FTC Names Breaches, Spam Top Priorities

“None of our cases in this area have been close calls,” Harrington said: “They involve the failure to do [easy] things that should have been done,” such as failing to “implement security patches and to prevent the most common hacker attacks.” Businesses should feel comfortable coming to the FTC for policy advice, she said: “We're not trying to put notches in our data security belt.” FTC personnel “really want” to work with lawmakers to craft a good breach notice policy, she said: “Any notification should be triggered by a threat of real harm. We don’t want notices to be as ubiquitous as privacy notices from credit card companies that nobody understands.”

The FTC continues to push companies to adopt e-mail verification, although “we never thought it was a silver bullet,” Harrington said. Only about 1/4 of Fortune 500 firms authenticate e-mail, she said: “That’s just not good enough.” Also of concern to the FTC is a recent surge in malicious spam “beyond annoyance or garden variety fraud,” Harrington said. The FTC Spam Summit July 11-12 doesn’t aim to “tee up” a request for new laws or authority, she said: “The first resort is not new laws, but to encourage the industry” to develop technical solutions. For technology problems, “we think the solutions are likely to be technology-based and that the private sector can be much more nimble in responding to” such technological issues, she said.

The FTC also is battling a rise in spam, Harrington said. Under the CAN-SPAM Act, the Commission has brought more than 89 spam-related cases against 241 defendants -- “a drop in the ocean,” but for a 1,000-person agency that’s an impressive effort, she said. The Commission should finish its CAN-SPAM rulemaking “pretty soon,” she said: “But since the worst -- keystroke bloggers, people emptying out bank accounts -- are hard-core criminal enterprises… that’s a real challenge,” she said: “One of the best things to do is secure your systems” and work with customers to do the same. -- Alexis Fabbri

DMA E-mail Policy Notebook…

Jurisdiction shouldn’t be a “huge dilemma” in sorting out the data breach bills in Senate committees, Commerce Minority Chief Counsel Ken Nahigian said at the conference. His committee’s bill resulted from industry pressure to simplify the state “patchwork” of laws. It emphasizes company flexibility, a “reasonable trigger” for notification and state preemption. The Judiciary bill focuses on criminal behavior and taps the Secret Service rather than FTC to investigate whereas the Banking bill was only a response to states instituting their own credit-freeze provisions, so there’s not much in conflict, he said: “I think [settling on one bill] can be done if we're told to do so.” The Banking bill is “still a work in progress,” but Senate Majority Leader Reid (D-Nev.) has called passing a breach bill a priority, said Majority Counsel Alex Hoehn-Saric. The conflict is partisan rather than jurisdictional, with Nahigian calling preemption in a breach bill “game-set-match” for Republicans: Co-Chmn. Stevens (R-Alaska) “doesn’t see the point of this exercise at all” if states can build on federal breach law. He blamed a “media-driven frenzy” after breach publicity that ignores whether actual harm has been done, and said in his 7 years on the Committee, he has only heard industry say it’s having a “horrible time complying with these [state] laws.” Commerce is waiting for FTC’s response to its request to analyze CAN-SPAM’s efficacy, and Interstate Commerce Chmn. Dorgan (D-N.D.) is satisfied with “further oversight” and not a rewrite or new bill, Hoehn- Saric said. Nahigian said his Yahoo inbox had 3,000 unwanted messages that day, and this weighed against CAN-SPAM’s adequacy. Business must find “a way of making money off of stopping” spam, rather than Congress succumbing to “pent-up frustration” over spam and passing “hyperbolic and politically driven” legislation that doesn’t really protect consumers. It’s not clear whether the Wyden-Boxer-Nelson spyware bill from last Congress will be resurrected by the remaining Commerce sponsors, said Hoehn-Saric, a Boxer staffer last Congress -- but Senate tradition is to “revise [prior bills] for the current situation.” “There are legacy bills that are passed on,” but the new members on Commerce and the absence of the “Freedom Corner,” led by ex-Sens. George Allen and Conrad Burns, may cut against the bill’s return, Nahigian said. To hold congressional attention on an issue, Hoehn-Saric said, business shouldn’t “flood” the committee just before a markup or hearing, but give it a steady flow of information to digest. Both counsels avowed no telecom expertise on the committee, but Nahigian noted a roadblock to renewing the Internet tax moratorium: “There’s a divide in different caucuses on that issue.” Chmn. Inouye’s (D-Hawaii) Identity Theft Prevention Act (S-1178) passed the committee, and though it sets up a confrontation with Finance because of its Social Security number privacy provisions, Finance may decide a fight isn’t worth it, Hoehn- Saric said: “We've become better and better at doing things outside our jurisdiction.” -- GP ----

