The San Francisco health department notified the store late last Thursday (May 2) that an employee was diagnosed with typhoid and may have exposed customers who ate in the restaurant to it on April 16, 17, 18, 20 or 27. As of this week, no cases of customers or other store associates having the disease have been reported, according to the health department. But Nordstrom is still trying to track down anyone potentially exposed.
"We actually are in the process of trying to determine customers who ate in the Cafe during the days of exposure by pulling purchasing information" from the POS system, said Tara Darrow, public affairs director at Nordstrom. "The process to do this is not as easy as we hoped it would be, but we're hoping that we can make that happen and communicate direct with those customers this week."
The dates that customers were at risk stretch back more than two weeks because typhoid fever symptoms develop slowly, and until the cook felt sick enough to get medical help he wouldn't have known he had typhoid, which is rare in the U.S.—only a few hundred cases are reported each year, though there are tens of millions of typhoid fever cases every year worldwide.
The good news is that the infected line cook would have probably spread the disease only if he failed to wash his hands properly after a bathroom break. If standard food-handling sanitation was observed, there shouldn't be any further contagion.
Along with the health department's announcement, Nordstrom issued its own statement, offering free testing at local clinics for anyone who might have been exposed.
Nordstrom's Darrow didn't elaborate on the issues that are hobbling the effort to identify exposed customers using POS data. But the biggest problem is likely the fact that payment cards are designed to take customer details out of the hands of retailers. Between PCI security requirements and state laws, there's only a limited range of personal information that a retailer can keep on a customer with an ordinary in-store transaction.Bank-based payment card systems just aren't designed for this. Any card tied to a loyalty system is easy to track, but when there's nothing but a name and card number, at a minimum a customer address requires jumping through hoops to get it from the card-issuing bank.
Which still only helps for customers who used a payment card instead of paying cash.
Even then, it's all but impossible to know who exactly might have actually been exposed. Typhoid is typically spread by direct contact with food, but in a busy kitchen it might be impossible to determine which line cook touched what meal orders. Even if the kitchen is highly automated (which means theoretically every food item can be tracked to a specific line cook), in reality a lot of hands can touch a plate—and that's before customers eat off each other's plates.
All that means Nordstrom will have to cast a wide net in sifting through POS and food-order data, just to be on the safe side.
If this whole process sounds something like a payment card breach—delayed discovery, difficulty identifying customers who will actually be affected—it clearly is. And as with a breach, the more entities involved, the harder it is to get everyone onboard with contacting customers. It may be a little easier to get issuing banks to cooperate when the problem is a disease like typhoid rather than payment-card accounts, but it's still a challenge.
Of course, as Nordstrom tries to track down at-risk customers using systems that really weren't designed for that, it might all be unnecessary. If that line cook was careful to wash his hands, there might be no spread of the disease at all. That's what everyone is hoping. Unfortunately for Nordstrom, it's still necessary for the retailer to do the best it can with the data it has available. When it comes to a card breach, waiting to see whether card numbers show up in fraud is a possible approach. When it comes to public health, waiting to see if customers get sick isn't really an option.