Practical eCommerce


Accounting, Management & Legal

Merchants Liable For Data Breaches

Protecting customers' data a 'solemn legal responsibility'

By: Jennifer D. Meacham

What do online merchants Art.com, Geeks.com and Bananas.com have in common? They're three in a small, but growing, list of ecommerce sites hacked for their customers' credit card data.

Not only are there legal ramifications for not protecting customers' private data, but breached companies also stand to lose an average of $128 in business per compromised record. That's according to a 2007 survey of 35 breached merchants by Ponemon Institute, an independent privacy-management-research firm in Michigan.

It's the Federal Trade Commission that sets guidelines for e-merchants holding customer data. Merchants must "protect the security, confidentiality, and integrity of personal information collected from or about consumers." Ones that don't take "reasonable steps" to do so can be required by the FTC to submit to, and pay for, security audits for up to 20 years, even without a security breach.

Since 2002, the commission has brought charges against 20 companies for leaving customer data open to breach. The FTC can't impose fines or pursue legal action itself, but it can refer cases to the Department of Justice for criminal charges or damages, a move it's made only once.

Security compliance

To comply with FTC guidelines, all sensitive customer data such as credit card numbers, credit verification codes, or log-in identifiers must be:

1. Encrypted by a "validated cryptographic module that has been approved by the National Institute of Standards and Technology," an agency of the U.S. Department of Commerce.

2. Protected by a periodically changed password with a minimum of six characters, including upper and lower case letters, numbers and, if possible, symbols.

3. Transmitted using a secure connection. The FTC doesn't stipulate how secure a network must be, only that it's encrypted.

4. Destroyed when no longer needed. All businesses, including e-merchants, are required to "properly dispose of" private consumer data pursuant to the "Disposal Rule" of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

The FTC also looks at these factors when considering charges against an e-merchant. Merchants should:

- Refer requests for customer information to designated individuals in the company trained to safeguard personal data.

- Make secure transmission automatic when collecting information online from customers.

- Caution customers against transmitting sensitive data, like account numbers, via email or in response to unsolicited email or pop-up messages.


- Check with software vendors regularly to get and install patches that resolve software vulnerabilities.

- Use anti-virus and anti-spyware software that update automatically.

- Maintain up-to-date firewalls, particularly if using a broadband Internet connection.

- Regularly ensure that unused server "ports" are closed.

- Use an up-to-date intrusion detection system to alert on any network attacks.

- Insert a dummy account into customer lists and monitor the account to detect any unauthorized contacts or charges.

Additionally, FACTA stipulates that merchants may print no more than the last five digits of the card number, and must omit the card's expiration date, on any electronically printed credit or debit card receipts given to their customers. This law does not apply to transaction records the merchant retains. Meanwhile, merchants should never store card verification codes.
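The receipt rule and the "never store the verification code" rule, applied to a constructed card transaction. This is an added example, not code from the article; the field names and the compliance-check functions are assumptions.

```python
# Added example, not code from the article: a constructed card transaction run
# through the FACTA receipt rule described above. Field names are assumptions.
from dataclasses import dataclass

MAX_VISIBLE_DIGITS = 5                        # FACTA: at most the last five digits on a receipt
CVC_FIELDS = {"cvv", "cvv2", "cvc", "cid"}    # verification-code field names to reject


@dataclass
class CardTransaction:
    pan: str        # full primary account number as typed, may contain spaces
    expiry: str     # "MM/YY"
    cvc: str        # verification code supplied by the customer at checkout
    amount_cents: int


def mask_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Replace every digit except the last `visible` with '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - visible) + digits[-visible:]


def customer_receipt(tx: CardTransaction) -> dict:
    """Receipt given to the customer: truncated PAN, no expiration date, no code."""
    return {"card": mask_pan(tx.pan), "amount_cents": tx.amount_cents}


def retained_record(tx: CardTransaction) -> dict:
    """Record the merchant keeps. The receipt rule does not apply to it, but the
    verification code is dropped and never written anywhere. The PAN and expiry
    kept here still must be encrypted at rest (item 1 above); not shown here."""
    return {"pan": tx.pan, "expiry": tx.expiry, "amount_cents": tx.amount_cents}


def receipt_is_compliant(receipt: dict) -> bool:
    """No expiry, no verification code, and at most five digits visible."""
    keys = {k.lower() for k in receipt}
    if "expiry" in keys or keys & CVC_FIELDS:
        return False
    return sum(ch.isdigit() for ch in receipt.get("card", "")) <= MAX_VISIBLE_DIGITS


def record_is_compliant(record: dict) -> bool:
    """A stored transaction record must never carry a verification code."""
    return not ({k.lower() for k in record} & CVC_FIELDS)


# Constructed sample; the PAN is a well-known test number, not a real card.
SAMPLE = CardTransaction(pan="4111 1111 1111 1111", expiry="09/10", cvc="123", amount_cents=4999)
```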

Breach of contract liability

An e-merchant's online privacy policy is considered an online contract between the store and its customers. If outside parties are given access to the information claimed as private, whether by accident, outsourcing or hacking, "breach of contract law" allows consumers to sue and collect damages, including reasonable attorney's fees.

Under this law, a suit brought by New Jersey's Division of Consumer Affairs resulted in a December 2001 settlement between Toys R Us and the state of New Jersey. It required Toys R Us to pay a $50,000 fine and revamp its privacy policy to indicate that customer information would be passed along to a third-party marketing firm. Two class action suits calling for damages for every customer whose data was passed along were filed around the same time.

Privacy policies also give legal bite to anti-hacking provisions. In a 2000 New York district court case, upstart domain registrar Verio.com used automated software to download data on Register.com's existing domain customers. Since automated downloads were specifically prohibited in Register.com's online privacy policy, the court found that Verio's downloading "lacked authorization" and thus was illegal under the Computer Fraud and Abuse Act of 1984.

In all, merchants who collect and maintain customer information have a solemn legal responsibility to protect that data at all costs. Just as consumers go to great lengths to protect their identity, e-merchants should go to even greater lengths to protect the data entrusted in their care.

ADDITIONAL RESOURCES

SANS Institute
"The 20 Most Critical Internet Security Vulnerabilities": Sans.org/top20
Scanning tools and services to monitor network vulnerabilities: Sans.org/top20/tools.pdf

Open Web Application Security Project
"The 10 Most Critical Web Application Security Vulnerabilities": Owasp.org

Breach notification requirements, state by state: Perkinscoie.com/files/upload/securitybreach.pdf

Sample breach notification letter:
Ftc.gov/bcp/edu/pubs/business/idtheft/bus59.shtm

Alphabetical list of validated cryptographic modules approved by the National Institute of Standards and Technology:
Csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

FTC Guide for Business: "Protecting Personal Information"
Ftc.gov/infosecurity


Published on Thursday, April 17, 2008

Comments:

If I outsource my payment services or information collection to an entity such as Paypal, who ensures protection, am I liable for a breach of their system which results in the exchange of information about my customers??? Hm...

Posted by: Penny
Tuesday, April 22, 2008

Penny, the Federal Trade Commission spells out that merchants who outsource their data (whether for protection or disposal) must have a contract with the outside agency. The contract must spell out that the outsourced provider must follow all of the same privacy and security rules. This doesn't protect you from liability, Penny. However, it does give you someone to sue to recover damages if the data is breached.

Posted by: Jennifer D. Meacham
Monday, April 28, 2008
