NY AG settles massive privacy breach
New York Attorney General's March 13, 2006 press release shows the importance of adhearing to what you say in your privacy statement:
Attorney General Eliot Spitzer today announced a settlement to address what may have been the largest breach of privacy in internet history.
The settlement with Datran Media, a leading e-mail marketer, follows an investigation that identified the improper disclosure of the personal information of more than six million American consumers.
"With this case, we hope to set a new standard for internet marketers and consumer research companies," Spitzer said. "Personal information secured through a promise of confidentiality must always remain confidential."
Datran was alleged to have improperly used information it had obtained from several companies that compile and sell information on consumers.
The largest such company, Gratis Internet, had assured consumers on several web sites it owned and operated that it would "never lend, sell or give out for any reason" the information provided by users. Among the sites on which Gratis collected user information were "freeipods.com" and "freedvds.com."
The Attorney General’s investigation revealed that Datran knew of Gratis’ promise to consumers when it purchased the consumer lists. But after obtaining these lists, Datran sent millions of unsolicited e-mails to the listed consumers.
Under an Assurance of Discontinuance with the Attorney General, Datran has agreed to pay $1.1 million as penalties, disgorgement and costs. Datran must also:
• Destroy the information obtained from Gratis and the other list sellers at issue;
• Avoid acquisition of any personal consumer information without first independently confirming that such acquisition is permissible under relevant seller privacy policies; and
• Appoint a Chief Privacy Officer or other employee to oversee privacy compliance efforts.
Spitzer noted that Datran cooperated fully with his office’s investigation, and that the company began improving its list purchasing and due diligence practices in April 2005, just prior to the commencement of the investigation.
Beth Givens, Director of the Privacy Rights Clearinghouse, a consumer advocacy organization hailed the settlement.
Spitzer said he hoped the case would help establish basic controls on data compiled and sold by professional consumer research companies and list builders.
"Companies must adhere to known privacy policies and promises. Failing to do so constitutes a clear consumer fraud," said Spitzer.
Spitzer’s office is continuing an investigation into Gratis and other companies that compile and sell consumer information.
This matter was handled by Assistant Attorney General Karen Geduldig of the Attorney General’s Internet Bureau, under the direction of Ken Dreifach, Chief of the Internet Bureau, and with the assistance of fraud analyst Sibu Thomas.
Emphasis added. This press release pretty much says it all. Meanwhile, Datran has not issued a press release of its own.
On a related note, Spitzer is ever on the lookout for internet violations. The AG's Internet Bureau has an online complaint form for consumers to file Internet Concerns. A PDF fill-in version of the complaint is here. So, be careful with what you do with personal information and adhear to what you promise to do with such information. You are just a few clicks away from being reported.