FTC: Data Security Is Top Concern

Security of consumer data is "of the greatest and highest concern in our enforcement work," according to Eileen Harrington, the deputy director of the Federal Trade Commission's Bureau of Consumer Protection, speaking at the Direct Marketing Association's Email Evolution conference in San Diego on Tuesday.

Forecasting federal legislation protecting data security, Harrington said the FTC has already punished big-name companies for data security breaches. She urged online marketers to adopt all "reasonable and appropriate" measures to protect consumers and themselves.

The bar isn't terribly high. Reasonable and appropriate measures to protect personally identifiable information include, for example, "downloading common security patches to protect against hacking attacks." But that doesn't mean marketers are doing it.

While describing the measures as fairly simple, Harrington noted that Microsoft was one of the companies fined by the FTC for failing to protect consumer information.

On a related note, Harrington had some happy news for behavioral marketers at the conference, organized by the DMA's Email Experience Council. Although some advocates insist that behavioral tracking and ad serving violate consumer privacy, the FTC isn't "so sure." More to the point, the decision by Congress not to consider proposed legislation governing behavioral marketing means the FTC has turned its focus "to cases where there's not just chance, but actual harm to consumers."

Nonetheless, Harrington said the industry must still move to adopt voluntary rules for behavioral marketing. Even among marketers, "there's consensus that there needs to be far greater transparency... [and that] consumers don't know what's happening, and they don't have an opportunity to exercise meaningful choice."

Although it's not an official proposed rule-making, the FTC has posted a series of sample rules online for discussion and comment, and extended the comment period to April.

Turning to the CAN-SPAM Act, Harrington said the FTC was pleased with the results of the 2003 legislation, noting that legitimate email marketers are mostly compliant, while "ISP email filters are increasingly effective at keeping SPAM out of consumers' inboxes." To date, the commission has "brought over 30 cases challenging illegal SPAM," with 80% involving "some kind of opt-out failure" and 50% involving a deceptive subject line.

In some of these cases, the FTC has levied civil fines up to $900,000. "I'm sure we'll move into fines over $1 million before too long," she added.

The overall success of the act has prompted the FTC to shift its focus somewhat. "The most problematic SPAM now is tied into conduct that is really criminal," she said, including fraud, identity theft, downloads of malware and spyware.

However, this doesn't mean that legitimate marketers are off the hook. Harrington noted that marketers that are otherwise above-board may unwittingly partner with third-party vendors that use illegal methods to deliver advertising.

"You are responsible for knowing how your ads are delivered to people's computers," she said. And while it hasn't happened yet, Harrington warned that the FTC "certainly would" punish advertisers for partnering with a shady third party that, say, loads ad software without providing adequate disclosure and receiving consent.
