EmergeSmarter Blog

Marketing Research is Still Behind the Curve of Online Privacy and Security

Posted on Wed, Jun 1, 2011

By Walt Dickie, Executive Vice President

C+R started moving online in the late 90s, and the trickle became a flood in 2000 when we launched www.kidzeyes.com, our first online panel. From that point on we always had the Children’s Online Privacy Protection Act (COPPA) in our minds. The result was that an awareness of online privacy and security issues got baked into C+R’s DNA.

We were lucky because we were prepared when the Sarbanes-Oxley Act made companies re-think their risk management strategies, the Gramm-Leach-Bliley Act drove our financial clients to focus on privacy, and the Health Insurance Portability and Accountability Act changed the focus in healthcare. And big public privacy gaffes – most recently, the disclosure of customer data connected with 77 million Playstation accounts – brought the importance of protecting customer data to the fore for almost everyone else.

As part of our regular SAS70 review we recently re-drafted our Privacy Policy and website Terms of Use statements to make them easier to understand and to bring them up to date with changing technologies and methods.

We have a procedure in place for reviewing our data collection partners’ data handling policies and practices to determine whether we can trust them to receive protected data, such as personally identifiable financial or health data. We’ve scored phone rooms and focus group facilities for a while now, but until recently hadn’t considered online community platforms, bulletin board systems, journaling sites, webcam focus group facilities, or other suppliers catering to the skyrocketing online qualitative arena.

We’ve realized two things: one is that we have to be prepared for the explosion of MR methods that’s going to turn the field upside down in the next few years and expand our supplier review to cover new methods as soon as possible; the other is that the MR industry hasn’t gotten the message.

I’m not going to name names; that’s not the point of this post. But having recently scoured suppliers’ websites for Privacy Policies and formally requested documentation from vendors ranging from major software providers to online start-ups, we’ve found an industry that’s at least 10 years behind the curve.

The major MR organizations, such as CASRO, of which C+R is a member, have spoken loudly and clearly about these issues for some time. Any number of conference presentations have been given. Leading edge clients have demanded proof and audited results from us. But we found that minimal steps, such as a well thought out privacy policy, are beyond the reach of many vendors. And more serious programs, such as security audits and regular penetration testing, haven’t generally been so much as considered.

Will it take a Playstation-sized data fiasco for the industry to finally understand what we are risking – for ourselves and our clients – by our cavalier attitude?

Tags: Market Research, SAS70, Misc

The Real Benefits of a SAS 70 Security Audit

Posted on Sun, Apr 10, 2011

By Walt Dickie, Executive Vice President

C+R Research received the final copy of our first SAS 70 Type II audit about three weeks ago. It was the end of a year-long effort to review and re-think our privacy and security policies and procedures, and everyone involved was elated when we passed with flying colors.

But I’ve been thinking, now that the hard work and occasional frenzy that got us to this point is over, what the real value of all that effort really was. And I’m pleased to discover that we got more benefits than we expected.

For those of you who don’t know, SAS 70 is an audit standard developed for service organizations by the American Institute of Certified Public Accountants. A SAS 70 audit is an in-depth examination of a firm’s information technology and processes, and companies obtain them to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.

Like most market research providers, C+R regularly receives confidential information from many of our clients. For clients in the financial services and healthcare industries, the confidentiality of customer information involves specific legal obligations, but clients in all industries are becoming more conscious of the importance of safeguarding customer data.

Many of us here at C+R cut our teeth handling information from young kids – we've been complying with the Children’s Online Privacy Protection Act (COPPA) since 2000, when we started our KidzEyes.com panel. So we were pretty confident that we knew what we were doing when it came to security and privacy issues.

And we were right, for the most part. When we dug into the SAS 70 process, we discovered that we had the fundamentals solidly covered. What we didn’t have were systematic procedures for reviewing and improving our processes. And we hadn’t given enough thought to training, to passing on knowledge and experience. And, most of all, we hadn’t focused enough on being able to backtrack along our own processes so we could prove that we had done what we intended to – or, should the dreaded day arrive, find the point where something went astray.

So, although I’m pleased that we can now share the results of a successful audit with our clients, I’m most pleased that we’ve given ourselves a better chance to stay on course in the future. That has turned out to be the real, and unexpected, benefit of the SAS 70. It was well worth the time and money. And for all the work involved, I’d recommend it to others.

Tags: SAS70, C+R News