Attorney General Reaches Agreement With Barnes And Noble On Privacy And Security Standards
New York State Attorney General Spitzer today announced an agreement with online book seller Barnes & Noble.com to correct an internet security breach that exposed the personal information of some of the company's consumers.
The agreement follows an investigation into the company's privacy and information security practices, in which the Attorney General found that a design vulnerability in Barnes & Noble.com's web site permitted unauthorized access to consumers' accounts and personal information and enabled users to make purchases on the site from consumers' accounts.
The vulnerability arose from Barnes & Noble.com's use of "cookie-less" shopping, whereby, in order to avoid the use of "cookies" (textual identifiers or markers placed on users' hard drives), Barnes & Noble.com stored certain user information in the web page URL. In certain situations (such as a consumer forwarding or posting a web page link), the consumer information in the URL was inadvertently posted or forwarded to third parties.
"Consumers are concerned about how their personal information is secured and protected by online merchants," Spitzer said. "Our effort here should help assure that the terms of Barnes and Noble's internet privacy policy are met."
Under the terms of the agreement, Barnes & Noble.com will establish an information security program to protect personal information; establish management oversight and employee training programs; hire an external auditor to monitor compliance with the security program; and pay $60,000 in costs and penalties. Spitzer commended Barnes & Noble.com for its cooperation with the investigation and its implementation of appropriate security safeguards.
This case was handled by Assistant Attorney General Don M. Tellock of Attorney General Spitzer's Internet Bureau, under the direction of Ken Dreifach, who is Chief of the Internet Bureau.