Ask The Security Expert: Questions & Answers

Can a company be liable for security statements made in its Web privacy policy?

EXPERT RESPONSE FROM: Ben Wright

QUESTION POSED ON: 23 February 2004
Can a company be liable for security statements made in its Web privacy policy?


Yes, Web privacy policies have been enforced through lawsuits and the actions of government agencies.

For example, some state attorneys general (AGs), notably Eliot Spitzer of New York, are aggressively applying consumer protection statutes to promote Web security. Technology publisher Ziff Davis agreed with the New York, California and Vermont attorneys general to pay $125,000 in legal fines, costs and damages for insecurity on its Web site.

The agreement concluded an investigation launched by the AGs on the grounds that Ziff Davis had violated state deceptive trade practices statutes.

Ziff Davis had published on its Web site a privacy policy that said it would use reasonable security controls to protect information (such as name, address and credit card number) disclosed by consumers. But the AGs found that Ziff Davis stored information from 12,000 subscribers in an unencrypted file accessible to hackers via the Internet. Hackers did access the information and then boasted about it on a bulletin board.

Within those 12,000 entries, a mere 50 contained credit card information. As a result of this security lapse, at least five consumers suffered from fraudulent transactions against their credit cards.

Ziff Davis cooperated with the investigation and reached an out-of-court agreement with the AGs. Ziff Davis agreed to implement new security controls. It agreed to pay $500 to each of the 50 credit cardholders whose credit card information was exposed. And it agreed to pay the AGs $100,000.

This case pivoted on Ziff Davis' publication of a privacy policy telling consumers that it would implement security. The essence of the AGs' argument is that ZD promised to consumers that if they give it information, it would keep it secure. The AGs said Ziff Davis broke its promise and therefore engaged in a deceptive trade practice. Had there been no published privacy policy, it would have been much more difficult for the AGs to assert that deceptive trade practices laws had been broken. This case should make corporate Web site owners be very careful about what they say in privacy policies.

None of Mr. Wright's statements on SearchSecurity.com are legal advice for any particular situation. If you need legal advice, you should consult a lawyer.
