The Texas Attorney General accused RadioShack of violating provisions of the 2005 Identity Theft Enforcement and Protection Act because "company employees dumped bulk customer records in garbage containers behind the store. According to investigators, the records contained sensitive consumer information, including Social Security numbers, credit and debit card information, names, addresses, and telephone numbers," said a statement the Texas AG issued.
RadioShack, in its own statement, essentially conceded the incident happened. "In this isolated instance, the store did not act in accordance with (the RadioShack document destruction) program. However, we moved quickly to reclaim and secure those documents," the RadioShack statement said.
Industry officials, already weary from major retail data breaches, were not in the mood to be gentle with this incident. "Customer data does not belong in dumpsters and clearly throwing out vast amounts of sensitive customer data is a brainless thing to do," said Mehlam Shakir, Chief Technology Officer for RippleTech, a Conshohocken, Pa., security firm. "But that's not the real issue. The primary issue is that most retailers don't have the formal procedures in place to properly dispose of sensitive data, especially in paper form. Retailers must break out of their traditionally reactive modes and become proactive. Setting guidelines is a good first step, but what happens when electronic data becomes paper data in the hands of employees? They need to not only know what data is being printed, when and by whom, but also follow this information from print-out to disposal to prevent heavy fines and reassure customer loyalty."
The best line in the Lone Star state prosecutor's statement: "The records included personal information from one consumer's 1998 credit application and another receipt from a local woman who, ironically, purchased a shredder from RadioShack in order to protect herself from identity theft." When an irony is so obvious that lawyers pick up on it, it's a wonderful thing.
Beyond identity theft law--with potential penalties of as much as $50,000 per violation--Texas also charged RadioShack with violations under Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information. The law provides for civil penalties of up to $500 for each abandoned record.