Toysmart_2

advertisement
Toysmart
William Frey
Chuck Huff
José A. Cruz-Cruz
An Analogy
• You visit a small village where the tribal leader is taken
sick. He gives you a thousand dollars and makes you
promise that you will use it to build a statue of him
after his death. You take the money and make the
promise.
• After his death, a member of the village comes to you
and asks that you use the money to buy the village
children new shoes which they badly need.
• What should you do? Buy the new shoes for the
shoeless children or keep your promise to the village
chief and build the statue?
Toysmart’s Beginnings
• Dot-Com (Online startup financed by venture
capitalists)
– Out of 10 companies funded:
• Two make it big, two make it, and the rest go belly-up
• Started in December 1998
• Specializing in educational toys
Toysmart and Disney
• Holt Educational Outlet: Brick and
Mortar Toy Company in Waltham,
Mass)
• David Lord decides to create a
dot.com.
• Two choices
–One Venture Capitalist offers 20 million
–Disney offered 20 million in cash plus
25 million in advertising
Decision Point
• You are David Lord
• You have two offers for start-up financing
• Determine Toysmart values.
– Hint: Educational Toys
– Hint: Need to gain customer trust
• Are Disney values compatible with Toysmart
Values? What happens if these conflict
“Click on your child’s potential”
• Good toys
– Toysmart seeks to become an outlet to
quality educational toys
– Places before customers some 50,000 toys
• One stop shopping
– Customers come, search, buy
• Transactions facilitated by exchanging PII and
TGI
– Personal Identifying Information
• Information used to identify an individual (age, job)
– Transaction Generated Information
• address, credit card numbers, buying preferences
So What?
• When you go to the grocery store, you exchange
PII and TGI
– People see you, how you look, how you dress, your
age (roughly), and other identifying characteristics
– When you buy products, the cashier notices often
remembering your buying patterns, preferences,
dislikes
• Why does digitalizing this information and placing
it in cyberspace change things?
PII and TGI Create Customer Data Base
• 260,000 profiles worth up to $500 each:
– Name, address, billing information, shopping
preferences, family profiles (including names and
birthdates of children), and credit card numbers
• One method of collecting customer information: a
contest
– Children entered contest at toysmart.com (= data
input)
– Parents sent e-mail informing them child had entered
– Winners’ parents give address to receive prize (= data
input)
• Information collected from children under 13
Decision Point Two
• You work for Blackstone, "an 18-person
software business."
• Job:
– Design an attractive webpage
– Advise Toysmart on privacy and data security
policy
– How should Toysmart balance privacy (secure
customer information) and promote ease of
Internet access (which requires information
exchange)?
Gaining Customer Trust
• Potential customers stayed away for fear that
their information would not be held secure
• How does Toysmart gain consumer trust?
– By promising strong privacy practices
– By posting a web certification seal such as
TRUSTe® or VeriSign®
– By attesting to a strong set of core values
Privacy Guarantee
(Promise Number 1)
• Toysmart Privacy Policy (since September 1999)
– Personal information, voluntarily submitted by visitors to
our site, such as name, address, billing information and
shopping preferences, is never shared with a third party.
– When you register with toysmart.com, you can rest assured
that your information will never be shared with a third
party.
–
FTC announcement of suit against Toysmart
•
www.ftc.gov/opa/2000/07/toysmart.htm
TRUSTe Certification
(Promise Number 2)
• toysmart.com was licensed by TRUSTe Privacy Program
• Trusted Universal Standards in electronic Transactions
– “independent, non-profit privacy initiative dedicated to building
user’s trust and confidence on the Internet”
• Toysmart displayed TRUSTe trademark on website
– In addition to guarantees that customer personal information
would be safe at toysmart.com
TRUSTe Guidelines for PII transfer (White
Paper from 4/11/01)
• Specifically, these guidelines point to the following:
– “Mandated Third Party Oversight
• The critical point in these guidelines is that personal information transfer requires third party
oversight as an important check against the singularly focused demands imposed by
creditors. In an era marked by increasing consumer vigilance over privacy, third party
oversight in data transfer is mandatory to the trust equation.
– Consumer Notice and Choice
• TRUSTe recommends that giving customers opt-in is the best method to retain full value of a
customer database and extend trust to new users. Indeed, if a company has made the
promise to never share personal information, then a change in data handling and uses
requires consumer opt-in. In other situations, providing both an opt-out option and public
notice will be sufficient.
– Privacy Policies Must Be Honored
• The same promises a company makes while in business, must be honored when going out of
business. Given the current sensitivities towards privacy protection, consumer are beginning
to understand that third parties exist – in the form of seal programs and government bodies
– to ensure the integrity of privacy promises. To that end, both parties, the buyer and the
seller, have an obligation to the consumer. ”
Opt-in vs. Opt-out
• Out-out.
– Transferring the information is the default. Your PII will be
transferred unless to take positive action to prevent this.
– Usually a procedure that requires you to fill out a card and
send it to the information holder
• Opt-in
– The stronger privacy practice
– Your PII will not be sent unless you expressly consent.
Here not sending the information is the default.
– To override you have to consent.
Obligations to TRUSTe
• “1. Inform TRUSTe of impending business changes as they impact customers’
personally identifiable information and privacy practices.
• 2. Provide your customers and/or users with notice of the upcoming change.
• 3. If you have promised never to share personally identifiable information with a
third party, at a minimum you must provide an opt-in before the information is
shared with that third party.
• 4. If you have indicated in your privacy statement that you may share
information with third parties, you should provide notice and an opt-out before
sharing the personally identifiable information.
• 5. If the company will be sold in total to a company in a similar line of business
with the same privacy policy, give notice to the customer.”
