27 May 2004 – LAWFUEL – A website design vulnerability that theoretically could have allowed third parties to access the personal information of Barnes & Noble.com customers has led to a settlement agreement requiring Barnes & Noble.com to institute an information security program and pay $60,000 worth of costs and penalties to New York State.
New York State Attorney General Eliot Spitzer launched an investigation into Barnes & Noble.com’s privacy and information security practices after discovering that the online retailer’s method of “cookie-less” shopping left customer information vulnerable to third-party exposure. To allow Internet customers to shop without the use of “cookies” stored on their hard drives, Barnes & Noble.com placed user authentication information directly in web page URLs (uniform resource locators). As the Attorney General’s investigation revealed, however, this method of user authentication also permitted anyone who obtained access to the URL – such as where the online customer forwarded the URL to third parties or posted it as a web link – to use the customer information in the URL to access the customer’s account and even to make purchases under that account. Personal information that the technology rendered vulnerable to disclosure included order histories and customer names, addresses, and some credit card information, but not credit card numbers. The website design vulnerability alone, rather than any allegations that customer information was in fact obtained by third parties, formed the basis for the Attorney General’s complaint.
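The design flaw the investigation describes, identity carried in the URL itself, is easy to spot in web server logs and easy to contrast with a cookie-bound session. The following is an added example, not code from the article, from Barnes & Noble.com, or from Sidley Austin: it flags query parameters that look like authentication material in constructed access-log lines, then shows why a forwarded link grants access under URL-based identification but not when the session id lives in a cookie. The parameter names, tokens, account data and log lines are all constructed for the example.

```python
"""Added example (not from the article): detect authentication material in URLs
and contrast URL-based identity with a cookie-bound server-side session.
Every name, token, account and log line below is constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed list of parameter names that commonly carry identity or session
# material; a real deployment would derive this list from its own application.
AUTH_PARAM_NAMES = {"userid", "user", "session", "sessionid", "sid", "token", "auth", "password"}
# A long opaque value is a weaker secondary signal that a parameter holds a secret.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def auth_params_in_url(url):
    """Return names of query parameters in `url` that look like authentication material."""
    query = urlsplit(url).query
    flagged = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in AUTH_PARAM_NAMES or TOKEN_LIKE.match(value):
            flagged.append(name)
    return flagged


def scan_access_log(lines):
    """Scan common-log-format lines and return (line_no, url, flagged_params)
    for every request whose URL carries authentication material."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not m:
            continue
        flagged = auth_params_in_url(m.group(1))
        if flagged:
            findings.append((line_no, m.group(1), flagged))
    return findings


# Constructed log lines: line 1 identifies the customer in the URL, line 3 carries a token.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2004:10:00:01 +0000] "GET /account?userid=c1001 HTTP/1.1" 200 512',
    '203.0.113.6 - - [27/May/2004:10:00:02 +0000] "GET /search?q=books HTTP/1.1" 200 2048',
    '203.0.113.7 - - [27/May/2004:10:00:03 +0000] "GET /checkout?item=42&token=Qm9va3Nob3BUb2tlbjEyMzQ1 HTTP/1.1" 200 768',
]

# Constructed account store and server-side session table.
ACCOUNTS = {"c1001": {"name": "Constructed Customer", "orders": ["order-1", "order-2"]}}
SERVER_SESSIONS = {"s-9f2c": "c1001"}  # session id -> account id, kept on the server


def resolve_account_cookieless(url):
    """Pattern the article describes: identity is read from the URL alone, so
    whoever holds the URL (a forwarded mail, a posted link) is treated as the customer."""
    params = dict(parse_qsl(urlsplit(url).query))
    return ACCOUNTS.get(params.get("userid"))


def resolve_account_cookie_bound(url, cookie_header):
    """Hardened pattern: the URL carries no identity. The session id travels in a
    cookie (which a real app would set HttpOnly and Secure) and maps to the account
    on the server, so a forwarded URL on its own grants nothing."""
    cookies = dict(kv.split("=", 1) for kv in cookie_header.split("; ") if "=" in kv)
    account_id = SERVER_SESSIONS.get(cookies.get("sid"))
    return ACCOUNTS.get(account_id)


if __name__ == "__main__":
    for line_no, url, params in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: auth material in URL {url}: {params}")
    forwarded = "https://shop.example/account?userid=c1001"
    print("cookieless:", resolve_account_cookieless(forwarded))
    print("cookie-bound, link only:", resolve_account_cookie_bound(forwarded, ""))
```

Running the log scanner over proxy or web-server logs, or the same check over the application's own link-generation code, catches this class of design flaw before a customer ever forwards a link; the cookie-bound resolver shows the shape of the fix, with the identity kept server-side and referenced only by an opaque session cookie.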
For further information about this issue or the Intellectual Property, Internet and Privacy Practice Group of Sidley Austin Brown & Wood LLP, please contact Alan Charles Raul at (202) 736-8477 or Edward R. McNicholas at (202) 736-8010.