Slashdot Mirror


Toysmart Database To Be Destroyed

deebaine writes: "CNN has this article describing the settlement of the case of Toysmart.com's customer database, which Toysmart proposed to sell to the highest bidder in order to pay off their creditors. Apparently, the settlement stipulates that a Disney subsidiary will pay Toysmart $50,000, and they will destroy their own records. The FTC is hailing it as a victory."


  1. A way to assure privacy by AuMatar · · Score: 3

    There's only one way to assure that a privacy agreement is followed by a corporation. Make it a part of the contract. If it's part of the contract you sign (or usually click) when you sign up, they can't legally break it. If they do, not only can the company be sued, but sometimes the employees who knowingly broke the contract.

    Of course some sites put in those agreements that they have the right to change it at any time. Simply avoid those sites. I do anyway- any site who isn't willing to agree to one policy probably isn't trustworthy anyway. Find a competitor or a brick and mortar version of the service.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  2. A company you can trust by Technician · · Score: 2

    Too bad we find out when they are out of business.

    --
    The truth shall set you free!
  3. The tears of a marketing droid. by AtariDatacenter · · Score: 4
    I'm sure there are the 'free enterprise/make money fast' types out there that would say this is a complete travesty of justice. Certain parts of a company shouldn't be deemed 'off limits'. In a way, I almost think they're right. Someone *could* buy the customer list, but they should be bound to the conditions that it was compiled under, which means that it can't be used.

    The sad thing is that this probably happens all the time, just this was a high enough profile case to be caught.

    1. Re:The tears of a marketing droid. by Technician · · Score: 2

      Is your Name, Address, & credit card number "company property"? I think that failed companies are forced to sell this to pay creditors by law is a travesty to the consumer.

      --
      The truth shall set you free!
    2. Re:The tears of a marketing droid. by Danse · · Score: 2

      If a company promises not to sell your information, I believe that means they shouldn't be able to sell it as part of the sale of their company as well. It should never be an issue. You simply don't sell the information regardless of circumstances. If your company is bought by another company, then destroying the information is the only way to make sure it is not transferred. It should be made clear to the purchasing company that customer information is not for sale.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    3. Re:The tears of a marketing droid. by Sodium+Attack · · Score: 3
      Certain parts of a company shouldn't be deemed 'off limits'.

      There's even a precedent for this--a company's pension fund. By law, when one company is bought out by another, the purchasing company cannot plunder the other's pension fund--it must be maintained as a pension fund.

      --

      Never take moderation advice from sigs, including this one.

    4. Re:The tears of a marketing droid. by denshi · · Score: 2
      that would say this is a complete travesty of justice. Certain parts of a company shouldn't be deemed 'off limits'.
      The FTC is calling this a win b/c of the underlying principle - that one company acquired a property under certain conditions, and another company seeks to take the property and be freed of said conditions -- this is a recipe for front companies, fraud, corporate deception of the worst kind. The FTC is enforcing regs ensuring basic levels of corporate honesty.

      In the larger sense, parts of a company can be declared 'off limits' in the same way that certain actions can be declared 'off limits' (eg, selling crack, monopoly, dangerous working conditions). Our legal precedents define regulations-to-protect-the-citizens to constrain the pure capitalist anarchy that makes living in the US such an interesting place. Please try to remember that.

    5. Re:The tears of a marketing droid. by Danse · · Score: 2

      Besides, these are also business records that can't legally be destroyed for a certain period of time if the company will continue to exist.

      Business records are one thing. Marketing data is another. There may be some overlap for essential information, but anything beyond that should be destroyed if customers were promised that the information would not be sold.

      The flip side of this is that it denies the ability to sell a company under some circumstances, which would violate all manner of legal and constitutional rights.

      What about the contract between the customer and the business? Should that simply be disregarded? Should businesses be allowed to create contracts that violate the Constitution? If they do violate the Constitution, shouldn't the contract be deemed null and void? If so, then the data that the business gained through the contract should be destroyed.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  4. An option. by Restil · · Score: 4

    The way I read that article, a company may be 100% willing to uphold their promises to maintain the privacy of their customers, but bankruptcy laws force them to sell off all assets, including their list of customers.

    Ok.. fine. They can sell off their list of customers. However, what if their list of customers only includes those customers that have purchased something in the last 30 days.

