Suits against Aaron’s offer window into larger privacy concerns

Lawsuits are mounting against rent-to-own giant Aaron’s and its franchisees over allegations the company used embedded software to spy on customers, including copying their passwords and snagging photos and videos of private moments.

But cybersecurity experts say consumers better get used to digital intrusion. Privacy in today’s world of all-things-Internet is fast becoming a myth.

“Electronic privacy should not be assumed by anyone,” said David Barton, the principal of the Atlanta-based cybersecurity firm UHY LLC. “Free email services should not be considered private or secure. Terms of service for social media generally force you to give up most rights to privacy in exchange for using the service. The only way to truly maintain your privacy is to stay away from computers and use cash to pay for everything.”

Customers of Aaron’s filed class-action lawsuits against franchisees of the Atlanta-based company in Georgia and California last week as well as an individual complaint in Fulton County against the company and one its franchisees in the state of Washington. The legal action follows another class-action suit filed in Pennsylvania in 2011 and other complaints over the past two years.

At issue is software by Designerware LLC, a Pennsylvania software company that has been forced into bankruptcy. The software was included on laptops and desktops rented from Aaron’s so that the company and its franchisees could recover unreturned computer equipment.

But the lawsuits allege the software was turned on to spy on paying customers — regardless of their rental status — and that more than 180,000 pieces of ill-gotten customer information are being stored on Aaron’s computers.

The captured information, according to the suits, include passwords to emails, social media websites and financial institutions; medical records; and Social Security numbers. They also claim pictures of children, partially clothed individuals and couples in intimate moments were also taken.

The suits seek to get Aaron’s to pay for any adjustments consumers have to pay for repairing credit problems brought on by the alleged activities — including new credit and bank cards — and monetary and punitive damages and attorneys fees. No specific settlement target has been set.

The suits also maintain that customers were never told about the software.

Maury A. Herman, the managing partner of Atlanta-based Herman Gerel LLP, which has filed many of the lawsuits, said even after Aaron’s became aware of the issues, the company did not prohibit its franchisees from using the software.

Herman said both Georgia and the federal government have statutes protecting consumers’ privacy, including the Electronics Communications Privacy Act.

“Even if they felt there was a reason to activate (the software), it would be absolutely illegal because they never told their customers it existed,” he said.

The suits also seek an order from the court for Aaron’s to notify other potentially affected customers.

In a statement, Aaron’s said it disagreed with the claims and “will defend the litigation vigorously.”

“Aaron’s, Inc. respects our customers’ privacy,” the statement says. “Not one of our 1,300-plus company-operated stores has used PC Rental Agent or any other product developed by Designerware LLC. The customers referenced in recent filings in the Byrd litigation are customers of certain independently owned and operated Aaron’s franchisees and are not customers of Aaron’s, Inc. The referenced Designerware emails were caused by actions taken by the certain franchisees, not Aaron’s, Inc.”

Pointing the finger at franchisees may not help Aaron’s avoid the hit to its reputation or bottom line, said Tim Calkins, a branding expert at Northwestern University’s Kellogg School of Management. Customers can’t distinguish between corporate stores operated by Aaron’s and the brand’s franchisees.

“This will be a huge challenge for them because you lose trust with your customer,” he said. “And once that’s gone, it can have a devastating impact on your brand.”

But cybersecurity experts said the Aaron’s allegations are a study in the changing relationship between companies and their customers and employees.

Internet service providers are increasingly sharing consumer information with police, surveillance cameras dot the landscape and the popular Instagram app had to back off “terms of service” language in December that suggested it would use customer pictures in advertising without the user’s permission.

In the office, technology has made it easier for bosses to know where employees are at all times if the employees use company-owned smartphones with location-tracking software.

“Privacy risk is rising at an alarming rate as more and more personal data moves from offline to online,” said David Abouchar, the senior director of product management at Atlanta-based ControlScan, which helps companies with payment security and payment card industry compliance. “The digitization movement is being fueled by an insatiable corporate appetite for streamlining processes and capturing consumer data to extract actionable insights.”