From: John Klassa (klassa@cisco.com)
Date: Fri Jun 30 2000 - 13:16:46 PDT
Looks like nothing is sacred when you're going under...
http://news.cnet.com/news/0-1007-200-2176430.html
Failed dot-coms may be selling your private information
By Greg Sandoval
Staff Writer, CNET News.com
June 29, 2000, 5:05 p.m. PT
Some dot-com failures are resorting to selling information their
customers may have thought would remain under lock and key as they
scramble to find assets that can be sold to appease creditors.
At least three companies that have recently failed, Boo.com, Toysmart
and CraftShop.com, have either sold or are trying to sell highly
sought-after customer data that could include information such as phone
and credit card numbers, home addresses, and even statistics on shopping
habits.
The practice has raised the hackles of some privacy watchdogs and
possibly thousands of consumers who assumed the data would not be
transferred.
"It is inappropriate and potentially illegal to sell customer
information when it was collected under the assumption that it wouldn't
be shared," said Truste spokesman Dave Steer. "It's an invasion of
privacy and if not handled swiftly could happen again and again."
Truste is a Net privacy program that is a sort of Good Housekeeping
Seal of Approval for the Web. Boo.com and Toysmart are among the more
than 2,000 sites to receive the Truste "seal," meaning they met certain
criteria for safeguarding their customers' privacy.
When Fashionmall.com purchased some of the assets of Boo.com this month,
it specifically noted that it had acquired data on Boo.com's 350,000
customers. CraftShop, since filing for Chapter 11 bankruptcy in May, is
actively seeking a buyer for its customers' personal information that it
had promised "to never disclose...Ever."
Toysmart, meanwhile, advertised the sale of its customer list
and database in The Wall Street Journal last month after ceasing
operations. The company overseeing the sale of Toysmart's assets, the
Recovery Group, said several interested parties have bid on the customer
information.
A final sale will depend on settling the question of whether a sale
violates Toysmart's privacy agreement. A disagreement among Toysmart's
creditors has led to the case being turned over to a federal bankruptcy
judge, said Stephen Gray, the Recovery Group's managing director.
"A federal judge (Carol Kenner), will probably decide whether the
information can be sold," Gray said.
Companies on the Internet are not alone in collecting data about
customers or turning it over to new owners following bankruptcies or
mergers. For example, it is routine for banks and hospitals to transfer
intimate consumer or patient data following an acquisition.
However, the assurance of privacy on the Net is particularly troubling
for many consumers, because they have only a vague notion about the
wealth of information that can be gathered, analyzed and transmitted to
third parties.
Privacy in the fine print In response, the industry has sought to
temper consumer fears by posting detailed explanations about the
information being collected and how it is used. Privacy agreements are
now standard on most e-tailing sites, with varying degrees of actual
privacy depending on the wording.
Some companies say they are being careful to honor the letter of the
privacy agreement. For example, privately held CraftShop is selling
customer information along with the actual name of the site, noting that
it does not constitute a transfer of information to a "third party."
The company that buys the CraftShop name is free to use the list as long
as it does so as CraftShop.com, according to the company's former CEO,
Angus Mackey.
"CraftShop promised that it wouldn't release the names without
approval," Mackey said. "So we just can't take the names and sell them
to anyone interested. We couldn't deal them independently. (The company
name and customer list) had to go together."
While such a transfer may be perfectly legal, some privacy advocates
find that to be little solace.
Such a sale is taking advantage of a loophole, according to Andrew
Shen, policy analyst with the Electronic Privacy and Information Center
(EPIC), a privacy watchdog group based in Washington, D.C.
"This is why the (Federal Trade Commission) act is not a sufficient
manner in which to protect privacy," Shen said. "We need stronger laws
to prevent the exchange of customer information when companies merge or
are sold."
Among the provisions of the FTC act is a section that prohibits unfair
or deceptive business practices. That's the section the FTC is using to
make inquiries into the Toysmart sale, Steer said. Truste contacted the
FTC after learning the e-tailer was planning to sell its customer list.
Gray confirmed that the FTC has contacted Recovery Group about the sale.
Legislation at work The FTC has acted before to protect consumer privacy
on the Web. In 1998, the FTC forced GeoCities to post a notice on
privacy after determining the community site misled customers when it
asked them to provide personal information it eventually shared with
marketing firms.
Shen said lawmakers should bar bankrupt companies from selling customer
data to pay their creditors or for any other reason.
"A lot of these companies are going to go belly-up," he said. "And one
of the things these companies are going to sell is personal data. Quite
clearly there should be legal prohibitions on doing that."
Congress is moving to create more safeguards. Sen. Fritz Hollings,
D-S.C., has sponsored legislation that, among other things, would
prevent creditors from including customer information among a failed
company's assets. It would also make it illegal to share customer
information without the customer's prior consent.
In Toysmart's privacy statement, the company stated that "personal
information," such as "name, address, billing information and shopping
preferences, is never shared with a third party."
CraftShop's was even more detailed: "We will hold your secure online
shopping information in the strictest confidence," the agreement
said. "We will never release it to any person or any company for any
purpose. We do not sell, rent or lend any part of our mailing list."
London-based Boo.com's privacy agreement was unavailable, but
Fashionmall chief executive Ben Narasin said that Boo.com did have one
and that it stood up to strict European privacy laws. Narasin said he
intended to send email to all the customers on the Boo.com list to get
their permission to continue sending them information.
All three companies say their efforts are aimed at paying
creditors. Fire sales of Net companies aren't particularly lucrative;
the assets can make 10 cents on the dollar, according to some bankruptcy
attorneys. Customer lists are considered among the most valued assets
of any technology company.
However companies decide to handle the data about their customers, it is
generally believed that the courts will make the final decision.
"Its one thing for a private company to have to decide, but man, there's
a lot of money in public companies," Mackey said. "And believe me,
there's going to be a race to the lawyers."
-- John Klassa / Cisco Systems, Inc. / RTP, NC / USA / klassa@cisco.com / <><
This archive was generated by hypermail 2b29 : Fri Jun 30 2000 - 13:21:30 PDT