Data

Our commitment: Be a leader in the secure and responsible use of consumer data.

Every day, our industry faces new threats.

Technology has propelled us into an era that enables institutions to collect and process more data than ever before. Every day, our industry faces new threats and issues related to information security and consumer privacy. And every day, we examine our systems and protocols to see how we can further safeguard our operations. Due to our ongoing vigilance in this area, we had no data breaches in 2015. But security is only one part of what we do. We are equally committed to consumer privacy. We believe that being transparent with the public about our use of data is not only the right thing to do, but it also sets the tone for the entire industry. As we lead by example, we’re changing the face of big data. And this is only the beginning. As we look to the future, we’ll expand our partnerships with non-profit organizations, helping them use data to make good things happen. Data and how we use it — it’s what defines us, what sets us apart from the crowd, and what is changing the world as we know it.

Spotlight: Data for Good

When lives are at stake, every second counts. Here’s how we’re helping save lives through the Federation for Internet Alerts (FIA).

2015 Highlights

ISSUED AMBER ALERTS for the National Center for Missing & Exploited Children

Conversant’s technology helped FIA issue 300 million AMBER Alert messages in 2015

Delivered to all 50 states across tablets, smartphones, and desktop computers

Recipient of 2015 People’s Voice Webby Award for Advertising & Media for Public Service & Activism

BROADCAST TORNADO WARNINGS for the National Weather Service

Delivered life-saving weather alerts through FIA

Alerted families in the paths of devastating storms to prepare for danger and take cover

Issued 3 million tornado alerts in 2015

Monitored how evolving privacy/security issues might impact OUR BUSINESS AND CONSUMERS

Prepared for anticipated changes to EU-U.S. Safe Harbor (now EU-U.S. Privacy Shield), as well as EU General Data Privacy Regulation, to ensure that we could meet regulations to transfer data internationally

Met with public policy leaders and industry leaders to discuss the responsible use and collection of data

Developed guidance for cross-device marketing and helped draft a mobile code of conduct to make sure consumer expectations for data collection are met

Here’s how we’re progressing toward our three-year goals.

GOAL PROGRESS 2015 ACCOMPLISHMENTS
Educate and provide transparency to consumers, lawmakers, and regulators about how we use and safeguard personal information.
***
  • Advocated for the highest responsible standards of self-regulation to demonstrate our commitment to the ethical and transparent use of data for marketing purposes.
  • Participated as a knowledgeable expert at numerous industry events such as Online Trust Alliance Data Privacy & Protection Day, Network Advertising Initiative, and Digital Advertising Alliance Summit.
  • Created the Fair and Responsible Banking Team to enhance consumer protection monitoring for more vulnerable and distinctive populations such as military service members and the elderly.
  • Enhanced Epsilon’s online Knowledge Center, increasing the level of transparency with consumers by allowing them to access the data we collect and providing them a choice as to how it is used.
  • Continued to be involved in determining how President Obama’s Executive Order (which promotes private sector cybersecurity information sharing) applies to our business and the industry.
Collaborate and exchange information with industry peers and regulators about ongoing opportunities for privacy and security improvements.
***
  • Provided guidance on cross-device marketing and inter-space advertising with the Digital Advertising Alliance.
  • Helped draft a mobile code of conduct for the industry with the Network Advertising Initiative (NAI).
  • Provided thought leadership and industry expertise through executive board level participation with organizations such as the Direct Marketing Association (DMA), Network Advertising Initiative (NAI), and Interactive Advertising Bureau (IAB).
  • Achieved certification as nationally recognized Certified Information Privacy Professionals (CIPP) by the International Association of Privacy Professionals (IAPP).
  • Our Alliance Data card services business participated in Auriemma Consulting Group’s Card Compliance Roundtables. Privacy and data security are regular topics discussed among the compliance professionals representing many of the largest card issuers in the United States.
Understand and address the international regulatory landscape: what the evolving issues are and how they might impact our business and consumers.
***
  • Monitored for anticipated changes to U.S.-EU Safe Harbor (now EU-U.S. Privacy Shield), as well as EU General Data Privacy Regulation.
  • Continued to modify our information security standards to proactively address the dynamically changing information security landscape.
  • Collaborated with clients as a trusted partner and expert throughout the relationship to ensure the latest information security and privacy measures are proactively incorporated in everything we do.
Conduct rigorous, ongoing associate training to continuously improve associate knowledge and minimize risks due to human error.
***
  • Conducted annual information security awareness campaign.
  • Had nearly 90% of associates and contractors complete information security and privacy training.
  • 100% of Alliance Data’s card services business privacy compliance associates obtained the Certified Information Privacy Professional designation offered by the International Association of Privacy Professionals.
Assess new evolving technologies/protocols to continually drive improvement and proactively protect our systems and information.
***
  • Enhanced our defenses around cloud-based technology by implementing tools to monitor and assess risks associated with cloud-based computing services.
  • Initiated a leading level of third-party assurance conducted by PwC. The AT 101 Privacy and Security report is designed to demonstrate operating effectiveness pertaining to the management, collection, and security for privacy of consumer data.

Some Progress Made

Good Progress Made

Excellent Progress Made

These 2015 roadmap activities have all been achieved to their fullest extent, and thus will not be included in future reports. We will continue to report on the three-year goals.

GOAL PROGRESS 2015 ACCOMPLISHMENTS
People
Continue to develop and advance the enterprise Threat Intervention and Response Team, leveraging knowledge and resources across our businesses as a proactive means of threat management/mitigation.
***
  • The team met monthly to assess emerging security developments as a means of ongoing proactive defense and prevention. This team is now an integrated part of our operations and will continue facilitating real-time threat intelligence monitoring and sharing.
Build closer alignment with the enterprise Risk Management Team to ensure IT-related risks are appropriately weighted, understood, and included on the enterprise risk register.
***
  • In collaboration with the Enterprise Risk Management Team, IT Governance created the IT risk register to detail IT-related risks and establish handling protocol that can be measured to ensure risk is appropriately managed.
Process
Align internal security requirements with “best practice” industry risk management and control frameworks.
***
  • Actively participated in industry leadership groups such as FS-ISAC, PCI Security Council (voting member), and Online Trust Alliance (OTA).
  • Continued deploying RSA’s Archer tool for Governance, Risk, and Compliance (GRC) management. Archer catalogs information security and compliance regulatory requirements, internal policies, control handling procedures, and issue resolution modules. Alliance Data’s card services business chief compliance officer co-presented with KPMG at the annual RSA Charge Summit on our successful launch of the compliance and risk management modules in Archer.
Integrate acquired entities (specifically Conversant and BrandLoyalty) into protection protocols.
***
  • Completed.
Technology
Implement a threat intelligence tool for improved sharing and documentation of security threat issues.
***
  • Completed — Implemented enterprise real-time push-pull threat intelligence sharing tool.
Deploy next generation endpoint security software, incorporating the most advanced early warning behavioral technology tools.
***
  • Continued to test and evaluate next generation endpoint security software. Additional exploration is scheduled for 2016 to firmly identify the best solution for the organization.