The CAN-SPAM Act is showing limitations in situations the drafters didn’t contemplate, Center for Democracy & Technology (CDT) staff counsel David Sohn told the conference. A Senate Commerce Committee staffer under Sen. Wyden (D-Ore.) who helped draft CAN-SPAM, Sohn said most CAN- SPAM reform ideas “wouldn’t make a lot of difference,” since the main challenge is law enforcement, not substantive provisions about unwanted e-mail. The committee didn’t expect states to pass their own CAN-SPAM-type law, Sohn said. CAN-SPAM contains carveouts for states to enforce their criminal laws in the e-mail context. But Utah and Mich. approved do-not-e-mail registries to keep smutmongers from e- mailing children, citing the e-mail spread of child porn as the justification. Not wanting to hamstring states in applying broad criminal laws, the committee didn’t foresee emergence of criminal laws specific to e-mail, Sohn said. The Utah and Mich. registries catch legitimate senders and crooks, negating the law’s intent, he said. CDT wasn’t satisfied with changes Utah made to its registry, and its suit to overturn the law continues (WID March 22 p10). -- GP ----

Marketers are worried that antispyware bills and the CAN-SPAM rulemaking will block “legitimate” marketing techniques, said Tony Hadley, Experian vp-govt. affairs. The Direct Mktg. Assn. “believes in its own ability to handle the problems,” he said. Jordan Cohen, Epsilon dir.-industry & govt. relations, agreed: “We want to convey the message to the FTC that yes, the raw volume of spam out there is high,” but not much actually makes it into inboxes. Cookies, Web beacons, behavioral targeting and other modern marketing techniques would “fall under the purview” of 2 antispyware bills, SPY-ACT (HR-964) and I-SPY (HR-1525), he noted: “It’s such a threat,” to the industry, “it’s really broader than spyware,” Cohen said: “It speaks to the bigger issue of data,” the cornerstone of the marketing business. “If we accept opt-in as a precedent, we're all in for a very bleak future.” Marketers instead urge a “relevancy” standard that would allow the transmission of messages that consumers would -- in theory -- actually want but perhaps not request, he said. -- AF ----

E-mail marketing is no longer “glamorous,” and people call practitioners spammers, but it still offers an eye- popping $57 return on each dollar spent, Return Path Chmn. Mark Blumberg said at the conference. At the recent E-Mail Insider conference, 2/3 of onlookers said their e-mail marketing budgets had risen more than inflation from last year’s, he said. Filters still block 20-25% of messages, but the rates varying widely by ISP and filter, Blumberg said. Small changes to e-mail newsletters can draw subscriptions, marketers said. SmartBrief, which handles e-mail newsletters for industry and advocacy groups, saw subscriptions to its services rise after adding a “top 5 most e-mailed stories” section to its template, CEO Rick Stamberger said. At the National Geographic Society, e-mail subscriptions jumped 70% after changing from text to HTML the format of its generic confirmation e-mail message for Web transactions and adding a link to a “photo of the day,” said Lauren Skena, e-marketing mgr. Some sites rush to dump subscribers from e-mail lists when they show no indication of heeding messages, a potentially costly move, said Jeanniey Mullen, Ogilvy & Mather e-mail mktg. dir. The ad agency learned that a hotel client’s customers weren’t traveling when they weren’t dealing with the e-mails, and changed hotels after they stopped getting them. “Holistic branding” must be considered when dealing with consumers perhaps influenced by e-mail but not clicking links.