Privacy Not Only Requires Securing PII, It Also Requires Keeping the Trust of Your Customers

Recently I was speaking with a client about a new Internet e-commerce application they were testing, and I asked them to give a demonstration. One of the questions I asked while watching was whether there were any ways in which someone could get information about customers’ orders. After doing some various tests, a screen popped up showing a database of names, item descriptions, and other information related to the orders. The billing information, such as credit card number, was *NOT* within this database, but the names and mailing addresses were; these were used for the indexing links to the database.

“Ooh, this is something you need to address,” I said.
“Why?” asked the project lead. “Our lawyer reviewed this and said that none of these items are considered sensitive PII within any laws. Why do more work than we need to? It would put us behind schedule.”
“Well, let’s look at your website privacy policy,” I suggested.
The policy made a common, general statement that security was in place to protect customer information collected at the site from being disclosed or otherwise having unauthorized access.
I pointed out, “Your customers are trusting that their transactions with your company will be protected. Courts have found that revealing order information on the Internet is not only a violation of this trust, but can also be a violation of your posted website policy, and may be considered an unfair and deceptive business practice under the FTC Act. Plus, your customers would not be happy knowing you are making their purchase details public.”
I know there are likely many companies that are not adequately protecting all the information collected from e-commerce websites. It is typical to protect only those data items explicitly listed within laws and regulations. This is a practice endorsed by many lawyers I’ve spoken to over the years. A narrow interpretation of the “letter of the law.”
Protecting privacy goes beyond just protecting items specified as personally identifiable information (PII). Protecting privacy also involves protecting information about the choices, purchases, and other general life activities persons participate in and the choices they make. Protecting privacy also means you do not knowingly reveal personal information about your customers that could embarrass them.
In 2003 Victoria’s Secret settled a complaint from then New York Attorney General Eliot Spitzer that alleged a breach occurred that made the order details of their customers available for viewing by anyone on the Internet, violating the company’s privacy policy.
Victoria’s Secret learned of the security breach November 25, 2002, when a customer discovered that he could read the orders of any web customers that had been placed in the prior eight months. The customer called the company, only to be told that what he was describing was “impossible.”
Ouch! Very bad customer service. Also a very stupid thing to tell a customer.
The customer called again, giving examples. One day later, the Victoria Secret’s web team shut down the “check order status” function of the site, telling customers to call customer service instead. Reportedly no significant action was taken to correct the situation until the understandably upset customer got a news organization involved to report the problem.
No, credit card numbers, social security numbers, and other types of PII typically considered as sensitive were not available for viewing. However, names, ordered items, sizes, dates and other related order information was.
In settling the complaint, Victoria’s Secret “admitted no wrongdoing in making the settlement” and agreed to:
* Establish an information security program to protect customer data
* Hire an external auditor to review the program annually
* Alert 559 customers outside New York to the possible exposure of their personal information and orders
* Provide refunds and alerts to 26 affected New York customers
* Pay $50,000 to the State of New York for costs and fines
A pretty lenient fine, but definitely not good PR. And the cost to establish an acceptable information security program, along with annually hiring a third party to perform an audit, would also impact the company’s bottom line. Of course they should have had a good security program in place any way.
People expect that details of their orders from retailers will be kept confidential. It is a matter of trust. And when the website makes promises within the posted website privacy/security policy to keep details confidential, it becomes a legal obligation the company must meet.
A few months ago a similar type of incident occurred. Astroglide, a company that makes “personal lubricant” products typically used for intimate encounters, reportedly revealed their customer order information. According to an April 21, 2007 Homeland Stupidity report, as in the Victoria’s Secret incident, there were no credit card numbers or social security numbers exposed, but it is claimed the names, products, email addresses and shipping addresses of customers ordering from the website from 2003 were available for basically anyone on the Internet to see. It is interesting to note that Astroglide does not define what information they consider as personally identifiable information (PII), but that they also make the following broad promise within their posted privacy policy:

We take reasonable steps to protect your personally identifiable information as you transmit your information from your computer to our site and to protect such information from loss, misuse, unauthorized access, disclosure, alteration, or destruction.”

These are not the only two companies that have promised to protect PII within their posted privacy policy, but then did not implement measures to keep customer information, such as order details, from being publicly posted.
A few lessons companies should learn from the mistakes of these two companies:
* You must ensure you have procedures and technologies in place to support your *legally binding* posted privacy and security policies.
* You must ensure your personnel, most assuredly your customer service representatives, know how to appropriately respond to customers calling to report your website is revealing inappropriate customer information. Customer service reps must also know how to appropriately respond to customers questions about your company’s security and privacy practices. Make sure you have procedures for them to follow, give them training for the procedures, and provide ongoing awareness communications.
* Remember your customers trust that you will protect *ALL* of the details about their transactions with your company, above and beyond protecting what is often too narrowly defined as PII. You need safeguards, technology and procedures in place to protect order details, services customers have hired your company to perform, and any other type of information that was created as a result of a customer doing business with your company. You should only share or reveal details about specific customer business transactions with the explicit permission of your customers.
* Protecting privacy is about more than just protecting a narrowly defined set of PII items; it involves protecting the history of your customers’ purchases and other communications with your organization, along with meeting their expectations of trust that you will do this appropriately.
Trust is a very large component of privacy.

Tags: , , , , , , , , , ,

Leave a Reply