Evan Schuman's StorefrontBacktalk

Bank-based payment card systems just aren’t designed for this. Any card tied to a loyalty system is easy to track, but when there’s nothing but a name and card number, at a minimum a customer address requires jumping through hoops to get it from the card-issuing bank.

Which still only helps for customers who used a payment card instead of paying cash.

Even then, it’s all but impossible to know who exactly might have actually been exposed. Typhoid is typically spread by direct contact with food, but in a busy kitchen it might be impossible to determine which line cook touched what meal orders. Even if the kitchen is highly automated (which means theoretically every food item can be tracked to a specific line cook), in reality a lot of hands can touch a plate—and that’s before customers eat off each other’s plates.

All that means Nordstrom will have to cast a wide net in sifting through POS and food-order data, just to be on the safe side.

If this whole process sounds something like a payment card breach—delayed discovery, difficulty identifying customers who will actually be affected—it clearly is. And as with a breach, the more entities involved, the harder it is to get everyone onboard with contacting customers. It may be a little easier to get issuing banks to cooperate when the problem is a disease like typhoid rather than payment-card accounts, but it’s still a challenge.

Of course, as Nordstrom tries to track down at-risk customers using systems that really weren’t designed for that, it might all be unnecessary. If that line cook was careful to wash his hands, there might be no spread of the disease at all. That’s what everyone is hoping. Unfortunately for Nordstrom, it’s still necessary for the retailer to do the best it can with the data it has available. When it comes to a card breach, waiting to see whether card numbers show up in fraud is a possible approach. When it comes to public health, waiting to see if customers get sick isn’t really an option.