that successfully gain access to IT systems—the proportion of companies that have been hacked is certainly higher. Cyberthreats to companies are becoming increasingly numerous and varied because of growth on two fronts: ❯❯ First, the number of malware programmes is constantly increasing, with no fewer than three million new instances identified daily; and ❯❯ Second, the attack surface that companies offer hackers is expanding. In practice, the more the number of connected devices (e.g. laptops, phones, tablets, watches) used by a company’s employees, the more vulnerable the company becomes because these devices are endpoints that expand the perimeter of its network and constitute potential targets. At the same time, increasing use of cloud computing services disperses the company’s data into many environments, each with its own vulnerabilities.

If hackers access your databases, they can demand a ransom by making various threats, such as to destroy or publish your information or sell it to a competitor. Spies can also attempt to obtain strategic information about a new product that you’re preparing to launch. If you’re operating in a sector that has generated controversy or public debate (e.g. the energy or food sectors or industries considered to be polluters or corruptionprone), hackers can try to harm you by divulging confidential information. You might think that another manager in your organization is on top of cybersecurity and is fully aware of the obligations you need to meet. I sincerely hope your confidence is well placed! The fact is that companies generally do not seem prepared to meet the new data breach requirements with respect to notification. According to the 2019 NOVIPRO/Léger IT Survey, only around half of the companies polled (49%) would write a note to their clients in the event of a data breach, even though the survey was conducted shortly after November 1, 2018: the date on which the data breach notification obligation came into effect. Other worrisome news: only 40% of Canadian companies performed a security audit last year. Too many managers believe that their company is protected because it has a firewall and uses antivirus software, when, in fact, these solutions are often outdated and inadequate in meeting current cyber threats. A host of solutions and options There are a wide range of effective products to protect and defend organizations against cyber attacks. Here are just two examples: ❯❯ First, tools that give organizations a 360-degree view of their networks in order to

❯❯

control access, track the activity of each connected device, and detect any deviant or suspect behaviour; and Second, security information and event management (SIEM) systems that can analyze security alerts in real time, facilitate a rapid response and determine how to counter any similar attacks in the future.

What’s more, specialized datasecurity firms can conduct security audits on your organization and help you perform “penetration tests” both externally and internally. These firms can also scan all your apps and other software that have been developed in-house or by contract developers in order to ensure that these programmes do not represent any risk for your company or its clients. You can also entrust the hosting of your critical data to a firm that operates a secure data centre. Even if you prefer to host your data in-house, given the scarcity of data-security personnel, you can ask an external partner to act as a managed security service provider. If necessary, an expert consultant can also play the role of Chief Information Security Officer (CISO) for your organization in order to fill any gap in your management team. Whatever the options are that best meet your company’s needs, you—as a marketing professional—clearly have everything to gain by ensuring that all your organization’s critical data are “cyber secure”. Yves Paquette is co-founder and president,

NOVIPRO (https://novipro.com). Yves uses the knowledge acquired during the last 30 years of his career to assist companies in their transformation. Since NOVIPRO was founded in 1993, the company has continued to grow and adapt to technological changes and market realities. 1 KPMG, “Me, my Canadian life, my wallet”, 2018. 2 NOVIPRO/Léger, “IT portrait of Canadian medium and large sized companies”, February 5, 2019.

July 2019


// 7

Security

The evolving business e-mail scams By Robert Capps

A

bout 35,000 executives from some of the world’s biggest banks and mortgage companies never imagined themselves as being on a cyber hit list, until they were. Cybercriminals with hopes of tricking executives into money transfers embarked on a very professional business e-mail compromise (BEC) scam discovered by security researchers at Agari1. They uncovered such a plot against its own CEO, who tipped them off to the gang’s activities. The gang, known as London Blue, are of West African origin, apparently centered around Nigeria, a region known for its well-organized cybercriminals that perpetrate scams, including the infamous “Nigerian Prince” advance-fee scam. London Blue operates as an incredibly organized network across multiple countries, including Western Europe and the United States. Their targets range in size, from independent businesses to multinational corporations, but one thing remains constant: the targets are always people who have financial responsibilities within an organization. CEOs, CFOs, accountants and financial executives are all ripe for the picking. BEC scams If normal phishers are hoping to hook an ordinary fish with their scams, business e-mail July 2019

compromise scammers are looking for whales with access to significant money. BEC scams are a form of highly targeted phishing attacks, which work to impersonate a member of an organization in order to extract money from that organization or an associated business, such as a supplier or a customer. Cybercriminals also rely on something which is a lot harder to change: human nature. Often jobs in large organizations, and particularly jobs with a financial remit are extremely fast-paced and high-stress environments, where there is a company-wide emphasis on moving quickly on decisions. Disguised as insiders, the gang does their homework to target executives with professional documentation and e-mails that would fool the savviest. They impersonate everyone from third-party business contractors to actual customers and utilize document forgeries that anyone would be hard-pressed to discern from the real thing. Combined with spoofed e-mails, made all the easier by the advent of businessfocused social media channels such as Twitter or LinkedIn, the trap is complete. These BEC attacks have been devastatingly effective as noted by the FBI that found in 2018 alone, over 350,000 BEC scams reported, which generated losses to American businesses amounting to $1.2 billion2.

What’s to be done? Awareness training and educational measures are the first line of defence against such targeted scams. Employees should be closely reviewing all e-mails, especially those that are slightly unusual, to look for tell-tale signs of a scam. Employees should ask themselves: ❯❯ Is the content of this e-mail unusual, especially if it is someone the organization has dealt with on a regular basis? ❯❯ Is the structure of the e-mail unusual? Sometimes the biggest giveaway in these intrinsically human scams is in fact, human. Refer back to known, legitimate e-mails from that sender: are they structured or written in the same way? There are other steps companies can take. Any wire transfers or transactions involving significant amounts of money should be double-checked by phoning the recipients and confirming the transaction, using well known and vetted contact information. Companies should also run targeted phishing campaigns against their staff and see who takes the bait. For those that keep clicking, more education is warranted. For those who spot a fake, some type of rewards system should be instituted. Technology, combined with education is the best line of defence. While cyber gangs like London Blue

can steal credentials and passwords, next-generation technologies such as passive biometrics are still able to detect if it is the right person behind the device. Passive biometrics are able to identify people online by their behaviour within an online account both inside and outside a company. This type of technology is able to detect hundreds of unique identifiers such as how hard someone types and how fast they go from page to page all the way to device identification and more. It is these types of technologies that can identify the human behind the device, so that even if a scammer gets a hold of legitimate documents, credentials, passwords and creates the perfect fraudulent e-mail, they can still be unmasked and stopped. Technologies such as behaviour-based authentication frameworks that detect the user’s unusual activities paired up with money laundering systems can flag suspicious transactions. Robert Capps is vice president and

authentication strategist for NuData Security (https://nudatasecurity.com), a Mastercard company. He is a recognized technologist, thought leader and advisor with over 20 years of experience in the design, management and protection of complex information systems, leveraging people, process and technology to counter cyber risks. 1 Agari, “London Blue UK-Based Multinational Gang Runs BEC Scams like a Modern Corporation”, report, April 2019. 2 Lindsey O’Donnell, “FBI: BEC Scam Losses Almost Double To Reach $1.2 Billion”, Threatpost, April 23, 2019.

DMN.ca ❰


// 8

Security

Combatting look-alike domains By Jing Xie

C

yberattackers use many methods to lure people into divulging their private information while online. One of the most effective ways is by creating lookalike domains that share some of the same characters in their URLs as legitimate domains. Malicious look-alike domains use many techniques to fool users, including: ❯❯ The addition of other characters to the spoofed URL (e.g. “gooogle.com” for “google.com”); ❯❯ The use of characters (homoglyphs), which are different from the legitimate domain but, at a glance, look identical to the spoofed URL (e.g. “retai1er.com” for “retailer. com”); ❯❯ The use of homophones, which have the same sounds but have different spellings and meanings (e.g. new and knew); and ❯❯ The use of internationalized domain names (IDNs) that use international character sets (Unicode) translated into American Standard Code for Information Interchange (ASCII) characters. They cannot be differentiated from legitimate, trusted URLs when translated (e.g. “apple.com” for “apple.com”, the former has a Cyrillic “a” and the latter has a Latin “a”). Threat actors can make their lookalike domains appear even more authentic in two key ways. First, they create web sites that mimic their legitimate counterparts, even down to the last pixel. The second is through the use of transport layer security (TLS) certificates, which act as machine identities to reassure customers (as well as search engines) that the web sites are safe to use. The scale of look-alike threats To better understand the scope of this problem, Venafi analyzed the look-alike domains of the top 20 retailers in five key markets—the U.S., U.K., France, Germany and Australia—in June 2018. After ❱ DMN.ca

discovering an alarmingly high number of look-alike domains associated with these retailers, we found that a high percentage of these domains have been validated with legitimate TLS certificates. While look-alike domains are not all necessarily malicious, many of them have been used with malice. Unfortunately, the legitimacy of a certificate does not indicate that the domain is for a non-malicious purpose.

