Tower Records privacy misstep calls for FTC "tough love"

By Eric J. Sinrod
May 5, 2004
USAToday.com


There's no question that it's burdensome and costly for companies to safeguard personally identifiable information of customers. However, in addition to other good reasons to protect private data, the truth is that failures in this area can be far more burdensome and costly than getting it right in the first place. Tower Records recently learned that lesson when it agreed to enter into a consent order with the Federal Trade Commission (FTC).

The problem

According to the FTC, Tower Records had proclaimed in its privacy policy that it used state-of-the-art technology, yet it introduced a security flaw when it redesigned its Web site. Published reports attribute the flaw to a programming error in a script named "orderStatus.asp."

When a customer checked the status of an order on the Tower Records Web site, the script retrieved the order record using the order number carried in the URL of the resulting page. Nothing tied that lookup to the customer making the request, so a visitor could type a different order number into the URL and retrieve someone else's record. (In today's terms this is an insecure direct object reference: the server treated a client-supplied identifier as proof that the client was entitled to the record.) The flaw apparently allowed Web users to view other customers' order histories and personally identifiable information.
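To make the flaw concrete, here is an added example, not Tower Records' code and not the original ASP script: a minimal order-status lookup written two ways in Python. The first handler does what the column describes (looks up whatever order number the URL supplies), the second binds the lookup to the logged-in customer. The order data, customer identifiers and the sequential order numbers are constructed for the demonstration; the page gives none of them.

```python
"""Added example (not Tower Records' code): an order-status lookup with and
without an ownership check, modelled on the flaw the column describes.
All orders, customers and ids below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str
    name: str
    address: str
    items: tuple


# Constructed sample store. The ids are sequential on purpose: that is what
# makes "type a different number into the URL" a workable attack.
ORDERS = {
    "100237": Order("100237", "cust-alice", "Alice Example",
                    "1 Main St, Sacramento", ("Kind of Blue",)),
    "100238": Order("100238", "cust-bob", "Bob Example",
                    "2 Elm St, Portland", ("OK Computer", "Blue")),
}


def _public_view(order: Order) -> dict:
    """Fields an order-status page would render."""
    return {"name": order.name, "address": order.address,
            "items": list(order.items)}


def order_status_vulnerable(query_order_id: str) -> Optional[dict]:
    """The flawed pattern: trust the order number from the URL as proof of
    entitlement. Any visitor who edits the number gets another customer's
    name, address and purchases. (Assumed shape of the original bug.)"""
    order = ORDERS.get(query_order_id)
    if order is None:
        return None
    return _public_view(order)


def order_status(session_customer_id: Optional[str],
                 query_order_id: str) -> Optional[dict]:
    """Hardened pattern: require an authenticated session and return the
    record only if it belongs to that customer. A missing order and someone
    else's order both yield None, so the response does not confirm whether
    a guessed id exists."""
    if session_customer_id is None:
        return None
    order = ORDERS.get(query_order_id)
    if order is None or order.customer_id != session_customer_id:
        return None
    return _public_view(order)


def enumerate_orders(start: int, count: int) -> list:
    """What an attacker does against the vulnerable handler: walk a range of
    sequential ids and collect whatever comes back."""
    leaked = []
    for n in range(start, start + count):
        record = order_status_vulnerable(str(n))
        if record is not None:
            leaked.append((str(n), record["name"]))
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_orders(100236, 4))
    print("hardened, wrong owner:", order_status("cust-alice", "100238"))
    print("hardened, right owner:", order_status("cust-alice", "100237"))
```

The ownership check in `order_status` is the actual fix; making order numbers unguessable (random tokens instead of a counter) is worthwhile defence in depth but is not a substitute, because a customer who legitimately knows one id must still be prevented from reading another.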

Published reports indicate that, over a period of eight days, the names, addresses, phone numbers and purchase details of approximately 5,225 customers could be viewed this way.

Tough love from the FTC

In a recent consent order, Tower Records agreed to a number of enforcement provisions mandated by the FTC, all resulting from this security flaw, which compromised the privacy of personal

First, Tower Records is prohibited from misrepresenting the extent to which it maintains and protects privacy, confidentiality and security of personal information collected from and about consumers.

Second, Tower Records must establish a "comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from and about consumers." This program must be documented in writing and must contain detailed "administrative, technical, and physical safeguards."

Third, Tower Records must obtain an assessment and report "from a qualified, objective, independent third-party professional" within 180 days of the order and biannually for ten years that sets forth the administrative, technical, and physical safeguards that have been implemented and maintained, explains how these safeguards are appropriate, and certifies that the security program of Tower Records is operating with sufficient effectiveness to protect personal information.

Fourth, for five years, Tower Records must make available to the FTC upon request "a sample copy of each different print, broadcast, cable or Internet advertisement, promotion, information collection form, Web page, screen, email message, or other document containing any representation regarding [Tower Records'] online collection, use, and security of personal information from or about consumers," as well as any documents that contradict or qualify Tower Records' compliance with the FTC order; and for three years, Tower Records must make available to the FTC upon request "all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments" relating to compliance with the FTC order.

Fifth, within 180 days of the FTC order, and at such other times as required by the FTC, Tower Records must submit a report to the FTC setting forth in detail how Tower Records has complied with the order.

Sixth, unless specifically provided elsewhere in the FTC order, the order is deemed to expire 20 years after its issuance.

Get it right

Needless to say, Tower Records is under an FTC microscope, and the company will have to devote time and money over a period of years toward complying with the FTC order. The plain lesson here is that getting it right on the front-end in terms of privacy protection can save a lot of trouble and cash on the back-end.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Wednesdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at ejsinrod@duanemorris.com. To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to ejsinrod@duanemorris.com.