How Zappos Breach May Affect How Organizations Handle Customer Data
A data breach at Zappos.com that exposed information about more than 24 million customers has led to a lawsuit, filed in Kentucky, against the company and its parent, Amazon.com, charging that the company was entrusted with "safeguarding plaintiff's and class members' PCAI [personal customer account information]." It claims the companies are in violation of the Fair Credit Reporting Act. No credit card account numbers were exposed, according to the company.
The suit claims that Zappos and Amazon didn’t adopt and maintain adequate procedures to protect information and limit its dissemination only for the “permissible purposes set forth in the Act.”
According to Todd Thiemann, senior director of product marketing for enterprise encryption specialist Vormetric, Inc., the lawsuit could have serious security implications for any organization that handles customer data. “If this lawsuit progresses and the decision is against Zappos-Amazon, it could invoke a sea change in data security requirements for organizations that maintain personal customer account information. Today, organizations are typically securing just cardholder data and are required to do so by the Payment Card Industry Data Security Standard.
“This lawsuit could force organizations to have to protect other PCAI data beyond credit card numbers.” Thiemann says that includes e-mail addresses, shipping addresses, and phone numbers.
“From a brand equity standpoint, this lawsuit is likely to significantly increase the costs associated with not securing PCAI.”
Thiemann also points out that the lawsuit “will likely cause enterprises to reevaluate their definitions of what constitutes sensitive information and how much they should invest to protect it. The downside associated with data breaches involving non-regulated PCAI just got a whole lot worse. Zappos clearly met the requirements of PCI DSS, so it will be interesting to see whether the lawsuit prevails.”
Thiemann praises the company for their incident response; they “quickly notified affected parties of the breach and explaining the steps they are taking to remediate the problem.” Among other things, the company forced all users to reset their passwords.
When I went to find links to any information on Zappo’s site, I found nothing on the home page. A Google search did turn up the original e-mail sent to employees here.
Thiemann points out that the lawsuit signals to the industry that a Zappos-style post-breach response isn't good enough anymore from a customer perspective.”
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 01/30/2012