Using CRM To Defend Your Chain <i>Against</i> Lawsuits

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

If a customer slips and falls in a large box store and then decides to sue the store, it would certainly be appropriate for the retailer to examine the videotapes relating to the slip and fall, see whether the customer did—in fact—fall, observe how that person was behaving before the fall and afterward, and determine what the condition of the floor was at the time of the incident.

But when Vons customer Robert Rivera sued the grocery store after he allegedly slipped on spilled yogurt, the supermarket in litigation called up Rivera's purchasing habits, determined he had purchased "a lot" of alcohol and questioned his sobriety at the time of the accident. (Vons denied the allegation, and the lawsuit was reportedly thrown out of court.)

What if a customer alleges some injury and the store has a record from the in-house pharmacy showing the customer had been prescribed, and purchased, pain medication for months or years before the alleged injury—suggesting a pre-existing condition. How about a customer suggesting that a retailer's conduct caused severe weight gain or loss. Could that person's purchasing records of sizes worn be used against him or her? If a customer purchases a book titled "How to Sue Anyone for Anything" (sounds like my next project) in the days or weeks before initiating litigation, could the retailer pull up these records for examination in the litigation?

As long as the privacy policy is written in a way that warns consumers that their personal information may be used in this way (and there is no law prohibiting such use, like HIPAA does for certain health data), then lawyers for the retailer could at least make a colorable claim that it is fair game.

But be careful what you wish for. If customers know that you intend to monitor their every activity and use that information against them, they may be less likely to shop at your store. And they may be less likely to share accurate personal information with you. In some cases, as with AT&T, the company may have no choice; virtually all telecommunications providers have the same or similar policies. There, the only alternative is two Dixie cups, a string and a friend on the other end with a bad memory.

Big data can be good data or bad data, depending on which side of the table you find yourself.

As a retailer, you have access to a wealth of information about your customers. Not only can this information be used to help you sell and market to those customers, but it can likely be used to devastate them should they ever choose to sue you or an affiliate—or it may even be used to scare customers into not suing you.

Your phone company, for example, may listen in on your calls. Your E-mail provider may read your mail. Your Internet service provider may track every Web site you visit. And then this information may be made public should you have the temerity to sue, or threaten to sue, any of these entities.

Ordinary brick-and-mortar stores may similarly collect and use personal data about customers not only as a shield against false claims but as a hammer to intimidate potential litigants. Their power to do so seems, for now, to be limited only by the terms of the privacy policies they themselves write.

As retailers not only collect but have access to more and more information about customers, and as retailers increasingly become not only stores but technology and service providers, the opportunity for misuse and abuse of personal information increases. Nowhere is this more evident than in the areas of online retail, telecommunications and the Internet, not only because these companies collect and store so much information about their customers but also because of the intimate nature of the information they collect—and their broad retained powers to use it.

Let's say you are upset with AT&T.Let's say you are upset with AT&T, because it decided to "throttle" your cell phone data usage, and you decide that you either want to arbitrate the dispute or file a claim in small claims court. AT&T has listed a host of "prohibited" activities that its customers may not do—including copyright infringement, harassment, etc. Indeed, the AT&T data contract by its terms only allows non-corporate users to use data for two things—E-mail and Internet browsing. Everything else is prohibited.

The AT&T "contract" has a little clause that says, "AT&T may, but is not required to, monitor your compliance, or the compliance of other subscribers, with AT&T's terms, conditions or policies." Because the policies relate to both the amount and type of data and voice used, in addition to the content of the messages sent and received, presumably AT&T could use this clause to listen in on the telephone calls, read the E-mails and capture the text messages, Internet browsing habits, photos sent and received, apps downloaded or virtually any other activity of its customers, should they have the temerity to sue AT&T.

Indeed, federal law reinforces this "right" of the phone company, expressly excluding it from the provisions of the wiretap law, 18 USC 251. The statute permits "an operator of a switchboard, or an officer, employee or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service."

Thus, if a phone company, ISP or other "provider of wire or electronic communication service" feels that it is helpful to protect the rights or property (profits?) of the company by listening in on phone calls, reading E-mails or intercepting text messages, then the law and the contract appear to permit it. And the unwary litigant who sues or arbitrates against AT&T may find his or her intimate E-mails, browsing activity and other personal information used against him or her. Indeed, merely the threat of such use may scare away potential litigants, where the remedy available in small claims court may be only a few hundred dollars.

Google's new privacy policy, for example, provides that "We use the information we collect from all of our services to protect Google." The policy goes on to note, "We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: enforce applicable Terms of Service, including investigation of potential violations. Detect, prevent or otherwise address fraud, security or technical issues. Protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law."

So, if you sue Google for any reason, you may expect that Google may (but not necessarily will) use everything it knows about you against you.If a retailer is sued, the first instinct is to find out whatever it can about the person suing the company. "Who is this guy, and why is he suing us?" This principle may apply to not only the actual litigant but any witnesses or experts that the litigant may call or threaten to call.

Sure, it's appropriate to scan the Internet for articles or postings by a plaintiff's expert witness. But are you permitted to pull up their record of alcohol purchases or reading habits or other records in an effort to discredit them? If you can do it, can third-party litigants then subpoena the same records from you for the same purposes, merely on a showing of possible relevance?

The way most privacy policies are written, the answer may be yes. If you say, "We can use any information we have collected about you in any way to protect ourselves, our assets or our property," then you at least have a colorable argument that the consumer has "consented." So if a witness shows up to testify against a retailer, impeccably dressed, the retailer might be able to call up the videotape of the same witness acting belligerently to a store clerk on a Saturday night four years ago (depending on the retention policies of the retailer.) If a retailer has affiliate agreements with other third parties, then their databases may be ripe for mining about potential litigants or witnesses.

Maybe that person who claims to have seen the slip and fall at Costco also got (or failed to renew) a prescription for eyeglasses. Maybe the "unrelated" witnesses were observed coming into the store together (or making purchases) years ago. The same data could also be used by retailers seeking to affirmatively initiate litigation.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.