Merchants Liable For Data Breaches
What do online merchants Art.com, Geeks.com and Bananas.com have in common? They’re three in a small, but growing, list of ecommerce sites hacked for their customers’ credit card data.
Not only are there legal ramifications for not protecting customers’ private data, but breached companies also stand to lose an average of $128 in business per compromised record. That’s according to a 2007 survey of 35 breached merchants by Ponemon Institute, an independent privacy-management-research firm in Michigan.
It’s the Federal Trade Commission that sets guidelines for e-merchants holding customer data. Merchants must “protect the security, confidentiality, and integrity of personal information collected from or about consumers.” Ones that don’t take “reasonable steps” to do so can be required by the FTC to submit to, and pay for, security audits for up to 20 years, even without a security breach.
Since 2002, the commission has brought charges against 20 companies for leaving customer data exposed to breach. The FTC can’t impose fines or pursue legal action itself, but it can refer cases to the Department of Justice for criminal charges or damages, a move it’s made only once.
To comply with FTC guidelines, all sensitive customer data such as credit card numbers, credit verification codes, or log-in identifiers must be:
- Encrypted by a “validated cryptographic module that has been approved by the National Institute of Standards and Technology,” an agency of the U.S. Department of Commerce.
- Protected by a periodically changed password with a minimum of six characters, including upper and lower case letters, numbers and, if possible, symbols.
- Transmitted using a secure connection. The FTC doesn’t stipulate how secure a network must be, only that it’s encrypted.
- Destroyed when no longer needed. All businesses, including e-merchants, are required to “properly dispose of” private consumer data pursuant to the “Disposal Rule” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
The FTC also looks at these factors when considering charges against an e-merchant. Merchants should:
- Refer requests for customer information to designated individuals in the company trained to safeguard personal data.
- Make secure transmission automatic when collecting information online from customers.
- Caution customers against transmitting sensitive data, like account numbers, via email or in response to unsolicited email or pop-up messages.
- Check with software vendors regularly to get and install patches that resolve software vulnerabilities.
- Use anti-virus and anti-spyware software that updates automatically.
- Maintain up-to-date firewalls, particularly if using a broadband Internet connection.
- Regularly ensure that unused server ports are closed.
- Use an up-to-date intrusion detection system to alert staff to any network attacks.
- Insert a dummy account into customer lists and monitor the account to detect any unauthorized contacts or charges.
Additionally, FACTA stipulates that merchants may print no more than the last five digits of the card number, and must omit the card’s expiration date, on any electronically printed credit or debit card receipt given to customers. This rule does not apply to transaction records the merchant retains. Separately, merchants should never store card verification codes.
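As an added illustration of the receipt rule above (example code written for this page, not from the article or any payment vendor): a hypothetical Python routine that renders the customer copy with at most the last five digits of the card number and no expiration date, plus a check that flags a receipt in which a full card number or an expiry slipped through. The sample transaction is constructed and is not real card data.

```python
import re

MAX_VISIBLE_DIGITS = 5   # FACTA: at most the last five digits on the customer copy

def truncate_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Replace every digit of the card number except the last `visible` with '*'."""
    digits = re.sub(r"\D", "", pan)                 # tolerate spaces and dashes in input
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    if visible > MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA allows at most the last five digits on a receipt")
    return "*" * (len(digits) - visible) + digits[-visible:]

def luhn_ok(digits: str) -> bool:
    """Luhn check, used only to recognise a full card number that leaked into text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def receipt_violations(text: str) -> list[str]:
    """Return the FACTA problems found in a printed receipt (empty list = clean)."""
    problems = []
    for run in re.findall(r"\d{12,19}", text):      # a full-length PAN left in the clear
        if luhn_ok(run):
            problems.append(f"full card number present: ...{run[-4:]}")
    if re.search(r"\b(0[1-9]|1[0-2])/\d{2}(\d{2})?\b", text):   # MM/YY or MM/YYYY
        problems.append("expiration date present")
    return problems

def customer_receipt(card: dict) -> str:
    """Render the customer copy: truncated PAN, no expiry, CVV never read at all."""
    text = "\n".join([f"Card: {truncate_pan(card['pan'])}", f"Amount: {card['amount']}"])
    found = receipt_violations(text)                 # belt-and-braces before printing
    if found:
        raise ValueError(f"receipt failed FACTA check: {found}")
    return text

# Constructed sample transaction (test card number, not real customer data)
SAMPLE = {"pan": "4111 1111 1111 1111", "exp": "12/27", "cvv": "123", "amount": "19.99"}

if __name__ == "__main__":
    print(customer_receipt(SAMPLE))
```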
Breach of contract liability
In all, merchants who collect and maintain customer information have a solemn legal responsibility to protect that data at all costs. Just as consumers go to great lengths to protect their identity, e-merchants should go to even greater lengths to protect the data entrusted in their care.
Consider these additional resources to help prevent and detect data breaches.
Open Web Application Security Project