
Earlier this month, AmmoToGo, an online ammunition retailer, sent out an e-mail to customers disclosing the theft of consumer information including e-mail addresses and passwords. The e-mail provided a link to a password reset page and offered assistance in stopping possible spam from anyone who might have purchased the list.

It’s a remarkably proactive response from a small business, particularly since no credit card numbers, firearm owner identification information or driver license data appear to have been compromised. But it raises once more the problem of online data security and the risk that hacker attacks pose to small businesses.

The business risk is fairly obvious. Customers concerned about data breaches will stop buying, and other merchants will market to the stolen list. The legal risk is harder to define because the law has not yet caught up with online hacking.

Preventative Moves by Small Businesses

Although public attention has focused on the recent huge data breaches at Target, Home Depot and JPMorgan, most breaches actually occur at the small business level. Four years ago, the U.S. Secret Service and Verizon Communications Inc.'s forensic analysis unit responded to a combined 761 data breaches, 63 percent of which were at companies with 100 employees or fewer. In 2011 Visa estimated that about 95 percent of the credit card data breaches it discovers are at its smallest business customers.

Since cyber security measures can be expensive, most small businesses divide data into levels of sensitivity and spend the most on protecting the data at the top of the list. In descending order of priority, these levels are generally:

  • Highly confidential data, the disclosure of which could seriously and adversely impact the company, business partners, vendors or customers in the short and long term. This includes credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Security numbers and, for those in the healthcare business, patient information.
  • Sensitive business information intended for use only within the company. This might include financial reports, internal audit reports, product designs, partnership agreements, marketing plans, e-mail marketing lists and employee performance evaluations.
  • Information intended only for internal use, the disclosure of which may be undesirable but is not expected to have a lasting impact on the company, employees, business partners or vendors.

Legal Protections for Consumers

Federal and state laws tend to reach only the top category. The relevant federal laws are both ancient in cyber-security years and piecemeal. The Fair Credit Reporting Act of 1970 has some elements of data protection, the Gramm-Leach-Bliley Act of 1999 deals with financial institutions, and the Health Insurance Portability and Accountability Act of 1996 focuses only on medical data. Many are calling for a modern, comprehensive overhaul of federal data protection law.

States have therefore stepped into the vacuum. Most have adopted breach notification statutes, some of which also impose legal liability on merchants for negligent storage and handling of data, in addition to the costs of notification.

California’s breach notification law (Cal. Civ. Code §1798.82) has recently been amended to extend protection into the second category: it now covers an e-mail address in combination with a password, or a security question and answer, that would permit access to an online account. One reason AmmoToGo’s response to its security breach was notable is that it voluntarily embraced this standard, even though it is not legally required in Texas.

Further, since online retailing is international, merchants should be aware that the European Union and the United Kingdom have enacted laws that impose a considerably higher standard for data protection.

The Risk of Civil Lawsuits

Consumers themselves may sue on the theory that publicizing private information about an individual is a tort, and that companies that recklessly fail to protect data should be liable even if the victim has not suffered a monetary loss. These suits are increasingly taking the form of class actions.

The Role of a Privacy Policy

Whether an online merchant must post a privacy and security policy, and what that policy must cover, is a matter of state law, to the extent it is regulated at all. In California, which is highly protective of privacy rights, the California Online Privacy Protection Act requires commercial websites that collect personally identifiable information to post a policy.

In general, however, companies are free to establish their own rules. As a business matter, it is reasonable to assume that consumers wary of the destructive potential of data breaches will look for a policy before buying.

Once a company posts a policy, however, it must adhere to its terms or risk an enforcement action by the U.S. Federal Trade Commission for unfair or deceptive trade practices. Businesses that market to minors should take particular note of the provisions of the Children’s Online Privacy Protection Act.

AmmoToGo's response to the theft of consumer information may be a leading indication of the direction businesses should consider for the future. While it is certainly necessary to protect consumer financial and health data, the net of protection should probably be cast more widely, to include other sensitive business information such as e-mail marketing lists, performance reviews and other data containing information about customers or employees. The business and legal risks from third parties who obtain such data may be as great as the risks from competitors who access illegally acquired trade secrets.
