Nasir Pasha & Matt Staub

How Small Businesses Handle Security Breaches [e117]

The guys talk about the email Nasir received about informing customers of a security breach.  They then answer the question, “Every quarter we have to take care of some corporate stuff and many of my employees are required to work on the weekend. Some of the employees have voiced complaints but can I legally do this?”


NASIR: All right. Welcome to our podcast where we cover business in the news and answer some of your business legal questions that you, the listener, can send in to My name is Nasir Pasha and I’m your host for today.
MATT: My name’s Matt Staub. I’m also a host for the show, I suppose, today.
NASIR: For your wonderful, quick 10, 15-minute episode. Actually, the topic that we’re covering today is pretty interesting because I think this is our first, like, we’re making up our own news story I guess because I received an email from a vendor. What was it? It was
MATT: You got the email but, actually, I’ll ask my question later that I have just for your specific to this email. So, you got this email. I feel weird telling this story since you’re the one that received it, but I’ll go through it. I’ll go through it then you tell me what’s right, what’s accurate.
NASIR: Yeah.
MATT: So, you got this email, I guess it was a security breach – I don’t know if you want to call it a security breach – but it looks like some of their customer information was sold to a third party and this is Ammo To Go. Their customer email list was sold and they were able to kind of verify that through a couple of different avenues. They basically sent the email out to, I think, only the people they believe were affected – I think they mention that in there – and they said it looks like it might have possibly been sold to Target Sports USA which I assume is related to Target the store but maybe I’m making an inaccurate assumption.
NASIR: No, I don’t think so. I think it’s target like ammo and guns, but go on.
MATT: Oh, yeah, that makes sense. All right. Well, scratch that! So, yeah, they said no credit card information was on there and, interestingly, they said it at about the same time they had re-launched their website and changed their security and this happened conveniently around the same time which – I don’t know – if they’re going to say that, I’ll take them for their word, but who knows if that’s accurate or not. But, yeah, they said no credit card information was taken and, as a result of their new security, they put in place that, you know, everything’s fine, they don’t expect anything in the future. They suggest changing your password if you haven’t already, especially if you use the same password on multiple websites. Like I said, they said they only sent this to the people that they believe were affected which I thought was interesting. I don’t know how you could, I guess if it happened, people that signed up afterwards? I don’t know how they’re drawing that line.
NASIR: Yeah, that’s true. But what’s interesting is that one of the ways that they’ve confirmed all this is that this other Target Sports USA, they actually purchased, or this is what they believe, they purchased an email list from who they thought was Ammo To Go and, from their perspective, that didn’t happen. And so, then they started looking a little bit deeper and found out, “Okay. Wait a minute. Some of our data’s been breached and basically all the emails have been taken and now is being sold on the open market to companies like these.” So, lots of issues here but I think one of the coolest things is that – and we’ll post a screenshot of the actual email because I think – this is a very good representation as to a great way of dealing with a problem like this. I mean, a small business that is, you know, being hacked and we’ve talked about it in the past and I’m sure security experts will agree that there’s only so much things that you can do to prevent a security breach. Obviously, the smaller the business, the harder it is. But, when it happens, what do you do? And besides complying with the notice requirements of a data breach – which, obviously, this is compliant – how the exposure of information which, in some cases, this may be embarrassing for them to admit that, “Hey, not only were our servers hacked, all your email addresses have now been sold to some other company and are being sold otherwise and you may be hit with more spam,” that’s not a really great thing to admit to your customers who you wish to patron your store again.
MATT: Even the biggest of companies, I think those might even be obviously bigger targets because they have more emails and more customer information. But, for a small business, I think they handled this in about the best way they could. The one thing I would do different – at least, because I don’t know the details, but – just to be safe, maybe send this to everyone. But, like I said, maybe the people they didn’t send it to – or I guess don’t even include that clause in there that we’re only sending this to the people that are affected. I would have never even thought about it.
NASIR: Yeah, I think you’re right. They did have a cut-off date because they said, after August 2014, they updated their new secure database and I’m sure they have no reason to believe that, after that time, there’s been any data breach. So, perhaps that has something to do with it. But, you know, at the end, what I like is that I don’t know what they can do but they’re going to do what they can to fight against these hackers and anyone else who buys and abuses their stolen information.
MATT: Yeah, I wonder, I mean, do you think they have a good shot at finding the people that did this?
NASIR: I don’t, I don’t think so. I mean, unless it’s like an inside source, which it very well could be, because what I find strange is, if you steal an email list, why would you pretend to be the vendor that you stole it from to sell the list? Because you know that it’s a very high probability that it’s going to get back to that vendor, you know?
MATT: The listeners can tell we’re recording this on a different day than normal because you completely missed the pun question that I asked you, but that’s all right.
NASIR: A very subtle one.
MATT: So, my question is, have you purchased from them?
NASIR: Oh, yeah, the only reason I’m on the list is because – I don’t really like to talk about it – I have about five or six storage units down the street just full of ammo, just in case, you know, zombie apocalypse.
MATT: I’m not even sure, that seems a little bit dangerous, especially since it gets hot there.
NASIR: No, no, no, I bought some ammo from there in the past, a while ago. In fact, I think I bought something from them once but I didn’t even realize, this kind of shows you it’s almost good marketing because I don’t think they actually sent any kind of newsletters – or if they do, I’ve ignored it or not received it in the past – but this caught my eye and now, okay, now all of a sudden I’m thinking about them as a company again because, frankly, I’m pleased on how they responded and I think their other customers are also appreciated.
MATT: So, you think they did this on purpose then for people that haven’t purchase in a while?
