Establish information security policies and practices to ensure the uninterrupted security of information systems. For example, ask:

• Do we have a written security plan that addresses all areas of our operations?
• Do we have policies appropriate to our size and complexity, our activities, and the sensitivity of the customer information we handle?
• Do we continually review our policies and practices? And have outside specialists to review our security system, perform risk assessments and audits, and help with compliance?
• Do we have a resolution system for disputes arising from security breaches or alleged misuse of personally identifiable information?

Institute vigorous training and oversight of your designated security team. But dont stop there. Any other employee or contract worker with even occasional access to personally identifiable information must be trained and supervised. For example, ask:

• Do we have a full-time, designated team to develop and implement information security throughout our organization? 
  • Do they have the resources and support they need to do the job right?
  • Do they have effective and up-to-date training tools?
  • Do they conduct regular security audits and response exercises?
• Do we keep records of information access and regularly monitor those records for unusual activity?
• Do we make sure all employees are aware of the penalties for security breaches?

Written policies and training go far, but not far enough. Construct structural and technological walls to contain personal information and run tests to ensure that the system works. Make contingency plans. For example, ask:

• Do we define our security needs and use technology that meets those needs, point by point, specification by specification
• Do weInclude layers of complementary solutions to prevent and detect unauthorized use of information systems? 
• Do we have a backup system in place to recover lost data and ensure uninterrupted continuity of information security?
• Do we have a system for shredding both paper and electronic data before dumping?

The information chain is only as strong as its weakest link. Make sure that personal data in your care are tagged and fenced when they enter your database, while theyre in storage and once they leave. Permit no information transfers without informing business partners to meet your security standards. For example, ask:

• Do we inform business partners of their responsibilities to meet specific security standards?
• Do we ask potential business partners about their security practices before we share any information?
• Do we consider security ramifications before sharing data with business partners?

This customizable guide, prepared by the DMA Committee on the Environment and Social Responsibility (CESR), can be used by call/contact centers to address consumer questions about suspicious emails, e-commerce shopping cart concerns and suspect websites. It also has a section devoted to script guides for use in the event of an actual identity theft situation, so that you can give your customers accurate, timely information to help protect themselves. A preamble for managers of customer service representatives sets the stage for dealing with customers in such a charged, confusing atmosphere.

Please review this guide closely, and share it with internal stakeholders including your own customer service and communications staffs and legal counsel. Feel free to adapt it for optimal internal use in your organization.

• Call Script Guide (pdf, Word)
• Consumer Alert/Checklist on Phishing to Accompany Call Script Guide (pdf)
• Consumer Alert/Checklist on Pharming to Accompany Call Script Guide (pdf)

DMA/Solutionary Information Security and Compliance Assessment Tool

In October 1998, the European Union passed wide-sweeping privacy legislation – called the European Union Data Protection Directive. The Directive places new requirements on businesses that wish to collect, process or transfer personal data from an EU Member State. Under the Directive, the transfer of personal information from an EU Member State to a non-EU country is forbidden unless the country provides an “adequate” level of privacy protection. The EU does not currently view the United States as having an adequate level of protection.

In order to avoid potential disruptions in trade between the United States and the EU, the US Department of Commerce in consultation with the European Commission and the industry developed the safe harbor framework. This framework allows US companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the “adequacy” requirement of the European Directive on Data Protection.

US companies that wish to continue to receive personal information from the EU and who choose not to enter the Safe Harbor must find some other means to assure European authorities that such protection will be available through contractual terms, or the transfer of information must fall within one or more of the following exceptions:

1. The data subject has given his/her consent unambiguously to the proposed transfer,

2. The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken in response to the data subject’s request,

3. The transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party,

4. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims,

5. The transfer is necessary in order to protect the vital interests of the data subject, or

6. The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

Effective February 16th, 2009 data transferred, collected, processed and/or imported from Switzerland can now be covered under the safe harbor framework.

The US Department of Commerce has entered into a Safe Harbor framework with Switzerland. If your organization transfers data from Switzerland to the US and you would like it to be covered under the Safe Harbor framework then you would need to review the US-Swiss Safe Harbor principles and FAQs posted on the US Department of Commerce’s website at www.export.gov/safeharbor. It is important to note that the US-Swiss safe harbor principles are based on the US-EU safe harbor principles.

