FTC Beat
Mar 23
2012

How Zappos Defused a Potential Online Privacy Crisis

When hackers breached the computer systems of online retailer Zappos.com in January, they gained access to the personal information of up to 24 million customers. The information included customer names, billing and shipping addresses, email addresses, and phone numbers. In a predictable response, customers immediately filed federal class action lawsuits against Zappos, and the attorneys general of nine states sent a joint letter to the company demanding more information about the breach of consumer data.

Despite the rush to accuse, much of the personal information that was taken— names, addresses, and phone numbers — is available in any phone book or internet search. Customers and state attorneys general were so quick to accuse Zappos of wrongdoing that they did not stop to consider what Zappos did right.

Thanks to Zappos’ prior planning, the hackers were unable to reach the most sensitive information, such as passwords and full credit card numbers, because they were secured, encrypted, and stored in a separate database. When the breach came to light, Zappos responded immediately by putting into effect its existing contingency plan for a data breach. Zappos quickly alerted customers to the breach via email and automatically reset the passwords of all 24 million customers. Additionally, Zappos informed its employees of the facts of the breach and trained all employees to pitch in and respond to customer inquiries.

Certainly, as the attorneys general’s letter pointed out, there are huge risks involved with any security breach. For instance, even the limited information the hackers obtained from Zappos could be used in carrying out a targeted email phishing scheme aimed at the customers. Keeping customers’ personal information secure is a huge responsibility that all online retailers must take seriously and take every step to avoid.

While Zappos will certainly have to review the circumstances of how this happened and put into place further steps to protect customers’ information, the company’s prior planning prevented a much more serious breach, and its response was swift and effective. Zappos set a good example of the precautions that online merchants should take with customers’ information, and how to respond in case of a breach.

related practices at ifrah law:
posted in:
Privacy
Leave a Comment
Subscribe to Comments

Connect with Us Share

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts