Today’s Guest Blogger is Lisa Dubrow, of Dubrow & Charne, an advertising law firm in New York (212-865-0200), who has these thoughts on online privacy of consumer data and the recent settlement between the New York AG and Victoria’s Secret:
Would you want the world to know what you purchased from Victoria’s Secret? Well, if you don’t, you agree with New York State Attorney General Eliot Spitzer. He recently announced that his office had reached an agreement with Victoria’s Secret Direct, LLC following an investigation into allegations made last fall that the company’s Web site inadvertently left information about what its customers purchased online accessible to other online customers. The security flaw was discovered a year ago by a customer who reported the problem to the company. The company allegedly chose to ignore the tip, thinking that since the security risk did not concern customers’ credit card numbers, the flaw was not really an issue.
That was not a smart move.
“A business that obtains consumers’ personal information has a legal duty to ensure that the use and handling of that data complies with representations made about that company’s security and privacy practices,” Mr. Spitzer said through a spokesman. “When a business’s security and privacy practices do not live up to its promises, a breach occurs.”
This type of action by state and federal regulators is becoming more common. Just recently, Guess.com settled with the Federal Trade Commission as a result of Guess.com’s vulnerability to attacks, such as SQL injection attempts, directed at its web applications at the same time that it published online that its customers’ information was protected. “If you make a claim about information important to consumers, such as security, and it is false, it could be a violation of the Federal Trade Commission Act, a legal violation,” stated Jessica Rick, assistant director of the financial practices, Bureau of Consumer Protection of the FTC.
If you make promises online, make sure you can keep them. The care of customer data should not be limited to credit card information. This case reveals that if any customer data is exposed, a company is at risk of a fine and, more importantly, unfavorable publicity, even if the flaw is corrected quickly. There is another lesson here: listen to customers’ complaints and take them seriously.