27 May 2004 – LAWFUEL – A website design vulnerability that theoretically could have allowed third parties to access the personal information of Barnes & Noble.com customers has led to a settlement agreement requiring Barnes & Noble.com to institute an information security program and pay $60,000 worth of costs and penalties to New York State.
New York State Attorney General Eliot Spitzer launched an investigation into Barnes & Noble.com’s privacy and information security practices after discovering that the online retailer’s method of “cookie-less” shopping left customer information vulnerable to third-party exposure. To allow Internet customers to shop without the use of “cookies” stored on their hard drives, Barnes & Noble.com placed user authentication information directly in web page URLs (uniform resource locators). As the Attorney General’s investigation revealed, however, this method of user authentication turned the URL itself into the credential: anyone who obtained the URL – for example, where the online customer forwarded it to third parties or posted it as a web link – could use the customer information in the URL to access the customer’s account and even to make purchases under that account. Personal information that the technology rendered vulnerable to disclosure included order histories and customer names, addresses, and some credit card information, but not credit card numbers. The website design vulnerability alone, rather than any allegation that customer information was in fact obtained by third parties, formed the basis for the Attorney General’s complaint.
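The design problem described above is a general one: a session credential carried in a URL goes wherever the URL goes, and whoever presents it is treated as the account holder. The following Python is an added example for this page, not code from the article or from Barnes & Noble.com. It shows a check a practitioner can run over web access logs to spot URL-borne credentials and to detect the tell-tale sign of a forwarded URL (the same token presented from more than one client address), alongside the cookie-based alternative that keeps the credential out of the URL. The parameter names, entropy threshold and log lines are constructed assumptions.

```python
"""Detecting session credentials carried in URLs, and the cookie-based alternative.

Added example for this page, not code from the article or from Barnes & Noble.com.
The parameter names, thresholds and log lines below are constructed assumptions.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that usually carry a bearer credential (assumed list;
# extend it with the application's own naming).
SESSION_PARAM_NAMES = {"sid", "sessionid", "session_id", "jsessionid",
                       "phpsessid", "token", "auth", "authtoken"}


def shannon_entropy(value: str) -> float:
    """Bits per character. Random hex/base64 tokens score well above 3.5;
    words, numbers and dates score lower."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def url_credentials(url: str) -> list[tuple[str, str]]:
    """(name, value) pairs in the query string that look like credentials:
    a known session/auth parameter name, or a long high-entropy value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for value in values:
            known_name = name.lower() in SESSION_PARAM_NAMES
            random_looking = len(value) >= 16 and shannon_entropy(value) > 3.5
            if known_name or random_looking:
                hits.append((name, value))
    return hits


# Apache/nginx "combined" log format:
# client ident user [time] "METHOD path HTTP/x" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def shared_url_tokens(log_lines):
    """Map each credential value found in a request URL to the client addresses
    that presented it. A value seen from more than one client is the situation
    the article describes: a forwarded or posted URL being replayed by someone
    other than the account holder."""
    clients_by_token = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for _name, value in url_credentials(m["path"]):
            clients_by_token[value].add(m["client"])
    return {tok: sorted(ips) for tok, ips in clients_by_token.items() if len(ips) > 1}


def session_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """The cookie-based alternative: the credential travels only in a cookie,
    which the browser never places in a URL, which page scripts cannot read
    (HttpOnly), which is sent only over TLS (Secure) and which is withheld on
    cross-site navigations (SameSite=Lax). Max-Age bounds how long a leaked
    value stays usable."""
    return (f"Set-Cookie: sid={session_id}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


# Constructed sample log: the account holder (10.0.0.5) shops with a token in
# the URL; later the same token is replayed from a second address (203.0.113.9)
# that arrived from a forum link, including a purchase attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2004:10:01:02 +0000] "GET /account?sid=9f86d081884c7d659a2feaa0c55ad015 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [27/May/2004:10:01:30 +0000] "GET /search?q=security+books HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [27/May/2004:14:22:10 +0000] "GET /account?sid=9f86d081884c7d659a2feaa0c55ad015 HTTP/1.1" 200 512 "http://example.org/forum" "Mozilla/4.0"',
    '203.0.113.9 - - [27/May/2004:14:22:41 +0000] "POST /checkout?sid=9f86d081884c7d659a2feaa0c55ad015 HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for token, clients in shared_url_tokens(SAMPLE_LOG).items():
        print(f"token {token[:8]}... presented by {len(clients)} clients: {clients}")
    print(session_cookie_header("9f86d081884c7d659a2feaa0c55ad015"))
```

The multi-client check is only a signal (a user moving between home and office will trip it too), so it belongs in a review queue rather than an automatic block. The durable fix is the second function: moving the credential into a cookie means a forwarded or posted URL carries nothing that identifies the account, and a site that must support cookie-less shopping should at least expire URL tokens quickly and require re-authentication before showing account details or completing a purchase.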
According to Attorney General Spitzer, Barnes & Noble.com’s cookie-less shopping method, which was in use from 1998 to 2002, was inconsistent with the retailer’s posted privacy policy and therefore constituted a deceptive business practice, false advertising and fraud in violation of New York’s general business law provisions. In settling the Attorney General’s claims, Barnes & Noble.com agreed to pay $60,000 to the State and to establish a comprehensive information security program to protect customers’ personal information. One component of the program will be a risk assessment designed to identify the potential for unauthorized disclosure, misuse or other means by which information may be compromised. The retailer must then implement safeguards to control any risks identified during the risk assessment. Barnes & Noble.com must also establish employee training programs and, for at least the next three years, carry out an annual review of its information security program.
For further information about this issue or the Intellectual Property, Internet and Privacy Practice Group of Sidley Austin Brown & Wood LLP, please contact Alan Charles Raul at (202) 736-8477 or Edward R. McNicholas at (202) 736-8010.