There's private, and then there's private.
Attorney General Eliot Spitzer of New York signed a settlement yesterday with the retailer Victoria's Secret regarding its online privacy practices. The settlement, including a $50,000 penalty to be paid to the state, will be announced today.
Victoria's Secret, a division of Limited Brands, had left security holes in its Web site last year that allowed visitors to peek at customers' orders for underwear, camisoles, teddies and lotions.
A customer discovered the security flaw on the site last November, and the retailer fixed the problem within days. But it determined that from August to November 2002, the names, addresses and orders of more than 560 customers had been available to anyone who figured out how to manipulate the online customer identification number and order number to call up customer records.
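The flaw the article describes, an order-status page that releases whichever record the supplied customer and order identifiers name, is shown below as an added illustration (not code from the article or from the retailer), beside the fixed form that checks the record belongs to the logged-in customer, and a small log check that flags a session reading many customers' records. All records, identifiers and log lines are constructed for the example.

```python
"""Added illustration, not code from the article or the retailer it describes.
Order-status lookup with the authorization gap described above, its fixed form,
and a log check for one session naming many different customer ids.
All records, identifiers and log lines here are constructed."""
from collections import defaultdict

# Constructed sample data: (customer_id, order_number) -> order record
ORDERS = {
    ("C1001", "O5001"): {"owner": "C1001", "name": "Jane Doe", "city": "Ridgefield, Conn.", "items": ["camisole"]},
    ("C1002", "O5002"): {"owner": "C1002", "name": "Tammy Roe", "city": "Niantic, Conn.", "items": ["lotion"]},
}

def order_status_flawed(session_customer, customer_id, order_number):
    """The gap: looks up whatever identifiers the request supplies and never
    compares the logged-in customer with the record's owner."""
    return ORDERS.get((customer_id, order_number))

def order_status_fixed(session_customer, customer_id, order_number):
    """Releases the record only when it belongs to the authenticated customer.
    A foreign order and a nonexistent one get the same answer, so the reply
    does not confirm which identifier pairs exist."""
    record = ORDERS.get((customer_id, order_number))
    if record is None or record["owner"] != session_customer:
        return None
    return record

# Constructed access-log lines for the order-status page: one request per line
ACCESS_LOG = [
    "sess=A cust=C1001 order=O5001 status=200",
    "sess=B cust=C1002 order=O5002 status=200",
    "sess=B cust=C1001 order=O5001 status=200",
    "sess=B cust=C1003 order=O5003 status=200",
]

def sessions_reading_many_customers(log_lines, threshold=1):
    """Flags sessions whose requests name more than `threshold` distinct
    customer ids: a customer checking their own orders names one, so more
    suggests identifier guessing worth investigating."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        seen[fields["sess"]].add(fields["cust"])
    return sorted(s for s, custs in seen.items() if len(custs) > threshold)
```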
The customer who found the flaw, Jason Sudowski, is an employee of an Internet services company who lives in Niantic, Conn. In an interview yesterday, he said that he was checking the status of an order for his fiancée when he realized that he could gain access to other customers' numbers and see their recent orders. He called the retailer's customer service number and was told that nothing could be done.
"I talked to somebody who said, 'Well, there's no credit card numbers being displayed, so what's the big deal?' " he recalled. "I said, 'I don't think Tammy so-and-so from Ridgefield, Conn., would want me to know that she ordered this or that.' "
Mr. Sudowski then contacted a reporter who wrote an article for MSNBC.com. The day after the reporter called the retailer, it "disabled the flawed order status application" and directed customers to a toll-free number, according to the settlement papers.
Officials of Victoria's Secret did not respond to calls seeking comment yesterday.
The privacy policy posted on the Victoria's Secret Web site promised that customer data "is maintained in private files on our secure Web server," and that "we provide stringent and effective security measures on our Web site."
Because the security flaw violated the retailer's privacy policies, Mr. Spitzer's office accused it of breaking state laws concerning deceptive business practices, false advertising and fraudulent business activities.
Victoria's Secret did not admit to the attorney general's findings, but agreed to pay a fine of $50,000, improve its online security practices, and notify the customers whose data were at risk about the breach. The three customers whose data the attorney general's office determined had actually been seen by unauthorized people will be informed of the breach and will be sent a full refund for their purchases. The other 559 people whose information could have been exposed by the security flaw will be notified, and the 26 New York residents in that group will receive Victoria's Secret gift certificates.
"A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies with representations made about that company's security and privacy practices," Mr. Spitzer said through a spokesman. "When a business's security and privacy practices do not live up to its promises, a breach occurs."
The Victoria's Secret case is one of a series of actions brought by federal and state officials to compel companies to live up to their privacy policies. Although no overarching privacy protection law has been passed by Congress, said David Medine, a former Federal Trade Commission official who is a lawyer in Washington, decades-old consumer protection measures have been effectively turned to the task.
"The consumer protection laws of the 1930's have become the privacy law of the 21st century," he said.
The private information that was revealed did not include credit card numbers. But Mr. Medine said that some information can be as sensitive as financial data. "The core of it is, what do people expect will be kept secret? And of course when you're dealing with Victoria's Secret, you expect that a lot will be kept secret."
Mr. Sudowski said that he was happy with the result. "It's nice to hear that somebody paid attention to what goes on out there," he said.