Malicious lookalike domains use a variety of techniques to fool users. The prevalence of look-alike domains with ambiguous legitimacy, and the lack of effective means in telling their legitimacy with certainty, can create extra challenges for direct and digital marketers. Especially as entire campaigns typically revolve around clickable hyperlinks. To trick consumers into visiting malicious look-alike domains, cyberattackers often create phishing e-mails that resemble official marketing campaigns. This means marketing teams of all sizes must devise strategies to monitor, track and analyze the number of look-alike domains, particularly those that are certified through legitimate channels. This will help protect their customers from being tricked into using phishing sites that mimic their own campaigns. To begin, digital and direct marketing teams need to work with their companies’ IT staff to institute customer (and customerfacing employee) awareness initiatives on the risks posed by these look-alike domains. Not only would such initiatives help prevent customers from becoming victims

of suspicious domains, but they also illustrate an organization’s concern for the well-being of its customers. This is a great way to encourage safe practices, persuade more people to participate in future campaigns and, ultimately, increase revenues. Depending on the scenario, you can then follow these recommendations to minimize the risks posed by suspicious lookalike domains that have a high chance of being malicious: ❯❯ Search and report suspicious domains using Google Safe Browsing. Google Safe Browsing is an industry anti-phishing service that identifies and blacklists dangerous web sites. You can report a domain at https://safebrowsing.google. com/safebrowsing/report_ general/; ❯❯ Report suspicious domains to the Anti-Phishing Working Group (APWG). The APWG is an international volunteer organization that focuses on limiting cybercrime perpetrated through phishing. You can report a suspicious domain at https://www.antiphishing.org/ report-phishing/, or send an e-mail to reportphishing@apwg.org; ❯❯ Add Certificate Authority Authorization (CAA) to the domain name system (DNS) records of domains and subdomains. CAA is a methodology that lets organizations choose which certificate authorities (CAs) they use for certificate issuance. It is an extension of the domain’s DNS record, supporting property tags that let participating CAs know that the domain name owners obtain their certificates from specific sources. For example, if an organization names a specific CA like Comodo, the CAA lets other CAs know that any attempt to obtain certificates for that domain is invalid and should not be issued. Because CAA is a relatively new framework, its utility is limited and only works with

❯❯

CAA-compliant CAs. While threat actors can easily get fraudulent certificates from non-compliant CAs and spoof domains, adoption of the CAA framework is growing, and your organization will see the benefit of adding it to your DNS records over time; and Leverage software packages to search for suspicious domains. If you already use copyright infringement software to stop unauthorized use of your logo or brand, check to see if it also provides antiphishing functionalities. Many of these software packages seek out and compile suspicious domains that, because they are mimicking your web site, fall under copyright infringement and may be shut down through legal action based on laws like the U.S. Digital Millennium Copyright Act.

Finally, consider investing in a more comprehensive security suite. Most of the recommendations above address what to do once you’ve discovered a look-alike domain that abuses your brand for phishing. But how do you find these sites as they pop out? As mentioned earlier, copyright infringement software can help with this. However, organizations benefit when they approach the search from a security perspective, not just a copyright standpoint. Direct marketing can exist entirely online. Every time someone clicks a link in your campaign, that’s a win for your organization’s bottom line. By watching out for malicious lookalike domains, you are making sure that your online presence is guarded, and your reputation is protected. For more information on lookalike domains and what you can do to protect yourself, please visit https://www.venafi.com/resource/ Venafi-Research-Brief-The-RiskLookalike-Domains-Pose-toOnline-Retailers. Jing Xie is senior threat intelligence analyst,

Venafi (www.venafi.com). July 2019


// 9

Security

Engineering a securityconscious culture By Michael DeSalles

L

et’s be honest: contact centre agent fraud, within captive or outsourced contact centres, represents one of the most significant security threats facing organizations. For example, one of the most common fraud practices is for a contact centre agent to change a customer’s postal address with the intent to place a new order for a warranty replacement item. The dishonest agent then ships the product to an accomplice or to their own address. There are other reasons why contact centres are vulnerable to fraud. Contact centres are known for large employee populations and high turnover. Combine that with access to personally identifiable information and you have the potential for agent fraud. One can point to several obvious sources of contact centre “insider” entry points. 1. Agents, supervisors, quality analysts, account managers and other employees. 2. Contractors (maintenance teams, catering and food vendors, janitorial crews, construction workers). 3. Third-party suppliers of computer equipment/software and office equipment. 4. Telephony providers and electrical subcontractors. 5. Visitors (clients, prospects, analysts, press corps, consultants). Certifications are not enough! Consider this: security certifications are certainly very important. But in and of themselves they aren’t comprehensive enough to prevent and detect contact centre fraud. Every day, agents make a conscious decision to either commit fraud or behave honestly. If we accept the fact that a high percentage of fraud occurs from within, then organizations must consistently and responsibly: July 2019

❯❯

❯❯

Authenticate the identity of the agent with something the person knows and is; and Track agent activity with technology across multiple sites and geographies.

Using information that only the agent knows, in combination with verifying who they are, provides a much more secure environment in the enterprise. Hardening facilities Controlling access is a critical strategy both to prevent individuals from being in areas where they do not have authorization and to thwart (and stop) illegal activities. Here is a partial list of rigorous facilities controls that Frost & Sullivan analysts have observed in contact centre sites across the globe: ❯❯ Written security policies and building access procedures, including signage and posters on security; ❯❯ All visitors must be logged and admitted through reception; ❯❯ ID badge systems for all employees and visitors; ❯❯ Prohibiting badge-sharing and piggyback entry; ❯❯ Card key, biometric or similar entry locks; ❯❯ Individual lockers to enforce a clean desk policy; ❯❯ 24/7 onsite security guards; and ❯❯ Video surveillance and motion sensors for entrances, interior doors, equipment cages and critical equipment locations within the building. Creating a culture of safety and protection But all the best systems and measures to prevent fraud won’t significantly help unless the company and staff buy into it from top down. Therefore, it becomes imperative that there is an institutional security culture baked into the DNA of the organization. Here are some steps to take to

create this culture. 1. Leadership. The CEO must support security with a system of internal controls and security measures to ensure the privacy of critical customer data. Consider a council or executive body that governs security worldwide. 2. Security organization and management. There should be a separate security organization (not part of IT) that reports directly to a C-level executive with experienced executives with extensive backgrounds. This organization would be responsible for creating and managing employee and vendor (particularly contact centre outsourcer) background check programmes. It also would be responsible for procedures like insider-threat detection and access management and would work with IT security. It would conduct end-to-end security analytics and behaviour analysis to detect and thwart attacks and insider fraud. 3. Fraud risk assessment. Perform regular comprehensive vulnerability assessment analysis of your applications and processes. This process typically generates a list of fraud “opportunities”. One of the outcomes could be to create remediation efforts to eliminate those opportunities in agent recruiting, training and daily operations. 4. Certifications and compliance. Employ a team of Certified Information Systems Security Professional (CISSP)certified information security experts and fraud risk analysts and conduct independent audits. Ensure that the company is in full compliance with the strictest internationally recognized security standards and with the regulations in the countries you market to and serve across industry verticals.

