Sears, Where America Sues

Written by Evan Schuman
January 6th, 2008

With the recent slew of privacy incidents coming to light—including two this week from Sears—red-blooded Americans are doing what we always do in times of sorrow and anguish: file lawsuits.

But as I was looking at two unrelated privacy legal filings on Friday, I was struck by the different legal tactics and the very different probability of success.

When the topic is lawsuits, though, it’s critical to get a clean definition of "success" at the very start. The plaintiffs here were all consumers. Is the objective to make the consumer whole, in the sense of getting them to the point financially where they would have been had the data privacy booboo never happened?

Is it to make it much more likely that the wrong will never be repeated, sparing other consumers the headache? Is it to make money for the consumer? Is it, dare I say, to make money for the law firms?

The recent TJX lawsuits, for example, could be said to have failed for their consumer plaintiffs on all of those objectives, other than making money for the law firms, and even that money was rather paltry.

As has been noted in this column many times, these lawsuits have an uphill battle for two reasons. There is currently no federal law—and Minnesota has the only state law that even comes close—that requires businesses to protect consumer data. So the accusation that a retailer or other business was reckless in protecting consumer private data is nice-sounding, but there’s no law that says businesses have any such obligation.

Until some privacy laws with real teeth are passed, these privacy incidents will continue to happen. Indeed, their frequency will sharply increase as this legal loophole is understood by more businesses.

The second problem with these consumer data privacy litigation efforts is that there is rarely any true monetary loss. The actions are more galling and infuriating than actually take-money-out-of-a-consumer’s-pocket costly. There are lots of potential true monetary losses but almost no provable ones.

Even if a consumer was ripped off for, let’s say, $2,000 because of information the merchant let loose, the retailer (or bank) would simply refund that $2,000 and eliminate the loss.

That all said, let’s look at two pieces of litigation that were filed last week, in connection with two unrelated privacy breaches from three deep-pocketed companies: $52 billion Sears, $41 billion Sprint and $36 billion Wells Fargo.

The Sears lawsuit was a result of one of the two Sears data privacy breaches confirmed last week: a hidden spyware campaign and a feature that allowed consumers to look up other people’s Sears purchases.

Specifically, it was a response to the ability to have a consumer’s Sears purchase history displayed to anyone who knew the consumer’s name, phone number and street address. On Friday, Sears shut down the part of its site that revealed that data. But not before lawyers from the New York City-based KamberEdelson were able to file papers.

The lawsuit—filed on behalf of New Jersey resident Christine Desantis—concedes that the consumer lost no money but that she might—possibly—in the future. (There are those cynical sorts who might say, "Fine. When she does lose money, then file the lawsuit," but I won’t go there yet.)

The lawsuit then tried to list the flaw’s consequences, which it identified as "staggering." What do they consider so staggering? Let’s take a look.

Point one, quoting from the lawsuit filing: "A nosy person can find out how much his neighbor spent on a new washing machine or lawnmower."

Point two: "Marketing companies can mine the (Sears) Web site for data about Sears customers in order to transmit detailed advertisements for additional products and/or warranties."

Point three: "Hackers can systematically access this data for much more insidious purposes. They can use the data to commit fraud by, for example, sending e-mails or making phone calls purporting to be from Sears alerting individuals to a recall of a specific product. They then can use the information they have obtained from Sears’s website to gain trust over the unsuspecting victim and obtain access to a person’s credit information, social security numbers or even a person’s house." True, but it’s hypothetical until it happens.

My personal favorite, whose logic escapes me: "Desantis and the members of her class were damaged by Sears’s misconduct, inter alia, because the value of the products and services they purchased from Sears was diminished because Sears made publicly available their personal information connected to those purchases. Put simply, a dishwasher costing $1,000 is worth less than an identical dishwasher where the first purchaser’s private purchase information is made public."

Let me see if I understand this. Let’s say I purchase a $5,000 52-inch plasma TV. Is that set suddenly worth less if my nosy neighbors learn its price? (My life is certainly worth less if my wife discovers the price, but that’s a different issue.)

Then there’s the "how much are you asking for" part of the filing: "The aggregate amount at issue is (less than) $5 million collectively, even when factoring in the cost of the injunctive relief and the request for attorneys’ fees. Further, no individual in the class is seeking more than $75,000 for him or herself, all types of relief included." No one is seeking more than $75,000? How comforting.

Now let’s compare it with the case of Theodore D. Karantsalis, a librarian from Miami, Florida. His case started last month when he received this letter from Sprint Nextel.

The letter told Karantsalis that "a customer logged in through the Checkfree service on the Wells Fargo banking website and, when they clicked on the link to see their current Sprint invoice, they were erroneously presented with your invoice instead. The customer called to report this to Sprint immediately. This issue was caused by a system coding error that mixed up two invoices when two customers were on the system at the same time with the same billing cycle."

Asked the consumer: "I’m not even a customer of Wells Fargo bank. How did they get access to my private information?"

Karantsalis added: "The right to privacy is a personal and fundamental right protected by the Constitution." Not so sure it does that. This is one of these implied rather than explicit rights. Need to leave that one up to the U.S. Supreme Court. *gulp*

Here’s where the contrasts get interesting. Instead of retaining a law firm, Karantsalis filed the lawsuit himself, but he did it in Small Claims court and he’s suing for exactly $597.

When I first saw this filing—Karantsalis E-mailed it to us and, presumably, a bunch of other journalists as well—I dismissed it as trivial but then it grew on me. A small claims filing sidesteps a lot of legal nonsense that large firms opt for. It also delivers any monies received directly to the consumer.

More importantly, a small claims court judge is more likely to think in terms of fairness and often has more latitude. But the best issue is that it’s small enough to not merit Sprint or Wells Fargo fighting it. Unlike Desantis, Karantsalis has a decent shot of getting some dollars and of getting those dollars sometime soon.

Until the laws are changed, what can consumers do to dissuade companies from treating their privacy recklessly? Voting with their purchases seems to be something that most consumers are unwilling to do, if TJX is any indication. Consumers will gleefully say they won’t support retailers who treat their data recklessly, but earnings reports suggest they certainly don’t actually do it.

But what if every consumer who was so victimized filed a small claims court lawsuit locally? It would likely deliver more to those consumers—remember the $15 checks to the consumer TJX victims?—and would collectively cost the retailers more. I hate to suggest such a move, but clearly something has to be done. In a battle for world domination between lawyers and librarians, my money’s riding on the librarians.


8 Comments

  1. David Parker Says:

    Great story. I bet with the librarian too. Smart.

  2. Melissa Griffin Says:

    I did a class action once and never got a penny. The lawyers got it all. Will you write about whether the librarian wins or settles his case?

  3. Bill Nelson Says:

    Did the librarian use a lawyer or did he file the lawsuit himself?

  4. Evan Schuman Says:

    I believe he filed it himself.

  5. Laura Woods Says:

    Bravo! I have found it nearly worthless to be included in any class action lawsuit, but it’s also not worth my time and money to opt out and do something on my own…until now!

  6. jason gutterman Says:

    stumbled on this article by accident. but may be the most useful one i have ever read. you should let us all know how this librarian guy fares. you might be on to something really huge here. i think i’ll hug a librarian this week. ;)

  7. Mr. John Rida Says:

    I like little people standing up to large company. This libraryman has courage.
    John, Security Guard

  8. Ken Thore Says:

    Followed the other story here. I wish my local paper would write stories like this. Good guy wins against moron companies.

