How a Net credit card scam might snag you

Brian Livingston reports on how your own bank may be responsible for putting your credit card number into the hands of Internet marketers that make unauthorized charges.

3 min read
You may be one of thousands of people who've had unauthorized charges placed on their credit cards by Internet marketers. But you may not know that your card number was originally handed over to the perpetrators by your own bank.

A case in point is BrandDirect Marketing, a company partly owned by Reader's Digest and Federated Department Stores.

Through its Web site, BrandDirect promotes "free trial memberships" in brand-name buyers clubs. The online clubs BrandDirect currently handles are IBM Small Business Solutions, Simplicity Sewing and Arthur Frommer's Budget Travel, among many others.

On the surface, it all appears professional. But watch out for the skeleton lurking in the closet.

BrandDirect agreed in August to repay consumers $11 million for questionable credit card charges, as part of a settlement it struck with the states of Connecticut and Washington.

"BrandDirect uses information provided by some of the nation's largest financial institutions, including First USA Bank, Citibank, Chase Manhattan Bank, and others," Washington Attorney General Christine Gregoire said in a statement.

Thanks to these banks, BrandDirect's salespeople already had the credit card numbers of the prospects they were calling. This makes it all too easy for a marketer looking for a commission to charge a card, regardless of what the consumer actually said. Since customers were never asked to read their credit card number over the phone, it was easy for people to assume they wouldn't be charged.

So much for "free"
The states alleged that BrandDirect "offered a 30-day 'free' trial membership, but charged many customers during that period." The company also "failed to cancel memberships on demand," the states said.

David Ziller, senior vice president of BrandDirect, said in an interview, "We're doing everything to comply with the Attorney General settlement," and that the company's marketing is not now causing any concern.

It isn't necessarily a crime in the United States for a bank to sell a telemarketing company your credit card number, although it is in some other countries.

The Gramm-Leach-Bliley Act, enacted in November 1999, is the most recent U.S. law affecting the transfer of credit card number to unauthorized third parties. The act allows consumers to "opt out" of a few data-sharing arrangements. But it permits banks to give your credit card numbers to any "affiliated" third party, such as an insurance subsidiary. And--in an exception that infuriates consumer groups--a bank may give the information to a third party that it has a "joint agreement" with.

By contrast, Canada recently adopted a Personal Information and Electronic Documents Act, which went into effect on Jan. 1, 2001. The first phase of the law protects personal banking data, such as credit card numbers. A second phase, beginning on Jan. 1, 2002, will cover personal health information.

And in Europe, a "data protection directive" became effective in 1998, affecting all commerce in the 15 countries of the European Union. Companies must reveal to consumers the information that's been collected on them but protect personal data when exchanging files with other firms.

The sale of credit card numbers is such a lucrative business that it's certain to thrive wherever it's allowed.

In one recent case, U.S. Bank reached a settlement with California and 37 other states last September, prohibiting the bank from sharing credit card data unless its customers agree to "opt in." According to the Idaho attorney general's office, the bank was receiving a commission of 22 percent of the sales made by telemarketing companies.

"The benefit of opt-in as compared to opt-out is this: Who should be in charge of your personal financial information--your bank or you?" Brett Delange, Idaho deputy attorney general, said in an interview.

To protect your credit card numbers, contact your bank to determine whether there's a way to "opt out" of data sharing. Some banks will comply, even where this isn't required by law.

If not, the next best thing you can do is watch your credit card statements like a hawk.

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.