Learning from Zappos Breach Response
Privacy Attorney Offers Mixed Reviews of Retailer's Incident Response
On one hand, she lauds the retailer for sending quick, informal notification - even if perhaps there was no legal obligation to do so.
But she does not support the company's tactics of shutting down its customer service phone lines and denying access to the website from locations outside the U.S.
"I understand why they did that, because they were overwhelmed," says Gilbert, speaking from the IT Law Group's offices in France. "But that's not appropriate for a company of their size. Zappos is not a start-up."
Organizations of all sizes need to engage in incident response planning, she says, and part of that planning should have included customer communications via telephone and the web. "In this case, shutting down the phone lines is not an appropriate response to the situation."
According to Zappos, the data breach resulted in unauthorized access to the following customer account information: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords (but not the actual passwords).
The database that stores customers' critical credit card and other payment data was not affected or accessed, Zappos says.
In an interview about the breach and how Zappos responded, Gilbert discusses:
- The tone and content of Zappos' breach notice;
- Missteps the company took by shutting down its phone lines and website;
- Breach preparedness advice for organizations of all sizes.
Gilbert has extensive experience with data privacy and security issues, Internet, eBusiness and information technology law. Her clients include Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace and e-business risks; develop and implement information privacy and security strategies and compliance programs; and integrate privacy and security in mergers and acquisitions, outsourcing, marketing and other relations.
She regularly addresses a wide range of privacy and security issues, from HIPAA, COPPA or CAN SPAM compliance, to security breach disclosure laws, implementation of FTC or HIPAA Security Safeguards, U.S. Department of Commerce Safe Harbor self-certification, or foreign data protection laws (Western Europe, North America, or Asia Pacific) and cross-border data flow issues.