5. Technology. Develop special processes, tools and platforms designed to make the contact centre environment more secure. As examples utilize data loss prevention system and intrusion detection systems. 6. Security hotline. Set up an internal fraud hotline at each site that allows employees to report suspected fraudulent activity. Most critically, educate all employees on the dangers of fraud and on how these acts harm them, their customers and the company. Building daily awareness with employees is a fraud deterrent in and of itself. Making anti-fraud operational best practices part of your company’s DNA goes a long way in supporting and embracing security as not only “the right thing to do”, but also a competitive advantage for the future. Make no mistake. Contact centre security is complicated, multifaceted and difficult to manage particularly across multiple sites, countries and regions. It takes C-level support and millions in resources and investments. It is challenging, but not impossible, to build a security-conscious culture within the entire organization: reinforcing customer trust, reducing agent churn and uncovering gaps that may put clients’ intellectual property at risk. Frost & Sullivan believes that a truly effective contact centre security programme is proactive in not only understanding the current threat environment, but also detecting the kind of fraud that insiders will commit in the future. Michael DeSalles is a principal analyst, with

consulting firm Frost & Sullivan (www.frost.com). He has over 25 years of industry experience spanning contact centre operations management, customer service and support, agent supervision, sales training and project management. DMN.ca ❰


// 10

Compliance

New directions, requirements to reduce fraud By Ben Rafferty

N

ew guidance and compliance changes have been recently implemented aimed at reducing (and responding to) the growing data and payments fraud threats. Here are the most pertinent ones that Canadian contact centres should be aware of. Revised PCI guidance The Payment Card Industry Security Standards Council (PCI SSC) unveiled its revised guidance for Protecting Telephone-based Payment Card Data in late 2018. Updated for the first time since 2011, it provides direction to ensure compliance with the PCI Data Security Standard (PCI DSS), which applies to any merchant in any country accepting card payments. The guidance also provides critical technology and process recommendations to secure payments and keep customer data safe. Here’s a summary: ❯❯ Additional call recording controls. Call recordings may contain cardholder data (CHD) and sensitive authentication data (SAD) even when pause and resume technology is in use. Recordings that contain CHD/SAD must be securely deleted, while contact centres should only allow single call recordings to be retrieved or listened to by authorized senior managers. The guidance also provides considerations around monitoring the effectiveness of controls for call recordings with, in particular, data leak detection and protection; ❯❯ Pause and resume solutions need more supervision. A proper pause and resume solution could reduce the applicability of PCI DSS by taking call recordings and storage systems out of scope, but the technology does not reduce PCI DSS applicability to the agents nor their desktops, phone or chat environments. The new guidelines specify a need for ❱ DMN.ca

❯❯

❯❯

greater supervision of manual systems and prescribe testing for automated systems; Be careful with VoIP and softphones. The adoption of VoIP and softphones create an opportunity for massive scope creep as they are often connected to the desktop environments for processing payments. Therefore, contact centres that do not segment their data and telephony networks will require a host of additional PCI DSS controls; and Embrace dual-tone multifrequency (DTMF) masking. Recommendations for DTMF masking stand out within the guidance as one of the most effective solutions for keeping sensitive authentication data completely out of the contact centres and maintaining PCI DSS compliance. DTMF masking solutions can be used to securely capture and process credit card payments taken over the phone. But beware of “DTMF bleed”. The guidance warns that a misalignment of the masking, allowing even twothree milliseconds of the digit’s sound to be exposed, will bring you back into scope for PCI DSS. Check that your solution has built-in bleed prevention.

New merchant requirements Visa Canada released its new compliance requirements in October 2018 through the Visa Contactless Payment Specification, which is outlined below. These changes have been expanded to include all e-commerce transactions and to those Canadian merchants taking telephone payments: ❯❯ EMV technology. With the introduction of EMV technology, Visa found that as of July 2017, almost 93% of Canadian-acquired card present transactions have been via chip-and-PIN. However, a small number of merchants have yet to adopt chip technology

❯❯

terminals and are consequently continuing to put consumers’ payment card information at risk. Because of this, Visa has made it a requirement that all merchants be chip-enabled by October 2020; Contactless payments. Contactless payments are also becoming more prevalent. In fact, the majority of contactless terminals in Canada support both magnetic stripe data (MSD) and quick Visa Smart Debit/ Credit (qVSDC) transactions. But they have also been used for fraud, where criminals have used mobile applications to emulate Visa MSD contactless magnetic stripe transactions and use a transmitter that replicates the authentication data, either on a cloned card or a mobile phone, at merchants with contactless acceptance. As a result, Visa will require that effective October 2019, all contactless acceptance devices in Canada not support MSD; and

order transactions if the data is provided in a written format. This reduces potential for that information to be stolen and used fraudulently. It should be noted that these changes will not be applicable for credential on file, recurring or installment payments or Visa commercial card virtual account and digital wallet transactions. How these changes help These new guidance recommendations and compliance changes are helping merchants combat new-age security and privacy risks associated with making credit card payments. As merchants accept more payments over traditional and new communication channels—such as VoIP, web chat, softphones and chatbots—adhering to compliance best practices and implementing new technologies will become even more critical to keeping customer data safe and avoiding costly fines.

The guidance provides critical technology and process recommendations. ❯❯

CVV2 Codes. Since October 14, 2017, all new e-commerce or telephone order merchants have been required to capture Card Verification Value 2 (CVV2) and include them in the authorization requests during Visa transactions. Further, if an issuer approves a “no-match” transaction—for example, a CVV2 is provided but it doesn’t match the cardholder’s account—the issuer is 100% liable for that amount. This offers an added layer of protection for merchants. Additionally, all merchants in Canada are now prohibited from requesting CVV2 for mail-

We encourage all merchants to take full advantage of the new compliance and recommendation resources available to them so they can prepare for the future. For more information on PCI DSS visit: https://www.pcisecuritystandards.org and on Visa’s Contactless Payment Specification visit https://technologypartner.visa. com/Library/Specifications.aspx Ben Rafferty is responsible for heading up

product innovation at Semafone (https://semafone.com): advising on new product development and new markets and technologies to facilitate customer compliance programmes.

July 2019


// 11

Compliance

Understanding Trademarks Act changes By Colleen Spring Zimmerman

individual, domestic company or foreign company) can obtain registration of the mark without proving any use of the mark. This means that any applicant filing in Canada can obtain registration for a trademark regardless of whether it has used the mark in Canada. This could result in “brand trolls” trying to take the rights of legitimate brand owners, which have not moved to obtain registration of their rights. This will result in the legitimate brand owners having to be more proactive in terms of registering and protecting their brands;

O

n June 17, 2019, Canada’s Trademarks Act changed, resulting in its modernization. Canada has now joined five international intellectual property treaties, including the Madrid Protocol, Singapore Treaty and the Nice Agreement, all related to trademarks. There has been a great deal of activity to get ready for the changes. To implement the changes, the Canadian Trademarks Office had to update its technology, hire and train new staff and modify its processes and procedures. It also held national training events and webinars to inform the public. Lawyers and agents who work in the trademark field have had to alter their processes and procedures and learn about the consequences. Here are the highlights: ❯❯ The definition of “trademark” has been broadened. The new definition includes a word, personal name, design, letter, numeral, a colour, figurative element, three-dimensional shape, hologram, moving image, mode of packaging goods, sound, scent, taste, texture and the positioning of a sign. Canadians can now be innovative in the type of trademarks they protect. Therefore, applications can be filed, and registrations obtained, for this broader array, which can give Canadian businesses broader trademark rights with their registrations. Canadians should consider expanding their portfolios of registered marks; ❯❯ Removal of the “use” requirement. This is significant as the requirement to allege use had been fundamental to obtaining registration. A trademark application and subsequent registration now do not have to include any claim to use of the trademark in Canada or elsewhere in the world. As well, the applicant (e.g. July 2019

❯❯

❯❯

higher than prior to June 17; and The trademark registration renewal time has been shortened and fees increased. Before June 17, 2019, a Canadian trademark registration was valid for 15 years. Now each registration must be renewed within 10 years of the date of registration. The renewal fee is now $400 for one Class and $125 for each additional Class. If these fees are not paid, the registration is cancelled; and The number of Opposition Proceedings may increase. The above changes are and will be affecting other aspects of