What are the key elements of the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework?

Participation by companies in either the US-EU or the US-Swiss safe harbor framework is completely voluntary. However, if your company decides to take advantage of the safe harbor framework, then you must:

It is important to note that the DMA Safe Harbor Program does not cover issues relating to the transfer of human resources data. However, the transfer of such data does fall under the safe harbor framework. For further clarification, please refer to the Department of Commerce’s FAQ #9 export.gov/safeharbor.

In order for your company to be compliant with the safe harbor framework, you must abide by and incorporate the safe harbor privacy principles into your privacy policy and corporate practices.

By adhering to the core principles of: notice, choice, onward transfer, access, security, data integrity and enforcement, your company is indicating that you place great value on data privacy protection and will make every effort to respect Europeans’ and/or Swiss’ requests regarding use of their personal information.

By adhering to the following principles as developed by the Department of Commerce and European Commission and the Department of Commerce and the Federal Data Protection and Information Commission of Switzerland, you will stand out in the marketplace as one of the trusted organizations that promises to meet the requirements of the safe harbor framework.

These safe harbor principles pertain to the personal information that your company transfers from the EU and/or Switzerland to the US. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information.

SAFE HARBOR PRINCIPLES

1. NOTICE

You must clearly inform customers in a timely manner about what information you are collecting, why you are collecting it, who you are forwarding it to, how its use can be limited and how the customer can contact you for additional information;

2. CHOICE

You must honor customers requests to opt-out of certain information uses and exchanges and opt-in if sensitive information is being used. You must provide customers with the ability to opt-out of certain information uses and exchanges. Where the information is sensitive, you must obtain opt-in consent. These choices should be clear and conspicuous, readily available and affordable.

Your company must offer customers the ability to opt-out of your disclosing their information to a third-party or using their information for a purpose incompatible with that for which it was originally collected.

In addition, the DMA Safe Harbor Program requires that your company accept and maintain consumer requests to be placed on your in-house suppression file to stop receiving solicitations from your company. The DMA also recommends that your company utilize European Preference Service Systems to update your list. If you need assistance in locating the appropriate European system, please feel free to contact DMA staff.

Sensitive Information
It is important to note that for “sensitive” information, consumers must be given the explicit ability to opt-in before you disclose that information to a third-party or use that information for a purpose different from that for which it was originally collected. You may not use or transfer this information unless the individuals have given affirmative or explicit “opt-in” choice.

Sensitive information includes personal information regarding a medical or health condition, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual lifestyle. There are limited exceptions to the opt-in requirement. For further clarification, please refer to the Department of Commerce’s FAQ #1 at export.gov/safeharbor.

3. ONWARD TRANSFER

You must ensure that if information is disclosed to agents or subcontractors that they will agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.

4. ACCESS

You must provide customers the ability to access the personal information being maintained by the company and the ability to correct it where it is inaccurate (based on a sliding scale principle – the obligation to provide access to information increases where its use is more likely to significantly affect the individual). You must provide customers the ability to access the personal information being maintained by the company. This access should be provided to the individual unless there would be: (1) a disproportionate effort on the part of the company relative to the potential risk to the individual’s privacy, (2) the rights of others would be violated, or (3) the request by the individual is clearly vexatious or repetitious. Companies can meet this requirement by providing customers with a copy of the personal information that is being maintained about them or by addressing the individual’s concerns through the company’s customer service department. You do not have to give customers access to your database.

In addition, customers must be given the ability to correct, amend or delete their personal information if it is inaccurate. A reasonable fee can be charged to the individual for accessing information.

In general, expense and burden can be considered in providing access to personal information. However, access to certain information that is used to grant or deny a significant benefit or service must always be provided regardless of the expense and burden. The following are examples of important benefits: insurance, grants, mortgages, loans, college admission, employment applications and similar benefits or services.

Companies denying access to information citing disproportionate effort or cost should be in a position to substantiate their decision.

5. SECURITY

Take reasonable care in protecting the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Your company should make every effort to use appropriate security measures to protect the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Such measures should ensure an appropriate level of security given the nature of the data processed.