NASIR: That’s all it is.
MATT: You get this email and you want to pay attention to it.
NASIR: Yeah, exactly. It worked on me. In fact, I’m probably the only one that received it. it may not even be news, just some social experiment for me only.
MATT: Possible. I hope that’s the case. It’d be interesting.
NASIR: Yeah, a lot of issues here. I mean, I’m sure on their privacy policy too they’ve described both in the privacy policy and this email that they don’t sell email addresses. And, also, a lot of businesses buy email lists. Forget about the – just to be kind of frank – the stupidity of buying an email list because I don’t think that’s a very effective way to market. But, besides that aspect of it is whether it’s an intelligent business move or not, the legalities are actually pretty-straightforward. I mean, you can buy an email list. I mean, there’s no law against spamming in itself. There is the CAN-SPAM Act which basically says you can spam but you have to do it in this way. The problem with buying lists is that you don’t know where the sources come from. So, if the source is, like, scraping the internet or stolen information, that’s not compliant with the CAN-SPAM Act. So, that’s something to think about when you’re thinking about buying an email list which I don’t think most marketers would advise anyway.
MATT: Yeah, and even with that, in California, there was a Court of Appeal case that just got ruled on – it must have been a week ago at the time we’re recording this – that kind of just expanded or broadened what email marketers could do.
NASIR: Because there was the question about the headers. Basically, that’s well-established, both in California and the Federal CAN-SPAM Act, that you can’t disguise your headers and so forth. But then, there was some nuances to that I don’t think I really paid attention to. I haven’t read the case in detail but I think what they’re talking about is, just because your “from” email is accurate but everything else is inaccurate, then you’re still not compliance. It’s kind of a subtle technical issue, but those that are trying to skirt the law, it’s actually a good thing to have a little bit more defined scope with that.
MATT: Question of the day. “Every quarter, we have to take care of some corporate stuff and many of my employees are required to work on the weekend. Some of the employees have voiced complaints but can I legally do this?”
NASIR: Okay. So, basically, this is a question about scheduling, and how and when can you make your employees work. Just like everything in employment law, from a conceptual point of view, usually, the employers can do everything they want unless it’s prohibited by law, right? I know that sounds funny but that’s really how you have to start it out because there are so many little small details that are prohibited that the answer to the question, “Can you do that?” “Yeah, always,” but the question is, when you do it, is it going to affect something else? Some of the things can come to mind is that, when you schedule something on the weekend then there might be some religious accommodation issues. You know, whether it’s someone going to church or a synagogue Saturday or Sunday, then requiring them to work may affect that. And so, how you address that is very simply – I mean, we talked about this in the past – by going through the reasonable accommodation process and having that communication with the employee. This doesn’t mean that you have to let them off; it just means that you have to go through this process if there’s a reasonable accommodation to let them do this or maybe it’s undue hardship on the business to not have that worker there at the time and they have to be on there on Saturday and/or Sunday.
MATT: And what makes this trickier too is I think the religious accommodations come into play because, typically, Saturday and Sunday are days that you would not be working and both days of the weekend can be big days for religious observance. So, it does make things a little bit trickier and, as an employer, you maybe make some reasonable accommodations for religious purposes and I think it’s a little bit more for religious purposes as opposed to something else. And there was also a federal case, it was recently said that employers may be required to make scheduling accommodations to attend purported religious activities or functions such as church food drives or community feeding ceremonies – that’s a little bit weirdly worded but – as long as the employee sincerely believes his /her attendance is a “serious component” of his/her beliefs.
NASIR: I don’t think I’ve been to a meeting ceremony.
MATT: Feeding ceremony. Is that what you said?
NASIR: Oh, is it feeding or meeting ceremony?
MATT: Feeding, yeah.
NASIR: Either one is weird.
MATT: Yeah, feeding ceremony.
NASIR: Feeding ceremony.
MATT: Not to get too off-track but, yeah, so that’s pretty broad.
NASIR: That’s pretty broad, yeah. But they mentioned that the employees have voiced complaints. Really, at the end of the day, it depends what the complaints are. I would assume, for most people, it’s going to be like, “Oh, we have to work the weekend,” it’s one of those kinds of complaints. But, if they’re more specific as like, “Hey, I have to go to church on Sunday,” or, “I have to go to the synagogue on Saturday,” or, “I have this food drive that is prescheduled on this day,” or something like that.
MATT: Yeah.
NASIR: Then, okay, that’s something to pay attention to. But, you know, if they’re just complaining, and, at the same time, again, remember, this doesn’t sound like this is a regular work week kind of schedule or workplace but, obviously, like, if you’re a restaurant and/or some kind of business that is really busy on the weekends like that, then maybe these kinds of religious accommodations aren’t as applicable to you because it may – or may not – have some undue hardship if you don’t have those employees available during those weekends.
MATT: Yeah, and a one-time occurrence every year is different than every single Saturday or Sunday.
NASIR: True.
MATT: So, factor that in.
NASIR: But I think the most important thing is communication with your employees and kind of working it out and see if you find a compromise or an alternative and so forth, and just being careful in this day and age with that kind of stuff. Also, remember, most likely, if they’re working on a Saturday or Sunday and they work through Monday through Friday then there’s going to be overtime implications to it as well if they’re non-exempt.
MATT: Yeah, definitely another consideration.
NASIR: And maybe even consider not doing it on a Saturday or Sunday. That’s annoying – to have to work on a Saturday and Sunday.
MATT: Yeah.
NASIR: What a terrible boss.
MATT: It happens. It happens. As long as it’s not on a Superbowl Sunday, I guess. That’d probably be the worst Sunday to do it.
NASIR: For some, that’s like a religious holiday.
MATT: Yeah, that’s true. Make the argument that football is religion. I guarantee people have done it.
NASIR: I’m sure it has happened in Texas. We’ll look it up. Okay, guys. Well, thanks for joining us.
MATT: Keep it sound and keep it smart.



Read More