Sears, Where America Sues
Written by Evan Schuman
January 6, 2008
With the recent slew of privacy incidents coming to light—including two this week from Sears—red-blooded Americans are doing what we always do in times of sorrow and anguish: file lawsuits.

But as I was looking at two unrelated privacy legal filings on Friday, I was struck by the different legal tactics and the very different probability of success.

When the topic is lawsuits, though, it's critical to get a clean definition of "success" at the very start. The plaintiffs here were all consumers. Is the objective to make the consumer whole, in the sense of getting them to the point financially where they would have been had the data privacy booboo never happened?

Is it to make it much more likely that the wrong will never be repeated, sparing other consumers the headache? Is it to make money for the consumer? Is it, dare I say, to make money for the law firms?

The recent TJX lawsuits, for example, could be said to have failed for their consumer plaintiffs on all of those objectives, other than making money for the law firms, and even that money was rather paltry.

As has been noted in this column many times, these lawsuits have an uphill battle for two reasons. There is currently no federal law—and Minnesota has the only state law that even comes close—that requires businesses to protect consumer data. So the accusation that a retailer or other business was reckless in protecting consumer private data is nice sounding, but there's no law that says businesses have any such obligation.

Until some privacy laws with real teeth are passed, these privacy incidents will continue to happen. Indeed, their frequency will sharply increase as this legal loophole is understood by more businesses.

The second problem with these consumer data privacy litigation efforts is that there is rarely any true monetary loss. The actions are more galling and infuriating than actually take-money-out-of-a-consumer's-pocket costly. There are lots of potential true monetary losses but almost no provable ones.

Even if a consumer was ripped off for, let's say, $2,000 because of information the merchant let loose, the retailer (or bank) would simply refund that $2,000 and eliminate the loss.

That all said, let's look at two pieces of litigation that were filed last week, in connection with two unrelated privacy breaches from three deep-pocketed companies: $52 billion Sears, $41 billion Sprint and $36 billion Wells Fargo.

The Sears lawsuit was a result of one of the two Sears data privacy breaches confirmed last week: a hidden spyware campaign and a feature that allowed consumers to look up other people's Sears purchases.

Specifically, it was a response to the ability to have a consumer's Sears purchase history displayed to anyone who knew the consumer's name, phone number and street address. On Friday, Sears shut down the part of its site that revealed that data. But not before lawyers from the New York City-based KamberEdelson were able to file papers.

The lawsuit—filed on behalf of New Jersey resident Christine Desantis—concedes that the consumer lost no money but that she might—possibly—in the future. (There are those cynical sorts who might say, "Fine. When she does lose money, then file the lawsuit," but I won't go there yet.)

The lawsuit then tried to list the flaw's consequences, which it identified as "staggering." What do they consider so staggering? Let's take a look.

Point one, quoting from the lawsuit filing: "A nosy person can find out how much his neighbor spent on a new washing machine or lawnmower."

Point two: "Marketing companies can mine the (Sears) Web site for data about Sears customers in order to transmit detailed advertisements for additional products and/or warranties."

Point three: "Hackers can systematically access this data for much more insidious purposes. They can use the data to commit fraud by, for example, sending e-mails or making phone calls purporting to be from Sears alerting individuals to a recall of a specific product. They then can use the information they have obtained from Sears's website to gain trust over the unsuspecting victim and obtain access to a person's credit information, social security numbers or even a person's house." True, but it's hypothetical until it happens.

My personal favorite, whose logic escapes me: "Desantis and the members of her class were damaged by Sears's misconduct, inter alia, because the value of the products and services they purchased from Sears was diminished because Sears made publicly available their personal information connected to those purchases. Put simply, a dishwasher costing $1,000 is worth less than an identical dishwasher where the first purchaser's private purchase information is made public."

Let me see if I understand this. Let's say I purchase a $5,000 52-inch plasma TV. Is that set suddenly worth less if my nosy neighbors learn its price? (My life is certainly worth less if my wife discovers the price, but that's a different issue.)

Then there's the "how much are you asking for" part of the filing: "The aggregate amount at issue is (less than) $5 million collectively, even when factoring in the cost of the injunctive relief and the request for attorneys' fees. Further, no individual in the class is seeking more than $75,000 for him or herself, all types of relief included." No one is seeking more than $75,000? How comforting.

Now let's compare it with the case of Theodore D. Karantsalis, a librarian from Miami, Florida. His case started last month when he received this letter from Sprint Nextel.

The letter told Karantsalis that "a customer logged in through the Checkfree service on the Wells Fargo banking website and, when they clicked on the link to see their current Sprint invoice, they were erroneously presented with your invoice instead. The customer called to report this to Sprint immediately. This issue was caused by a system coding error that mixed up two invoices when two customers were on the system at the same time with the same billing cycle."

Asked the consumer: "I'm not even a customer of Wells Fargo bank. How did they get access to my private information?"

Karantsalis added: "The right to privacy is a personal and fundamental right protected by the Constitution." Not so sure it does that. This is one of these implied rather than explicit rights. Need to leave that one up to the U.S. Supreme Court. *gulp*

Here's where the contrasts get interesting. Instead of retaining a law firm, Karantsalis filed the lawsuit himself, but he did it in Small Claims court and he's suing for exactly $597.

When I first saw this filing—Karantsalis E-mailed it to us and, presumably, a bunch of other journalists as well—I dismissed it as trivial but then it grew on me. A small claims filing sidesteps a lot of legal nonsense that large firms opt for. It also delivers any monies received directly to the consumer.

More importantly, a small claims court judge is more likely to think in terms of fairness and often has more latitude. But the best issue is that it's small enough to not merit Sprint or Wells Fargo fighting it. Unlike Desantis, Karantsalis has a decent shot of getting some dollars and of getting those dollars sometime soon.

Until the laws are changed, what can consumers do to dissuade companies from treating their privacy recklessly? Voting with their purchases seems to be something that most consumers are unwilling to do, if TJX is any indication. Consumers will gleefully say they won't support retailers who treat their data recklessly, but earnings reports suggest they certainly don't actually do it.

But what if every consumer who was so victimized filed a small claims court lawsuit locally? It would likely deliver more to those consumers—remember the $15 checks to the consumer TJX victims?—and would collectively cost the retailers more. I hate to suggest such a move, but clearly something has to be done. In a battle for world domination between lawyers and librarians, my money's riding on the librarians.

E-Mail StorefrontBacktalk Editor Evan Schuman at
eschuman@storefrontbacktalk.com
Evan Schuman is the former retail technology editor for eWEEK.com, PCMagazine, CIOInsight and retail reporter for RISNews and Consumer Goods Technology. Having covered IT issues for 21 years - and other stuff like legal affairs, politics, Wall Street and the environment for about eight years before that - Schuman is in a good position to gripe about technology trends and sometimes accidentally make a good point.