Search This Blog

Wednesday, November 23, 2005

Beware the Third-Party (Temporary) Database

They’re out there everywhere, even more so than the humongous, permanent databases like ChoicePoint, Acxiom, Experian, Equifax, TransUnion, etc. They are assembled on a temporary basis for a specific purpose, usually for a mailing to several million households. They can end up in the largest of metropolitan areas or on the rural back roads of any state.

I am talking about third-party databases that are created solely for the purpose of mailing a company’s products or services, and involve a very specific selection technique that often requires the use of personal data. In addition to your name and address, this could include age, income, ethnicity, travel habits, religion and politics, home equity, credit cards carried, reading choices, likelihood of being a drinker or gambler and much, much more. You get the idea.

The most likely places these temporary databases end up are: printing companies, mailing houses, advertising agencies, computer service bureaus, fulfillment operations, list brokers, list managers, and market research firms. And then there are the delivery services: UPS, U.S. Postal Service, Fed Ex, DHL, etc. Earlier this year, UPS lost computer tapes with the private information of 3.9 million CitiFinancial customers. They were in transit to a credit bureau.

I worked for one of the giant database compilers and during my indoctrination period, was sent to the home office for orientation into the company’s various procedures. On the day we visited the data processing department, the thing that stood out was not the impressive amount of computer equipment that was all around us, but it was the massive inventory of computer tapes that were stored in the tape library. Thousands of tapes, row upon row.

My usual curiosity got the best of me and I started asking questions about what was on the tapes. The answer was that many of them contained raw data for input into the master file, but the largest number included transactions of list orders (names and personal data) that had been prepared for junk mail companies. Commenting on a stack of tapes in disarray, the head of the department told me that it was often necessary to ship out hundreds of tapes with the names and private information to themselves (the same company address), just to make room for inventory during those few days of transit.

But the sleeping giants of third-party databases are the computer facilities that perform what is known in junk mail as the “merge/purge.” This is a matching process where millions of names and personal data are fed into the computer simultaneously to eliminate duplicate names. In the process, this procedure also extracts meaningful data that can be used later to draw comparisons and to pry even deeper into the everyday lives of the typical household.

So what happens to these computer tapes after they have fulfilled their job? They are supposed to be returned to the original computer service bureau maintaining the database, or scratched (meaning, erased). In a number of instances they are returned, but in many cases they languish in the third-party locations, mostly forgotten, and eventually just end up on a shelf with minimum or no security.

Third-party use of consumers’ private information by financial institutions is controlled by the Gramm-Leach-Bliley Act, passed in 1999. They are required to notify customers when their data is supplied to third-party vendors. The time has come to expand this approach to all data of a personal nature in order to curb the current identity crisis.

This problem is not just a figment of my imagination. These are either first-hand observations by myself, or they are reported fact from individuals who maintain control over the ordering and shipping of names and personal data, and/or the junk mail companies that receive them.

Your private information continues to remain in perpetual jeopardy, and the only answer is to pass federal legislation that gives you control, and, in the process, pay you for its use. Don't you agree?

Wednesday, November 09, 2005

Microsoft Agrees, Well Almost, With The Dunning Letter

In a Washington Post article, “Microsoft Calls for National Privacy Law”, by Brian Krebs and dated November 3, 2005, he writes that Microsoft has called on Congress to pass federal privacy legislation. He goes on to predict that this move will push lawmakers beyond the current provision of just notifying individuals when their personal data is breached. Nothing really new yet.

And then Krebs hits the target. Well, almost. He writes that “…Microsoft said consumers should have at least some control over how their personal information is used and disclosed.” Beginning to sound familiar? This has been my stand for over ten years, except, I would give individuals complete control over their names and private information and pay them for its use.

As the article indicates, here is an industry giant that seems to be admitting that the information business is simply too large to regulate itself on privacy. Further, that fifty different—and, perhaps, not nationally acceptable—state laws could be a nightmare.

Besides, when it comes to regulation, we aren’t just talking the junk mail companies—whose revenue on selling names and personal data alone accounts for $4 billion annually—we are also talking non-junk mail, such as the pharmaceutical industry and financial institutions. We need federal legislation that will level the playing field between government and business needs, while at the same time protecting consumer privacy and giving back what is rightfully ours.

The big guys posted a statement online, “Microsoft Advocates Comprehensive Federal Privacy Legislation,” also on November 3. Brad Smith, senior vice president and general counsel, delivered a speech to the Congressional Internet Caucus and outlined three key factors: 1) the state and federal patchwork of data privacy laws; 2) growing consumer fears over identity theft; and 3) the increasing desire of individuals for control over their names and private information. All three, staples of The Dunning Letter since its introduction last April.

The irony of the situation is that, if the junk mailers and non-junk mail companies would just give up control of this data and share in the wealth, the average consumer would most likely reciprocate by increasing their habits of shopping or dealing direct, and everyone would be the winner. The idea is original, bold and even outrageous according to present-day standards, but workable.