6. DATA INTEGRITY

Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that are not relevant to the purpose for which they were collected. Your company is responsible for ensuring that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. You should not use the information in a way that is incompatible with the purpose for which it was collected, unless subsequently authorized by the consumer.

7. ENFORCEMENT

Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints. (The DMA is pleased to offer members this service.); and (3) having appropriate monitoring, verification and remedy procedures in place.The Safe Harbor Principles require companies to:

1. Refer consumers to their customer service department or other in-house dispute resolution program;
2. Subscribe to a readily available and affordable independent third-party dispute resolution mechanism – The DMA is pleased to serve as your third-party dispute resolution mechanism to address unresolved in-house consumer data privacy complaints. (For a complete description regarding the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to The DMA Safe Harbor Program Complaint Procedure fact sheet on our web site at: www.dmaresponsibility.org/SafeHarbor.);
3. Have appropriate verification procedures in place to comply with your safe harbor privacy policy. This policy must be verified at least annually by either an internal self-assessment review process, or by an outside third-party review/audit. (The DMA’s Safe Harbor Program does not provide for the DMA to act as the independent third-party auditor); and
4. Train staff regarding your safe harbor privacy policy.

In addition, your company should consider offering consumer education packages in languages which reflect your European and/or Swiss customer markets.

Attention retailers, list owners, list brokers, list managers, mailing houses, and other data processors or controllers:

Category A

Category B

The DMA has developed a program to assist those companies that wish to comply with the safe harbor requirements, and thus be able to certify to the Department of Commerce that it has fulfilled the requirements of the safe harbor principles. The DMA will:

THE DMA SAFE HARBOR PROGRAM THIRD PARTY DISPUTE RESOLUTION MECHANISM

The major component of DMA’s Safe Harbor Program is to provide businesses seeking to certify under the US-EU and/or US-Swiss Safe Harbor Framework with an independent third party dispute mechanism that complies with the Safe Harbor enforcement requirements.

The Safe Harbor requires that the dispute resolution mechanism be readily available to consumers, affordable, and be able to ensure compliance with the Safe Harbor privacy protections. The DMA’s Safe Harbor Program adheres to the belief that an independent dispute resolution mechanism should:

To provide a mechanism that is fair, the DMA has created a Safe Harbor Program Committee that is comprised of respected experts from the direct marketing industry, and recognized consumer representatives. The Committee will have the power to hear both sides of a dispute, and provide a final determination. When businesses join the DMA’s Safe Harbor Program, they will be required to sign a Contract whereby they agree to abide by the decisions of the Committee. They will also be notified in the contract that the Committee will have the authority to issue certain sanctions as a result of their decision. The sanctions available to the Committee include, but are not limited to:

1. Correction of actions found not to be in compliance with the Safe Harbor Principles, the EU Directives, or the Safe Harbor FAQ’s.
2. Correction or deletion of inaccurate personal information.
3. Reimbursement of actual, direct monetary damages incurred by the consumer.
4. Removal from the DMA Safe Harbor Program and revocation of the company’s ability to display the DMA Safe Harbor Mark.
5. Public notification of the decision and action taken by the Committee.
6. Notification to the Department of Commerce of the Committee’s decision and a request for removal from the Safe Harbor Certification List due to failure to comply with the Safe Harbor Principles.
7. Referral of the matter to the Federal Trade Commission or other appropriate governmental agency for enforcement action.

The lynchpin to any dispute resolution mechanism is that it be impartial. One way to assure impartiality is to assure openness of the results of the program by publishing the outcomes of the cases on a regular basis, and for DMA staff to be constantly vigilant that the results are fair and legal.

To assure accessibility, there will be no cost to the consumer, and businesses will be required to notify consumers of the availability of DMA’s Safe Harbor Program in an open and conspicuous manner and prominently display the DMA Safe Harbor Program Mark. The program will provide consumers an easy method to bring their disputes before the Committee. It is the goal of the Program to obtain a determination of all cases in a quick and timely manner, but in no case longer than 60 days.

THE DMA SAFE HARBOR PROGRAM COMPLAINT PROCEDURES

1. When a complaint is received, staff will verify that the complaint involves matters over which the DMA Safe Harbor Program Committee has jurisdiction.