Canadians can now be innovative in the type of trademarks they protect. ❯❯

❯❯

Preparing a trademark application where there are many goods and services associated with the mark is more complicated. The goods and services must now be classified according to the Nice Agreement, an international treaty administered by the World Intellectual Property Organization or WIPO. The Nice Classification defines 45 Classes of goods and services. There are 34 Classes for goods and 11 Classes for services. The trademark application must set out the goods and services in these Classes; Filing trademark applications costs more. The base government filing fee is now $330 for one Class of goods or services and $100 for each additional Class of goods and services. Therefore, a trademark application that is filed for a number of goods and services in various Classes will result in government filing fees that are

the trademark process. Each application (once it has passed examination by a Trademarks Office examiner) is advertised in the Trademarks Journal for the purposes of opposition. Any member of the public may oppose the registration of that mark. In Opposition Proceedings, the opponent sets out the reason why it objects to registration of the mark. The possible grounds for opposition are set out in the Trademarks Act and can include previous use of the trademark or a similar trademark by the opponent. Brand owners will need to monitor applications as they are advertised. In the future, there may be more Opposition Proceedings to trademark applications as brand owners move to protect their preexisting rights. For the last year or so, applications for trademark registration have been taking longer to process

as the Trademarks Office has been ramping up to implement the processes and procedures necessary for these changes. These delays have been anywhere from months to a year. This will continue for some time. The Madrid Protocol Through these changes, Canada has joined the Madrid Protocol. Canadians can now file trademark applications for protection of their marks outside Canada with the WIPO, which also administers the Madrid System. Previously, Canadians seeking to protect their marks in foreign countries or geographical areas had to file applications in each country/ area individually. Now, Canadian applicants can file for trademark protection in a number of countries or geographical areas by filing one application and paying one set of fees to WIPO to obtain an international registration, which is a bundle of national registrations. Currently, the Madrid System has 103 members, covering 119 countries, representing more than 80% of world trade. Obtaining registration through the Madrid Protocol processes results in one registration to renew, which may be renewed every 10 years with the payment of one fee. Having access to this system is a great benefit to Canadians interested in protecting their marks outside Canada. Before the changes came into effect, the Canadian Marketing Association held its “Future-Proof Your Brand – Trademark Changes In Canada” event on March 27, 2019 to educate its members. Trademark and brand experts spoke on these changes and needed future steps for protecting marks in Canada. Colleen Spring Zimmerman practices

intellectual property law including trademark law at Fogler Rubinoff LLP (http://foglers.com) in Toronto, Ont. You can contact Colleen at cspringzimmerman@foglers.com. DMN.ca ❰


// 12

Compliance

CMA updates ethics code, practices, adds toolkit

T

he Canadian Marketing Association (CMA) (www.the-cma.org) has recently released revisions to its Code of Ethics and Standards of Practice to help Canadian marketers maintain high standards of professional conduct and strengthen their knowledge of compliance requirements. “Marketing has the power to transform business,” said John Wiltshire, president and CEO of the CMA. “The CMA Code of Ethics and Standards of Practice helps

marketers realize the economic benefits of their work and provides the knowledge to maintain high standards of conduct and ensure greater consumer confidence.” One key aspect of the Code revisions is a new section on best practices in agency search, developed by agencies and brands through a collaborative process. These best practices address the need for companies to clearly articulate budget and scope at the outset of a request for proposal (RFP) process, including appropriate financial

disclosure, limits on speculative work, non-disclosure rules and debriefing practices. The CMA has created an “Agency Search Toolkit” for agencies and clients to help navigate the RFP process. The toolkit includes the following items, which will be released throughout the summer: ❯❯ Blog describing the initiative; ❯❯ Principles of agency search; ❯❯ Application of principles to searches in the not-for-profit sector; ❯❯ Application of principles for

❯❯

searches for PR agencies; and Preparing an effective procurement brief.

Other changes to the Code reference evolving best practices in cannabis marketing, environmental citizenship and promotional contests. The CMA’s Ethics and Standards Committee is continuing to review the Code of Ethics and Standards of Practice. A second set of updates is expected to be released later this year.

Comparing Canadian and California privacy legislation The following chart, compiled by the Canadian Marketing Association (CMA), compares some of the key provisions of Canada’s privacy law with the new California privacy law. Both have extraterritorial application. A more comprehensive chart is available to CMA members at www.the-CMA.org. Prepared May 30, 2019. CANADA

CALIFORNIA

Legislation

Personal Information Protection and Electronic Documents Act (PIPEDA)

California Consumer Privacy Act (CCPA)

In effect date:

January 2004

July 2020 (postponed from January 2020)

Fines:

Fines of up to $100,000 can be imposed, but only by the Federal Court.

Attorney General may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. Once organizations are given notice of a violation, they are given a 30-day grace period to rectify.

Private right of action:

In certain circumstances, the Federal Court may award damages to a complainant.

The CCPA establishes a private right of action for data breaches involving specific types of personal information. Individuals may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief.

Applies to who:

Private-sector organizations in the course of for-profit, commercial activities. Federally regulated organizations (e.g. banks, airlines) and their related employee information.

Any for-profit entity doing business in California.

Excludes government institutions covered under separate legislation. Excludes private sector organizations that operate entirely within a province with substantially similar privacy legislation (Alberta, British Columbia and Quebec).

Organizations must meet at least one of the following criteria: a) generates annual gross revenue in excess of $25M, b) receives or shares personal information of more than 50,000 California residents annually or c) derives at least 50% of its annual revenue by selling the personal information of California residents. Also applies to any entity that either: a) controls or is controlled by a covered business or b) shares common branding with a covered business.

❱ DMN.ca

July 2019


// 13

Compliance

Applies to what:

Consent:

CANADA

CALIFORNIA

“Personal information”: Information about an identifiable individual (other than business contact information of an individual that an organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession).

“Personal information”: Information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.

Organizations are required to obtain meaningful consent, meaning individuals are provided with clear information explaining what organizations are doing with their information.

May be implied (in principle no express consent required).

Consent may be express or implied, depending on the circumstances and the type of information, and can only be required for the specified business purpose.

Includes a broad definition drawing in a list of data categories related to the consumer and their household. Excludes information that is in publicly available government records, aggregated or de-identified data and personal information covered by sector specific legislation (e.g. health data).

May be withdrawn at any time in a way that is clear, conspicuous and accessible. Minimum age of consent is 16 years.

Consent may be withdrawn, subject to legal/contractual restrictions and reasonable notice. Exceptions apply, including compliance with legal obligations. No minimum age of consent stated, but typically valid from age 13 according to OPC [Office of the Privacy Commissioner of Canada] guidelines. Security and safeguarding responsibilities:

Individual rights:

Appropriate to the sensitivity of the information, an organization must adopt security safeguards to protect the personal information in its custody and control.

Although specific safeguards aren’t explicitly included, organizations must implement reasonable security measures appropriate to the nature of the information.

Organizations must implement applicable policies and practices to give effect to PIPEDA, including: a) designating one or more individuals who are accountable for the organization’s privacy compliance, b) implementing procedures to protect personal information, c) establishing procedures to receive and respond to complaints and inquiries and d) training staff and communicating to staff information about the organization’s policies and practices developing information to explain the organization’s policies and procedures.

No obligation to appoint a designated officer.

PIPEDA includes the following rights for individuals: a) the right to access personal information under the custody or control of an organization, b) the right to have one’s personal information be accurate, complete and up-to-date, c) the right to have one’s personal information be amended when an individual successfully demonstrates the inaccuracy or incompleteness of personal information and d) the right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

CCPA includes the following rights for individuals: a) the right to request information, b) the right of portability, c) the right of deletion, d) the right to opt-out and obligations to inform and e) the private right of action.

No right to be forgotten (no search engine de-indexing). No right to data portability. Mandatory data breach notifications:

An organization must: a) report to the OPC any breach of security safeguard involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual and b) notify the individuals.

While the CCPA does not include a data breach notification requirement, California has a separate, pre-existing, data breach notification law: the California Security Breach Information Act.

Retention of information:

For such a time as is necessary for the purposes identified, or to allow the individual to exhaust any appropriate legal recourse.

For such a time as is necessary to allow the individual concerned to exercise their rights of access to information, but for a period not exceeding 12 months.

Principle Resource • Karl Delwaide, Antoine Aylwin and Antoine Guilman. “Comparative Table of Personal Information Protection Laws”, Fasken, May 2019.

