Earlier this month, AmmoToGo.com, an online ammunition retailer, sent out an e-mail to customers disclosing the theft of consumer information including e-mail addresses and passwords. The e-mail provided a link to a password reset page and offered assistance to stop possible SPAM from anyone who might have purchased the list.
It’s a remarkably proactive response from a small business, in light of the fact that no credit card numbers, firearm owner identification information or driver licenses seem to have been compromised. But it raises once more the problem of online data security and the risk that hacker attacks pose to small businesses.
The business risk is fairly obvious. Customers concerned about data breaches will stop buying, and other merchants will market from the stolen list. The legal risk is harder to define because the law has not yet caught up to online hacking.
Preventative Moves by Small Businesses
Although public attention has focused on the recent huge data breaches at Target, Home Depot or JPMorgan, most actually occur at the small business level. Four years ago, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit responded to a combined 761 data breaches, 63 percent of which were at companies with 100 employees or fewer. In 2011 Visa estimated that about 95 percent of the credit card data breaches it discovers are on its smallest business customers.
Since cyber security measures can also be expensive, most small businesses divide data into levels of sensitivity, and spend the greatest resources protecting at the top of the list. In descending level of priority, these are generally:
- Highly confidential data, the disclosure of which could seriously and adversely impact the company, business partners, vendors and/or customers in the short and long term. This includes credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Security numbers and, for those in the healthcare business, patient information.
- Sensitive business information intended for use only within the company. This might include financial reports, internal audit reports, product designs, partnership agreements, marketing plans, email marketing lists and employee performance evaluations.
- Information intended only for internal use, disclosure of which may be undesirable but not expected to have a lasting impact on the company, employees, business partners or vendors.
Legal Protections for Consumers
Federal and state laws tend to reach the top category only. The relevant federal laws are both ancient in cyber-security years and piecemeal. The Fair Credit Reporting Act of 1970 has some elements of data protection, the Gramm-Leach-Bliley Act of 1999 deals with financial institutions and the Health Insurance Portability and Accountability Act of 1996 focuses only on medical data. Many are calling for a modern, comprehensive overhaul of federal data protection law.
States have therefore stepped into the vacuum. Most have adopted breach notification statutes that may also impose legal liability on merchants for negligent storage and handling of data in addition to the costs of notification.
California’s breach notification law (Cal. Civ. Code §1798.82) has recently been amended to extend protection into the second, lower category, covering an email address in combination with a password or security question and answer that would permit access to an online account. One reason AmmoToGo’s response to its security breach was notable is that it voluntarily embraced this standard, even though it was not legally required to in Texas.
Further, since online retailing is international, merchants should also be aware that the European Union and United Kingdom have enacted laws that impose a considerably higher standard for data protection.
The Risk of Civil Lawsuits
Consumers themselves may sue based on the theory that publicizing private information about an individual is a tort and that companies that recklessly fail to protect data should be liable even if the victim hasn’t suffered a monetary loss. These suits are increasingly taking the form of class action lawsuits.
Whether an online merchant must post a privacy and security policy and what that policy must cover is a matter of state law, to the extent that it is regulated at all. In California, which is highly protective of privacy rights, the California Online Privacy Protection Act requires commercial websites that collect personally identifiable information to post a policy.
In general, however, companies are free to establish their own rules. As a business matter, it is reasonable to assume that consumers wary of the destructive potential of data breaches will look for one.
Once a company posts a policy, however, it must adhere to its terms or risk being charged with fair trade violations by the U.S. Federal Trade Commission. Businesses that market to minors should take particular note of the provisions of the Children’s Online Privacy Protection Act.
AmmoToGo’s response to the theft of consumer information may be a leading indication of the direction businesses should consider for the future. While it is certainly necessary to protect consumer financial and health data, the net of protection should probably be cast more widely, to include other sensitive business information, including e-mail marketing information lists, performance reviews and other data containing information about customers or employees. The business and legal risks from these third parties may be as great as the risks from competitors who access illegally acquired trade secrets.