Websites – Don’t Ask Customers to Assume the Risk of Data Security
March 24, 2004
There’s a new trend in the online world. Websites that store significant amounts of customer data are beginning to require that customers waive any right to sue if the company’s systems are hacked. This policy shift was clearly born out of the ever-increasing difficulty of protecting customer data from hackers and other evildoers. Mitigating the potential damages of forces that are beyond your company’s control is hardly a new concept, and is often a sensible legal strategy. Does that strategy make sense here? I’m not so sure.
If online companies want to prosper (and to be taken seriously, for that matter), they should provide the same basic protections that their offline brethren provide. In other words, it seems reasonable to expect that an online retailer would offer consumers a level of protection equivalent to that provided by brick-and-mortar retailers. Legally, brick-and-mortar store owners have a duty to take reasonable steps to assure the safety of customers. For example, if I get mugged while shopping at a department store, depending on the state I’m in, the department store will have some level of liability. So why aren’t online shoppers afforded the same protection as brick-and-mortar shoppers? And why are online companies able to get away with limiting liability?
The answer, folks, is because they can. This is still a new area of law, so I guess that technically, websites don’t have to protect consumers from non-egregious security breaches. However, as is very often the case with issues of consumer privacy, an over-emphasis on compliance with the law and an under-emphasis on building consumer trust can lead to short-sighted business decisions. Here’s why websites that limit liability for security breaches will regret that decision in the long run.
First, limiting liability certainly isn’t going to make online shopping any more secure. In fact, it will probably make it less so. Accountability is often a key business driver. If companies are allowed to eliminate their responsibility for providing a safe shopping experience, what’s their incentive for investing in website security? Without some level of accountability, security projects risk being delayed, as IT dollars originally earmarked for security will be diverted to more pressing programs.
Second, I’ve found that there are very few good ideas in business that need to be cloaked in secrecy. In an era of enhanced consumer awareness and scrutiny, if your company needs to communicate a new policy in fine print, you probably want to re-examine the policy. I don’t mean to sound naïve, and I’m certainly not expecting companies to place an indemnification on the main page of their website. But why not give consumers notice of this new program somewhere they can easily find it? Here’s an example: I know of a major airline that is limiting its liability for security breaches, and I recently searched for the security indemnification language on its site. Remember now, I know that the information is there, so it should be pretty easy to find, right? Well, I looked at the airline’s privacy policy (1,670 words) but couldn’t find it. I looked at their security statement, but couldn’t find it there either. Finally, I clicked on a link at the bottom of their home page that read “legal”, and that’s where I found the security indemnification. Once again, I was looking for this information, and it took me 15 minutes to find it. So I’m just not sure how anyone who doesn’t already know about the liability waiver is going to find it. Or perhaps that’s the idea, right?
Third, diminished security is likely to lead to diminished sales. Here’s an illustration from the offline world. Back in the late 1980s, an unfortunate soul was attacked in the parking garage at a major retailer in my hometown. Immediately after the attack, the perception among area shoppers was that it was no longer safe for them to patronize that store. The store’s sales plummeted, and it was not long before it closed its doors. Consumers need to feel confident that their shopping experience is safe, or they will stay away in droves. How well do you think merchants in Baghdad are faring these days? And while online consumers don’t necessarily fear for their personal safety, they are extremely wary about risking their financial safety. The specter of identity theft lurks in the minds of the Internet consumer in much the same way that fears of getting mugged haunted shoppers in my hometown.
I’ve read countless consumer studies over the past seven years that conclude that some of the most significant barriers to increased consumer spending online stem from a lack of consumer trust in sites’ privacy and security policies. We all know this, correct? Then how does absolving your company of responsibility for protecting customer data build confidence in your security policies? And how will you build customer trust when you post that message in a place where customers are unlikely to read it? And while we’re on the subject, what are the chances I’m flying on that airline any time soon? Not bloody likely, friends.
Fortunately, not all companies that are selling online have chosen this path. Bluefly, for example, has completely bucked the trend. Rather than ask its customers to agree to security waivers, the company has taken steps to guarantee the safety of customer data. For example, if a hacker breaks into its system and misuses customer credit card information, Bluefly will reimburse affected customers for the $50 not covered by their credit card company. Bluefly, you now have my business. If there are any other companies out there that offer similar guarantees, please let me know.
Smart companies will not limit their liability for security breaches. Smart companies will use privacy and security as brand differentiators. Take a picture of all the companies that are limiting their liability in this way. At least one of them isn’t going to be around in five years.