Something better to do

I try to make a habit of giving out “tagged” email addresses to web sites when I sign up for accounts / mailing lists / whatever. For example, when creating an account at widgets.com, instead of just signing up as “jik@kamens.us”, I might sign up as “jik+widgets@kamens.us”. It ends up in the same mailbox regardless, and it gives me some visibility into who is sharing or selling or allowing my email address to be stolen.

About six months ago, I started getting spam from an email address that I had only used in one place: signing up one of my kids for a Scholastic, Inc. book club through their web site back in 2007.

I contacted Scholastic and told them that either they were selling my email address and it needed to stop, or they had suffered a data breach of at least customer email addresses, if not more.

In response, Scholastic’s CISO informed me that Scholastic doesn’t sell email addresses to third parties; their children’s book club business was sold to Sandvik Publishing in 2008; the email address in question was no longer in Scholastic’s database; and I should contact Sandvik if I wished to pursue the matter further.

I sent a reply to the CISO which read as follows:

I don’t recall ever being asked whether I considered it OK for Scholastic to sell my PII to another company. This is especially disturbing since at that point I was no longer a customer of Scholastic’s for the business that was sold.

Granted, your privacy policy gives you the legal right to sell any information you collect to anyone you want. The fact that you are legally permitted to do that doesn’t make it right.

Your privacy policy also says, “Scholastic ensures that all personally and non-personally identifiable information that it receives via the Internet is secure against unauthorized access.” Alas, you apparently do not consider it your responsibility to ensure that the third parties to whom you sell PII keep it as secure as you claim to do yourselves. That is rather disappointing.

I will contact [Sandvik] as you have suggested. However, if I were in your shoes, I would be extremely concerned that a third party to whom Scholastic had sold PII allowed it to be compromised, and I would consider it my responsibility to investigate the issue myself, rather than leaving the wronged (former) Scholastic customer entirely on his own.

I received no further response from Scholastic.

(more…)

Close Bookmark and Share This Page

Save to Browser Favorites / Bookmarks

Ask backflip blinklist BlogBookmark Bloglines BlogMarks Blogsvine BuddyMarks BUMPzee! CiteULike co.mments Connotea del.icio.us

Digg diigo DotNetKicks DropJack dzone Facebook Fark Faves Feed Me Links Friendsite folkd.com Furl Google

Hugg Jamespot Jeqq Kaboodle kirtsy linkaGoGo LinkedIn LinksMarker Ma.gnolia Mister Wong Mixx MySpace MyWeb

Netvouz Newsvine oneview OnlyWire PlugIM Propeller Reddit Rojo Segnalo Shoutwire Simpy Slashdot Sphere

Sphinn Spurl Squidoo StumbleUpon Technorati ThisNext Twitter Webride Windows Live Worlds Movies Yahoo!

Email This to a Friend

Copy HTML: 

 If you like this then please subscribe to the RSS Feed.

Powered by Bookmarkify™

More »

Powered by Bookmarkify™