    If I'm a brick & mortar operation, sure.. MAYBE I want to send my customers advertisements every once in a while. After all, happy customers will come back for more. For this very reason, there is no need to keep their information on file. THEY WILL RETURN BY THEMSELVES.

    If they don't return, well, they probably aren't all that interested anyways, and there's no reason to keep their records on file. All you need is the record of the transaction.

    If the computer system automatically deletes the records of any customer who has not purchased something in the last 30 days, then the only customers who will have an open account are the ones that purchase something regularly. When the company plans to go out of business, simply disable the order screen but keep the system online for an extra month. Those customers will automatically be deleted by default, but at no time has the company intentionally destroyed any assets, as the customer list was never considered an asset to begin with.

    On the other hand, most likely the companies in question actually WANT to sell it off because that's less money they'll have to come up with later to cover the debts after bankruptcy if any.

    -Restil

    --
    Play with my webcams and lights here
    1. Re:An option. by olim · · Score: 2

      I can't believe that this comment is moderated up to 5. It shows a dramatic lack of understanding of business and human nature. I love it when people say things like 'If they don't return, well, they probably aren't all that interested anyways.' Maybe that is how things should be, but it sure as hell ain't how they are.

      A few counter examples:

      The obvious one: the company sells large ticket items that don't get purchased every thirty days.

      A subtler one: maybe the company introduces a new category of product. A customer who has been there before and had a good experience may not know about the new product category. They don't need any more of the thing they bought before, but they would love to buy the new thing at a store that served them well in the past.

      A human one: people forget stuff all the time. If you don't have a strong brand, and you don't market to your previous customers, they will get confused and forget about you.

      That is just one area of fallacy. Let's examine the comment "On the other hand, most likely the companies in question actually WANT to sell it off because that's less money they'll have to come up with later to cover the debts after bankruptcy if any."

      Companies DO NOT care how many of their debts they cover in bankruptcy. That is what bankruptcy means! Debt forgiveness! The creditors do care, and they take legal action to prevent the destruction of assets that could conceivably provide value. Your 30 day system would be doing just that, and a smart creditor would try to stop it (and a smart company would never have done it anyway).

      The solution to this problem is _exactly_ the one the FTC has pursued; we have here a rare case of successful government regulation. Collect the data, keep the data, use the data in accordance with the promises that you made to your customers, then if the data must be sold, the data still must be used in accordance with the promises that you made to your customers. That is admittedly tough to enforce, which is why the ultimate settlement led to the destruction of the data.

    2. Re:An option. by taustin · · Score: 2
      If I deleted the complete details of credit card transactions after 30 days, and my merchant service found out about it, I'd lose my merchant account. It's a violation of the contract I signed with them, which requires me to keep those records for several years.

      And only an idiot would keep them in any form other than a database these days, readily accessible.

      Plus, parts of those records are also tax records, and failing to keep them for the several years the IRS requires is a good way to end up paying a lot of extra taxes, fines, and penalties. Possibly even to go to prison.

  5. Re:How the hell is this a win? by Technician · · Score: 2
    They sold their database to another company (Disney). Doesn't sound like a win to me

    It's a win because Disney directed them to destroy the database. They did not take it over. Disney got the ashes, not the data. That is the win.

    --
    The truth shall set you free!
  6. (un)TrustE by deran9ed · · Score: 2

    Would make sense in order to keep clients' information safe and this is the first time I've heard of a corporation turning down more money. I remember NSI's and ICANN's bickering over the whois database and some might have said the issue revolved around the same means however it was not.

    Personally I don't think this will set any standard and in the article it mentioned complaints by privacy groups which is the foundation for the decision to take legal action, only one would hope ethical questions would've outweighed a watchful eye, but hey money talks.

    I wonder what will happen when some of the bigger fish go out like Doubleclick, Netcreations.com, etc, are there standards in place already set to avoid this from happening or is information just going to end up on the eBay selling block? What about with mergers and takeovers, will the same rules apply if the newer parent company doesn't have the rules the other company did?

    SourceForge Spoof

  7. Seems like a simple contract to me. by AtariDatacenter · · Score: 3
    Imagine that Company X acquires information from Company Y with a contract that says it will only be used to certain purposes. Now Company X goes out of business. Company Z buys the information from Company X in bankruptcy.

