Learning from Zappos Breach Response

Privacy Attorney Offers Mixed Reviews of Retailer's Incident Response
Zappos was quick to communicate after discovering a data breach impacting 24 million customers. But did the online retailer respond appropriately, or make some missteps in its haste to notify? Francoise Gilbert of the IT Law Group gives a mixed review.

On one hand, she lauds the retailer for sending quick, informal notification - even if perhaps there was no legal obligation to do so.

But she does not support the company's tactics of shutting down its customer service phone lines and denying access to the website from locations outside the U.S.

"I understand why they did that, because they were overwhelmed," says Gilbert, speaking from the IT Law Group's offices in France. "But that's not appropriate for a company of their size. Zappos is not a start-up."

Organizations of all sizes need to engage in incident response planning, she says, and part of that planning should have included customer communications via telephone and the web. "In this case, shutting down the phone lines is not an appropriate response to the situation."

According to Zappos, the data breach resulted in unauthorized access to the following customer account information: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords (but not the actual passwords).

The database that stores customers' critical credit card and other payment data was not affected or accessed, Zappos says.

In an interview about the breach and how Zappos responded, Gilbert discusses:

  • The tone and content of Zappos' breach notice;
  • Missteps the company took by shutting down its phone lines and website;
  • Breach preparedness advice for organizations of all sizes.

Gilbert has extensive experience with data privacy and security issues, as well as Internet, e-business and information technology law. Her clients include Fortune 500 and other global corporations, as well as selected emerging technology start-ups. She advises companies on how to strategically manage their privacy, security, electronic workplace and e-business risks; develop and implement information privacy and security strategies and compliance programs; and integrate privacy and security in mergers and acquisitions, outsourcing, marketing and other relations.

She regularly addresses a wide range of privacy and security issues, from HIPAA, COPPA or CAN-SPAM compliance, to security breach disclosure laws, implementation of FTC or HIPAA Security Safeguards, U.S. Department of Commerce Safe Harbor self-certification, and foreign data protection laws (Western Europe, North America, or Asia Pacific) and cross-border data flow issues.
