Ephemerallaw: Lawsuit Against Sears Attacks Customer Information Sharing Practices

Wednesday, January 9, 2008

Lawsuit Against Sears Attacks Customer Information Sharing Practices

A class action lawsuit against Sears Holdings Corp. filed last week illustrates how far the plaintiff's bar is willing to go to extend the frontier of tort liability for the alleged breach of consumer privacy rights. See Computerworld article
The lawsuit challenges the availability of Sears' customers' purchasing history on its Managemyhome.com website. Besides providing Sears shoppers with the ability to download manuals, find product tips and get home-renovation ideas, it also let customers track purchases and product warranties by entering their name, address and phone number. Since it was not password-protected, anyone could enter any other name and address and obtain others' information as well. The "Find your Products" section of the site has been disabled in the wake of public criticism and the filing of the lawsuit.

While the legal merits of the case may be tenuous, the more important lesson from this case for companies is that it illustrates what NOT to do. First, Sears created a site knowingly giving public access to its customers' personal information. No matter that it did not include account or Social Security numbers -- most laws define "nonpublic personal information" to be a consumer's name and any of that person's address, phone number, Social Security number, account number, etc. So, by definition, this information was considered "private" and should have been password-protected. Secondly, Sears did not inform its customers that they were making this information available on the website. Its privacy policy made no mention of it, and while it may not be required by law, it would have been prudent to give the customers the opportunity to opt out. Finally, Sears learned of the issue weeks before it took any action to rectify the situation. It did not take the feature off the website until after the lawsuit was filed. Even if it was convinced that its behavior did not expose it to legal action, its inaction indicated an insensitivity to public concern for privacy rights. One would hope that given the amount of adverse publicity TJX and others have suffered from their experiences with security breaches, that such insensitivity to consumers' privacy concerns by companies that are the repositories of consumers' personal information would be a faint memory.

At a minimum, the Sears lawsuit should serve as a wake-up call to other companies that a cavalier attitude to consumer privacy will no longer be tolerated by the public.

No comments:

Post a Comment

Privacy Statement

The authors value the privacy of their blog viewers. This site does not currently collect personal identifying information ("PID"), except: (1) to the extent that your browser provides PID, like your e-mail address or the site you linked from, to this site's server; (2) to the extent that you provide PID to this site in an e-mail; and (3) to the extent that you provide PID to this site in a CGI form (for example, when you complete a search request on this site’s “Search this Site” search feature. Your PID will be used only for the specific purpose for which you submitted the PID, except that it may be used in an aggregated form to gauge the popularity of this site. "Cookies" are pieces of information that some web sites transfer to the computer that is browsing that web site, and are used for record-keeping purposes at many web sites. Use of Cookies performs certain functions such as saving your passwords, lists of potential purchases, and your personal preferences regarding your use of the particular web site. This site uses Cookies to gather anonymous traffic data. Your browser is probably set to accept Cookies. However, if you would prefer not to receive Cookies, you can alter the configuration of your browser to refuse Cookies. This site contains links to other sites. The authors and their employers do not share your personal information with those sites and are not responsible for their privacy policies. We encourage you to learn about the privacy policies of those entities. Children under 13 years old are not the target audience of this site. To protect their privacy, the authors prohibit the solicitation of personal information from these children. The authors reserve the right to change this Privacy Policy at any time by posting a new privacy policy at this location. You can e-mail any further questions to wmorriss@fbtlaw.com.

Disclaimer

This site is provided for informational purposes only. The views expressed herein are solely those of the authors and should not be attributed to their employer or their clients. These materials do not constitute legal advice and do not create an attorney-client relationship between you and us. Please note that you are not considered a client until you have signed a retainer agreement and your case has been accepted by us. This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Got it? THIS SITE IS "AS IS." WE MAKE NO REPRESENTATIONS AS TO THE ACCURACY, TIMELINESS OR COMPLETENESS OF THE STUFF HERE AND YOU SHOULD NOT RELY UPON IT. USE AT YOUR OWN RISK. WE EXPRESSLY DISCLAIM ALL WARRANTIES. This may be an advertisement. Your mileage may vary. Past performance does not guarantee future returns. Do not run with scissors. NOTE: This disclaimer is largely taken from the established and extremely well written blog Patent Baristas.

Ephemerallaw

Wednesday, January 9, 2008

Lawsuit Against Sears Attacks Customer Information Sharing Practices

No comments:

Useful Resources

Blog Archive

Contributors

Other Sites

Privacy Statement

Disclaimer