If you want to work with Fortune 500 clients, you must bolster your cybersecurity efforts.

Data protection has become large prospects’ number-one priority in the RFP process, edging out sustainability and DEI, according to Robert Fiveash, co-owner and co-president of Raleigh, North Carolina-based distributor Brand Fuel.

“If somebody wants to do harm and has enough money, time and skills, they’ll find a way to do it,” Fiveash says. “So, we all have to be diligent here. We have lots of client data for kitting and fulfillment projects, and we have to be safe stewards of that data. It’s a conversation that this industry needs to have.”


GDPR: The Gamechanger

The General Data Protection Regulation (GDPR), which went into effect in 2018, has raised the stakes for any promo firm doing business with clients either based in the European Union (EU) or serving customers there.  

  • Considered the toughest privacy and security law in the world, the GDPR limits what organizations can do with personal data and significantly penalizes those who violate its standards.


Large enterprise clients don’t want to run afoul of the law, so they require distributors, as well as the suppliers and third-party logistics (3PL) providers they work with, to also be GDPR compliant.

As a result, Brand Fuel has had to obtain data privacy agreements from its technology and fulfillment vendors. “They’ve all done it after some jostling and explanation as to what it is and why it’s important,” Fiveash says.

“This isn’t inexpensive – you have to get lawyers involved and work on contracts. It takes time and education. But at the end of the day, these 3PLs will be much better off in terms of their data protection and marketing. It’s a competitive advantage to be compliant.”

Paying The Price

Fiveash stresses that getting – and remaining – compliant comes with a hefty price tag, estimating that it could cost between $50,000 to $250,000 depending on the size of your clients.

For example, if you service a national insurance company who wants to send kits to its millions of policy holders, that firm will require a much greater level of data protection than a mom-and-pop shop wanting to send 10 kits locally.

“This stuff is expensive and requires a level of understanding of technology that’s sometimes hard for everyday folks to comprehend,” Fiveash says. “If there was a collective solution that would enable smaller distributors to jump in this together and benefit all the clients we have, I think it would be met with very eager ears and eyes.”

With most of its clients being large technology firms, Brooklyn Center, Minnesota-based distributor Imprint Engine has invested a lot in cybersecurity, even paying for third-party audits to find room for improvement.

The company spends around $50,000 a year to ensure systems are up to date, which CEO Caleb Gilbertson considers as merely the cost of doing business.

“Every RFP for large organizations that I’ve seen in the last five years includes some level of cybersecurity requirements,” Gilbertson says. “It’s becoming an even bigger requirement for the more modern distributors who are being asked to run e-commerce software and deal with sensitive employee information.”

Cautionary Tale

Memphis, Tennessee-based distributor Signet learned the hard way about the importance of cybersecurity.

Six years ago, an employee clicked on a link that led to ransomware. Fortunately, the system was protected enough so that only a day of emails was lost. But because of that security breach, David Tate, president and COO of Signet, has become a fanatic about cybersecurity.

I thought that we were in good shape, but we didn’t have those layers of protection,” Tate says. “Whereas nowadays, if our employees receive a malicious link, it’s already stripped. They can click on it and nothing will happen.”

Signet, which earned PPAI 100 High Marks in the Innovation category, relies upon a Layer 7 firewall with anti-malware and intrusion detection/prevention. The configuration monitors all traffic within the organization and is capable of stopping it, even between internal devices.

  • The company’s external/VPN users are subject to the same inspections.
  • Workstations, laptops and servers are also protected by a software security suite. 
  • User accounts are all protected by multi-factor authentication (MFA) and a variety of security access policies.
  • Data integrity is maintained by a multi-stage backup configuration, in which servers are backed up locally to a warm cloud site, and then to a separate cold cloud site.


“You never say we’re totally safe, but cybersecurity is a continual focus,” Tate says. “We’re continuously upgrading to new protected devices, or our current protective software is greatly enhanced. There’s no question that it has to be part of the cost of doing business because the cost of having your system be down is so catastrophic now.”

“Do It The Right Way”

North Georgia Promotions, which also earned PPAI 100 High Marks in the Innovation category, stepped up its data protection game at the dawn of 2022 after switching IT providers.

Among its improvements, the Alpharetta, Georgia-based distributor set up folders in which only employees who need the information are able to access it, enabled facial recognition for using machines and has a triplicate backup of files. Plus, the company uses Intuit for storing client payment information.

“If you want to stay in business and be a reputable business, do it the right way and pay whatever the cost is,” says Shawn LaFave, MAS, president of North Georgia Promotions. “Don’t jeopardize exposing your clients, including their artwork or emails. Don’t jeopardize someone having access to that who’s going to use it maliciously.”

LaFave says he’s been asking suppliers and tech providers to upgrade their systems for years. He’s optimistic about the future of the industry, though, after seeing a “critical mass” of suppliers finally joining PromoStandards – a PPAI business services member – in the last couple years.

“No one needs to get compromised when it’s not that difficult,” LaFave says. “It does cost monthly expenses to keep the IT team going, but it’s one of those things where even if you’re in a buying group and they do a lot of your processing, you’ll still have documents that you have to transfer back and forth. If you’re not doing it securely, that’s exposure.”