Epsilon agrees to pay $150m fine to DoJ for selling data to fraudsters | News | GRC World Forums
Marketing company Epsilon Data Management has agreed a $150m settlement with the United States’ Department of Justice (DoJ) to resolve a criminal charge for selling data on more than 30 million Americans to perpetrators of fraud schemes who were targeting older people.
The deferred prosecution agreement (DPA) includes Epsilon selecting and covering the costs of an independent claims administrator to distribute $127.5m compensation to victims with established losses caused by fraud schemes which used the company’s data.
“Epsilon also agreed to implement significant compliance measures designed to safeguardconsumers’ data and prevent its sale to individuals or entities engaged in fraudulent or deceptive marketing campaigns,” the DoJ said. “Further, the DPA requires Epsilon to maintain a procedure for consumers to request that it not sell their information to others.”
Acting assistant attorney general Brian Boynton added: “By allowing clients engaged in fraudulent schemes to buy data on millions of consumers most susceptible to their schemes, Epsilon employees facilitated those schemes with staggering effect. “We are encouraged by Epsilon’s cooperation since the misconduct was discovered, its remediation efforts, and its commitment to stringent new compliance measures.”
The company’s agreement is with the DoJ’s consumer protection branch and the US Attorney’s Office for the District of Colorado in connection with one count of conspiracy to commit mail and wire fraud. Headquartered in Irving, Texas, Epsilon’s principal sales office is in Westminster, Colorado.
According to the DoJ, the company used sophisticated data modelling to identify consumers most likely to respond to clients’ marketing solicitations. Between July 2008 and July 2017 that included employees of the direct to consumer (DTC) unit knowingly selling to clients engaged in fraud lists containing data on more than 30m consumers.
“In particular, Epsilon acknowledged that the DTC unit sold consumer lists to a number of mass-mailing fraud schemes that sent false ‘sweepstakes’ and ‘astrology’ solicitations to consumers,” the department said.
“Those solicitations stated that each consumer recipient had won a large prize or individualised psychic service that they could obtain by paying a fee. In reality, the solicitations, as known to DTC unit employees, were mass-produced mailings and victims who paid a fee received nothing of value.”
The schemes disproportionately affected the elderly and other vulnerable individuals, the DoJ said.
Consumer data sold by the DTC unit to fraudsters came from both fraudulent and legitimate Epsilon clients, including non-profit and charitable organisations. The unit’s staff continued to sell consumer data to clients engaged in fraud despite knowing those and similar clients had been arrested, charged with crimes, convicted and were subject to law enforcement actions for false and misleading practices, the department added.
US attorney in Colorado Jason Dunn stated: “Companies who sell consumer information have a responsibility to avoid knowingly selling it to those who will use the data to defraud or swindle consumers. I hope other data companies will take note of this outcome and ensure that they don’t likewise help fraudsters.”
Deputy chief postal inspector Craig Goldberg of the U.S. Postal Inspection Service. “When data firms such as Epsilon use their extraordinary access to consumers’ personal information to provide laser-focused marketing lists supporting deceptive practices, more American consumers are placed in harm’s way. Firms that amass big data assume a big responsibility to ensure this data is not used by malicious actors.”
The deferred prosecution agreement (DPA) includes Epsilon selecting and covering the costs of an independent claims administrator to distribute $127.5m compensation to victims with established losses caused by fraud schemes which used the company’s data.
“Epsilon also agreed to implement significant compliance measures designed to safeguardconsumers’ data and prevent its sale to individuals or entities engaged in fraudulent or deceptive marketing campaigns,” the DoJ said. “Further, the DPA requires Epsilon to maintain a procedure for consumers to request that it not sell their information to others.”
Acting assistant attorney general Brian Boynton added: “By allowing clients engaged in fraudulent schemes to buy data on millions of consumers most susceptible to their schemes, Epsilon employees facilitated those schemes with staggering effect. “We are encouraged by Epsilon’s cooperation since the misconduct was discovered, its remediation efforts, and its commitment to stringent new compliance measures.”
The company’s agreement is with the DoJ’s consumer protection branch and the US Attorney’s Office for the District of Colorado in connection with one count of conspiracy to commit mail and wire fraud. Headquartered in Irving, Texas, Epsilon’s principal sales office is in Westminster, Colorado.
According to the DoJ, the company used sophisticated data modelling to identify consumers most likely to respond to clients’ marketing solicitations. Between July 2008 and July 2017 that included employees of the direct to consumer (DTC) unit knowingly selling to clients engaged in fraud lists containing data on more than 30m consumers.
“In particular, Epsilon acknowledged that the DTC unit sold consumer lists to a number of mass-mailing fraud schemes that sent false ‘sweepstakes’ and ‘astrology’ solicitations to consumers,” the department said.
“Those solicitations stated that each consumer recipient had won a large prize or individualised psychic service that they could obtain by paying a fee. In reality, the solicitations, as known to DTC unit employees, were mass-produced mailings and victims who paid a fee received nothing of value.”
The schemes disproportionately affected the elderly and other vulnerable individuals, the DoJ said.
Consumer data sold by the DTC unit to fraudsters came from both fraudulent and legitimate Epsilon clients, including non-profit and charitable organisations. The unit’s staff continued to sell consumer data to clients engaged in fraud despite knowing those and similar clients had been arrested, charged with crimes, convicted and were subject to law enforcement actions for false and misleading practices, the department added.
US attorney in Colorado Jason Dunn stated: “Companies who sell consumer information have a responsibility to avoid knowingly selling it to those who will use the data to defraud or swindle consumers. I hope other data companies will take note of this outcome and ensure that they don’t likewise help fraudsters.”
Deputy chief postal inspector Craig Goldberg of the U.S. Postal Inspection Service. “When data firms such as Epsilon use their extraordinary access to consumers’ personal information to provide laser-focused marketing lists supporting deceptive practices, more American consumers are placed in harm’s way. Firms that amass big data assume a big responsibility to ensure this data is not used by malicious actors.”