Wednesday, January 9, 2008

Lawsuit Against Sears Attacks Customer Information Sharing Practices

A class action lawsuit against Sears Holdings Corp. filed last week illustrates how far the plaintiff's bar is willing to go to extend the frontier of tort liability for the alleged breach of consumer privacy rights. See Computerworld article
The lawsuit challenges the availability of Sears' customers' purchasing history on its website. Besides providing Sears shoppers with the ability to download manuals, find product tips and get home-renovation ideas, it also let customers track purchases and product warranties by entering their name, address and phone number. Since it was not password-protected, anyone could enter any other name and address and obtain others' information as well. The "Find your Products" section of the site has been disabled in the wake of public criticism and the filing of the lawsuit.

While the legal merits of the case may be tenuous, the more important lesson from this case for companies is that it illustrates what NOT to do. First, Sears created a site knowingly giving public access to its customers' personal information. No matter that it did not include account or Social Security numbers -- most laws define "nonpublic personal information" to be a consumer's name and any of that person's address, phone number, Social Security number, account number, etc. So, by definition, this information was considered "private" and should have been password-protected. Secondly, Sears did not inform its customers that they were making this information available on the website. Its privacy policy made no mention of it, and while it may not be required by law, it would have been prudent to give the customers the opportunity to opt out. Finally, Sears learned of the issue weeks before it took any action to rectify the situation. It did not take the feature off the website until after the lawsuit was filed. Even if it was convinced that its behavior did not expose it to legal action, its inaction indicated an insensitivity to public concern for privacy rights. One would hope that given the amount of adverse publicity TJX and others have suffered from their experiences with security breaches, that such insensitivity to consumers' privacy concerns by companies that are the repositories of consumers' personal information would be a faint memory.

At a minimum, the Sears lawsuit should serve as a wake-up call to other companies that a cavalier attitude to consumer privacy will no longer be tolerated by the public.

No comments: