State Settles Online Privacy Case

State Attorney General Spitzer today announced an agreement with the American Civil Liberties Union (ACLU) that will help protect consumers from exposure of personal data from the organization's web site.

The agreement with the ACLU follows an incident last year in which consumers' personal information -- including name, address, phone number, e-mail address and a record of purchases -- was accessible through the search mechanism on the organization's web site.

"Consumers who make purchases and provide their personal data to a web site expect that the information will be protected from inadvertent disclosure or unauthorized access," Spitzer said. "My office is committed to making sure that all organizations operating a website have a strong online privacy policy and strictly adhere to that policy."

The data exposure occurred during a three-month period last year, when personally identifiable information about 91 consumers who purchased items from the ACLU's online store was publicly available on the organization's web site. The information included a record of customers' purchases of ACLU literature, buttons, hats and bumper stickers.

The settlement agreement requires the New York City-based ACLU to strengthen its internal standards relating to privacy protection, training, and monitoring. The organization will undergo annual, independent compliance reviews over the next five years and make the findings of those reviews available to the Attorney General's office. The ACLU has also agreed to pay $10,000 to the state.

Spitzer noted that although the privacy breach was caused by a third party vendor serving as a host for the web site, the duty to protect consumers rested with the ACLU because of specific representations in the organization's privacy policy.

Spitzer commended the ACLU for taking prompt remedial action to rectify the situation. The security breach was remedied within one hour after the ACLU received notice of the breach and the files were removed from the web site. In addition, within a few days, the ACLU sent letters to individuals whose information was potentially exposed, informing consumers about the breach and offering a refund for the merchandise each consumer had purchased through the organization's online store.

Assistant Attorney General Don M. Tellock of the Attorney General's Internet Bureau handled the case.

The settlement is one in a series of privacy actions by the Attorney General's office. In 2002, the office reached similar agreements with the Eli Lilly and Ziff Davis corporations.