    IAMAL, but it would seem that Company Z wouldn't then have the right to use the information for whatever purposes they want. The same would seem to go for a contract/agreement where the customer provides information to Company X. Company Z may have bought it, but there should be nothing that they can do with it, because it is outside the terms of the agreement.

    At least, that seems like natural law. It would appear to hold some water, though.

  8. FAR from a victory... by somethingwicked · · Score: 3
    Many e-commerce companies lacking the large inventories and capital of brick-and-mortar firms are finding their customer databases to be one of their few assets and may be required to sell off those databases to pay debts under bankruptcy laws.

    The actions of the lawyers are to be expected: "What can we sell, what can we sell??"

    The truly disgusting issue is that the courts would allow a company to do this. Toysmart clearly announced that this information would not be divulged, and blatantly turned around and tried to sell it.

    This was not a victory, it was a close call that was saved by the fact that Disney was more worried about its rep than the money this would generate.

    Won't be surprised when the next company in this situation has no rep to lose and sells its promises.

    --

    ---"What did I say that sounded like 'Tell me about your day?'"---

  9. Those names aren't an asset by Shotgun · · Score: 3

    "You're sworn to sell whatever assets you have and give it to the creditors. You're caught between a rock and a hard place," Leahy said.

    But that information is not an asset, because the company doesn't have complete control over it. If I put my name in that pot, it would have been under an agreement between Toysmart and myself that stipulates that my name would not be sold. That contract does not change under bankruptcy proceedings does it? They don't own my information, they've only been given leave to hold it for a while. If a bank goes under, can it take all the deposits and hand it out to creditors? If one of those companies that provide small storage spaces goes out of business, are they suddenly allowed to open all the sheds and start auctioning off what they find?

    You can't call something you don't own an asset, and I think the bankruptcy court erred when it assumed that Toysmart's marketing list was under the company's control.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
    1. Re:Those names aren't an asset by remy+the+man · · Score: 2

      >>>If I put my name in that pot, it would have been under an agreement between Toysmart and myself that stipulates that my name would not be sold.

      That is not always true. How do you think that you get all of those "great" credit card offers? Because someone has your information and is selling it to these other companies that we have grown to hate.

    2. Re:Those names aren't an asset by Shotgun · · Score: 2

      If you have something that somebody else is willing to buy, well, that's an asset.

      So, someone is willing to buy a stolen TV. If I steal yours, then go bankrupt, will the bankruptcy court hold that I be allowed to sell your TV to pay my debts? Remember, possession is 9/10ths of the law, but it is only 9/10ths.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  10. What about the backup tapes? by tholt · · Score: 2

    It doesn't take much to misappropriate a backup tape. It doesn't take much to copy a backup tape. It isn't a big thing to sell and read a backup tape.

    I doubt very much that this database is going to magically disappear, even for 50 grand.

    Remember, there's probably a backup tape with at least part of this database on it for EVERY DAY this company has been doing business. That's a lot of tapes. Will every one be inventoried?

    I doubt it.

    --
    ...and while the sun and moon endure, luck's a chance, but trouble's sure.... -A.E. Housman
  11. There's one shocking detail to this... by AFCArchvile · · Score: 2
    ...according to the report, toysmart.com would be responsible for destroying the records. I fear that they would just pull a "Let's not and say we did!" and then decide internally to keep the database. Bam, toysmart gets 50,000 smackeroos for KEEPING the database.

    Sure, this is pure speculation, but that's the advantage of being a pessimist; you're either proven right or pleasantly surprised.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  12. Re:Who to sue? by Stephen+Samuel · · Score: 2
    IANAL, but I've definitely heard of companies in bankruptcy being sued. A slightly nicer target, however, might be the bankruptcy trustee who took the positive action to cause the trust relationship RE: Privacy to be breached. As far as I know, any costs to the bankruptcy trustee (including settlements and related legal fees) would come off the top of any asset sales.

    If it could be shown that such costs would reasonably exceed the value of any such sale -- I think that such a database could then be legally considered 'unsalable'.
    `ø,,ø!

