Evan Schuman's StorefrontBacktalk

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

If a customer slips and falls in a large box store and then decides to sue the store, it would certainly be appropriate for the retailer to examine the videotapes relating to the slip and fall, see whether the customer did—in fact—fall, observe how that person was behaving before the fall and afterward, and determine what the condition of the floor was at the time of the incident.

But when Vons customer Robert Rivera sued the grocery store after he allegedly slipped on spilled yogurt, the supermarket in litigation called up Rivera’s purchasing habits, determined he had purchased “a lot” of alcohol and questioned his sobriety at the time of the accident. (Vons denied the allegation, and the lawsuit was reportedly thrown out of court.)

What if a customer alleges some injury and the store has a record from the in-house pharmacy showing the customer had been prescribed, and purchased, pain medication for months or years before the alleged injury—suggesting a pre-existing condition. How about a customer suggesting that a retailer’s conduct caused severe weight gain or loss. Could that person’s purchasing records of sizes worn be used against him or her? If a customer purchases a book titled “How to Sue Anyone for Anything” (sounds like my next project) in the days or weeks before initiating litigation, could the retailer pull up these records for examination in the litigation?

As long as the privacy policy is written in a way that warns consumers that their personal information may be used in this way (and there is no law prohibiting such use, like HIPAA does for certain health data), then lawyers for the retailer could at least make a colorable claim that it is fair game.

But be careful what you wish for. If customers know that you intend to monitor their every activity and use that information against them, they may be less likely to shop at your store. And they may be less likely to share accurate personal information with you. In some cases, as with AT&T, the company may have no choice; virtually all telecommunications providers have the same or similar policies. There, the only alternative is two Dixie cups, a string and a friend on the other end with a bad memory.

Big data can be good data or bad data, depending on which side of the table you find yourself.

As a retailer, you have access to a wealth of information about your customers. Not only can this information be used to help you sell and market to those customers, but it can likely be used to devastate them should they ever choose to sue you or an affiliate—or it may even be used to scare customers into not suing you.

Your phone company, for example, may listen in on your calls. Your E-mail provider may read your mail. Your Internet service provider may track every Web site you visit. And then this information may be made public should you have the temerity to sue, or threaten to sue, any of these entities.

Ordinary brick-and-mortar stores may similarly collect and use personal data about customers not only as a shield against false claims but as a hammer to intimidate potential litigants. Their power to do so seems, for now, to be limited only by the terms of the privacy policies they themselves write.

As retailers not only collect but have access to more and more information about customers, and as retailers increasingly become not only stores but technology and service providers, the opportunity for misuse and abuse of personal information increases. Nowhere is this more evident than in the areas of online retail, telecommunications and the Internet, not only because these companies collect and store so much information about their customers but also because of the intimate nature of the information they collect—and their broad retained powers to use it.

Let’s say you are upset with AT&T.