Don't Ask Your Customers to Assume the Risk of Data Security

There's a trend online. Web sites that store significant amounts of customer data are beginning to require that customers waive any right to sue if the company systems are hacked.

This policy shift clearly is born out of the ever-increasing difficulty of protecting customer data from hackers and other evildoers. Mitigating the potential damage from forces that are beyond your company's control is hardly a new concept, and is often a sensible legal strategy. Does that strategy make sense here? I'm not so sure.

If online companies want to prosper (and to be taken seriously, for that matter), they should provide the same basic protections that their offline brethren provide. It seems reasonable to expect that an online retailer would offer consumers a level of protection equivalent to that provided by brick-and-mortar retailers.

Legally, brick-and-mortar storeowners have a duty to take reasonable steps to ensure the safety of customers. For example, if I get mugged while shopping at a department store, depending on the state I'm in, the store will have some level of liability. So why aren't online shoppers afforded the same protection as brick-and-mortar shoppers? And why are online companies able to get away with limiting liability?

The answer, folks, is because they can. This is still a new area of law, so I guess that technically, Web sites don't have to protect consumers from non-egregious security breaches. However, as is very often the case regarding issues of consumer privacy, an overemphasis upon compliance with the law and an under-emphasis upon building consumer trust can lead to shortsighted business decisions.

Here's why Web sites that limit liability for security breaches will regret that decision in the long run.

First, limiting liability certainly isn't going to make online shopping any more secure. It will probably make it less so. Accountability is often a key business driver. If companies are allowed to eliminate their responsibility for providing a safe shopping experience, what's their incentive for investing in Web site security? Without some level of accountability, security projects risk being delayed, as IT dollars originally earmarked for security will be diverted to more pressing programs.

Second, I've found that very few good ideas in business need to be cloaked in secrecy. In an era of enhanced consumer awareness and scrutiny, if your company needs to communicate a new policy in fine print, you probably want to re-examine the policy. I don't mean to sound naïve, and I'm certainly not expecting companies to place an indemnification on the main page of their Web site. But why not give consumers notice of this new program somewhere where they can easily find it?

Here's an example: I know of a major airline that is limiting its liability for security breaches. And I recently searched for the security indemnification language on its site. Remember, I know that information is there, so it should be pretty easy to find, right? Well, I looked at the airline's privacy policy (1,670 words) but couldn't find it. I looked at its security statement, but couldn't find it there, either.

Finally, I clicked on a link at the bottom of the airline's home page that read “legal,” and that's where I found the security indemnification. Once again, I was looking for this information, and it took me 15 minutes to find it. So I'm just not sure how anyone who doesn't already know about the liability waiver is going to find it. Perhaps that's the idea.

Third, diminished security is likely to lead to diminished sales. Here's an illustration from the offline world. In the late 1980s, an unfortunate soul was attacked in the parking garage at a major retailer in my hometown. Immediately after the attack, the perception among area shoppers was that it no longer was safe for them to patronize that store. The store's sales plummeted, and it was not long before the store closed.

Consumers need to feel confident that their shopping experience is safe or they will stay away in droves. How well do you think merchants in Baghdad are faring these days? And though online consumers don't necessarily fear for their personal safety, they are extremely wary about risking their financial safety. Identity theft lurks in the minds of Internet consumers in much the way that fears of getting mugged haunted shoppers in my hometown.

I've read countless consumer studies in the past seven years concluding that some of the major barriers to increased consumer spending online stem from a lack of consumer trust in sites' privacy and security policies. We all know this, correct?

Then how does absolving your company of responsibility for protecting customer data build confidence in your security policies? And how will you build customer trust when you post that message in a place where customers are unlikely to read it? And while we're on the subject, what are the chances I'm flying on that airline any time soon? Not bloody likely, friends.

Fortunately, not all companies that sell online have chosen this path. Bluefly, for example, has bucked the trend. Rather than ask its customers to agree to security waivers, the company has taken steps to guarantee the safety of customer data. For example, if a hacker breaks into its system and misuses customer credit card information, Bluefly will reimburse affected customers for the $50 not covered by their credit card company. Bluefly, you now have my business. If any other companies out there offer similar guarantees, please let me know.

Smart companies will not limit their liability for security breaches. Smart companies will use privacy and security as brand differentiators. Take a picture of all the companies who are limiting their liability in this way. At least one of them isn't going to be around in five years.
