Borders CRM Data Still In Play

With all the attention on the closing of the almost 400 remaining Borders stores, the chain's IT jewel—purchase history and other CRM data on tens of millions of its customers—is still to be sold to the highest bidder. When that happens, any privacy promises Borders made to loyalty-program customers are out the window. If the CRM data is misused by the buyer, that could spark a legal crackdown on what retailers can do with the information customers give them.

Unfortunately, bankruptcy courts really don't care what promises were made to collect CRM data—it's an asset, so it's for sale. Unless retailers can find a way to enforce customer privacy even after the retailer has gone belly-up (something no retailer wants to think about in creating a loyalty program), there's a very real risk of losing customer trust—and gaining the unwanted attention of politicians who have discovered that privacy is now a popular buzzword.

Any new approach to CRM privacy will come too late for Borders, whose inventory and store fixtures will be sold off starting on Friday (July 22) and continuing through the end of September. But the companies handling the store liquidations—Hilco Merchant Resources and Gordon Brothers Group—aren't dealing with Borders' intellectual property, which includes the CRM data, the Borders brand and Those will be auctioned off separately, and the buyer could decide to relaunch Borders as an online-only retailer. (That's what happened when Circuit City was shuttered and its name and CRM data were snapped up by online electronics retailer Systemax.)

Borders did try to limit the information available about CRM data in its bankruptcy filings. According to the Borders schedule of assets, "Agreements with individuals under the Borders Rewards loyalty program have been excluded in order to consistently keep confidential personal information about our customers." That's boilerplate language from the days when Borders still thought it could be sold as a going concern.

It also sounds a lot like the wording that begins the privacy policy for the Borders Rewards loyalty program. According to that policy, Borders and its subsidiaries "believe that your personal information—including your purchase history, phone number(s), E-mail and residential addresses and credit-card data—belongs to you." It continues: "We will only disclose your E-mail address or other personal information to third parties if you expressly consent to such disclosure."

To a customer signing up for a loyalty program, that probably sounds pretty airtight—customer data is going nowhere without each customer's express permission.To a customer signing up for a loyalty program, that probably sounds pretty airtight—customer data is going nowhere without each customer's express permission. Maybe Borders management actually believed that, too—after all, they launched the program in 2008, at a time when you had to believe a lot of impossible things to be in the big-box bookstore business.

But apparently the Borders lawyers didn't mind contradicting faith with reality. Buried deep in the 3,500-word privacy policy is a none-too-surprising disclaimer:

"Disclosures in connection with acquisitions or divestitures. Circumstances may arise where for strategic or other business reasons Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal and other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets."

In other words, the CRM data belongs to customers—until Borders is acquired, at which point it doesn't. And that may be a problem, depending on how the bankruptcy court disposes of the information on what Borders says are 43 million loyalty-program customers. If that data is bundled with the brand and relaunched as an online bookstore, or swallowed and digested by another bookselling competitor—say, Amazon (Borders' former E-tail partner), Barnes & Noble (its biggest brick-and-mortar competitor) or some smaller bookseller, there's not likely to be much more than grumbling from customers or consumer advocates.

But if the CRM data is sold off separately—or to a buyer who simply dumps the Borders brand and uses or peddles the Borders customer list—that could jerk the chains of politicians who are increasingly twitchy about customer privacy and especially information on book-buying behavior.

It's the same sticking point that gave Amazon a courtroom win last year, in which the North Carolina Department of Revenue was blocked from getting data on what North Carolina residents bought from Amazon, so the state's tax agency could try to collect sales tax on the purchases. And California is currently in the late stages of passing legislation to slap tight controls on getting access to the book-buying habits of customers without their explicit permission.What if Congress—or a federal court—decided to declare that personal information in CRM systems really does belong to customers? That would cut CRM data out of bankruptcy assets, unless a buyer was willing to contact every customer to get opt-in all over again.

But it could also change the legal landscape for how security breaches involving CRM data are handled. And it could force all U.S. retailers to offer customers the ability to block retailers from handing off their personal information to third parties without explicit permission. That could dramatically complicate how loyalty programs can be run, in addition to forcing something like PCI requirements on CRM data.

All of that may ride on how responsible the high bidder in the coming intellectual property part of the Borders bankruptcy auction is. There's got to be a better way for retailers to keep privacy promises, even beyond the bankruptcy grave.

Maybe it would mean loyalty-program agreements with customers that explicitly state personally identifiable data given to retailers by customers is the customers' property and only on loan to the retailers. That way it's not an asset. No asset, no bankruptcy auction.

But that would require a loyalty customer to opt out—and withdraw that personal information—at any time. It might also raise the stakes in the case of a data breach, because the retailer would have allowed not just information about a customer to be stolen but the customer's own intellectual property.

Or maybe it means a retailer would hand off ownership of the CRM data to a third party and lease it back for use under strictly defined terms. Once again, it's no longer an asset, so it can't be sold at bankruptcy. Terms of transfer of the data to the third party might specify the conditions under which the retailer could buy it back—say, in the event of the retailer's acquisition as a going concern but not if the retailer goes bankrupt.

That would require finding (or funding) such an independent third party and making sure the company is disconnected enough to not be caught up in a bankruptcy but reliable enough to be trusted with CRM data privacy. And those data-handoff agreements would have to be very carefully written, so no one could acquire the third party and walk away with all that customer data.

It's all much more complicated and costly than an empty promise by a retailer to customers that "your personal information belongs to you." But it may only take a few cases of misused customer data from retailer bankruptcies to sour customers on loyalty programs. And for retailers, that could get very expensive.