Please ensure Javascript is enabled for purposes of website accessibility
Don't miss
Home / News / Privacy trashed

Privacy trashed

Reporter finds old Macy's internal, customer documents left for days to blow in wind

There they were, in open bins on a sidewalk in downtown St. Louis: enough internal documents to make the heart of a Macy’s competitor or a business journalist go pitter-patter.

But also enough vendor and customer information, including debit card numbers, to make privacy experts or concerned consumers scream.

Macy’s Inc., which announced the closure of its Midwest division in downtown St. Louis last year, was cleaning out some of its offices.

But there was a snag.

Bins filled with financial and customer documents from the old May Department Stores Co. sat for more than a week on Locust Street in downtown St. Louis. Photo by Karen Elshout

Bins filled with financial and customer documents from the old May Department Stores Co. sat for more than a week on Locust Street in downtown St. Louis. Photo by Karen Elshout

Records bound for the shredder were piling up in outdoor bins more quickly than anyone was picking them up.

So for at least four days in late September, heaped over the rims of more than half a dozen gray recycling bins with wheels – and open pickings for passers-by on Locust Street – were reams of internal Macy’s documents.

And after the documents were belatedly emptied from the bins for shredding on a windy day, papers could be found Tuesday morning on the streets and sidewalks for blocks. Three open trash cans of papers also remained on the sidewalk.

The incident is a reminder to all attorneys about the need to take care when disposing of sensitive documents.

Missouri Lawyers Weekly looked at only a stack of the many thousands of documents in the bins. But that lone stack contained all sorts of information, including purchase orders, sales figures and legal memos.

Among the documents was a 2000 memo saying the U.S. Office for the Comptroller of the Currency had found “improper advertising credit disclosures” in one May Department Stores Co. division’s advertising. Macy’s, then known as Federated Department Stores Inc., purchased St. Louis-based May in 2005.

May responded to the disclosure issue by conducting internal advertising reviews and hiring Doner Advertising, according to the memo.

Spreadsheets in the bins detailed sales figures for May Department Stores for two weeks ending Feb. 12, 2005, shortly before the acquisition was announced. China, glassware and other housewares were listed by brand name, including Waterford and Vera Wang, along with the sales figures of the brands by division.

At the bottom of each spreadsheet was a notice: “This information is confidential, proprietary, and a protectable trade secret of The May Department Stores Company. Possession or use of this information by any unauthorized person will result in liability for misappropriation, inducement to breach, bribery, or theft.”

It’s not certain the spreadsheets’ contents still would be trade secrets.

The Missouri Uniform Trade Secrets Act requires reasonable efforts be made to keep information private for it to qualify as a trade secret. In the absence of reasonable efforts, information is not going to get trade secret protection, said Pete Salsich III, an intellectual property attorney with St. Louis firm The BrickHouse Law Group.

Courts look at the type of information, the industry and the difficulty of keeping the information secret. Leaving the documents in open bins on the sidewalk would leave the protection open to a challenge in court, he said.

The bins also had a 1996 telephone script for talking to bankrupt clients who owed May money and didn’t have an attorney. The script said callers should be polite, hang up if asked, and refrain from arguing with customers, but it also included advice on how to get around a customer complaint that creditors are prohibited from calling to collect a debt:

“State the following: ‘This is not an attempt to collect a debt. I am calling you only to communicate an offer for reaffirmation of your former account balance and to explain the special incentive arrangements [DIVISION] is prepared to offer in exchange for your agreement to reaffirm.'”

After wind sent some of the papers flying into the street last week, a reporter scooped up records from the pavement, including: a 2005 notice of a class-action settlement in anti-trust litigation against Visa Check and MasterMoney stamped “Received by Legal Department;” printers’ bids from 2002 for privacy notices; and a 2003 debit card processing report – including eight customer card numbers, just in that tiny, random sampling. There was no customer information, such as names or Social Security numbers, with the debit card numbers.

Ironically, another document was a worksheet (marked with tire tracks) dealing with compliance with the 1999 federal Gramm-Leach-Bliley Act, which requires companies to keep customer financial information private.

“Level of Potential Penalties: significant,” the worksheet says, “including potential civil money penalties, referral to law enforcement agencies, and regulatory enforcement actions.”

Behind the bins, in the Railway Exchange Building, are the offices of Macy’s St. Louis law department, which still has about 20 attorneys. A few hours after a reporter’s phone call Tuesday to that law department, the three remaining trash cans with documents were removed and the papers cleaned off the street.

Macy’s building services cleared out the documents, said Richard Cohen, group vice-president in the law department in St. Louis. According to the company’s purging policies, the customer personal information was to be shredded, but the documents got “backed up,” Cohen said.

“There was more there than we anticipated,” Cohen said.

For material from legal files, the purging may not have met Missouri ethics guidelines, which say lawyers’ client files must be secure until they are destroyed. Macy’s could be considered its in-house attorneys’ client.

Missouri’s Chief Disciplinary Counsel Alan Pratzel, who emphasized he was speaking generally, said even an in-house attorney arguably has a client whose confidential information must be protected when a file is destroyed.

The fact that customer debit card numbers were found in the street raises questions about whether Macy’s will have to notify customers and state authorities under a state law that took effect in August. The law requires notice be given to people affected by when someone gets unauthorized access to personal information. If the breach of security affects more than a thousand people, the state attorney general and consumer reporting agencies must be notified.

Cohen said he knew what the procedures for getting rid of the documents should have been.

“If I had it to do all over again,” Cohen said, “I would have bins with lids on them.”