Earlier this month, AmmoToGo.com, an online ammunition retailer, sent out an e-mail to customers disclosing the theft of consumer information, including e-mail addresses and passwords. The e-mail provided a link to a password reset page and offered assistance in stopping possible spam from anyone who might have purchased the list.
It’s a remarkably proactive response from a small business, in light of the fact that no credit card numbers, firearm owner identification information or driver licenses seem to have been compromised. But it raises once more the problem of online data security and the risk that hacker attacks pose to small businesses.
The business risk is fairly obvious. Customers concerned about data breaches will stop buying, and other merchants will market from the stolen list. The legal risk is harder to define because the law has not yet caught up to online hacking.
Preventative Moves by Small Businesses
Although public attention has focused on the recent huge data breaches at Target, Home Depot or JPMorgan, most actually occur at the small business level. Four years ago, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit responded to a combined 761 data breaches, 63 percent of which were at companies with 100 employees or fewer. In 2011 Visa estimated that about 95 percent of the credit card data breaches it discovers are on its smallest business customers.
Since cyber security measures can be expensive, most small businesses divide data into levels of sensitivity and spend the most protecting the top of the list. In descending order of priority, these are generally:
- Highly confidential data, the disclosure of which could seriously and adversely impact the company, business partners, vendors and/or customers in the short and long term. This includes credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Security numbers and, for those in the healthcare business, patient information.
- Sensitive business information intended for use only within the company. This might include financial reports, internal audit reports, product designs, partnership agreements, marketing plans, email marketing lists and employee performance evaluations.
- Information intended only for internal use, disclosure of which may be undesirable but not expected to have a lasting impact on the company, employees, business partners or vendors.
Legal Protections for Consumers
Federal and state laws tend to reach the top category only. Relevant federal laws are both ancient in cyber security-years and piecemeal. The Fair Credit Reporting Act of 1970 has some elements of data protection, the Gramm-Leach-Bliley Act of 1999 deals with financial institutions and the Health Insurance Portability and Accountability Act of 1996 focuses only on medical data. Many are calling for a modern, comprehensive overhaul of federal data protection law.
States have therefore stepped into the vacuum. Most have adopted breach notification statutes that may also impose legal liability on merchants for negligent storage and handling of data in addition to the costs of notification.
California’s breach notification law (Cal. Civ. Code §1798.82) has recently been amended to extend protection into the second category, covering an email address in combination with a password or security question and answer that would permit access to an online account. One reason that AmmoToGo’s response to its security breach was notable is that it voluntarily embraced this standard, even though it was not legally required in Texas.
Further, since online retailing is international, merchants should be aware that the European Union and the United Kingdom have enacted laws that impose a considerably higher standard for data protection.
The Risk of Civil Lawsuits
Consumers themselves may sue on the theory that publicizing private information about an individual is a tort and that companies that recklessly fail to protect data should be liable even if the victim hasn’t suffered a monetary loss. These suits are increasingly taking the form of class actions.
Whether an online merchant must post a privacy and security policy and what that policy must cover is a matter of state law, to the extent that it is regulated at all. In California, which is highly protective of privacy rights, the California Online Privacy Protection Act requires commercial websites that collect personally identifiable information to post a policy.
In general, however, companies are free to establish their own rules. As a business matter, it is reasonable to assume that consumers wary of the destructive potential of data breaches will look for one.
Once a company posts a policy, however, it must adhere to its terms or risk an enforcement action by the U.S. Federal Trade Commission, which treats a failure to honor a published privacy policy as an unfair or deceptive trade practice. Businesses that market to minors should take particular note of the provisions of the Children’s Online Privacy Protection Act.
AmmoToGo’s response to the theft of consumer information may be a leading indication of the direction businesses should consider for the future. While it is certainly necessary to protect consumer financial and health data, the net of protection should probably be cast more widely, to include other sensitive business information, including e-mail marketing lists, performance reviews and other data containing information about customers or employees. The business and legal risks from third parties who obtain such data may be as great as the risks from competitors who access illegally acquired trade secrets.