The Disappointing Christmas
• Toysmart expected sales of 20 million fizzle
out at 6 million. (December 1999)
• Disney withdraws support
• Will Toysmart follow other dot.com
companies to bankruptcy?
– This was the period of the dot.com bust.
Toysmart goes bankrupt
• May 22, 2000:
– FTC: Toysmart “announced that it was closing
its operations and selling its assets”
– Lets go of 170 employees
– Consults with The Recovery Group on
evaluating assets
• Toysmart’s creditors filed involuntary
bankruptcy petition on June 9, 2000
• Toysmart files assent to bankruptcy petition
June 23, 2000 (Chapter 11)
Steps for Bankruptcies
• “Review the privacy statement to determine the promises made to Web site
customers and users. The privacy statement will indicate the restrictions that
will apply to the transfer of the personally identifiable information.
• Inform TRUSTe of the company’s upcoming changes before filing for
bankruptcy.
• Companies selling customer information as part of the asset portfolio must
give all consumers a reasonable opportunity to prevent the sale of their
personally identifiable information, if:
– The PII will be used or disclosed by the buyer for a purpose not outlined in the
TRUSTe approved privacy statement,
– The PII will be used for a purpose unrelated to the primary purpose for which it
was collected, or
– The company promised not to sell, rent, or share the personally identifiable
information.
• Once a buyer of the database is identified, you must contact TRUSTe to
determine the necessary level of notice and choice. ”
More Steps for Bankruptcies
• “TRUSTe will need the following information to determine the
required levels of notice and obtaining choice.
– the name of the company purchasing the assets,
– the effective date of the merger,
– how the new company intends to use the personally identifiable
information in the customer database,
– whether the new company will be adopting the privacy policies of the
licensee, or if it will have different privacy policies, and
– whether the new company intends to maintain a relationship with
TRUSTe, (if not, you should follow the termination procedures of section
5 of License Agreement 6.0).
• Once you and your TRUSTe account manager determine how
customers and/or users will be given notice and/or choice, provide
TRUSTe with documentation of the notice and choice you intend to
send to your customers prior to sending it.”
Procedure on filing bankruptcy
• Receive Creditors’ Committee Solicitation
Form from Office of United States Trustee
(OUST)
– Form creditors’ committee
• Evaluate Assets
• Creditors’ committee has a fiduciary duty to
creditors (duty of trust or loyalty)
– Maximize value of debtor’s assets
Decision Point
• You work for PAN Communications and have been providing advertising
services for Toysmart.
• Because of your knowledge of bankruptcy and accounting procedures, you
have been asked to represent your company on this committee.
• Toysmart’s most valuable asset is its customer data base. The 260,000
profiles could be sold for up to $500 a piece.
• But Toysmart has promised not to exchange this information with third
parties. It is also bound by the strong privacy standards of web
certification company, TRUSTe.
• How should you work to balance customer concerns about privacy ,
Toysmart promises, and the rights of creditors to recover their money
through the bankruptcy process?
Toysmart’s Assets
• Bankruptcy Schedules
– 10.5 million in assets
– 29 million in liabilities
• The Crown Jewells: Toysmart’s customer data base
– 260,000 customers
– Each customer worth “up to” $500
• In June 9, 2000, Disney places an ad in the Wall Street Journal offering
Toysmart’s databases and customer lists for sale
• FTC alerted to problem by TRUSTe
• Warning issued late June 2000
Data Base for Sale
• Toysmart creditors place ads in the
Wall Street Journal and Boston Globe
announcing the sale of its customer
data base.
FTC Files Complaint
• July 10, 2000
• “seeking injunctive and declaratory relief to prevent the sale
of confidential, personal customer information”
• Toysmart “has violated Section 5 of the FTC Act by
misrepresenting to customers that personal information
would never be shared with third parties, then disclosing,
selling, or offering that information for sale”
Framework for FTC
• GeoCities Consent Order
– notice of the web site’s privacy policy;
– consumer choice regarding the use of the
information collected;
– consumer access to correct and update
information;
– safeguards securing the data;
– parental control when children’s information is
involved; and
– some enforcement mechanism
Results of FTC Legal Proceedings
• Late July 2000
– FTC and Toysmart reach settlement
– Toysmart must “file an order in the bankruptcy
court prohibiting the sale of its customer data as a
“stand-alone asset.”
– Toysmart creditors “can sell electronic assets only
if the purchasing company abided by the same
privacy policy”
• On August 17, 2000, the federal bankruptcy court
declines to accept the Toysmart/FTC settlement
– Wait for buyers to come forward
Criticisms of Resolution
• Amendment to Bankruptcy law has problems
– Ultimately prevents dot-coms from selling off their
most valuable assets, information
• The FTC settlement appears as value
integrative
– Sells off data base as asset
– But includes consumer consent including opt out
procedures
– And commits buyer to privacy policy of original
collector
The Final Curtain
• Disney Subsidiary, Buena Vista Toy Company
buys data base for $50,000.
• Toysmart does not transfer information but
destroys it.
• Provides affidavit to this effect.
Thought Experiment
• Should creditors of bankrupt companies be
subject to the privacy policies/promises of the
bankrupt company?
• In other words, do you take the money of the
village chief and buy shoes or build the statue
as you originally promised?
Group Work
• Person Profiles: For each of the following
participants identify the role each plays and key
values at stake:
– David Lord (Toysmart directors/managers); Disney (as
a venture capitalist); TRUSTe (see slide 11); Toysmart
creditors (Pan Communications: see table in module);
FTC (government agency); Toysmart Customers
• Toysmart’s customer data base
– Should Toysmart creditors be allowed to sell the data
base to third parties despite Toysmart’s promise?
– Assume that the data base can be sold if Toysmart
customers consent. How (=what procedure) should
this consent be obtained and documented?
Download