2. Staff will verify that the business’ in-house complaint handling system has had a reasonable opportunity to address the consumer’s complaint.

3. Staff will write a letter to the business requesting that the complaint be reviewed and that a response be provided within 10 days.

4. After checking with the consumer, if the complaint has been resolved, the matter will be closed out. If the matter is still in dispute, the complaint (all written materials from both the consumer and the business) will be presented to the Committee for a determination (Initial Decision) on the matter. The meeting will take place by telephone conference call, unless the Committee decides that another meeting form is more appropriate.

5. A conference call will be set up for the Committee to review the case and make an Initial Decision. The Committee can either find no violation of the Safe Harbor Principles and close out the case, or find that a violation(s) of the Principles have occurred, and set a remedy that the Committee determines is appropriate.

6. The business and the consumer will be notified by letter of the Initial Decision of the Committee. Within ten (10) days of their notification, either the consumer or the business can request a Further Consideration Hearing before the Committee. The request must state the reason(s) why the Further Consideration Hearing is being requested. If no request by either party has been made within 10 days, then the Initial Decision automatically becomes the Final Decision. The case will be followed-up by staff to verify adherence to the remedies stated in the Committee’s decision.

7. If the matter is appealed within 10 days by either party, a Further Consideration Hearing will be set-up for the Committee by telephone conference call at a mutually agreed upon time for all the parties. Both the consumer and the business may submit any further informational materials for the Committee’s consideration, and both may take part in the Hearing via telephone conference call. After the Hearing, a Final Decision on the case will be made by the Committee. The consumer and the business will be notified by letter of the Committee’s Final Decision. Staff will provide any necessary follow-up to verify adherence to the Committee’s Final Decision.

8. The cost of the conference call will be the responsibility of the DMA. The DMA will provide a telephone language translation service at no cost to the consumer, if requested.

Committee on Ethical Business Practice (Ethics Operating Committee)

Comprised of 17 executives from DMA member organizations, the Ethics Operating Committee examines promotions and practices that may violate DMA’s self-regulatory Guidelines for Ethical Business Practice. The Committee works with both member and non-member companies to gain voluntary cooperation in adhering to the guidelines and to increase good business practices for direct marketers. Although cooperation with the Committees is voluntary, it is in everyone’s best interest to work together to ensure that high standards are maintained and consumer confidence in direct marketing is enhanced.

The DMA Guidelines for Ethical Business Practice have been applied to hundreds of direct marketing cases concerning deception, unfair business practices, personal information protection, and other ethics issues. In order to educate marketing professionals on acceptable marketing practices, a case report is regularly issued which summarizes questioned direct marketing promotions and how cases were administered. The report also is used to educate regulators and others interested in consumer protection issues about DMA’s self-regulatory guidelines and how they are implemented.

The Ethics Operating Committee is also responsible, along with the Ethics Policy Committee, for reviewing and revising The DMA Guidelines for Ethical Business Practice as necessary to keep the guidelines timely, specific, and meaningful in relation to DMA’s stated broad corporate responsibility objectives.

The DMA is interested in hearing from you if you believe a direct marketing promotion or practice is questionable and may warrant a formal review by the Committees. The DMA receives and investigates complaints against member and nonmember organizations. These complaints are reviewed and handled by DMA’s Corporate Responsibility Department and/or the DMA Committee on Ethical Business Practice, also known as the Ethics Operating Committee.

Case Handling Procedures/Confidentiality Policy

The DMA Corporate Responsibility team and Ethics Operating Committee receive promotions for review in a number of ways: from consumers, member companies, non-members, or, sometimes, consumer protection agencies. The Committee reviews most of the matters that are received by the DMA concerning possible violations of the ethics guidelines; however, it is not possible for the Committee to review all complaints or inquiries received. The most important criteria for accepting cases to be reviewed include the following: the magnitude of the promotion or practice brought to DMA’s attention; the possible damage or economic harm to consumers; a pattern of complaints received by the DMA; and complaints that are the subject of media and/or government attention. Complaints referred to the Committee are reviewed against the Guidelines for Ethical Business Practice and if a majority of Committee members believe there is a potential violation, the company is contacted. Most companies work with the Committees to cease or change the questioned practice. Case proceedings are kept strictly confidential. However, if a member company does not cooperate and the Committees believe there are ongoing guidelines violations, the Committees can recommend that action be taken by the Board of Directors and can make case results public. Board action could include censure, suspension or expulsion from membership, and the Board may also make its actions public. If a non-member or a member company does not cooperate with the Committees and the Committees believe violations of law may also have occurred, referral of the case is generally made to federal and/or state law enforcement authorities for their review; such referral may be made public.