    --
    Free Software: Like love, it grows best when given away.
  13. Re:How the hell is this a win? by Stephen+Samuel · · Score: 2
    There still is the precedent of the data being 'purchased' by an outside company. Ownership, in the Western world is essentially the right to destroy, and anything less drastic. In this case, Disney essentially paid for the data, and the destruction of it -- at $.20/customer name. It's kinda a backdoor solution, and it doesn't do much to the premise of 'you have to sell your database'. I don't know if the unusual conditions attached to the sale make much of a difference because, once Disney purchased the data, it was Disney's right to have it destroyed.

    I think that what we really need for a full win would be for the company to destroy the data on their own say-so.
    `ø,,ø!

    --
    Free Software: Like love, it grows best when given away.
  14. It's a precedent by SirSlud · · Score: 2

    There is a lot of "well, what if they use/sell the database anyhow, even though they said they wouldn't?"

    Like, duh. Of course they could. The point is, that it would be illegal of them to do so, where, before, it was questionably legal. This case sets a precedent that doing such a thing, is, in fact, a violation of consumer privacy.
    If something has never been said/seen/heard before, best stop to think about why that is.

    --
    "Old man yells at systemd"
  15. No Buyer - No Duh by packphour · · Score: 2
    "No company came forward to buy the 250,000-customer database."

    Who's going to buy it? Other .com's can't afford it and real businesses already have our info. Besides, there's only 250,000 people in that database, once an existing company does a scrub against its own internal database that number will drastically decrease. I know the company I work for (5,000 employee company) loses about 30% of leads when they buy a database like that.

    --

    -p4

    (c) All Rights Released.

  16. Motorola followup? by PhilHibbs · · Score: 2

    On a related note, does anyone know how the Motorola thing turned out?

  17. Worse horror stories exist by unicorn · · Score: 2

    I used to work for Gazelle.com, a 9 month flameout. When the company turfed, the founders did sell off the mailing list, in violation of the terms that people signed up under. But far worse things happened as well.

    The company was set up at a co-lo, where they didn't own the servers. But at the San Francisco office, there was a data mining server that collected all the clickstream data, all the credit card info, etc, into a honking SQL database.

    When the company folded, the boxes were simply shut down. No cleanup was done at all. When the company sold all the systems that had been used for building the site, they advertised them as including software (non transferable, and never paid for anyhow), so they continued to not be erased.

    The company that bought the data mining server apparently decided that rather than flattening, and rebuilding, it would be more fun to crack the box. So they hired someone to break open the security on the systems. Thus getting them a COMPLETE copy of every session ever opened to the production site. Including all the aforementioned credit card info.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  18. Strict Contract Law Interpretation by scotteparte · · Score: 2
    Remember all those lovely EULAs and such that define "the Company", "the User", and "the Software"? That's not just legal jargon, it is a strict definition of roles in a contract. Those roles are especially important in a case like this one, since the contract involved phrases like "anyone else". Therefore, we have to follow along and see what happens to the contract players. Follow along, and correct me if you think I'm missing something.

    In this case, we can say that Toysmart ("the Company") owns the list of names. However, in submitting your name to the list, you ("the User") entered into a contract with the Company that personal information about the User would not be shared with any entity which was not the Company, for any purpose.

    If Toysmart were bought by another firm, that firm would become the Company in a legally binding way, and therefore would have rights to the list. They would also be under the same contract that Toysmart began under.

    However, the Company has dissolved, and by taking its assets, creditors in no way take on the role of the Company. As the contract stated that information about the User would not be shared with non-Company groups under ANY circumstances, the list must be destroyed upon dissolution of the Company. Simple.

  19. Hardly a major victory by startled · · Score: 2

    "This is a landmark case because it tells other companies that the privacy promises you make while you're in business must be kept when you go out of business," said Dave Steer, spokesman for privacy seal-of-approval group TRUSTe.

    Unfortunately, it doesn't mean that at all. It just means that's what happened in this case. Next time, it might not go the right way, and what we really need is a fix in the legislation. Encouragingly enough, the article also has this bit of information: Sen. Patrick Leahy, D-Vt., said in an interview that he would like to reform those laws this year to protect consumer privacy.

    Keep an eye out for those bills. His statement implied there's something in the bankruptcy laws that allows this sort of thing to happen. So rather than just rail against all the bad legislation (which we should still do), it'd be nice to have some legislation that most /.'ers can really get behind. Here's to hoping for a future story: New Bill to Protect Customer Privacy. Write your senators and congressmen!