Petco's FTC action...what were they thinking? a Parry rant

Petco…What were you thinking!?!

Today the FTC announced the settlement of a complaint brought against Petco for security breaches and their failure to adhere to their privacy promises at their website. Since 2001 the petco.com website has had broad privacy statements and security promises to induce e-commerce and trust. And the FTC has determined that they made promises they didn’t keep.

I’m not sure which is more unforgiveable, companies that play fast and loose with our credit card information to steal it, or those that play fast and loose with it because they aren’t thinking. E-commerce is selling far more than pet food. It is, and has to be, selling trust. And they have to be worthy of that trust.

What were they thinking? Their statement sounds more like a PR firm wrote it, not a lawyer or anyone with an eye to risk management or technology. “[S]trictly protected against any unauthorized access,” “provides a “100% Safeguard Your Shopping Experience Guarantee” so you never have to worry about the safety of your credit card information.”

No one who thinks about it ever offers a claim of anything online being “strictly protected against any unauthorized access.” No one could and pass the “red face test.” (That’s a legal test I use when the statement you are making is so outrageous, no one could make it without blushing.) You can make access harder, and add protective measures. You can promise to reimburse your customers if anyone steals their credit card information. You can do many things but provide strict protection against any unauthorized access.

But wait. There’s more!

They claim to have a secure server and that they encrypt the information so no one else can access it. But the FTC found that they weren’t using secure servers or encryption as promised. And even worse, the credit card information inputted by their customers was easily accessible by anyone who wanted to steal it and had a knowledge of coding.

And, just in case you missed the first few promises, they made two more.

They promised that “your personal data is strictly shielded from unauthorized access.” And their promises meant “you never ha[d] to worry about the safety of your credit card information.”

I would much prefer I could rank about a sleazeball company, not one that donates time and money to protect homeless animals. I would prefer that I could demonize a company I don’t buy from. But perhaps this means more. Perhaps it will have a bigger impact because Petco is a household name and otherwise trusted retailer.

This case should be a wake-up call to all e-commerce providers. If you aren’t going to take your customers’ trust seriously and protect them from security risks online, you’re in the wrong business. Consumers are entitled to be protected. They are also entitled to believe and rely on your promises. Dig out your policies and make sure your promises are reliable.

You should be worthy of the trust your customers give you.

And if you won’t protect them, the FTC will.

Amen.