Firms Liable for Buying Ill-Gotten Email Lists
eSecurityPlanet Columnist Ray Everett-Church says the case against Datran Media serves as a good warning. Knowingly buying an ill-gotten email list could leave you liable.
But when it comes to email spam, the message from New York's intrepid Attorney General Eliot Spitzer is clear: Knowingly buy a crappy email list and you could be in big trouble!
In fact, according to Spitzer, his office's investigation "revealed that Datran knew of Gratis' promise to consumers when it purchased the consumer lists. But after obtaining these lists, Datran sent millions of unsolicited emails to the listed consumers."
Thus, Datran settled the case, paid $1.1 million in penalties, agreed to destroy the email lists, and -- in a provision near and dear to my heart -- agreed to hire a chief privacy officer to oversee the company's future behavior.
Being held accountable for buying illegally obtained material is neither a new concept, nor should its application to this scenario be considered surprising. People have been prosecuted for receiving stolen goods for decades.
Most people with IQs higher than houseplants know that if somebody is selling a real Rolex wristwatch on a street corner for $50, the watch is so 'hot' it would burn a hole through your wrist.
I have no doubt that if Gratis employees or executives had gone out of their way to be more stealthy in disguising the nature of the company's data gathering practices, or if Datran had a more credible claim to having been hoodwinked, the story for Datran would be very different.
So if you can get pinched for buying goods that 'fell off the back of the truck', why not face liability for receiving data that you knew, or had reason to know, was obtained through improper means?
That is the core of Spitzer's case against Datran, and it is the $1.1 million lesson that Datran learned.
But how does a business know if the database of email addresses that it's buying is 'hot' or otherwise legally suspect? The answer is simple: due diligence.
One of the roles of a privacy officer is to look askance at every deal and, in an updated version of Deep Throat's exhortation to Watergate sleuths Woodward and Bernstein, "Follow the data".
In the case of Datran's purchase of lists from Gratis, the entire investigation could have been conducted during the first meeting between the salesperson from Gratis and the buyers at Datran.
It would have consisted of three simple steps:
If there's one thing I've learned over the last decade of dealing with spam and email marketing issues, it's that there are a lot of sleazebags in the industry. But the problem is that it can be hard to tell who the sleaziest players are without doing a little research.
Fortunately, there are amazingly detailed resources on the Internet, including the Registry of Known Spam Operations (ROKSO) list operated by SpamHaus.org, that make it easy to peer into the past behavior of email marketers.
And when you're as brazen as Gratis is accused of being, the investigation need go no farther than a few clicks on the company's web page.
While some in the database marketing industry may be appalled to learn that people like Spitzer expect them to act like responsible fiduciaries for their company and do basic due diligence, none of this should come as a surprise. Indeed, smart privacy officers have been doing due diligence on email marketers, mailing lists, and service providers for years.
Sniffing out suspicious email list practices is just one of the many critical functions served by privacy officers -- and one of the many areas of potential disaster that you can look forward to if your company is foolish enough to venture into these waters without a privacy officer on the command deck.