For startup e-commerce companies, protecting customer data doesn’t always come naturally. Small matters such as getting a business idea out of the starting gates and into the race — not to mention winning those very first customers — tend to overshadow the many liabilities associated with collecting and storing customer data.
However, liabilities they are, no matter how big the company or whether it realizes it or not.
“It’s sort of like those old Mickey Rooney movies, where they would get five or six people together and say, ‘Let’s put on a play’,” Mark Rasch, former head of the Justice Department’s computer crime unit and managing director of technology for FTI Consulting, told the E-Commerce Times. “People often think all they need are coders and a Web site, and the business will run itself.”
Alas, that’s not quite the case, as companies sometimes learn the hard way.
‘If It Moves, Sue It’
Regulatory, civil and injunctive penalties can do a company in, as can the compensatory or tort damages from being sued. “There are dozens of companies out there that went out of business because they failed to protect customer data,” Rasch noted.
Say, for example, a small firm collects 10,000 customer names and credit card numbers, then it gets breached. Information gets sold to criminals who then use the data to buy products at retailers such as Best Buy, for example, for ultimate sale on the black market.
In addition to penalties, the Federal Trade Commission (FTC) or other bodies could apply, the list of those who might sue is a long one: the banks that issued the credit cards, since they have to reissue them at the not-insignificant cost of about US$30 each; all 10,000 customers, for each of whom the company’s liability could extend beyond their individual credit limits; Best Buy’s merchant bank; and the insurers for each institution involved, Rasch explained.
“There’s an old rule of law school that says, ‘If it moves, sue it,'” he said.
“When you look at the cost of protecting the data compared with the cost of not protecting it, it becomes a no-brainer,” Rasch added. “But most young companies don’t go through that analysis. What they don’t understand is that the bad guys are out trolling for weak sites — they have automated tools, and they will find you.”
‘Reasonable and Appropriate’
In recent years, increasing focus on customer data liability has resulted in myriad new laws and regulations, many of them coming from the FTC.
“The FTC views it as an important business obligation to protect sensitive data, because that data can be used to perpetrate identity theft and other harms,” Jessica Rich, assistant director in the FTC’s division of privacy and identity protection, told the E-Commerce Times. “While the laws to ensure this may have different requirements, what they all require is reasonable and appropriate security for information.”
The size of the business, the nature of its operations and the sensitivity of the data all determine which laws apply.
The Fair Credit Reporting Act (FCRA), for example — the FTC’s oldest privacy law — is designed to ensure that credit reporting agencies implement reasonable procedures governing the sensitivity of data that may be reported, as well as who the data may be sold to and how it is ultimately disposed of, Rich said.
Under the Gramm-Leach-Bliley (GLB) Act, also known as the “safeguards rule” that governs all non-bank financial institutions, organizations must provide reasonable security and privacy for customer data, including developing a data-security plan, putting somebody in charge of security, performing risk assessments, developing safeguards to address those risks and overseeing service providers, Rich explained.
Under Section 5 of the FTC Act, the commission also enforces a statute prohibiting unfair or deceptive business acts and practices, Rich said. The statute has been used in data security cases when companies falsely claim they have reasonable data security in place.
Credit Companies Step In
Penalties under that statute and GLB include consumer redress or orders mandating security measures, Rich said. Under FCRA, the FTC can get civil penalties as well, she added.
There are also other acts, such as the Health Insurance Portability and Accountability Act (HIPAA) governing healthcare organizations, that may affect companies doing business online, but the one causing the greatest flurry of activity lately may be the Payment Card Industry Data Security Standard (PCI DSS) established by a consortium of the major credit card companies.
“With the Internet and online shopping, companies are seeing identity theft and fraud cases not in hundreds of dollars per incident, but in rising numbers of incidents and higher costs per incident,” Andre Muscat, director of engineering for security provider GFI, told the E-Commerce Times.
Designed to help stave off the increasing incidence of credit card fraud and hacking, PCI DSS requires that companies processing, storing, or transmitting credit card numbers comply with certain guidelines or risk losing the ability to process credit card payments. Firewalls, antivirus technology and regular audits are among the requirements.
“PCI is just the first step in convincing people to realize that security is a part of doing business in this information-connected age,” Muscat explained.
The rule applies to companies large and small, but in February, less than 20 percent of e-commerce companies processing fewer than 20,000 transactions per year were PCI-compliant, according to an RSA survey.
So what’s a mom-and-pop e-commerce firm to do to make sure that customer data stays safe and that the company stays out of hot water?
Companies also need a good security policy, explaining how data is protected, he added.
The steps and technology implementations that should follow are tough to generalize, Rasch said, because they depend so much on the industry, the type of data and the “regulatory regime” that applies.
One critical measure that should not be forgotten, though, is to vet the practices of business partners, Alan Chapell, president of Chapell & Associates, told the E-Commerce Times. “Many startups tend to go with whoever seems to be good, and they neglect to make contractual provisions to ensure those guys are doing the right thing.”
Small Firm, Big Target
A good primer may be the FTC’s new “Protecting Personal Information: A Guide for Business,” which is aimed primarily at small businesses, Rich said.
Ultimately, there’s a common misperception that data breaches affect only large firms, Muscat noted, when in fact smaller companies are generally less prepared. “It’s often much easier for hackers to attack the smaller guys,” he said.
“As a small company, I may not know any of this,” Rasch concluded. “I’m just the idea guy, and have potentially outsourced almost everything else. Unfortunately, what you can’t outsource is the liability.”