Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Friday, March 17, 2006

NY AG settles massive privacy breach

New York Attorney General's March 13, 2006 press release shows the importance of adhearing to what you say in your privacy statement:

Attorney General Eliot Spitzer today announced a settlement to address what may have been the largest breach of privacy in internet history.

The settlement with
Datran Media, a leading e-mail marketer, follows an investigation that identified the improper disclosure of the personal information of more than six million American consumers.

"With this case, we hope to set a new standard for internet marketers and consumer research companies," Spitzer said. "Personal information secured through a promise of confidentiality must always remain confidential."

Datran was alleged to have improperly used information it had obtained from several companies that compile and sell information on consumers.

The largest such company, Gratis Internet, had assured consumers on several web sites it owned and operated that it would "never lend, sell or give out for any reason" the information provided by users. Among the sites on which Gratis collected user information were "freeipods.com" and "freedvds.com."

The Attorney General’s investigation revealed that Datran knew of Gratis’ promise to consumers when it purchased the consumer lists. But after obtaining these lists, Datran sent millions of unsolicited e-mails to the listed consumers.

The seven million files that Gratis sold to Datran is believed to be the largest deliberate breach of a privacy policy discovered by U.S. law enforcement to date.

Under an Assurance of Discontinuance with the Attorney General, Datran has agreed to pay $1.1 million as penalties, disgorgement and costs. Datran must also:

• Destroy the information obtained from Gratis and the other list sellers at issue;

• Avoid acquisition of any personal consumer information without first independently confirming that such acquisition is permissible under relevant seller privacy policies; and

• Appoint a Chief Privacy Officer or other employee to oversee privacy compliance efforts.

Spitzer noted that Datran cooperated fully with his office’s investigation, and that the company began improving its list purchasing and due diligence practices in April 2005, just prior to the commencement of the investigation.

Beth Givens, Director of the Privacy Rights Clearinghouse, a consumer advocacy organization hailed the settlement.

"A privacy policy is more than an empty promise. Companies must be held to their word. Attorney General Spitzer sends an important message to any company that would violate the terms of an agreement of a data seller."

Spitzer said he hoped the case would help establish basic controls on data compiled and sold by professional consumer research companies and list builders.

"Companies must adhere to known privacy policies and promises. Failing to do so constitutes a clear consumer fraud," said Spitzer.

Spitzer’s office is continuing an investigation into Gratis and other companies that compile and sell consumer information.

This matter was handled by Assistant Attorney General Karen Geduldig of the Attorney General’s Internet Bureau, under the direction of Ken Dreifach, Chief of the Internet Bureau, and with the assistance of fraud analyst Sibu Thomas.

Emphasis added. This press release pretty much says it all. Meanwhile, Datran has not issued a press release of its own.

On a related note, Spitzer is ever on the lookout for internet violations. The AG's Internet Bureau has an online complaint form for consumers to file Internet Concerns. A PDF fill-in version of the complaint is here. So, be careful with what you do with personal information and adhear to what you promise to do with such information. You are just a few clicks away from being reported.

Tags: , , , ,


Anonymous Anonymous said...

In the lawsuit filed against Gratis Spitzer states that Gratis falsely represented to each (Datran, JDR, and Jumpstart) that it has received its users' permission to share the data. PP 31 of verified petition. So did Datran settle because they were concerned that they would be held responsible for the privacy guarantee in GRatis' privacy policies even though in the agreement they had with Gratis, Gratis "warranted that the data being shared consisted of records of persons who have supplied Affirmative Consent (as defined in the Can-Spam Act of 2003) to receive third party commercial em-mail advertising messages?" In the investigations that preceded the Datran settlement the Attorney general found that "Notwithstanding this deceptive statement in their agreement, Datran apparently knew about, or discovered, the restrictions on the data, prior to accepting it. For this and related practices, Datran entered into a voluntary Assurance of Discontinuance with the Attorney General..."

So what if Datran had not known? Would they be responsible for investigating the privacy policy themselves? What if they privacy policy had changed after the agreement was made and Gratis did not notify Datran?


3:33 PM  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home