Astroglide/Biofilm: when passwords and robots.txt are insufficient

By dissent, April 29, 2007 11:01 am

Biofilm has provided some more information about a recent web exposure involving the names and street addresses of over 260,000 people who ordered free samples of one of their products. While Biofilm states that data on paying customers is always kept behind a firewall, they reportedly didn’t use the same security on those ordering free samples. Union-Tribune staff writer Keith Darcé reports:

[...]

Google shouldn’t have found the files, [Biofilm webmaster Matthew] Eckmann said. The company had taken a number of steps to block outsiders from discovering the data, including using password protection and robots.txt files to instruct friendly Internet crawlers to stay away from the customer lists.

But other unprotected files on the server made reference to the sensitive Astroglide files and provided pathways for Googlebot to follow, Eckmann said.

So we’re back to figuring out the “noindex,” “noarchive,” “nofollow” tags, etc., it seems. But once again, the bottom line is that the data were not behind a firewall and were on a public server. And as noted in previous blogs here and on Homeland Stupidity and Threat Level, the breach, however accidental, appears to violate the terms of their published privacy policy:

Biofilm could face lawsuits over the leaks from some of the people on the lists, said Chris Hoofnagle, a senior staff attorney and privacy expert with the University of California Berkeley’s Samuelson Law, Technology and Public Policy Clinic.

Lawyers might argue that Biofilm violated a California law that bars companies from engaging in unfair or deceptive trade practices, Hoofnagle said. They also could argue that the company breached another state law requiring Internet businesses to abide by online privacy policies.

Web pages for ordering Astroglide samples included this disclaimer: “All information will be used for mailing purposes only and will not be distributed to any outside organizations.”

Additionally, a privacy policy Web page for the company promises not to share personal information with outside parties without receiving permission or disclosing plans to distribute the information when it’s collected.

Any financial hit resulting from litigation probably won’t be too large, Hoofnagle said. “This type of leak raises certain legal risks. But these cases settle for very reasonable amounts.”

Is it a “good thing” or a “bad thing” that they are unlikely to take a large financial hit? I suspect most people would argue that it’s good because you don’t want to see a company go out of business or really suffer because of one accident or mistake. And from other media reports, not all customers might be concerned or upset about the exposure. Heck, not all chronologies or databases might even include this incident at all because it didn’t involve financial details.

A quarter of a million people potentially embarrassed or upset, and … it doesn’t count or get included in most chronologies or databases because it didn’t involve financial details or potentially lead to ID theft? I guess that’s one difference between those concerned with security of financial information and those concerned with privacy.
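A check that follows from the Eckmann quote above, added here and not part of the original post or of Biofilm’s setup: a robots.txt Disallow line is only a request to polite crawlers, so this script treats the Disallow entries as the site owner’s own list of sensitive paths and verifies that each one refuses an anonymous request. The base URL, the robots.txt text and the canned server responses are constructed placeholders.

```python
from urllib.parse import urljoin
import urllib.error
import urllib.request

def disallowed_paths(robots_txt: str) -> list[str]:
    """Collect Disallow entries from the group(s) addressed to 'User-agent: *'."""
    paths, in_group, prev_was_ua = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            # consecutive User-agent lines share one group
            in_group = (in_group or value == "*") if prev_was_ua else value == "*"
            prev_was_ua = True
            continue
        prev_was_ua = False
        if key == "disallow" and in_group and value:
            paths.append(value)
    return paths

def http_status(url: str) -> int:
    """Anonymous GET; only the status code matters, not the body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url: str, robots_txt: str, probe=http_status) -> dict[str, int]:
    """{path: status} for disallowed paths an anonymous client can still read (200)."""
    return {p: s for p in disallowed_paths(robots_txt)
            if (s := probe(urljoin(base_url, p))) == 200}

# Constructed sample robots.txt and canned responses standing in for a live server.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /samples/          # free-sample order lists
Disallow: /admin/
Disallow: /cgi-bin/export.cgi
"""
FAKE_RESPONSES = {"https://example.invalid/samples/": 200,   # listing served openly
                  "https://example.invalid/admin/": 401,      # auth actually enforced
                  "https://example.invalid/cgi-bin/export.cgi": 403}
def fake_probe(url: str) -> int:
    return FAKE_RESPONSES.get(url, 404)
if __name__ == "__main__":
    for path, status in audit("https://example.invalid/", SAMPLE_ROBOTS, fake_probe).items():
        print(f"EXPOSED {path} -> HTTP {status}")   # prints: EXPOSED /samples/ -> HTTP 200
```

Swap `fake_probe` for the default `http_status` to run it against a host you administer; anything it reports is protected by nothing more than a crawler’s good manners.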
