Nasir Pasha, Esq.

Ammo To Go’s Remarkable Response to Data Breach

Earlier this month, Ammo To Go, an online ammunition retailer, sent an e-mail to customers disclosing the theft of customer information, including e-mail addresses and passwords. The e-mail linked to a password reset page and offered assistance in stopping possible spam from anyone who might have purchased the stolen list.

It’s a remarkably proactive response from a small business, particularly since no credit card numbers, firearm owner identification information or driver’s licenses appear to have been compromised. But it raises once more the problem of online data security and the risk that hacker attacks pose to small businesses.

The business risk is fairly obvious: customers concerned about data breaches will stop buying, and other merchants will market to the stolen list. The legal risk is harder to define, because the law has not yet caught up with online hacking.

Preventative Moves by Small Businesses

Although public attention has focused on the recent huge data breaches at Target, Home Depot and JPMorgan, most breaches actually occur at small businesses. Four years ago, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit responded to a combined 761 data breaches, 63 percent of which were at companies with 100 employees or fewer. In 2011, Visa estimated that about 95 percent of the credit card data breaches it discovers occur at its smallest business customers.

Since cyber security measures can be expensive, most small businesses divide data into levels of sensitivity and spend the most on protecting the data at the top of the list. In descending order of priority, these levels are generally:

  • Highly confidential data, the disclosure of which could seriously and adversely impact the company, business partners, vendors and/or customers in the short and long term. This includes credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Security numbers and, for those in the healthcare business, patient information.
  • Sensitive business information intended for use only within the company. This might include financial reports, internal audit reports, product designs, partnership agreements, marketing plans, e-mail marketing lists and employee performance evaluations.
  • Information intended only for internal use, the disclosure of which may be undesirable but is not expected to have a lasting impact on the company, employees, business partners or vendors.

Legal Protections for Consumers

Federal and state laws tend to reach only the top category. The relevant federal laws are both ancient in cyber-security years and piecemeal. The Fair Credit Reporting Act of 1970 has some elements of data protection, the Gramm-Leach-Bliley Act of 1999 deals with financial institutions, and the Health Insurance Portability and Accountability Act of 1996 focuses only on medical data. Many are calling for a modern, comprehensive overhaul of federal data protection law.

States have therefore stepped into the vacuum. Most have adopted breach notification statutes, and some of these also impose legal liability on merchants for negligent storage and handling of data, in addition to the costs of notification.

California’s breach notification law (Cal. Civ. Code §1798.82) has recently been amended to extend protection into the second, lower category: it now covers an e-mail address in combination with a password, or a security question and answer, that would permit access to an online account. One reason Ammo To Go’s response to its security breach was notable is that it voluntarily embraced this standard, even though it was not legally required in Texas.

Further, since online retailing is international, merchants should be aware that the European Union and the United Kingdom have enacted laws that impose a considerably higher standard of data protection.

The Risk of Civil Lawsuits

Consumers themselves may sue on the theory that publicizing private information about an individual is a tort, and that companies that recklessly fail to protect data should be liable even if the victim has not suffered a monetary loss. These suits are increasingly taking the form of class actions.

The Role of a Privacy Policy

Whether an online merchant must post a privacy and security policy, and what that policy must cover, is a matter of state law, to the extent it is regulated at all. In California, which is highly protective of privacy rights, the California Online Privacy Protection Act requires commercial websites that collect personally identifiable information to post a policy.

In general, however, companies are free to establish their own rules. As a business matter, it is reasonable to assume that consumers wary of the destructive potential of data breaches will look for a policy before buying.

Once a company posts a policy, however, it must adhere to its terms, or risk being charged by the U.S. Federal Trade Commission with unfair or deceptive trade practices. Businesses that market to minors should take particular note of the provisions of the Children’s Online Privacy Protection Act.

Ammo To Go’s response to the theft of customer information may be a leading indication of the direction businesses should consider for the future. While it is certainly necessary to protect consumer financial and health data, the net of protection should probably be cast more widely, to include other sensitive business information such as e-mail marketing lists, performance reviews and other data containing information about customers or employees. The business and legal risks from third parties who obtain such data may be as great as the risks from competitors who use illegally acquired trade secrets.



