Today’s Guest Blogger is Lisa Dubrow, of Dubrow & Charne, an advertising law firm in New York (212-865-0200), who has these thoughts on online privacy of consumer data and the recent settlement between the New York AG and Victoria’s Secret:

Would you want the world to know what you purchased from Victoria’s Secret?  Well if you don’t, you agree with New York State Attorney General Eliot Spitzer. He recently announced that his office had reached an agreement with Victoria’s Secret Direct, LLC following an investigation into allegations made last fall that the company’s Web site inadvertently left information about what its customers’ purchased online accessible to other online customers. The security flaw was discovered a year ago by a customer who reported the problem to the company. The company allegedly chose to ignore the tip thinking that since the security risk did not concern customers’ credit card numbers the flaw was not really an issue.

 That was not a smart move.

 Apparently, even though the retailer’s website’s privacy policy promised that customer data “is maintained in private files on our secure Web server,” and that “we provide stringent and effective security measures on our Web site”, the names, addresses, and orders of more than 560 customers were available to anyone who could manipulate the online customer id number and order number. Feeling that the security flaw was not being taken seriously, the customer reported the problem to the press. That seemed to do the trick: the flaw was fixed immediately.

 However, because the security flaw violated the retailer’s privacy policy, Mr. Spitzer’s office accused it of breaking state laws concerning deceptive business practices, false advertising and fraudulent business activities. Said Mr. Spitzer’s spokesman. “When a business’s security and privacy practices do not live up to its promises, a breach occurs.” While Victoria’s Secret did not admit to the attorney general’s findings, it did agree to pay a fine of $50,000 and improve its online security practices. It also agreed to notify the customers whose data was at risk.

 “A business that obtains consumers’ personal information has a legal duty to ensure that the use and handling of that data complies with representations made about that company’s security and privacy practices,” Mr. Spitzer said through a spokesman. “When a business’s security and privacy practices do not live up to its promises, a breach occurs.

 This type of action by state and federal regulators is becoming more common. Just recently, settled with the Federal Trade Commission as a result of’s vunerability to attacks, such as SQL injection attempts, directed at its web applications at the same time that it published online that its customers’ information was protected.  “If you make a claim about information important to consumers, such as security, and it is false, it could be a violation of the Federal Trade Commission Act, a legal violation,” stated Jessica Rick, assistant director of the financial practices, Bureau of Consumer Protection of the FTC.

 If you make promises online, make sure you can keep to them. The care of customer data should not merely be limited to credit card information. If any customer data is exposed this case reveals that a company is at risk for a fine, and more importantly, unfavorable publicity, even if that flaw if corrected quickly. There is another lesson here: listen to customers’ complaints and take them seriously.

Ed’s note:  Vintage undies picture from here.