And then there’s the bad news. While Microsoft puts in its two cents for more substantial federal legislation, Congressional leaders continue to mock the plight of the identity crisis by recently passing a bill (November 4, 2005) that not only does not fully protect individuals, but it will pre-empt the California law that does allow consumers to protect themselves. "Data theft bill a step backward" by David Lazarus in the San Francisco Chronicle, states “The Republican-backed bill was approved in a 13-8 vote along party lines…”

The bill does require the reporting of data breaches, but according to Lazarus, the description of this is vague: “…contains no definition of what constitutes a ‘significant risk.’” Consumers Union agrees in their letter to Congressional leaders, “RE: Oppose H.R. 4127, Data Accountability and Trust Act (DATA),” sent on November 2, 2005.

CU had six key concerns you should read about, but their main point was that the bill’s “…so-called breach trigger for notice to individual consumers is nearly insurmountable.” They go on to note that, had the bill been in effect in early 2005, it would be doubtful if any of the 50 million breaches would have been covered.

Pathetic! This doesn’t even qualify as a band-aid approach to the problem. And I don’t know if you can blame it all on the Republicans, since I haven’t heard any screaming by the Democrats over the inequity of the bill.

Folks, if you don’t join my grass-roots effort soon, you’ll find yourselves out in the cold without your identity. According to the Web site Identity Theft Resource Center, victims of ID theft spend over 600 hours of their time to clear their name, equaling nearly $16,000 in lost potential or realized income. And that doesn't even include attorney fees for credit repair.

Let me hear from you. Tell your friends and family. Write your local paper. Contact your members of Congress. Give me some ammunition to get this movement going, and I promise that I will not disappoint you.

Tuesday, November 01, 2005

Why Does the Junk Mail Industry Refuse to Reveal Name and Personal Data Sales Revenue?

The Direct Marketing Assn. (DMA) has just issued its study, “U.S. Direct Marketing Today: Economic Impact 2005,” with figures on most revenue centers in junk mail. Except, that is…the money that is made from the sale of your name and personal data.

Statistics headlined in Direct, an industry publication, trumpets “DM Sales to Hit $1.85 Trillion.” It does not say how many consumer names, addresses, and private information it will take to achieve this goal. I can. Millions. In my best estimate, the junk mail list industry garnered approximately $4 billion off your namesake and personal data in 2004. They do this annually and have, for several years.

Some other figures in the study include 10.6 million jobs in junk mail. There is no breakdown of list business employment, but I can personally attest to the fact that at the annual conventions, the list people appeared to dominate the gathering. Schmoosing, brown-nosing, trying to prevent their clients from talking to other junk mailers. There’s an old saying about list brokers: they are called prostitutes because they’ll do anything to make the sale.

Here’s another fact that is both surprising and bewildering at the same time. Spending on telemarketing, at $47 billion, topped the list of expenditures by medium. This, when the National Do Not Call Registry has grown to over 100 million telephone numbers, with 675,000 complaints filed in 2004. I’m guessing that with this budget, there will be a lot more complaints in 2005.

But why is the junk mail industry so silent, actually downright secretive, about what is made from the sale of mailing lists? It’s an esoteric thing and for years they have kept it that way. That is, until now, with a maverick, former list broker blowing the whistle. That’s me, of course. The list folk are running scared, terrified that they will eventually have to give up some of the spoils. And this applies not just to junk mailers but also to non-junk mail companies that are capturing your name and private information.

Most companies pride themselves on their revenue and earnings. However, most of these are public corporations, and the list business is almost 100% privately held. They have been getting away with it…until now.

Believe me, I tried by surfing every site that might have this data. When searching for “list sales revenue,” the DMA has 159 sites; Direct Magazine, 538; and DM News, only 5; the latter two being industry publications. When “Googling” “mailing list sales revenue stats,” there were 4.1 million hits. As with the others, nothing. Zilch. I consider that anything past the fifth page will probably not produce anything very relevant.

In case you aren’t familiar with the math of mailing lists, let me enlighten you to a profit center that puts all other profit centers to shame. I am speaking of junk mailers here—catalogs, solo mailings, etc.—not data brokers, who have a completely different cost/profit ratio. The junk mailers realize around 60% in profit on every dollar made from the sale of your name and personal data.

How do they do it? Names are a by-product of the merchandise or services you purchase. It’s a, “Duh, look what we found, so what can we do with it?” mentality. Once the potential, along with this neat profit margin was discovered—over fifty years ago—well, you know the rest of the story. That annual $4 billion thing.

The making of all this money doesn’t bother me; that’s the American way. What does worry me is the fact that you, the name holder, do not share in these profits. Am I crazy, or does it really make sense that the person with the name, the address and the private information should benefit from its sale? As far as I am concerned—and I bet the majority of you as well—it’s a slam dunk.

So what do we do? Again, I have the answer. Pass federal legislation that will give you and other consumers control over your names and personal data and pay you for its use. My plan would put $607 per month in the pocket of each age 65 retiree and you would be virtually free of identity theft.

But I cannot do it alone. Please join my grass-roots effort to put this legislation before Congressional leaders. Talk to your friends and family. Write “letters to the editor.” Contact your Congress person. Together we can make this happen.