Friday, March 30, 2007

Privacy & Data Protection 2007


The 5th Annual
Privacy & Data Protection 2007
"Data Protection: Global Compliance Management"
25 September 2007
Trinity House
Tower Hill, London

Pre-Press Agenda / Draft Programme: 30 March 2007


CLICK here to reserve your place now !!!


8:30 - 9:00 Registration & Coffee

9:00 - 9:15
Chairman's Introduction: Privacy & Data Protection overview
Alastair Gorrie, Partner, Orrick, Herrington & Sutcliffe, UK

Panel One: Data export compliance including binding corporate rules and outsourcing
9.10 - 9.40
Binding Corporate Rules: The UK Regulator's perspective
Sian Rudgard, UK Information Commissioner's Office
- The motivation for the BCR procedure
- The practical approach adopted by the ICO
- The work currently underway
- Cooperation procedure between EU DP Authorities


9.40 - 10.05
Data Protection and Outsourcing
Dr. Mark Watts, Partner, Bristows, UK
- What are the data protection legal issues?
- What are the respective positions and duties of the client and service provider?
- How to deal with offshore outsourcing and international transfers?
- How to address data protection in outsourcing deals?


10:05 – 10:35
Case Study: BCR approach of Accenture and practical implementation
Bojana Bellamy, Global Data Privacy Compliance Lead, Accenture, UK


10:35 - 11:00
Ensuring data protection compliance on a multi-jurisdictional basis within the EU
Speaker: TBA
- What do companies operating on a multi-jurisdictional basis need to do to ensure data compliance within the EU.
- Is a uniform compliance policy feasible?
- Compliance and transfers of data outside of the EU.
- Risk Management.
- How to deal with crisis and regulatory investigations.


11:00 - 11:15 Coffee

Panel Two: Data Transfers & Privacy Breaches

11:15 - 11:45
Global Data Transfers: Practical Options for Companies
Mark E. Schreiber, Partner, Edwards Angell Palmer & Dodge LLP, Boston, USA
- Data protection compliance options available for U.S. companies operating in E.U.
- How to audit data flow and identify when a company is subject to these laws
- Methods to address data transfer restrictions to U.S
- Consents, data protection agreements or "U.S. Safe Harbor"
- Constructing Sarbanes-Oxley hotline protocols in France and elsewhere in EU
- Data breach laws and company strategy in the US
- Data breach notices to individuals in US, EU and elsewhere


11:45 - 12:15
Responding to Privacy Breaches
Karen Jackson, Partner, Stikeman Elliott LLP, Toronto, Canada
- Which laws apply
- Incident Response Plan
- Internal investigations and forensic help
- Notices to individuals and strategy
- Notification Obligations at law and pursuant to contractual commitments
- Investigations by Privacy Regulatory Authorities
- Press relations, website and other remediation/follow-up


12:15 - 12:40
SOX, Data Protection and Hotlines: Whistle while you work?
Robert Bond, Partner, Speechly Bircham LLP, UK
- SOX 301(4)
- French, German and other EU concerns
- CNIL Guidelines and Authorisation
- Article 29 Working Party review
- Can 301(4) and EU laws sit side by side?


12:40 - 1:00
The Data Protection Interactive
- SOX, Data Protection and Hotlines
- Responding to Privacy Breaches
- Binding Corporate Rules
- Data Protection and Outsourcing

Panel Chairman: Alastair Gorrie
Panellists: Robert Bond, Mark E. Schreiber, Karen Jackson, Robert Bond, Dr. Mark Watts, Bojana Bellamy, Sian Rudgard


13.00 - 14.00 Lunch

Panel Three: Using and Managing Personal Data
14:00 - 14:10
Co-chairman's Introduction: Direct Marketing and Managing Personal Data
Co-chair: James Leaton Gray, Head of Information Policy & Compliance, BBC UK

14.10 - 14:40
Profiting from Privacy
Tim Beadle, Director, Marketing Improvement, UK
- Using Privacy laws to implement Sales force Automation
- Promoting privacy as a differentiator
- Fitting privacy into your website


14:40 - 15:05
Realizing business Value through Privacy Control Architecture
Speaker: TBA
- Issues: legal compliance does not equal compliance in practice
- Approach: only methodology available
- Outcomes: ROI, Iron clad compliance & transparency


15:05 - 15.30
Data Protection within Practical Marketing
Tim Trent, Consultant, Marketing Improvement, UK
- Incorporating Data Protection into Data Driven Marketing
- Why my Marketing Database needs to shrink
- Do Less and get More


15:30 - 15:45
Panel Discussion: Using and Managing Personal Data
Panel Chairman: James Leaton Gray
Panellists: Tim Beadle, Tim Trent


15:45- 16.00 Coffee

Panel Four: Subject access requests, Employee Protection and litigation
16:00 - 16:35
Data Subject Access Requests: Analysis, impact and case study.
Renzo Marchini, Dechert LLP, UK
- The impact of the Durant v Financial Services Authority UK judgment on data protection law generally, and subject access requests in particular.
- The UK Information Commissioner's reaction: guidance
- Subject Access Requests: practical tips on how to deal with them.
- Other recent cases.

16:35 - 17:00
Recent Developments with Employee information in Europe: subject access requests and litigation

Anne Coles, Senior Partner, AMC Law, UK
EMPLOYEE INFORMATION
- Employee records - what you can collect, what you can retain and what you must delete
- Monitoring your workers - email, web access, CCTV and surveillance - what you can and can't do
- Health records - occupational health schemes, drug and alcohol testing, genetic testing and beyond
LITIGATION
- Celebrity cases don't make good law
- Brief examination of recent case on privacy and data protection


17:00 - 17:25
Panel Discussion: Subject access requests and litigation
Panel Chairman: Alastair Gorrie. Panelists: Renzo Marchini, Anne Coles


17:25 Chairman's final remarks and close of conference

- End of Conference -

18:00 – 21:00 Cocktail Party



Thursday, March 29, 2007

Yahoo is having an email meltdown

This is the time to be very grateful that your permission based email marketing list is not a Yahoo Group:

Duplicate Messages and Email Delivery
We're aware of the duplicate message bug that has been affecting groups today and are working to resolve the issue (a side effect of this bug is that some messages are also being delayed). We have actually pushed two fixes already, but we are aware that some groups are still experiencing the problem and that more needs to be done to fully resolve the issue.

There is, however, one silver lining to this bug. It was the result of our latest system updates intended to improve email delivery speeds. So once the bugs are resolved, we should see a significant reduction in the time it takes to deliver messages to Yahoo! Groups members.

We will update this blog entry as soon as we have more definitive information on the status of this issue.

Thank you and our apologies for any inconvenience caused by the duplicate messages.

The Yahoo! Groups Team

P.S. It would be helpful to get reports of duplicate issues if your groups are still experiencing the problem with messages posted (not received) after 8:00 pm PST. If so, please add a comment to the bug letting us know the name of your group and the message numbers of the duplicate messages. Thanks!

The problem is severe. The affected groups have so far had the same email delivered 8 or more times. If that were an email marketing list every single user would have unsubscribed by now. Spammers on those lists must be having a field day!

Wednesday, March 28, 2007

The art of the Domain

It was the words "Office friendly" that made me think of this. URLs suggested in this post are most assuredly not office friendly and I take no responsibility for your clicking them.

When I was at Gartner there was gartner.com. How a salesman once regretted that they had not also bought garter.com, a site much toned down today (yes, I checked), but which was previously a site of scantily clad ladies whose seductive forms were barely masked with almost well placed stars.

Worse, the site was persistent. Close it and it reopened itself again and again and again.

First Direct is worse. firstdirect.com is fine. Remove the first "r" and it isn't. I have a son who showed me that one!

When you buy a domain name consider seriously the marketing implications of the surrounding names. Imagine directing someone to a landing page and making a typo in the domain! We've all done it. Luckily most are not as horrible as the two examples.

Changing the Horses on the Stage Coach of Permission

Permissions are often hard won, and they are easily rescinded. And, once rescinded, "no means no". Regaining permission is a huge and uphill battle, and one probably not worth the effort. After all, to lose a permission you had to upset someone.

"It's only a newsletter subscription, it doesn't matter."

But it does. You use your newsletter to nurture those who are not yet ready to buy from you, and you use it to nurture those with whom you are dealing currently. It's the warm and acceptable face of keeping in touch. People subscribed for a reason. It may have been because you asked them to, or it may have been because they perceived enough value in you and what you have to say for them to volunteer. Either is great, but each will unsubscribe at the drop of a hat if you upset them. The nice guys will give you a chance to explain first.

Now, let's be fair. Most people receive your newsletter, skim it if you're lucky, and then delete it. They don't really "matter" in the global scheme of things because they are not walking by your side yet. It's the few who thought they were in step with you that matter because they are either your customers today or are considering being your customers tomorrow.

What do I mean about "Changing the Horses on the Stage Coach of Permission"?

I'm talking about changes of direction. Stage coaches look great with a team of horses of the same colour. Add a chestnut to a team of blacks and you see an oddity. See it once and you register it, decide a horse went lame, and forget about it. See it twice and you decide maybe a horse died and hasn't been replaced yet. See it all the time and you just know the owner's policy is to have a chestnut in the team. And, if you no longer like the look of the team you may no longer want to travel in the coach.

Against that, a newsletter is a great place to signal a new direction, a great place to offer a new direction, and a great place to gain permissions for the new direction. After all, everyone's happy to have a taster, and to be offered the chance, which they may decline, to take part. I advise clients to use newsletters in just this way - as a signal that may be accepted or rejected. But we make sure that it is the signal that is accepted or rejected, not the newsletter.

An example?

It is hypothetical.

Let's take a mail order company for specialist, mid shelf magazines, whose newsletter tells of things in the marketplace, points out that this month's edition of Underwater Showjumping carries a full review of equine snorkels, and has a few other snippets. The newsletter has been running for several years, and has regular readers. People join the mailing list, others leave. There's a feeling of community about it.

The company, as a new venture, buys another company whose product line is for those of more specialist tastes. If in newsagents it would be on the top shelf, but it is probably sold at the more specialist outlets that adult requisites congregate in.

How should it handle this in its newsletter?

Absolutely not by adding a segment "Fun with leatherwear".

I think we're all agreed on that one. Even if we want to have fun with leatherwear, this is not the place to have it!

The right way is simple.

"We've just acquired a new company in the adult marketplace. We wanted to let you know about it, and to suggest you click on this link (which is office-friendly) to learn more and to choose whether you'd like to hear more about it. There is a special offer for those who subscribe to its newsletter."

Obvious, yet discreet. We give information clearly and cleanly, but we do not intrude into people's personal space. Most important, we've kept to the spirit of our newsletter and we've kept to the letter of the permissions we've gathered. And we've reassured people that the link they click is office friendly, just in case they click it by accident.

Will people object?

A few will, and they will leave. That's ok, they'd have left anyway, sooner or later, and they'd never have bought from you anyway. They were really just tyre kickers, and they were only there out of curiosity anyway. The rest will either click your link with glee and potentially subscribe to your new, adult newsletter, or will not. And that's the whole point: you start a new community of people who want to learn about your new business area. There's overlap with the old, of course there is, but you have separate permissions for each, and you keep your permission integrity.

SEO bewilders at times

The black art of Search Engine Optimisation bewilders. Pride, as usual, comes before it gets a bloody nose. After getting in pole position with a search on ken hamlin cowboys we have now (well, yesterday), moved into position 99 and falling. (For those who really want to know, Ken Hamlin's signing to play for the Dallas Cowboys is big sports news in the USA.)

Those with many years' SEO experience will say "Yes, that's precisely what should happen", and they'd be right. But there is an oddity, too. Enter the search site:haveballs.net into Google or Yahoo and, today, the number of indexed pages has fallen to 48 from 150 or so. To me that's odd. However it also seems to coincide with the end of month(ish) and end of quarter(ish) rationalisations that big G performs.

I have to understand that the early indexing was the unusual behaviour, and the rationalisation is the usual behaviour.

And this leads to what we expect all sites to do for marketing purposes. I'm currently working with IndirectChannel on sites that generate top quality sales enquiries for high value business to business products and services. We provide buying guides. We're piloting the service currently with a few carefully selected vendors in the business communications area. Our objective is to drive down the cost of acquisition of the enquiry (which is more than a sales lead, it's a full and prequalified request for a quotation) while driving the quality up.

To do this we are optimising the site more and more for good position on search engine results pages (SERPs) because we want our message to be heard in the organic side of search engines, not just in the cost per click (CPC) side. We must recognise that this odd early listing phenomenon may also take place here, and must not let it divert our business plan or give us reason for early celebration.

Monday, March 26, 2007

Search Engine Optimisation as an art gets even darker

I'm good enough at search engine optimisation, by which I mean I get decent results, good Google page rank for sites of my class, and I rely on content, content, content, plus inbound links when available from good net neighbourhoods. I know how to submit to search engines, directories, and yes I have some tricks of the trade that are pretty obvious and also not sneaky.

I've always been dead envious of sites that get listed in less than 4-6 weeks, just like all small business webmasters.

Imagine my surprise on launching two new sites to hit Google within 24 hours of each site being open for business!

We launched Finance Mentor on Sunday, March 18, and we were in Google by Tuesday, and we now have 196 of its 600 or so pages spidered already. We launched HaveBalls.Net on Friday, and we were in Google search results the next day! We have 82 of its 3,500 pages already indexed in Google.

Yahoo is usually far faster than Google to pick sites like these up, but it is lagging woefully with 20 for Finance Mentor and eight for Have Balls. But even Yahoo is a month ahead of where it is usually.

We did design the two sites to be search engine friendly, but design is one thing, getting the bots to visit early is quite another. And they not only visited, but we're getting traffic from search engines delivered to each site. We're analysing what we've done to try and bottle it, but it may be the topics themselves, nothing else.

Friday, March 23, 2007

Jury still out on Autoroll blog widget

That little widget is designed to add to the traffic to a blog. There's no point in blogging if you aren't hoping for traffic, after all. And this little thing is context sensitive in some manner and shows blogs that people should like to go to from your blog, and shows your blog on other like minded souls' blogs.

Anyone remembering Webring (yes, it still exists) as a traffic creation mechanism will recognise Autoroll at once. Ok, let's look at performance (the huge gap below seems to be a blogger software issue, not my bad blogging):

- Visits from other blogs (clicks): 3
- Seen on other blogs (impressions): 3875
- Unique users visits from other blogs: 3
- Unique users views from other blogs: 2659
- Unique user click ratio: 0.113%

So far it doesn't look very good, does it? But it is free. And that also leads to a question: "What is their revenue model?"

Thursday, March 22, 2007

Sainsbury's Bank security saga continues

This morning I met Sainsbury's Bank. I fell victim to the stringent security system and was locked out of my account. I like the fact that a malefactor would have been locked out as easily; I'm not criticising that at all. My concern is with their security system in the first place, and the myriad security questions one has to remember in order to gain legitimate access.

Customer Service called me back. That was required, and probably, they will feel with hindsight, a major error. The call was not about the problems with their security system, which is, of course, both strong and perfect, but with my memory. Happily the lady in the call centre gave me hints to be able to remember the things in those fields.

"You need," she said, "if you can't remember the real things, and if you have, for example, no favourite singer, to put simple answers in those fields."

I asked her to explain.

"There are four fields," she said. "Date, place, singer, (it's no good, I've even forgotten what the fourth one is) and (let's call it "Song") song. What you can do is to enter the following into each of them:

In Singer, type 'singer', in Place, type 'place', in Date, type 'date' and in Song, type 'song', and that will make life so much easier for you."

And that, formal advice from the bank itself, drives a coach and horses through their security. We not only have a bank with impenetrable security for its own customers, we have it advising people on a simple method to pretty much disable it.

I confess I suggested that this was rather banal, and made the security system an irrelevance, but I fear the point was not to be made today.

I asked to be able to speak to the people who had implemented the security system in order to give them proper feedback, but it seems that is impossible, because they have a call centre (why was I so happy that it was in the UK? It makes no difference) and "Those people read the complaint and comment forms, but they don't speak to customers, ever."

I am to get a letter.

I have insisted that the letter be hand crafted and answer my individual concerns, and that any attempt to fob me off with a standard letter will lead to a very serious complaint.

And my point?

"Tim", you may say, "You are just using a blog to pillory Sainsbury's Bank." They are aware of the blog. They know I am using this as a customer based case study.

I am not. I'm making a serious point about listening to the customer, especially when you are the purveyor of a commodity product such as a credit card. CRM. My relationship is not being managed. I wonder if E-CRM is 'Ex-Customer Relationship Management'?

Sainsbury's Bank overwhelms customers with online security

Great security makes for a great online bank. FirstDirect knows that, and upgraded its security recently. ING Direct has always known it, started with excellent security and now has security that avoids the keyboard or predictable mouse movements. Sainsbury's Bank has a very powerful security system indeed, with a battery of questions to prevent access, even by powercrackers.

Sainsbury's Bank is so secure that its customers can't recall the myriad of security answers they have to give. The choices, and there are many, range from "favourite singer" through "memorable place" to "memorable date".

Ok, I don't have a memorable singer, but, let's assume I like "The Beatles". The capitalisation is important. I have many memorable places - first kiss, first love, first school, first... (never mind). Which did I choose? And as for memorable date, they give you free format! You can type in any combination of date formats. Did I use "/" or "." or not? Was the year "yyyy" or "yy"?
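As an added illustration (not code from Sainsbury's Bank or from this blog), here is one way a server could avoid the two failure modes these posts describe: lockouts caused by capitalisation and free-format dates, and answers that merely repeat the field name, as the call centre suggested. The four field names follow the post; the day-first date convention, the function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from datetime import date, datetime

# Field names as given in the post ("song" is the author's stand-in for the fourth).
FIELDS = {"singer": "text", "place": "text", "date": "date", "song": "text"}

# (format, uses_two_digit_year). Day-first order is an assumed UK convention.
DATE_FORMATS = (("%d/%m/%Y", False), ("%d/%m/%y", True),
                ("%Y/%m/%d", False), ("%d%m%Y", False))


def normalise_text(answer):
    """Fold case, Unicode form and whitespace: 'The Beatles' == ' the  BEATLES'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", folded).strip()


def normalise_date(answer):
    """Accept '/', '.', '-' or spaces and yy or yyyy years; return ISO 8601."""
    text = re.sub(r"[.\-\s]+", "/", answer.strip())
    for fmt, two_digit_year in DATE_FORMATS:
        try:
            parsed = datetime.strptime(text, fmt).date()
        except ValueError:
            continue
        # A memorable date typed as 'yy' lies in the past: map 2065 back to 1965.
        if two_digit_year and parsed > date.today():
            parsed = parsed.replace(year=parsed.year - 100)
        return parsed.isoformat()
    raise ValueError("unrecognised date format")


def canonicalise(field, answer):
    """Return the canonical form of an answer, or raise ValueError if unusable."""
    field = field.lower()
    if FIELDS[field] == "date":
        return normalise_date(answer)
    canonical = normalise_text(answer)
    # Refuse the 'type singer into Singer' shortcut and near-empty answers.
    if canonical == field or len(canonical) < 3:
        raise ValueError("answer is too easy to guess")
    return canonical


def _digest(canonical, salt):
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, 100_000)


def enrol(field, answer):
    """Store only a salt and a slow hash of the canonical answer."""
    salt = os.urandom(16)
    return salt, _digest(canonicalise(field, answer), salt)


def verify(field, answer, record):
    """Check a login attempt against the enrolled record in constant time."""
    salt, stored = record
    try:
        candidate = _digest(canonicalise(field, answer), salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample answers, using the singer named in the post.
    singer = enrol("singer", "The Beatles")
    print(verify("singer", "the beatles ", singer))   # same answer, different typing
    when = enrol("date", "01/02/2007")
    print(verify("date", "1.2.07", when))             # same date, different format
```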

After a lengthy call with their online help desk today after locking myself out of my account yet again they agreed with me that I am relatively intelligent, unlikely to be senile, and, most importantly, am not alone in repeatedly locking myself out of my account. I do it about one time in four, and need a couple of attempts to get in almost every successful time.

The only way I am ever going to get into my own account reliably and repeatably is to write the whole lot down.

So, let's look at that. I write it down, or I conceal it on my laptop somehow. Now I have no security at all. All someone has to do is to find my piece of paper, or look at my laptop hard, and they are in.

By this logic, Sainsbury's Bank has such strong security that it has no security at all. That's bad for business.

I've been very fair to them. I've complained on several occasions, only to receive smiles and nods and pats on the head. They feel secure, you see. "Our security locks the malefactor out!" And it does. Or it does until the malefactor finds the good customer's little piece of paper, and, Shazoooom!!!, they are in.

This morning I was on the phone to a very nice lady in their Leeds call centre (mental note, it was in the UK, at least) for 44 minutes and 59 seconds. The battery on my hands free phone limited the call to that, while I spent money and time telling their complaint form how bad their security is for business. I was fair. I mentioned that this would appear in this blog, and that it may also appear as a customer based case study on Compliance and Privacy after I get a response from their complaints team.

I have been overwhelmed with a security system designed by a security expert. So are many other customers. The message is simple: There is a fine line between excellent security and an appalling customer experience. To make your system secure, thus properly private, you need the customer to walk beside you as you explore that line. Compromises must be made, and, very probably, security experts should reassess the level of security required. This is marketing, in its broadest sense. The customer experience is all part of marketing. After this experience, the repeat of many, I am highly likely to withdraw my consent for them to market to me. I've got the message, you see. They want my money, not my recommendation.

**I've just had the call from customer service. Here is part 2

Wednesday, March 21, 2007

UK FSA fines Nationwide GBP980,000 over security failures

This is not a new story:

The UK Financial Services Authority has fined Nationwide Building Society GBP980,000 for failing to have effective systems and controls to manage its information security risks. According to the watchdog, these failings came to light when a laptop was stolen from a Nationwide employee's house in August 2006.

The Financial Services Authority (FSA) commented that, during its investigation, it found that Nationwide did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. It added that it had taken swift enforcement action to send a clear message to all firms about the importance of information security.

According to the FSA, Nationwide worryingly did not realize that the laptop contained confidential customer information or start an investigation until three weeks after the theft. According to the BBC, the computer has still not been recovered.

Margaret Cole, FSA director of enforcement, said: "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure."

I carried it last month in Compliance and Privacy in the Finance NewsRoll. It's a spectacular fine, though. What's new is the involvement of the UK Information Commissioner and his stepping back to allow a swingeing fine to be levied instead of his paltry £5,000.

This sends out an interesting mixed message. It says "My law may be strong, but its fines are pathetic." Those who understand the UKIC's powers know that he can stop all processing of data he finds being processed in an unlawful manner, and that this sanction is far more costly than any fine. In this case that was inappropriate - the data had gone - and he was right to step aside. But ordinary citizens do not understand that he stepped aside.

The man on the London Underground (He replaced 'The man on the Clapham Omnibus' some time ago) understands fines. Richard Thomas needs two things:
  • Bigger penalties
  • The cojones to use them
Otherwise we have a law that is badly respected. Enforce it or repeal it.

Monday, March 19, 2007

YouTube Awards to highlight non copyrighted material

Sorry to be cynical, but the YouTube Awards sound like an attempt to highlight non copyrighted material before they go to trial for copyright infringement in the Viacom case. We did the same thing at Napster. We called it the New Artist Program or NAPster. The idea is to show the courts that there is "substantial non-infringing use" of the service.



There are huge ramifications here. A video is an item capable of identifying a living individual. "Processing" (placing it in YouTube) contrary to copyright law is unlawful, thus not only is copyright breached, but in the UK the Data Protection Act 1998 is breached. Thus this could get very complicated with the UK Information Commissioner also being asked to get involved.

Of course that won't happen. After all, when did you last see a UKIC prosecution? Probably this one is a wise area for Richard Thomas's people to avoid, though!

The email that "may or may not have been spam"

It turned out to be a useful email, which was good news. I've deployed it in the left margin. It's from Citeo, and looks very much like the old, obsolete "Webring" concept, freshened up and made intelligent.

Maybe you'll tell me what you think about it?

How do we tell if inbound emails are spam?

I've had a "just can't tell" one this morning. So I'm going to follow it through and see where it leads. It came to me regarding this blog and about this blog, and offers me a new widget for it. I'm not wholly sure what this widget will do, and they say it's in beta.

Sure is! Because it refuses to let me have it! But when it does it will appear here, perhaps long term.

The email was personalised, and was sweetly flattering, and it therefore got under my radar. Obviously it was generic, but they have done some reasonable research, so it is not bulk, just unsolicited.

Why is this significant?

Simple. It means that enough care with wording will get your message under my rather cranky radar. And this means that, just sometimes, permissioning may be ignored. I'm actually feeling frustrated now because I can't get the thing (their site has a technical fault!) rather than possibly spammed. How about that?

After all, it may be useful for my new site!

Sunday, March 18, 2007

Some folks just do not get Permissioning

They don't seem to get the Data Protection Act either. Nor do they get my money, especially when something seems unusual.

My alter-ego, Mild Mannered Reporter Peter Andrews of Compliance and Privacy fame, received an email exhorting him to buy a costly domain name:

Dear Sirs,

We are selling the domain name IdentityTheft.co.uk. This is the very first time since 1996 that this important domain has ever been available on the open market. The domain is currently on sale for £2,795 + VAT.

Most of our clients are now finding that prime domains such as this pay for themselves within weeks rather than months by virtue of the extra business that they drive to their websites by means of type in traffic and greatly enhanced search engine positions.

Would you like to go ahead with this?

Best regards,

Alan Lawson
HSBF Internet

Now Peter(!) is ever curious about people's obtaining of his details, since he is neither a person, nor can the details be personal. He doesn't join things, and the only places his email address appears are the Compliance and Privacy site, and, when it was published, the newsletter.

He emailed Alan Lawson and received no reply. It's not that he was interested in the domain name. If someone wants it at that inflated price they can have it. He wanted to know where the details came from.

HSBF Internet are easy enough to track down. My favourite search engine is dnsstuff.com, and that produced this brief result. So far so good. This led me to an 0870 number in Lancaster, which I phoned as myself. I got voicemail. As Tim Trent, I left a voicemail message, and my private phone number. And I had no reply by phone.

I did by email, though. To my Marketing Improvement email address, details I never gave out at all, and prefaced by a stranger's name who had allegedly suggested we might be interested in a raft of other domain names:

Dear Tim,

Thank you for your voicemail message that we received earlier today. Steve Johnson had suggested that we contact MIL. I do apologise if the name that we informed you about was not of interest.

We also have the following domains currently on sale:

ChannelMarketing.co.uk DirectTelemarketing.co.uk InternetLeads.co.uk InternetSalesTraining.co.uk

InternetMarketingConsultant.co.uk InternetMarketingSolutions.co.uk MarketingCompany.co.uk

MarketingHelpline.co.uk MarketingPublications.co.uk MarketingStaff.co.uk SmartMarketing.co.uk

StealthMarketing.co.uk TelemarketingTraining.co.uk WebmasterMarketing.co.uk

Please feel free to get in touch if any of these might be of interest to MIL. Have a great weekend!

Best regards,

Alan Lawson

I did get in touch. He emailed me on the 9th of March. I asked him who Steve Johnson is. No reply.

Today the whois record points to the USA, and a US phone number:

Registrant :
HSBF Internet Sales@HSBFInternet.com +1.3102271876
HSBF Internet
2421 Ives Lane
Redondo Beach CA US 90278

Domain Name: HSBF.COM {hsbf.com }
Registration Date : 2003-10-27
Expiration Date : 2007-10-27
Last update :2007-03-09 11:52:28

Domain Name Server:
ns1.dns-diy.net
ns2.dns-diy.net

Administrator:
HSBF Internet Sales@HSBFInternet.com +1.3102271876
HSBF Internet
2421 Ives Lane
Redondo Beach CA US 90278

Technical Contact:
HSBF Internet Sales@HSBFInternet.com +1.3102271876
HSBF Internet
2421 Ives Lane
Redondo Beach CA US 90278

Billing Contact:
HSBF Internet Sales@HSBFInternet.com +1.3102271876
HSBF Internet
2421 Ives Lane
Redondo Beach CA US 90278

Note that the change was made on the 9th of March. Obviously they don't want calls from the UK! There is also no web presence at hsbf.com, just a shell site "ready" for something in the future.

I'm not sure what to conclude from this. I'm sure they would have been happy to receive my money. They don't seem to own channelmarketing.co.uk, though, and they are selling that. If I am generous I suggest they will be selling it as a broker.

But they associated private citizen Tim Trent with Marketing Improvement Tim Trent. Odd in the extreme.

One other blogger has heard of Alan.lawson@HSBF.net though:

The whole thing is rather perplexing. So, over to you. Can anyone solve this for me?

Thursday, March 15, 2007

Pump and Dump is now a UK phenomenon

I've been getting pump and dump scam spam for ages. Now I have had my first UK one. Oh joy, oh rapture! The first of many, or an isolated outbreak?

In case anyone is still unfamiliar with this trash, here is the UK example (please do not fall for it, you'll only lose money):

Patientline's mission is to be the UK market leader in the provision of bedside systems in acute hospitals, offering communication, entertainment, information and healthcare services for patients, clinicians, administrators and other users.

Products and services

The Patientline systems include a terminal at each bed. These provide telephone, television and radio and in most hospitals, internet, gaming and email services. The systems can also provide additional hospital based services such as electronic patient records and food ordering functionality.

A large audience, nationwide coverage and a wide range of advertising options makes Patientline the ideal choice for advertisers. With a TV and telephone at bedsides in over 155 NHS hospitals Patientline can offer advertisers the chance to communicate directly to the patient using the television whilst also providing a strong call to action via the telephone.

~ Nationwide coverage (England, Scotland, Wales and Northern Ireland)
+ Potential annual audience of 8 million
~ Over 75,000 bedside TVs and telephones
+ Over 155 NHS hospitals offer Patientline services


The company offers the really necessary service. Any man or women, who will ever get in a hospital will be happy to use the services of the company. The company found an absolutely new direction of business. No doubts that it will come to success in the nearest time.

At the london stock exchange company stock symbol is PTL.L
Call your broker today if you are interested.
Company price for 14 March 07 is 1.85p per share.
Buy it now and get benefits tomorrow.

As usual, if it looks too good to be true, it probably is. I had 6 of these today. None, of course, permissioned, all probably from botnets.

Data Protection: You can run, but you can't hide!

Back in January 2007 I looked at people who hide behind the Data Protection Act with more than a little scorn. I loathe it when people do this. It makes me want to give them a very long lecture on what is and is not included in the law. Sometimes I fail to resist this urge!

My friend Thom Kohn, who runs Transatlantic Events, and whose events I have been known to speak at on the subject of Permission Based Marketing, sent me an amusing email trail. I promised to sanitise it before posting it to the blog.

Here's how it started:

To: Mr Khon
Sent: Wednesday, March 14, 2007 12:34 PM
Subject: Saved Property Listing from Mr Khon


Mr Khon thought you might like to look at the following properties.



Please do not reply to this message

It's a pretty standard "refer a friend" type of email. No harm in that if carried out well. The problem is, this was addressed to Mrs Kohn, not Mr Khon. Hmm, even the spelling is amusing.

Thom feels strongly about data privacy matters. He wrote back:

From: Thomas M. Kohn
Sent: 14 March 2007 16:55
To: sales@johnmccann.co.uk
Subject: Re: Saved Property Listing from Mr Khon
Importance: High

Hello....
1. First of all, the Name is KOHN
2. You have sent this to my wife saying "I thought she might be interested" ...and when right now it would have been the worst of all times to do that!
Who are you (obviously an estate agents) ... but when did I instruct you to do this???
Please advise, ASAP.
Thomas Kohn

Notice he totally ignored the exhortation not to reply. It's always worth a try. And it was. He got an interesting reply:

From: (Named individual at the estate agent)
To: Thomas M. Kohn
Sent: Thursday, March 15, 2007 9:00 AM
Subject: RE: Saved Property Listing from Mr Khon

Dear Mr Kohn,
Thank you for your email.
Unfortunately due to the "Data Protection Act", we can't discuss any matters relating to the original enquiry, except with the person who registered with us.
Regards
(Named individual)

Interesting, and, of course, the very best way to endear himself to Thom. "Let's all hide behind the Data Protection Act, and, certainly in this case, make total fools of ourselves." We should remember that Thom is a data privacy fanatic, and that he runs events with speakers from European Information Commissioners' offices, and in some cases the commissioners themselves.

He wrote back:

From: Thomas M. Kohn
Sent: 15 March 2007 09:22
To: (Named individual at the estate agent)
Subject: Re: Saved Property Listing from Mr Khon

Mr Morgan.
How Ironic, I actually work with the UK Information Commissioners Office and their legal staff ... as this is what I do for a living.
According to the email as it is written, I would have been the one who supposedly registered (although you have spelt my name wrong!) I probably made an enquiry years and years ago... but for some reason, you wrongfully retained my information after all this time... didn't bother to verify or update my details, and sent this onto my wife at the worst possible time and with the worst possible subject ...
An apology from you would have been sufficient... but...
Please remove my name and contact from your database (however you have spelt it) and under no circumstances are you to send further emails to my wife ...and I will, as you suggest, address my concerns to the UK Data Commissioners Office this morning in our meeting this afternoon (ironically timed), and I will see what they suggest.
All the best,
Thomas Kohn

That line "An apology from you would have been sufficient." is significant, isn't it? "Treat me well and I treat you well. Treat me poorly and my wrath is unconfined."

Unsurprisingly he received a reply:

From: (Named individual at the estate agent)
To: Thomas M. Kohn
Sent: Thursday, March 15, 2007 10:00 AM
Subject: RE: Saved Property Listing from Mr Khon

Dear Mr Kohn,
I am sorry for any inconvenience this may have caused you.
I can only surmise that you may have registered through a website, Rightmove, Find a Property, Prime Location etc., who send out details automatically.
As we are unable to remove your details from these websites, could I suggest contacting them directly.
Once again please accept my apologies for any inconvenience caused.
Kind Regards
(Named individual at the estate agent)

Quite a saga, and a very simple lesson: Customers know more than you think, and usually more than you do. Hide behind the law at your peril. It doesn't even matter if you're right; use common sense in the way you deal with people.

Is Thom likely to use them to buy a house? Maybe. Will he use them to sell a house? Maybe not. Would he if the first response had been good customer service? That is pretty much a certainty.


Wednesday, March 14, 2007

ISPA, SPAM, Trend Micro, Port 25

All of which sounds very technical for a marketing blog!

I picked up this article on Compliance and Privacy, based around a silicon.com article on ISPA's submission today to Parliament in the UK on what ISPs can do about spam.

What really surprised me was the knee-jerk reaction from Trend Micro's CTO over blocking port 25. I'm one of the many hundreds of thousands of internet email users who work from home but need to be able to log in to their own business email server in order to send mail. My ISP prevents this by blocking port 25. This makes my life awkward, at best.

For the mail servers I control, that's ok, I use an alternate port, currently. But for the work I do with Marketing Improvement I can't get that access to their email server. My ISP makes sure I have to have a separate M$oft Outwit outbound SMTP server for home and for the office. And, Outwit being what it is, it decides which queue to put outbound email in and it has been known to be stuck for ages while I try to re-queue it.

So, no, Mr Rand. No way. As Fagin sings in Oliver!: "I think you'd better think it out again!"

Tuesday, March 13, 2007

Risk Management

Years ago, while I was at Gartner, I was charged with the task of increasing sales of their rather bizarre "Y2K Risk Manager" software product. It wasn't really very special, just a bit of gap analysis surrounded with a fancy user interface. I managed precisely no sales of it, and performed no worse than anyone else trying to push wet string! But it led me to thinking about risk analysis and risk management.

I see a major field of risk management in the areas of data privacy and permission based marketing, but I see only cursory interest in the field from purveyors of risk management systems. Even so it's great to see David Rowe of Sungard starting a Risk Management blog. I've already taken the feed from it to publish it on Compliance and Privacy. I'm hoping for great things from it, and I'm hoping to prod him gently towards risk from privacy breaches, too.

Monday, March 12, 2007

UK Information Commissioner calls for international privacy standards

According to reports of his speech at the International Association of Privacy Professionals' summit in Washington, the U.K.'s information commissioner, Richard Thomas, has called for international harmonization of privacy rules.

His call follows recent disputes between the E.U. and the U.S. over privacy safeguards for European air passenger data and financial transaction information requested by the U.S. as part of its anti-terrorism efforts.

Thomas said: "We must all do global privacy better. Information flows do not recognize international boundaries. The internet is rightly called the world wide web. Likewise travel, finance, commerce, telecoms, crime, scams and terrorism all increasingly operate internationally."

Well, so far so good. We must do all sorts of things. But Europe in itself is a poor example, because none of the EC Member States seem to agree on the correct interpretation of the directive anyway, and the UK is under pressure from Brussels to re-implement it "properly".

There is no hope of anything other than a lowest common denominator set of standards, either. I think it makes a great speech, but there is no substance possible behind it. We have more chance of agreeing on stopping pollution than we do on congruent privacy laws globally.

Does this call mean that the Binding Corporate Rules initiative is being given a lower priority?

"In your face" yet sneaky permissions

Yesterday I bought a new sofa. I took advantage of the 12 months interest free credit option, and was given an extremely long form. I could not say it was hidden in the form, not exactly, but there was a small statement on my giving permission "according to the terms and conditions on the back of this sheet" for all sorts of things, including email and SMS marketing.

It meant "the back of this sheet", too. I had to separate the NCR set to find it and it isn't printed on my copy at all.

It meant I was giving permission for people to spam the bejasus out of me.

You've probably gathered by now that I am allergic to doing things like that. So I found the box for "no marketing" and ticked that, and also endorsed the form on the front, prohibiting email and SMS marketing absolutely and restricting 3rd party transfer to "For the sole purpose of credit being extended under this unique agreement only".

Interesting that the finance company is the first UK corporation to have Binding Corporate Rules approved for data transfer worldwide, albeit only its HR data!

Friday, March 09, 2007

Second UK Spammer sued successfully

The individual is fighting back, and the fight seems to be in the small claims court rather than via the UK Information Commissioner or via the Advertising Standards Authority, precisely because those august bodies don't seem to work effectively.

After Nigel Roberts sued Media Logistics UK in the Colchester Small Claims Court in October 2005 everything went quiet. Business was worried that there would be a rash of suits. There wasn't. And the UKIC was always pretty silent on the matter, so extra silence was not really surprising.

Having complained to the ASA myself over spam, I've found that, despite their action against The Training Guild, of Southampton, in 2003 or so, nothing happens. Or, rather, you get a polite note saying that nothing much is happening, but they will ask the spammer nicely to desist.

The Training Guild got "Google-hammered". The snapshot shows Google results for a search on their name. This is a shot of the then top results, with red arrows against those that mentioned the ruling against them. It takes a strong brand to weather that sort of counter-publicity, especially as this article will now be googled and added to the list. And The Training Guild were not spammers. I can say that conclusively because I interviewed them at the time. They just made a simple error of judgement when handling the ASA's investigation.

But that has all led me away from Gordon Dick and his landmark victory in the Edinburgh Sheriff Courts. Nigel Roberts got a judgment by default. Gordon Dick also had judgment in absentia, and has had £1368.66 awarded to him from Transcom Internet Services Limited of Henley on Thames.

What does Google think? This is what Google thinks!

Google finds every article about the company linking it with Gordon Dick and the case he won.

It does rather look as though, had Transcom used Permission Based Marketing they would have kept out of trouble.

Will they survive this welter of bad Google-press?

Who can say, today? In six months we may have a better idea. But, since our first reaction with a proposal or contact from a new supplier is to Google them, just how much new business will they be doing?

Thursday, March 08, 2007

Getting the Web Site Right is all part of Permissioning

There are so many different things that today's marketer needs to understand. The most forgotten is the website.

"I've got my new landing page sorted"

Yes, but have you got the rest right? And have you worked out that getting the site and your new landing page properly listed in Search Engine Results Pages (SERPs) will pay dividends?

You haven't?

OK, take a step back.

A marketing campaign, any marketing campaign, that drives people to the web costs hard cash. The more people who get to the landing page, who are in your target market, the better. Using adverts, using direct response mechanisms to get them there is great. Those are the people you can target, the people you can aim for and grab. You're on a hunt, go get them!

But, while hunting, you can miss the critter that has money and wants to buy from you. How much better to get that critter to walk into your arms!

A well optimised website, with a good "sitemap" (I do not mean the link people put in the site for you to click, I mean a technical, XML based sitemap), will get indexed far faster than your competitor's poor one.

A well indexed site drives people to it and, especially if well crafted, to your landing pages.

"But search engines don't visit very often"

They may not visit you, necessarily, but they visit other sites that link to you. And, more and more, as you push up the SERPs rankings, they visit you often. And they index your new pages far faster than your competitors if you get it right.

And the permissions?

Those you gather on the landing pages, along with the results of the campaign. And you then have them, captured, ready for a full lead nurturing scheme, ready for sales to convert to cash, and, very important, you are able to increase your ROI.

Your website drives people to register and give permissions, if you get it right, whether you advertise or not. When we ran a newsletter from Compliance and Privacy we had an average of two registrations per day whether we advertised or not. Advertising simply increased the number of registrations. The campaign was effective without spending vast sums of money.

Tuesday, March 06, 2007

Silent Calls

Hard-pressed telesales companies need high agent productivity. Many years ago they started the deployment of predictive diallers to get it.

  • The dialler dials a call, hoping the agent is free.
  • Ideally an agent is free as the called party answers.
  • If the agent is not free then the called party hears silence.

Quite a while ago, now, Ofcom updated its regulations to make the Silent Call unlawful. Instead of silence, the called party would hear an "Informational Message".

This is Bloggins the Incompetent. We tried to call you but were too stupid to realise how counterproductive it is to upset you, so here we are, doing just that. The difference today is that we have to tell you who we are.

No sane marketeer would ever allow this to happen, and we predicted the death of the silent call then. Except, of course, from outsourced call centres. Albatross Telecomm, anyone?

Today, wearing my Peter Andrews hat (Peter edits Compliance and Privacy), I found this press release: Excell dumps Silent Calls, gains Compliance and Return on Investment goes up. Significantly it says "Excell has reported no loss in productivity (an argument the industry has typically used against rejecting the use of AMD), and also reports how it has improved customer service and gives 100% guarantee of eradicating silent calls."

Improved customer service. The Holy Grail. And by turning something off.

Monday, March 05, 2007

B4U, OUT-LAW and the UK Information Commissioner

What amazes me is that the UK Information Commissioner's lack of prosecution of B4U had almost no news coverage. Pinsent Masons is a law firm with a journalistic side. They covered it, but otherwise I could find nothing:
clipped from www.out-law.com
Matthew Magee:
The Information Commissioner's office has been talking tough of
late. Commissioner Richard Thomas has said that he would come down
harder than ever on those breaking data protection law and has
called for journalists to be locked up over legally squiffy
investigation techniques. But in one case of misuse of personal
information the tougher side has crumbled leaving victims asking
whether he is making an ass of the law. A Birmingham company called
B4U which runs B4Usearch.com listed the personal details of people
without their permission. Those who complained and asked for it to
be taken down were told they would have to supply even more data to
the company which some were naturally reluctant to do. The
Information Commissioner issued an enforcement notice to the
company after receiving 1,600 complaints but when the date for
takedown passed further action was clearly necessary. Tim Trent was
one of the victims of the breach.

You can download the full podcast at OUT-LAW Radio

Thursday, March 01, 2007

How to lose my permission

"How can you upset me? Let me count the ways....."

The best way to lose me is to send me rubbish. And I define rubbish as something I must click on to see any content at all, and where I see no WIIFM.

I keep getting a wonderfully crafted, almost collectable quality, gloriously copywritten newsletter from a well known and respected network security corporation. I am on their list because, just sometimes, a piece of news is interesting. But I am starting to regret it.

It comes as a link in a text email that tells me of the many and glorious things that this corporation has done, and reminds me how wonderful they are at every turn. Both of those things are a pretty fine emetic.

Why would I bother to open a pdf? It takes time to load, hangs my browser while it loads, and is formatted for paper, not for the screen. A pdf implies "this is really valuable". It isn't. It's a newsletter. Any value is ephemeral.

This month's edition contained a survey. Something along the lines of "how can our web presence help you better?" Not a single question about the vehicle that drove me there, though.

Nothing about it, not the email and not the pdf, had any "you appeal" in it. It was news about them and had nothing in it for me.

If I weren't reading it from a journalistic perspective, and frankly they don't want readers like me anyway, I would junk it right now.

The thing is, I have three ways of junking it:

  • Aim it at my junk folder.
  • Report it as spam. (I'll bet others are, and if they don't use an email outsourcer, SPEWS here we come!)
  • Just unsubscribe. (The link heartens me. It says they will comply with my request within 10 days... But the link is immediate, isn't it? It goes to the database, doesn't it? Can I trust their products now?)

This newsletter lets them down badly. They do know. I've told them before. They never respond. So this time I'm pointing them here by email.