July 2019

DMN.ca ❰


// 14

Compliance

A new way to manage consent and privacy By Isabella De Michelis di Slonghello

T

he European General Data Protection Regulation (GDPR), which came into force in May 2018, has imposed a whole new framework for companies using personal data. Companies, in response, have started putting in motion IT strategies that protect their businesses from regulatory risks. Because the GDPR has put a strict requirement on consent proof for digital advertisement platforms in particular, we see the effects, like forcing companies to change their business models, Google and Facebook included. These changes impact also voice assistants like Alexa and Cortana. But companies have not really changed their approach to data mining. Their ravenous appetites for consumer data continue to grow following the surge of Internet of Things and artificial intelligence (AI)-based platforms opportunities. The paradox is that with strict privacy regulations coming into force, including outside Europe, inspired by GDPR’s overarching principle of “privacy as a right”, these companies can achieve their data gathering and consumption objectives at almost no cost, unless some disruption happens in the market. ErnieApp has decided to invest in a mission, which is to curb this trend! Turning upside down the relationship between users and service providers (to give more control to users like ad-blockers do) or storing your personal data in a third-party database had always been the standard approach taken by various privacy-bydesign companies to win user engagement. But it has proved not to work so well (except for ad-block solutions). Users dislike changing their behaviours on-line if this is calling them to re-route their personal data into another party database. Despite the Cambridge Analytica scandal and several other high-profile privacy breaches, Facebook saw its ad revenues and the average time spent on its application grow. They have done so for two prominent reasons: first, people are not seeing the value of the data they share and second, people prefer to keep the data where they are, rather than relocating them. Our approach Differently from everybody else, we considered that only disrupting directly the business-to-business relationships ❱ DMN.ca

between Internet companies would trigger a meaningful change. And that such disruption could only be driven by users, if actioned appropriately. We set up a new, automatable and scalable scheme to trigger a new competition lever onto digital companies and have it homed in a mobile native app (usable also by nondigitally skilled users). We called the app ErnieApp and the service provided via the app a PKM or “Privacy Knowledge Manager”. A PKM service for end-users would come in three levels (BASE, CUSTOM and PLUS) where the PKM BASE should always be free (privacy as a service) and the two others as a freemiums (consent as a service). With ErnieApp, if companies want to process qualified consumer personal data (meaning data for which the legal basis for processing is based on express or explicit consent), they must enter into a competitive race and bid to convince the users to maintain the adequate level of permission for as long as possible. Key features To facilitate user decision comprehension of the scheme and help user decision making process we combined in the app three bundled features: a proxy indicator, a privacy configurator and a game. The proxy indicator is called the “Openness Index”. This is a meter reading in app that appears as soon as the user has added any third-party service in their dashboard. The Openness Index is a personal computed metric. It gives to an individual a proxy indicator to help them understand how generous they are with their personal data sharing toward certain applications (probably those he/she uses the most daily). The privacy configurator, which starts functioning as soon as the user adds their first third-party account, allows the retrieval of third-party service privacy settings and their visualization in a single view. By visualizing the settings among different services, a user can compare the settings and derive which company is more privacy-friendly. User can then manage privacy settings in order to build a consistent consent policy across multiple services. When the PKM BASE was launched, in February 2019, we launched the support for the privacy settings of Google Search, Maps and YouTube, Twitter and Facebook to begin. We then expanded the support for LinkedIn, Spotify and Netflix. We plan to add more in July 2019


// 15

Compliance

the near future. Users shall feel the power of controlling the privacy settings across all these popular apps and also become aware that all these apps need the users’ express consent to use their data for digital marketing purposes. The game is rather a gamification experience than a video game for now. Users make a journey through a map; to advance they need to answer quizzes across several playgrounds (playgrounds mimic different settings where the user can identify him or herself, like outdoor or indoor). When he or she answers correctly, they accrue tokens and pass the level so that they can attain a certain status, plus they also redeem tokens in a prize draw. The game narrative is focused on the Internet and how it functions, main business models, technologies and players that coexist and compete, along with consumer rights, laws and July 2019

regulations. By playing the game a user elevates his or her knowledge both as regarding privacy and how to best manage their consent as a tradable asset. Responses, challenges and developments We have received excellent feedback since our launch. It is interesting to note that most of our users love the game and rated it 5 ’s in market surveys; people say they learned interesting staff while having fun. People also scored high (4.5 ’s) the service novelty as the privacy configurator is very easy to use and gives them an immediate visualization of the changes when they implement them. Not surprisingly, people expressed also discontent when they discovered that companies implement very different privacy settings on their apps and that no common taxonomy or

standards exist in this space. Or that some companies do not have privacy settings at all. We at ErnieApp think there is a good opportunity here to build wide user consensus that privacy settings are needed and should be easy understandable. For example, we have started an online petition on Change.Org to make opt-in/ opt-out features more accessible by consumers. One of our biggest challenges when we designed our app was to identify the target “persona”. Would a PKM service be attractive for specific age segments? Gender? Geographies? Or would it have the potential to become a universal service? It’s a bit too early to give an answer to this question, but our analytics indicate there is not much difference between how the app is used in Europe and in U.S. or in other countries at the moment we speak. People like the

user experience we offer, and they appreciate the increasing features approach we propose in the app. This summer we plan to localize the app in Italian and possibly in French. We plan to add new countries where the app will be available, add additional supported third-party services privacy settings, upgrade game content and add new features which will make the user more powerful in their negotiation tactics with Internet service providers. Isabella De Michelis di Slonghello is ErnieApp

(www.ernieapp.com) CEO and founder. Prior to that she founded High Pulse, a strategy consulting company focusing on advising private and public clients on broadband and digital transformation projects. She has also served as group vice president, government affairs at Qualcomm, managed European public affairs for Cisco Systems and worked for Telecom Italia, Telespazio and for Elsacom (a Finmeccanica company). DMN.ca ❰


// 16

Compliance

Benefitting from music: ethically and legally

By Andrew Berthoff

I

have worked in marketing and communications for 25 years. And if there is one constant with all the changes, like the rise of the Internet, social media and smartphones, it is the powerful punch that music brings to brands. Whether music is used in a traditional TV or radio commercial or a music video, at an event or rally, during a sponsor intro in a podcast, an Instagram story ad or a YouTube pre-roll spot, its ability to grab and hold attention is singular. In fact, research shows that using music in consumer-facing advertisements builds strong emotional connection to brands. Smart brands use music to set the stage for relaunches, to underscore their positions or to simply generate recall in their target audiences. According to recent research by Léger for SOCAN, 74% of Canadians say a catchy song directly impacts their ability to remember a commercial and the brand it was advertising. Given the number of messages consumers are bombarded with daily, rising above is essential, and music used well can propel a brand to the top of the charts. Think of previous commercial uses of music to illustrate this ❱ DMN.ca

truth. Feist’s 1234 is a great song on its own, but it’s likely to make you think of Apple. Tom Cochrane’s Life is a Highway help catapult Hyundai to prominence in 1995. Stephan Moccio’s themes are synonymous with Canadian sports. Our music creators have been providing their work to marketers for decades, and all have benefitted significantly as a result of their willingness to work together. Respecting the creators Maybe more than any other art form, music adds value for marketers. But, when we use a creator’s original music, it’s important to remember that there are rules. The Society of Composers, Authors and Music Publishers of Canada (SOCAN), the company I work for, tracks how and where music is used to ensure that those who own the music are compensated for its use. After all, music is a product, like any other product. So, shouldn’t those who make it receive a fair return on their investment? A return that will help to create more products? In my marketing role I occupy a unique position: I understand the point of view of the music creator as well as the wishes of

the marketer. I understand why it’s beneficial to use a popular song to market a brand, but I also understand that to do so legally and ethically protocols have been put in place. If you have your ear on a certain piece of music, you first need to find out if the rights-holder is willing to let you use the piece for that specific purpose. If they are, the next questions are how and for how long. Through negotiations you determine if and how the music can be used. If all parties agree, a legal licence is created so that the holder of the rights to the work is compensated for their contribution to your marketing campaign. I am also a musician and you might be, too. This introduces yet another possibility. Let’s imagine for a moment that the song you have in mind for your marketing campaign doesn’t yet exist. Solution: you can create it. While there is no reason why you cannot use your own song in your campaign, like any creator you deserve to be paid for what you have contributed. SOCAN’s role This is where SOCAN plays a role too. Part of our mandate is to track and collect royalties so that any

time one of our nearly 160,000 songwriter, composer or music publisher member and client work is used—in a commercial, during a television programme, or as background music at an event— that use is tracked. Members are then paid by the person or company that used it, and, as a result, added value to their business. Collecting royalties for the songs used in commercials can be tricky, but SOCAN is committed to finding new ways to track music every day. Technological advances in tracking happen regularly, which is great news for our stakeholders. But until you become someone who’s both developing music campaigns and writing the music for them, make sure that you’re using other people’s music ethically and legally by licensing it properly. Music might well be the greatest tool that a marketer can use to gain major results through its intangibly positive power. The gifted artists who made the music deserve to share in your results, so that, along with you, they can continue to make more. Andrew Berthoff, APR, is chief

communications and marketing officer, SOCAN (www.socan.com). July 2019


// 17

Features

AI: Interview with Gary Saarenvirta

B

Stephen Shaw is the chief strategy officer

of Kenna, a marketing solutions provider specializing in customer experience management. He is also the host of a regular podcast called Customer First Thinking. Stephen can be reached via e-mail at sshaw@kenna.ca.

