"Privacy in Peril" Draft Op-ed

America’s privacy protection laws and policies are perilously inadequate. If my recent experience with America’s largest consumer electronics retailer is any indication, more proactive approaches are urgently needed, lest countless consumers fall victim to the costly and increasingly common crime of identity theft.

The Federal Trade Commission etimates that as many as 10 million Americans each year have their identities stolen, either through sophisticated scams or “low-tech” schemes. Losses to businesses and consumers may approach $53 billion per year.

In response to particularly egregious violations in recent years, both the public and private sector have upgraded consumer protection policies, and most states have adopted legislation to mandate prompt notification of potential privacy breaches to customers.

Nevertheless, I have learned the hard way that laws and policies – in the absence of aggressive enforcement – fall short.

Around May 25, a laptop that I entrusted to my local Best Buy store for repair was stolen. Based on indications that proper procedure was not followed on that day and an employee’s revelation that a false record was created weeks later, I believe that the perpetrator of the crime was a Best Buy employee and that the store tried to hide the theft.

As if the store’s initial actions were not appalling enough, Geeksquad “customer service” agents responded to follow-up inquiries with lies about the repair status and location of the phantom computer. These tactics continued until early August, when one conscientious employee finally saw fit to disclose the fact that there was no record that the computer had ever left the store.

More importantly, tax, financial, and other sensitive personal information saved on my laptop were in the hands of a criminal throughout the entire process. Despite this, not once did a single Best Buy representative prioritize (or acknowledge) my vulnerability to identity theft. The first warning I received about potential exposure and the need to protect myself came in late October – from a lawyer I consulted, not Best Buy.

Local statutes and laws in its home state of Minnesota should have compelled Best Buy to disclose the theft and potential privacy breach to me immediately. Best Buy’s official privacy policy asserts that it takes “great care in safeguarding… personal information and in complying with all applicable federal and state privacy laws and our own internal standards and best practices.” Best Buy’s systematic failure to honor its ethical and legal obligations to protect my interests belies this claim and left me unnecessarily exposed for months.

Fortunately for me, whoever has my computer failed to leverage the information it contained before I could subscribe to credit monitoring and identity theft protection services. Unfortunately, I will be forced to bear this cost and concern for years to come.

Were it an isolated incident, rather than the latest in a series of publicized violations by Best Buy and other companies, I would probably walk away without wondering if my experience is but the tip of the iceberg. Were it the act of a single employee rather than an organization-wide culture of disregard for obligations to its customers, I probably would not believe as strongly as I do that the issues involved merit broader consideration.

First, we as consumers need to take responsibility to get better informed about the risks of identity theft, what we can do to minimize vulnerability to it, and how and when we should report violations.

Second, the government should continue efforts to raise awareness. Moreover, local officials and Congressional leaders should ensure existing and pending legislation adequately address consumer needs and empower authorities with the mandate and resources to aggressively enforce the laws.

Third, laws, enforcement policies, and the courts should emphasize prevention of identity theft as well as restitution for damages after personal information is compromised. Authorities should proactively pursue cases where failure to hold a company accountable for ineffective policies could result in significant damages to consumers if practices are left unchanged – even if the initial case does not involve widespread damages.

Finally, Best Buy and other companies should undertake independent audits of the effectiveness of policies and educate employees on the importance of giving privacy protection the priority it deserves.

Five months of calls, visits, and letters to Best Buy went unheeded, so I requested help from the authorities in October. Best Buy’s response: a low-ball compensation offer and a statement to the Attorney General’s Office that “Best Buy feels we have appropriately addressed this issue.”

I disagree, and have filed a lawsuit with the hope that court and public scrutiny might motivate Best Buy to change its assessment and take action to prevent harm to future customers. I doubt I am Best Buy’s first and only victim, but, by bringing attention to the issues and urging aggressive responses, I hope to be among its last.

Raelyn Campbell is a former Best Buy customer. Her blog can be found at: bestbuybadbuyboycott.blogspot.com.