Cases may be submitted by writing to the DMA and including a copy of the promotion or an example of the practice that is the subject of the complaint.

General Online Ads:

Advertising seeks to target the right products to the right audience, and makes possible low-or no-cost content and services. Most online ads aren’t matched to you as an individual, but to data categories — such as demographics, interest groups, or location. The web sites you visit work with online advertising companies to provide you with advertising that is as relevant and useful as possible, and the ads are placed according to this criteria.

Interest-Based Online Ads: What is online behavioral advertising?
Online behavioral advertising — which is also sometimes called “interest-based advertising” — uses information collected across multiple web sites that you visit in order to predict your preferences and to show you ads that are most likely to be of interest to you. Many companies engaged in OBA will indicate their adherence to ethical best practices for OBA by providing an Advertising Icon   to indicate their participation in the self-regulatory program and should be responsive to your concerns and choice requests. The Icon will also be labeled — Ad Choices.

The self-regulatory program requires the participants to:

• Be transparent about its data collection and use practices associated with OBA, providing you with a clear, meaningful and prominent notice about the practices through a privacy policy and an enhanced notice policy that is specific to OBA. Did you see/review these notices?
• Provide you with consumer control over whether data is collected and used or transferred to third parties for OBA purposes through use of a consumer choice mechanism that you can use to opt-out of such activity by the organization. Were you able to opt-out easily?
• Obtain your consent before a material change is made to its practices regarding OBA data collection and use policies, limiting the collection of sensitive data. What is the policy stated by the company regarding use of sensitive data (such as health, financial information)?

If you have not already done so, please visit aboutads.info to learn more about OBA, compliance principles and the opt-out choices you can make for OBA ads.

The DMA’s Committee on Ethical Business Practice is interested in hearing from you if you believe an online behavioral advertising practice is questionable.

To submit a potential case for Committee review, complete the form below. Be sure to provide a copy of the promotion, an example or description of the practice that is of concern. We will review the issues you have raised to determine if your concerns warrant a formal ethics investigation. In some cases, the issues can be resolved without Committee action.

We will not be able to review a matter without supporting documentation in hard copy or via email proof (see bottom of page for mailing address and contact information).

Thank you for your assistance with this important self-regulatory program for online behavioral advertising! Please Note: If, after review, the Committee believes there are potential violations of the Guidelines for Ethical Business Practice specific to Online Behavioral Advertising, the organization will be contacted and asked to revise or discontinue the promotion and/or practice. The case handling process is confidential. Names of companies under review are not released publicly unless the issues are not resolved, or DMA’s records become the subject of legal process.

DMA handles complaints about member and non-member marketers. DMA’s Committee on Ethical Business Practice compares marketer practices to DMA’s ethics guidelines and asks companies to come into compliance.

• Members who don’t comply with the requests of the Committee face public DMA Board censure, suspension or expulsion.

• Non-members that do not cooperate are referred to law enforcement agencies and their cases are publicized.

Reports on Ethics Committee Findings [PDFs]

• 2011
• February 2009- February 2010
• July-December 2008
• January – May 2008
• August – December 2007
• January – July 2007
• August – December 2006
• April – July 2006
• January-March 2006
• July – November 2005
• January – June 2005
• July-December 2004

Who is responsible for ethics/compliance, privacy and environmental affairs in your organization? The DMA’s Corporate & Social Responsibility (CSR) department oversees a wide range of ethical and privacy guidelines, compliance initiatives and environmental best practices for the marketing community. Regulatory issues are constantly evolving. The need to communicate about self-regulation and compliance in crucial, now more than ever.

Complete the form and designate the appropriate individual(s) at your company to serve as our key contact(s).