usinesses are “drowning in data but starving for insight”. But relief is on the way in the form of artificial intelligence (AI). The ability to skip right to the answers without even forming the questions will be the salvation of marketers. With AI, the analytical load shifts to machine learning algorithms. Most of the major marketing automation vendors have already integrated AI capabilities into their platforms. But companies also have the option of outsourcing the analytical work to software-as-aservice (SaaS) platform providers that can help them benefit from the technology immediately. One of those providers is Toronto, Ontario-based Daisy Intelligence, founded by CEO Gary Saarenvirta. The company’s AI platform can determine the best product price points, adjust the promotional mix to minimize cannibalization and identify optimal store locations and layout, saving merchandisers from needing to figure it Gary Saarenvirta, CEO and founder of out themselves. Toronto, Ontario-based Daisy Intelligence. AI is very much like magic because no one can ever say how it arrives at the answers it comes up with. Yet it offers clear advantages over traditional approaches to data mining and analysis, both in speed and precision, as Gary Saarenvirta explains.

is a numerical label or a text label, but what do you do with that? There’s no decision-making process wrapped around that label. If the label says two instead of one, what do you do?

Q: A:

Q: A:

How did you come up with the “Daisy” name? It was inspired by the first song ever sung by a computer back in 1961: Daisy Bell. And of course, that song was famously sung by HAL in 2001: A Space Odyssey.

Q: A:

It’s a perfect name for an AI company. What was the genesis of your business? My goal has always been to use math and science to make companies smarter. Take a retailer with hundreds of locations, a hundred thousand products and millions of customers it’s hard to figure out what’s going on, no matter how many analysts you have. Our vision was to build an autonomous decision-making system using AI. That was 15 years ago.

Q: A:

Half of companies today report that they’re still struggling to create actionable insights. Why is that? Data mining technology has always been aimed at a technical user with a mathematical or statistics degree. Which is why a gap still exists today between data analytics and business decision-making. It’s the main reason why analytics hasn’t become a strategic practice yet. The output of a predictive model July 2019

Q: A:

Is the problem a lack of data fluency?

Yeah. But what’s missing is a tie back to the P&L [profit and loss]. At Air Miles—fantastic company, it was a formative place for me—I remember every PowerPoint report declaring, “This is a 100% ROI [return on investment]…a 500% ROI…a 200% lift over random”. That was all wonderful, but then the client’s P&L figures wouldn’t move. You saw all of this awesomeness from a statistical perspective, but it wasn’t translating into business results.

Q: A:

You mean data mining is more of a tactical tool as opposed to strategic? Just think about the retail business. Maybe you did a shopper marketing campaign to sell Coke and you sold twice as much Coke this week as last week. But then you didn’t take into account that Pepsi sales went down and that juice sales went down. You didn’t measure cannibalization. You also didn’t measure the forward buying: people who bought two cases this week because they were on sale but who did not buy their usual case the following week. Marketers don’t bother to measure all of the ripple effects because that gets too complicated. I tell my customers “If I don’t move the P&L, then fire me because there’s no point doing analytics if you’re not moving the P&L”. Selling AI When you’re knocking on doors, are you talking to the CIO or the CMO? Who do you have to convince of the merits of AI? In retail, we want to talk to the CMO [Chief Marketing Officer] and the head of merchandising. Our goal in retail is to double the net incomes of retailers. We want to turn a 1% industry into a 6% industry. The people who care about that are in the C-suite. Our users are the retail operators, the merchandisers, the category managers and the marketers who use our technology on a day-to-day basis. In insurance and banking we go after the C-suite, the claims people and the risk people.

Q: A:

Not only do retailers have to deal with the omnichannel shopper, they’ve also got to deal with a sudden deluge of interaction data. That is a real challenge. One of the reasons I chose retail was because of the technical complexity of making use of all that data. Something like 50% of the world’s GDP [gross domestic product] is retail. So, if we can move the needle in retail, we can move the world.

Q:

What phase is AI at? Is it still in a hype phase? An early adoption phase? Even a honeymoon phase? DMN.ca ❰


// 18

Features

A:

I think it’s still in the hype phase. Let me explain. If you only analyze historical data, that’s called statistical analysis. You learn from history only. You have to have labeled training examples to train your algorithm, whether that’s linear regression, invented in 1805, or deep learning, which has become popular in the last five years. That’s all mathematical labeling. You create a label, namely a numerical number, e.g. this is a dog, that’s a cat. It’s just a label. It’s a mathematical process and it can only learn new things at the speed you collect new data.

Q: A:

When you talk about deep learning, are you referring to neural nets? Neural nets or support vector machines or support vector regression, it’s really all historical data learning. You can only learn a new mathematical pattern when you collect new data. If statistical analysis was a panacea, it would have had a greater impact long ago given the proliferation of statistical analysis tools. The hype is a whole new generation going “Wow, this predictive modeling stuff is really powerful.” Market differentiator

Q: A:

What separates Daisy Intelligence from the hype pack? What we do is different. It’s called reinforcement learning. Think about retail promotion. I have to pick 500 products to promote out of 100,000. But you can’t treat Coke and cheese and bread as three independent things. They’re all related. It’s the marketing mix that drives the result. In predictive analytics, I have to create a label for each mix. The combinatorial math tells me I could never come up with enough labels. So predictive analytics can’t work in that scenario. You have to use reinforcement learning. We can tell the retailer “here’s what you should promote, here’s the price and here’s the inventory allocation”.

Q:

What’s the business case you make to the merchandiser sitting across the table from you when you talk ❱ DMN.ca

about this? We deliver decisions. If you execute the decisions, we’re going to grow your revenue by 3% to 5% or more and in a 1% net margin industry, we just doubled your profit.

A:

Q: A:

And you do that by optimizing price and shelf allocation and promotions? And product selection. There are a lot of companies doing price optimization and forecasting, but I haven’t seen anybody help decide which products to pick. An example would be a product like ground beef. Consumers see ground beef promoted, they go “Oh, I’m going to make an Italian dinner”. So, you buy pasta, tomato sauce and produce. If you’re making hamburgers, you buy hamburger buns and condiments. But because I bought ground beef to make hamburgers, I might not buy hot dogs. And then there’s forward buying where you’re stealing from the future. There is [also] the spatial geography. I’m not going to go out of my way to get a 10 cent discount on carrots. But if you’re giving gold bars away for free, I’ll drive across the world to get it. All the commonsense things that retailers know, like lower prices equal more sales and front page of the flyer is better than back page. All these commonsense rules we’ve assembled into a theory of retail like the laws of physics.

Q: A:

What might merchandisers do differently by using your model? Let’s use a household promotional flyer as an example. In the dairy category, I need to decide which products I’m promoting. Well, Daisy says “Put milk on the front page, cheese and yogurt on the inside page and here’s the price you should charge.” So, we tell the merchant “Here’s what you should do.” In promotional planning there’s way too many data points for analysts to look at. One very large retailer was looking to do 90 billion product forecasts three times a day. 90 billion. They had several million products and thousands of locations. They wanted to know three times a day what the demand for those product combinations

would be at the store level. These problems are beyond human capability to compute. That’s the class of problems AI should focus on.

Q: A:

Where else can AI have an immediate business impact? Anywhere involving large volumes of data where highly complex decisions need to be made. In insurance, we’re doing fraud detection and predictive underwriting, for example, where you might get a million claims coming in every day, needing to decide what’s fraudulent. Another example is screening bank transactions for money laundering or speeding up mortgage approvals which might happen thousands of times a day. Again, just moving the needle 1% or 2% can have a significant financial impact.

