Aug. 16, 2013 at 1:24 PM ET
A 27-year-old Best Buy customer — and current employee — is suing the electronics retailer, alleging that its employees stole nude photographs of her from a computer she brought in for repair and distributed them online.
Nicole March, a student at the University of Alabama pursuing her master's degree in sculpture, stored revealing photographs of herself for use as reference material in her coursework.
In 2011, March brought her computer to Best Buy's Geek Squad tech repair service for hard drive recovery. According to the lawsuit, nearly two years after the work was completed, she received a text message from a Geek Squad employee who said he had copies of her nudes and that "they were circulating."
March's lawyer told NBC News the worker texted that he "felt bad" and named two other employees involved in taking the photos and redistributing them, including uploading 54 of her pictures online.
Her face was visible in the photographs, and her name appeared in the file names, allowing anyone who downloaded them to identify her as the subject, according to the suit.
March, a part-time computer sales employee at the location at which she had her computer repaired, sued Best Buy earlier this month for, among other things, outrageous conduct and invasion of privacy.
The suit claims March suffered "severe mental anguish, embarrassment and humiliation." Her attorney is seeking compensatory and punitive damages.
Best Buy is investigating the case internally, company spokeswoman Paula Baldwin said.
"Our policies and procedures would prohibit the handling of data in the manner described and the facts alleged do not make sense," she said. "Best Buy engages in responsible customer information management practices, and our employees are trained to follow very specific, industry-leading procedures in caring for this important information."
Baldwin declined to detail what Best Buy's customer privacy practices were, citing competitive and confidential concerns.
"The proof is in the pirating," said Stephen Heninger, March's attorney. "Whatever their policy was, it wasn't observed."
But it's not the first time the company has gotten into legal trouble for alleged peeking by its Geek Squad.
In 2008, Best Buy was sued for copying revealing photos of a female customer from a computer she brought in for repair. That suit included a written confession by a former Geek Squad agent.
At the time, Baldwin told the Minneapolis Star Tribune that the company remotely scans several hundred Geek Squad computers nightly to see if customer data is stored appropriately, and that the diagnostic software its techs use limits the information viewable on a customer's hard drive to file names. The company had also banned the use of personal flash drives by its Geek Squad technicians.
Those measures are still in place, along with "overlapping layers of control," Baldwin said, "supported by continuous training and communications, regular review of our operating procedures, and audits ensuring those controls are in place."
In another case of digital voyeurism, a former Geek Squad agent pleaded no contest to charges he hid a camera phone in a young female customer's bathroom while paying a home repair visit and secretly recorded her showering. And in 2012, a woman sued the tech repair company after hiring a Geek Squad worker to transfer photos, which included racy personal modeling shots, from her old iPhone to her new one; he instead copied the photos to a CD and invited her to his house to pick them up.
"Some technicians are really tempted to snoop through the contents of devices that they've been given to repair," said David Maas, spokesman for the Electronic Frontier Foundation (EFF).
Besides personal photographs and videos, a customer's hard drive could contain banking and financial records, backup copies of passports and Social Security numbers, and other sensitive information.
Maas recommends consumers remove their hard drives before handing computers over to any repair service. Consumers can also use encryption programs to protect their hard drive, such as TrueCrypt or PGPDisk, or use one included in their operating system, such as BitLocker for Windows or FileVault for Mac.
Users should also perform regular backups to avoid handing over their data to a stranger to retrieve lost files.
After all, it's not enough to hide sensitive data in folders or with deceptive file names. Technically astute servicepeople can use programs that turn your hard drive's contents into a picture, easily spotting large images and videos. Even the trash can is no defense against the curious.
"'Delete' in most software means 'don't show me this again, and allow it to be overwritten when necessary' — not 'purge from the system'," said Seth Schoen, senior staff technologist for EFF.
Any company selling computer repair services with access to its customers' hard drives and data "has to keep a close watch on human nature," said attorney Heninger. "Simply writing a black-and-white policy and putting it in a manual isn't going to work. The temptation is too great."