Women’s apparel cataloger/retailer Victoria’s Secret agreed on Oct. 20 to pay $50,000 in costs and penalties for leaving the names, addresses, and order information of more than 560 customers exposed on its Website to those who could figure out how to call up customer records.
New York attorney general Eliot Spitzer had accused Victoria’s Secret of breaking New York state deceptive business and fraudulent advertising laws, because the error violated the privacy policy stated on the company’s site.
Victoria’s Secret inadvertently exposed the information between August and November 2002. In November, a customer in Niantic, CT, found the gaffe and reported it to Victoria’s Secret, which fixed it within a few days. Victoria’s Secret would only make a formal statement on the matter: “We take issues of maintaining our customers’ privacy very seriously. When we became aware of the matter we addressed it and worked cooperatively with the appropriate authorities.”
In addition to payments to the 560 customers, the settlement calls for Victoria’s Secret to establish and maintain an information security program to protect personal information, establish management oversight and employee training programs, and hire an external auditor to annually monitor compliance with the security program.