Q: A:

Is AI going to govern the real-time interaction experience of customers? We’re analyzing 100% of the transactions and interactions of our retail clients across all channels: in-store, online, mobile, you name it. Using that data, we’re able to help our retailers give their customers what they want, which is having the products available that they’re interested in, at prices they find compelling and having the stock there when they go to buy the products. AI risks, obstacles, solutions

Q:

Is there a risk with AI that it will actually create greater distance between marketers and analytics because those decisions are now being handed off to a machine? That’s a good point. It could happen. I think customers are always asking “So what’s inside the black box?” We try to be as transparent as possible. But it’s so complex. We might do a hundred trillion computations to come up with an answer. There needs to be some element of trust. But it’s not like the machines will take over all analysis and humans will do none.

A:

Q:

So, you’re saying there’s still a role for predictive

analytics and the sister disciplines? Yeah, certain problems. A customer acquisition challenge. A targeting challenge. Those are perfect predictive modeling opportunities. So, there are certain problems where predictive analytics will play a role and certain problems where reinforcement learning is better.

A:

Q: A:

What’s the on-ramp for AI in a company that hasn’t been down this path before? Start with a big problem. Then look at business processes where people struggle, where there’s lots of data, super complicated trade-offs, dependent on old rule-based systems. Figure out how the math is going to help. If you’re going to create a predictive model, think about what you’re going to do with the answer. And there’s still a lot of data management issues that haven’t been addressed. You need to manage your master data, product hierarchies and historical promotions. All of that drives the quality of AI.

Q: A:

Data quality is still an obstacle? It still is. To me, it’s the proof point that nobody is really doing any strategic analytics because we haven’t solved that problem yet. With every retailer we work with, the first thing we do is tons of data management work. For example, you have all these different UPCs [universal product codes]—like all the different flavours of yogurt —which should be considered as one group. That data entity doesn’t exist in the vast majority of retailers. Large retailers only very, very recently, like in the last year or two, started to actually think about those things. Which is proof that analytics hasn’t even scratched the surface of possibilities.

Q:

As a long-time data mining advocate, it must be gratifying to see all of this interest in AI. I’ve been at this for 25 years and finally my vision is starting to gain traction. At times I thought I was out of my mind. So, yeah, it’s very exciting to have people buy into the vision.

A:

July 2019


// 19

Features

Analytics in an age of disruption By Richard Boire

D

isruption seems to be the only constant in our vastly changing world. Increased digital interconnection and tremendous capabilities in processing huge volumes of data at ever-increasing velocities are now the norm for many businesses. These increased technological capabilities have resulted in the emergence of artificial intelligence (AI) and the resulting paradigm shift towards even more automation. The emergence of AI Before delving more deeply into this area of AI, let us be clear what AI is not. In some conferences and articles, you will hear that AI encompasses any type of predictive models/machine learning algorithms. This is a fallacy. AI, in reality, is much more specific in that true artificial intelligence is about deep learning, which is the use of the mathematics of neural nets where you have an input layer, hidden layers and an output layer. Complex algorithms using different optimization approaches have been developed in delivering solutions which can, and have, demonstrated great performance in the last few years. But what has caused this tremendous upsurge in AI interest given the research has been around for decades? Like many processes, AI needs fuel, and in this case data, where it requires huge volumes. Technology has always been the limiting barrier in being able to process huge volumes. However, this is no longer the case as companies can now more fully leverage big data technology and its parallel data processing approach. With companies now able to consume these ever-increasing quantities, the improvements caused by AI have been enormous in certain sectors. For instance, in the area of image recognition, accuracy rates have improved from rates of 45%-50% in the 1990s to well over 95% in the current era. These significant strides have also been manifested in the area of text recognition. July 2019

Even prior to the great breakthroughs achieved by AI, increased automation of many tasks and routines has been the norm in many industries, which have reduced the need for human intervention and ultimately the need to pay someone. AI has simply accelerated automation to a new level as companies seek opportunities to improve their business processes in serving customers with fewer employees. However, the emerging social impacts of these changes is really the subject of another study or book. Data Scientist versus the Business Analyst But in the world of analytics, what has been the impact? Yet before we explore this impact in more detail, let’s examine more closely the roles of the analytics practitioners. In today’s environment, we have essentially two levels of analysts: ❯❯ The business analyst; and ❯❯ The data scientist. The business analyst is typically the “face” and the key contact with the business unit. He or she is responsible in terms of presentations to the business unit and its key stakeholders, which is essentially the delivery of the solution. Storytelling is a prerequisite skill for this individual. Meanwhile, the data scientist is a more technical person who is wellversed in the area of programming and coding alongside deep mathematical skills or at least the ability to interpret the output. Both practitioners work closely together. The data scientist provides the technical output, such as predictive analytics solutions or the creation of an analytical file for reporting and visualization. Meanwhile, the business analyst in effect works with the technical output in order to present the solution in an understandable manner to the stakeholders of the relevant business unit. In today’s environment, the hiring trends of many organization exemplifies these divergent skills. For the business analyst, the

technical skills are the flexibility and nimbleness in being able to work with the many typical office applications, such as MS Excel and PowerPoint alongside existing data visualization tools such as Tableau, as well as emerging new software in this area. But the more important skill for them within an analytics project is arguably the much softer one of communication and storytelling. Are technical skills enough? For the data scientist, deep technical skills in computer programming and mathematics are the pre-requisite skills and in fact this is amplified by the number of Ph.Ds and master’s degrees recipients who are being considered for these positions. Certainly, knowledge of the techniques and its output are mission-critical for any data scientist. But does the arcane knowledge of how an algorithm is mathematically calculated through a series of equations really necessary for every data science exercise? Are these deep technical skills fulfilling the real business needs of many organizations? Certainly, the Googles and Facebooks of the world will always need these deep technical skills given their extensive research needs in their never-ending quest for new products and services. But for many organizations, it is more about the practical application of these technologies and how they will impact the business. Specialized skillsets, such as extensive knowledge in how the mathematics work behind a convolutional neural net, are not really required. Rather it is how the output of a convolutional neural net can be used to classify images, thereby providing better information in such areas as claim processing and health care diagnostics. Another good example would be the use of a recurrent neural net in being able to build time-series type forecasting models. A much more generalist approach is really the required skillset in this area in applying

the right technical outcome to a business need. But what are these more “generalist” skillsets? The initial demand and arguably the most important one is the ability to identify the right problem or business challenge. Alongside this capability is the ability to create the right data environment in being able to derive a solution. With the data framework being created, the data scientist then needs to determine the appropriate approach and tools in developing the solution. At the same time, he or she needs to determine how this solution will be actioned and more importantly how it will be measured. Keep in mind these practical demands still need to be complemented by technical skills. Without them, the data scientist lacks the knowledge in whether an advanced analytics solution is appropriate for a given business problem or challenge. For example, what does the output of a decision tree using random forests mean versus the output of a deep learning model? More importantly, how do we assess which approach is better in delivering a better solution? These key demands of both a technical and general nature are not new. Businesses prior to the big data digital explosion have always struggled in trying to utilize both types of skillsets in resolving their business challenges. The limiting barrier, though, was always time, as many of the tasks and activities of the data scientist were still very manual. Intensive programming whether through software like Python, R and SAS was always required in order to create the analytical file which, in most cases, consumes 85% or more of the data scientist’s time within an overall project. Once these files were created, the data scientist would then run a series of routines or load modules in either generating a report or producing a predictive model. Again, programming was required Continued on page 21 DMN.ca ❰


// 20 PBI-DirectMarketMag_Ad_4.32x8_052919.pdf

1

5/29/19

FULL SERVICE OPERATIONS

Date:

July 4, 2013

AD:

Client:

Cleanlist.ca

AM:

Docket:

3540

Version:

F6

Application:

Print, 4x4.325", 4C

Media:

Direct Marketing Magazine

11:05 AM

Carter

Resource Directory

PLEASE NOTE This file has been optimized for its intende application only. For uses other than inten please contact Seed for alternate formats.

Sinclair

LIST SERVICES

BETTER DATA

FRom CANADA’S LEADER iN CoNTACT DATA SoLuTioNS Data Cleaning • Address Correction • Mover Update • Deceased Identification Data Enhancement • Phone Append • Demographics

1-800-454-0223 sales@cleanlist.ca

)

Prospect Databases • ResponseCanada • Consumers, Movers and Businesses

Ask for a FREE EvALuATioN and pricing!

cleanlist.ca

Custom Solutions

an interact direct company

CL_ResourceAd_4x4.325_v04.indd 1

LIST SERVICES

Global Verify Address, Name, Phone & Email

+

@

Clean, Update & Enrich Your People Data to Improve Targeting, ROI

Data Appends Phone, Email, Demographics, Firmographics & Property

NCOA

list brokerage list management consumer/business lists data processing printing and mailing services

postal/prospecting lists alternative media/CASL email lists data append services database prospecting modeling and profiling services

Contact: Kim.Young@nadminc.com • Jannett.Lewis@nadminc.com • Jacqueline.Collymore@nadminc.com

U.S., Canada & International

Leads & Lists Consumer, Business & Specialty

To advertise Contact Mark Henry, mark@dmn.ca

Get a Free Quote Now

www.melissa.com/ca 1-800-MELISSA


// 21

Resource Directory LIST SERVICES

Data Analytics

YOU SHOULD BE HERE

DM Magazine

represents all areas of the DM industry: from small businesses to Canadian Business 1000 companies. No matter what our reader's size, resources or strategies, each and every organization we reach is driven by data, powered by orders and striving for loyal customers.

To advertise in DM Magazine Resource Directory Contact: Mark Henry, mark@dmn.ca

To advertise Contact Mark Henry, mark@dmn.ca

Analytics in an age of disruption Continued from page 19

in order to run these routines against the data. All these tasks were very time-consuming despite the fact that a high level of technical knowledge was required for their execution. Increased automation of analytics tasks With the big data explosion, demands for data science skills have accelerated at logarithmic rates. Vendors have now emerged on the scene in an attempt to automate these time-consuming tasks and at the same time empower more people in both the development as well as execution of solutions. Automation has occurred in creating the analytical file where the practitioner does not need programming expertise, yet still requires a deep knowledge of how data works in order to create the right data framework for analysis. Meanwhile, the actual development of predictive models has created companies where their end deliverable is the ability to “manufacture” many models quickly. This is much like what happened to the auto industry when Henry Ford transformed what was

a much-customized approach to a more mass-automated approach. This “factory” type approach to predictive modelling still requires the data scientist to understand the mechanics and implications in order to more optimally leverage these tools. The phrase “A fool with a tool is still a fool” is still very appropriate in this scenario. Finally, there is automation occurring in reporting and visualization, which is perhaps the most significant area and is exemplified by the large number of vendors attempting to meet this demand. The reason for its significance is that without this capability, all the hard work in creating the analytical file and developing predictive models is meaningless if the work is not actioned. Communication and storytelling are the keys to a solution being actioned within a business and reporting/visualization tools greatly facilitate this kind of capability. How will the data scientist and business analyst evolve? The essence of data science and its many activities have not changed.

However, there is now more of a realignment towards those tasks and activities that require the deeper intellectual activities of the data scientist in creating business solutions. These skills translate into the softer skills of utilizing the “creative” side of their brain in order to design solutions that are tailored to the specific business needs. At the same time, these “creative” elements are also manifested in enhanced “communication and storytelling” capabilities. In effect, the data science role is now executing many of the tasks of the typical business analyst. So, what, in turn, will become of the business analyst? As discussed above, the analytics tools now empower business analysts to run advanced analytics routines without any programming skills. One can surmise that the data science and business analysts’ skills are essentially converging into what may be referred to as a hybrid. The need to both of them to apply deep analytical skills creatively is the key to developing solutions across a myriad of different business problems. As many people in the

industry have mentioned, the ability to combine both art and science is really what data science is all about and really represents the hallmark of the hybrid. The hybrid is both a creative artist and engineer. Growing demand for hybrid staff The demand for these hybrid workers has always existed even prior to the digital explosion. But in today’s increasingly automated analytics environment, demand for hybrid staff will continue to accelerate. The future of data science has never been brighter, even with increased automation as businesses increasingly seek more of these creative artists/engineers or hybrids. Exciting times lie ahead for the data science hybrid. In the next article, I will highlight examples and business cases of what this hybrid role might look like. Richard Boire is currently president of Boire

Analytics, an organization that is a leader in data analytics with over 30 years in applied analytics solutions across virtually all industry disciplines. He can be reached at boire@boireanalytics.com or for more information, go to: www.boireanalytics.com.


Excellent Execution

// 22

Investing in privacy and security G

James Smith is the chief compliance and privacy

officer at Environics Analytics.

ood companies talk about privacy and security; great ones back their words up with third-party audits. At the most basic level, audits establish trust. Submitting to a privacy and security audit is not something that should be done lightly. It involves countless hours of work and resources, not to mention a significant capital investment to execute. Note that I describe it as an investment, not an expense. Audits should not be viewed as a cost of doing business. Instead, they should be seen as an investment to bolster your clients’ faith in your capabilities and systems. This is particularly important for direct marketers because they ensure that marketers are using high quality, privacy-compliant data that will enable them to execute effective programmes and campaigns. But audits do more than help put clients at ease. They help manage the rising threats and associated risks of handling and securing data. In a rapidly changing environment—one that’s rightly under increasing levels of scrutiny around privacy and security—audits motivate business working with data to innovate and improve.

Audits help manage the rising threats and associated risks of handling and securing data. Not only do auditors make sure businesses have the right policies and procedures in place, but they also demand physical evidence to prove you are adhering to those rules as part of your daily routine. A thorough auditor will perform checks in your offices to ensure desks are clear of sensitive client information, that your server rooms have proper security controls and that hard copies of client information are destroyed when they are no longer needed. What does a privacy and security audit entail? For those unfamiliar with the process of data and security audits, they serve several essential functions. For starters, they provide focus and offer persistent reminders to ensure that a business is keeping up with best practices and standards issued by the industry. They ask questions like: are the data on your servers and backups encrypted? How often do you patch your servers? Are employees trained on security? Do you have quality controls? Can you produce a complete data inventory? And do you destroy data and what is the process? In total, to comply with an audit ❱ DMN.ca

(such as the SOC2), an accounting company will review more than 100 items to ensure adherence to industry best practices. More than a month before the auditors arrive, stakeholders from finance, operations, legal, software development, research, project management, IT, human resources, office administration and sales should clear time to collect supporting evidence and prepare answers to auditor questions. This team (under project management leadership) should conduct a gap analysis, map the existing controls, and perform internal audits and other related tasks. By the time the auditors arrive, your staff should be armed with hundreds of pages of documents, ranging from basic policies and procedures to operating manuals, checklists and signed contracts. Ideally, companies should already have logs and digital records ready for auditors to demonstrate that “correct content” file transfers involving client data are conducted securely. To their credit, the auditors don’t leave you any room to hide. Not surprisingly, in an industry that is continuously experimenting with new technologies, the things that they look for are constantly changing, which is why it’s critical to submit to this process every year. For instance, in the past year, SOC2 trust services criteria were updated to focus on risk management, incident management (breach protocol) and performing internal ongoing as well as periodic evaluations of relevant controls. As a result, auditors this year will examine your policies and processes and conduct data fire drills and training to make sure they meet all of the requirements. Proof of exemplary service These audits also help companies ensure that you are providing your customers with the best level of service possible. In the event of a critical failure, for example, your company will have to prove that your systems can fail over to a disaster recovery hot site within the service level agreement. Business continuity plans/disaster recovery requirements are contractual and auditable. If you’re serious about privacy and security, one audit may not be sufficient. If you work with client data, three audits that might be relevant. The first are financial controls assurance (SOC1, previously SAS 70). The second are operational controls assurance of a service organization’s environment (SOC2). The third audit focuses on handling sensitive health data. While audits don’t assign a grade beyond a simple pass/fail, the reports will highlight areas for improvement and deficiencies where companies fail to meet best practices, as well as the standards they set out for themselves. We’re proud to report that we’re among an elite group of companies that can claim to meet every standard and test for those audits: without exception. Clients should always ask to see these reports as a normal course of business. We’ll proudly share ours; it’s our competitive advantage. July 2019


2019 SPECIAL

TRIBUTE SUPPLEmEnT

RESERVE YOUR SPACE TODAY Book your space in the Tribute Supplement and make sure Cynthia Quigley and the entire AFP Community know how much we owe her for an outstanding career achievement. Simply contact mark Henry, Publisher Dm magazine at 905-201-6600 x 223 or email mark@dmn.ca. Please don’t miss out on this once-in-forever edition. For more information visit www.dmn.ca/tribute

Greater Toronto Chapter

Sponsored by


Profile for Lloydmedia Inc

DM Magazine July 2019  

DM Magazine July 2019  

Profile for dmn.ca