Victoria's Secret Settles Privacy Case

New York State Attorney General Spitzer today announced an agreement with a leading retailer of women's apparel to protect the privacy of its customers.

Under the agreement, Victoria's Secret Direct, LLC, will compensate New Yorkers whose personal information was inadvertently left accessible via the internet and implement a series of reforms to improve website security.

The agreement follows an investigation of the company's privacy policies after a published report last fall indicated that the personal information of Victoria's Secret customers was available through the company web site.

"A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies in all respects with representations made about the company's information security and privacy practices," Spitzer said.

The published privacy policy for Victoria's Secret indicated that: "Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information . . . is maintained in private files on our secure web server and internal systems . . . ."

Despite that policy, investigators found that some consumers' personal information, including name, billing address, and items ordered, was available on the company web site for a period beginning in August of 2002 and ending in late November of 2002.

Under the terms of the settlement, Victoria's Secret is required to:

  • Establish and maintain an information security program to protect personal information;

  • Establish management oversight and employee training programs;

  • Hire an external auditor to annually monitor compliance with the security program;

  • Provide refunds or credits to all affected New York consumers.

The settlement also requires Victoria's Secret to pay $50,000 to the State of New York as costs and penalties. Spitzer commended the Columbus, Ohio-based company for its cooperation with the investigation.

This case was handled by Assistant Attorney General Don M. Tellock of Attorney General Spitzer's Internet Bureau, under the supervision of Kenneth Dreifach, chief of the Internet Bureau.