Chapell & Associates

Websites – Don't Ask Customers to Assume the Risk of Data Security

March 24, 2004


There's a new trend in the online world. Websites that store significant amounts of customer data are beginning to require that customers waive any right to sue if the company's systems are hacked. This policy shift was clearly born out of the ever-increasing difficulty of protecting customer data from hackers and other evildoers. Mitigating against the potential damages of forces that are beyond your company's control is hardly a new concept, and is often a sensible legal strategy. Does that strategy make sense here? I'm not so sure.


If online companies want to prosper (and to be taken seriously, for that matter), they should provide the same basic protections that their offline brethren provide. In other words, it seems reasonable to expect that an online retailer would offer consumers a level of protection that is equivalent to that provided by brick and mortar retailers. Legally, brick and mortar storeowners have a duty to take reasonable steps to assure the safety of customers. For example, if I get mugged while shopping at a department store, depending on the state I'm in, the department store will have some level of liability. So why aren't online shoppers afforded the same protection as brick and mortar shoppers? And why are online companies able to get away with limiting liability?


The answer, folks, is because they can. This is still a new area of law, so I guess that technically, websites don't have to protect consumers from non-egregious security breaches. However, as is very often the case regarding issues of consumer privacy, an over-emphasis on compliance with the law and an under-emphasis on building consumer trust can lead to short-sighted business decisions. Here's why websites that limit liability for security breaches will regret that decision in the long run.


First, limiting liability certainly isn't going to make online shopping any more secure. In fact, it will probably make it less so. Accountability is often a key business driver. If companies are allowed to eliminate their responsibility for providing a safe shopping experience, what's their incentive for investing in website security? Without some level of accountability, security projects risk being delayed, as IT dollars originally earmarked for security will be diverted to more pressing programs.


Second, I've found that there are very few good ideas in business that need to be cloaked in secrecy. In an era of enhanced consumer awareness and scrutiny, if your company needs to communicate a new policy in fine print, you probably want to re-examine the policy. I don't mean to sound naïve, and I'm certainly not expecting companies to place an indemnification on the main page of their website. But why not give consumers notice of this new program somewhere where they can easily find it? Here's an example: I know of a major airline that is limiting their liability for security breaches. And I recently searched for the security indemnification language on their site. Remember now, I know that information is there, so it should be pretty easy to find, right? Well, I looked at the airline's privacy policy (1,670 words) but couldn't find it. I looked at their security statement, but couldn't find it there either. Finally, I clicked on a link at the bottom of their home page that read "legal", and that's where I found the security indemnification. Once again, I was looking for this information, and it took me 15 minutes to find it. So I'm just not sure how anyone who doesn't already know about the liability waiver is going to find it... Or perhaps that's the idea, right?


Third, diminished security is likely to lead to diminished sales. Here's an illustration from the offline world. Back in the late 1980s an unfortunate soul was attacked in the parking garage at a major retailer in my hometown. Immediately after the attack, the perception amongst area shoppers was that it was no longer safe for them to patronize that store. Their sales plummeted, and it was not long before the store closed its doors. Consumers need to feel confident that their shopping experience is safe or they will stay away in droves. How well do you think merchants in Baghdad are faring these days? And while online consumers don't necessarily fear for their personal safety, they are extremely wary about risking their financial safety. The specter of identity theft lurks in the minds of the Internet consumer in much the same way that fears of getting mugged haunted shoppers in my hometown.


I've read countless consumer studies over the past seven years that conclude that some of the most significant barriers to increased consumer spending online stem from a lack of consumer trust in sites' privacy and security policies. We all know this, correct? Then how does absolving your company of responsibility for protecting customer data build confidence in your security policies? And how will you build customer trust when you post that message in a place where it's unlikely for customers to read it? And while we're on the subject, what are the chances I'm flying on that airline any time soon? Not bloody likely, friends.


Fortunately, not all companies that are selling online have chosen this path. Bluefly, for example, has completely bucked the trend. Rather than ask their customers to agree to security waivers, the company has taken steps to guarantee the safety of customer data. For example, if a hacker breaks into their system and misuses customer credit card information, Bluefly will reimburse affected customers for the $50 not covered by their credit card company. Bluefly, you now have my business. If there are any other companies out there who offer similar guarantees, please let me know.


Smart companies will not limit their liability for security breaches. Smart companies will use privacy and security as brand differentiators. Take a picture of all the companies who are limiting their liability in this way. At least one of them isn't going to be around in five years.