• by Laurie Sullivan  @lauriesullivan, July 14, 2010

Did you know that unknowingly passing personally identifiable information to a third-party source is considered identity theft? Marketing and ad executives got the lowdown on mitigating risk, protecting trade secrets, and protocols for storing PII at the Southern California Venture Network ad event earlier this week.

Tiffany Kahnen, corporate attorney, put out a call to SCVN attendees to pay more attention to collected, bought and stored data. Companies that buy data, for example, from "dirty sources" might have 500 names in a million that include credit card and social security information, but "passing that credit card data to a third party is considered identity theft -- something that can get you in deep trouble with the FTC," she says. (See Kahnen's clarification in comments.)

To mitigate risk, Kahnen offered some suggestions. For starters, take time to sort through the terabytes of data and strip away sensitive information that could unknowingly be sent to third-party companies.

The Federal Trade Commission has begun to take action against those who misuse data, "lining up people left and right, and it's getting ugly out there," Kahnen says. Technology will require the advertising industry to lock down data and find ways to mitigate risk, she adds.

The Massachusetts data privacy law now requires companies to write down what the company will do if there's a security breech, how to handle it, and estimates on how far the breeches can extend, according to Kahnen. It also requires encryption and programs that enable companies to identify when breeches occur.

Aside from protecting customer data for behavioral targeting or retargeting platforms, lock up any trade secrets if suits get to court and judges need to make decisions based on company evidence.

Most ad executives have the ability to keep trade secrets a secret in some ways, but not in others. Kahnen defines "trade secret" as information, device, or compilation of ideas. The online advertising industry, built on these trade secrets, relies on ingenuity and intellectual property -- things that cannot be patented, but offer the company a competitive edge.

Kahnen suggests that small companies that don't have corporate formalities in place to protect themselves can discover that one lawsuit can easily penetrate through the business and into personal lives.

Putting firewalls and password protection into place for Web sites, storage devices and mobile phones are the obvious tactics to protect intrusions, but what about protecting trade secrets? Sometimes data sent out to third-party companies could contain confidential client information, similar to data lists bought from outside sources.

Always encrypt data sent out of the company. Unencrypted data will destroy trade secret protection lawsuits because it says to the court the data wasn't worth protecting.

Kahnen also touched on electronic contracts. As more advertisers move to electronic contracts, putting safeguards in place can save companies tons of money. Some hold weight in a court, but most times in litigation, they fall flat. For starters, clients must scroll through the agreement to click the "I accept" or "I agree" button. Along with the "I Agree" button, add an "I do not accept" button that logs out the person from the Web site when clicked on.

Technologies like ContractPal -- electronic signature software that's ESIGN-compliant -- can cost a mere $2.50 per contract, but can prevent headaches in the long run. Kahnen also suggests storing the IP address when capturing the signature.

If there's a jurisdiction clause, have an initial box next to the provision before the person scrolls down to the "I agree" button. For companies that choose not to use a digital signature, these features add validity to quick-wrap agreements built into the Web page that enable clients and consumers to scroll through and acknowledge an understanding of the terms and conditions with a click.