Earlier this month, AmmoToGo.com, an online ammunition retailer, sent out an e-mail to customers disclosing the theft of consumer information including e-mail addresses and passwords. The e-mail provided a link to a password reset page and offered assistance to stop possible SPAM from anyone who might have purchased the list.
It’s a remarkably proactive response from a small business, especially since no credit card numbers, firearm owner identification information or driver licenses seem to have been compromised. But it raises once more the problem of online data security and the risk that hacker attacks pose to small businesses.
The business risk is fairly obvious. Customers concerned about data breaches will stop buying, and other merchants will market from the stolen list. The legal risk is harder to define because the law has not yet caught up to online hacking.
Preventative Moves by Small Businesses
Although public attention has focused on the recent huge data breaches at Target, Home Depot or JPMorgan, most actually occur at the small business level. Four years ago, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit responded to a combined 761 data breaches, 63 percent of which were at companies with 100 employees or fewer. In 2011 Visa estimated that about 95 percent of the credit card data breaches it discovers are on its smallest business customers.
Since cyber security measures can also be expensive, most small businesses divide data into levels of sensitivity, and spend the greatest resources protecting at the top of the list. In descending level of priority, these are generally:
- Highly confidential data, the disclosure of which could seriously and adversely impact the company, business partners, vendors and/or customers in the short and long term. This includes credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Security numbers and, for those in the healthcare business, patient information.
- Sensitive business information intended for use only within the company. This might include financial reports, internal audit reports, product designs, partnership agreements, marketing plans, email marketing lists and employee performance evaluations.
- Information intended only for internal use, disclosure of which may be undesirable but not expected to have a lasting impact on the company, employees, business partners or vendors.
Legal Protections for Consumers
Federal and state laws tend to reach the top category only. The relevant federal laws are both ancient in cyber-security years and piecemeal. The Fair Credit Reporting Act of 1970 has some elements of data protection, the Gramm-Leach-Bliley Act of 1999 deals with financial institutions and the Health Insurance Portability and Accountability Act of 1996 focuses only on medical data. Many are calling for a modern, comprehensive overhaul of federal data protection law.
States have therefore stepped into the vacuum. Most have adopted breach notification statutes that may also impose legal liability on merchants for negligent storage and handling of data in addition to the costs of notification.
California’s breach notification law (Cal. Civ. Code §1798.82) has recently been amended to extend protection into the second, lower category, covering an email address in combination with a password or security question and answer that would permit access to an online account. One reason that AmmoToGo’s response to its security breach was notable is that it voluntarily embraced this standard, even though not legally required to in Texas.
Further, since online retailing is international, merchants should be aware that the European Union and the United Kingdom have enacted laws that impose a considerably higher standard for data protection.
The Risk of Civil Lawsuits
Consumers themselves may sue based on the theory that publicizing private information about an individual is a tort and that companies that recklessly fail to protect data should be liable even if the victim hasn’t suffered a monetary loss. These suits are increasingly taking the form of class actions.
Whether an online merchant must post a privacy and security policy and what that policy must cover is a matter of state law, to the extent that it is regulated at all. In California, which is highly protective of privacy rights, the California Online Privacy Protection Act requires commercial websites that collect personally identifiable information to post a policy.
In general, however, companies are free to establish their own rules. As a business matter, it is reasonable to assume that consumers wary of the destructive potential of data breaches will look for one.
Once a company posts a policy, however, it must adhere to its terms or risk being charged with unfair trade practices by the U.S. Federal Trade Commission. Businesses that market to minors should take particular note of the provisions of the Children’s Online Privacy Protection Act.
AmmoToGo’s response to the theft of consumer information may be a leading indication of the direction businesses should consider for the future. While it is certainly necessary to protect consumer financial and health data, the net of protection should probably be cast more widely, to include other sensitive business information, including e-mail marketing information lists, performance reviews and other data containing information about customers or employees. The business and legal risks from these third parties may be as great as the risks from competitors who access illegally acquired trade secrets.