
Victoria's Secret settles privacy policy breach

OUT-LAW News, 22/10/2003

New York State Attorney General Eliot Spitzer yesterday announced a settlement with Victoria's Secret which requires the lingerie seller to tighten its web site security and compensate New Yorkers whose personal information was exposed on-line.

Spitzer took action after an investigation revealed an inconsistency between the Columbus, Ohio-based company's web site privacy policy and its practices.

The privacy policy for Victoria's Secret stated:

"Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information ...is maintained in private files on our secure web server and internal systems..."

Despite the policy, investigators found that some consumers' personal information, including name, billing address, and items ordered, was available on the web site for a period beginning in August of 2002 and ending in late November of 2002.

The New York Times suggests that the company failed to take a consumer complaint seriously because credit card details were not among those that could be accessed on-line – apparently deeming insignificant the details of who-bought-what underwear.

So the consumer approached the press, which led the company to fix the problem but also brought it to Eliot Spitzer's attention.

"A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies in all respects with representations made about the company's information security and privacy practices," said Spitzer.

Under the terms of the settlement, Victoria's Secret is required to:

Establish and maintain an information security program to protect personal information;

Establish management oversight and employee training programs;

Hire an external auditor to annually monitor compliance with the security program; and

Provide refunds or credits to all affected New York consumers.

The settlement also requires Victoria's Secret to pay $50,000 to the State of New York in costs and penalties.

William Malcolm, a data protection expert with Masons, the law firm behind OUT-LAW.COM, said:

"The US has less stringent privacy laws than those found in Europe. While privacy policies or data protection notices are not legally required of most US web sites, they are recommended, and consumers largely expect them. This case is further evidence that US authorities are willing to take action when a company does not comply with its own policies and breaches the trust of consumers."

 
