When Privacy Is Paramount For A CIO

"We look forward to audits," says Gerhard Lindenmayer, CIO of DialAmerica Marketing. Say what?DialAmerica Marketing is one of those companies whose representatives call at dinner time to offer you a discount subscription to Time magazine. As CIO, Lindenmayer is very concerned about the security of the consumer data his company deals with every day, particularly in light of the recent problems other companies have had with exposing personal customer data, inadvertently or through security problems.

One way to ensure the security of his network is by inviting third parties to examine the company's internal processes. "We look forward to audits because every single audit we do makes us that much better," says Lindenmayer. For instance, DialAmerica is audited at least once a year by the banks that fulfill its credit card transactions. More important, the company is audited for its compliance with the Card Information Security Program, part of Payment Card Industry, or PCI, data security standards established by Visa and MasterCard. Visa requires PCI compliance audits take place quarterly. "We chose to have them do it once a month," says Lindenmayer.

The data DialAmerica uses to conduct its business -- names, phone numbers, addresses, ZIP codes, credit card numbers, and Social Security numbers -- is kept at company headquarters in Mahwah, N.J. That data is transferred over a "secure VPN tunnel" to the 27 call centers the company uses across the United States. "We utilize two different carriers for redundant purposes," Lindenmayer says. Also, data encryption is a key strategic effort. "The entire leg over the network is triple encrypted," he says.

That data, along with product offers and product keys, is used to populate the buffers of the electronic dialers that make the phone calls for each call center session. A homegrown interface on a call center worker's workstation displays "only what [data] they need to make the call," Lindenmayer says. No cell phones, papers, pens, or pencils are allowed in those call centers, to keep workers from recording data. At the end of a session the call center worker logs off and the buffers are emptied of data. "At no time do we keep a lot of records out in the field," he says.

It's an insular, mostly homegrown system, which helps Lindenmayer, who's worked for DialAmerica for 25 years, the last three as its CIO, keep it secure. "We've gone to great lengths to lock down the company internally," he says. "We've seen the writing on the wall. We need to be sure we don't lose any of this data."