Ask anyone what comes to mind when they think of TJX, and they’ll almost certainly mention the infamous data breach earlier this year that exposed more than 45 million customer credit and debit cards to hackers.
That’s the kind of publicity most companies can do without, but it’s also the inevitable result of being a large, well-known company and experiencing a breach of security.
“There is a significant brand equity component in privacy and security practices,” Alan Chapell, president of Chapell & Associates, told the E-Commerce Times.
“The carrot is that when consumers trust you, they are more likely to give you their information, and data is the engine that drives many businesses,” Chapell said. “The stick side is that if they don’t trust you, they are much less likely to patronize your business.”
Part 1 of this two-part series discusses what startup e-commerce firms can do to make sure that customer data stays safe and that they stay out of hot water. This installment takes a look at the problem from the enterprise perspective.
Ahead on the Curve
Larger companies tend to be better-versed in the rules and regulations governing privacy and security practices today, such as the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley (GLB) Act and statutes on unfair and deceptive business practices.
They also tend to be further along in becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS) established by a consortium of the major credit card companies. Whereas only 19 percent of small companies — with fewer than 20,000 e-commerce transactions per year — were PCI-compliant in a February survey, 55 percent of larger companies were, RSA reported.
“I don’t know of any big organization in e-commerce anymore that doesn’t at least have privacy and security statements,” Chapell said.
Under the Spotlight
Big companies may be better prepared, in general, but they are also a bigger target — both for hackers and for lawyers.
“If I’m a bad guy, I don’t want one customer’s credit card information — I want lots of people’s information,” Mark Rasch, former head of the Justice Department’s computer crime unit and managing director of technology for FTI Consulting, told the E-Commerce Times. “The bad guys really want to go after the companies with the most data.”
Such companies tend to be the bigger ones — the Amazons, the eBays, the PayPals — and also the ones with the deeper pockets. That, in turn, makes them a more lucrative target for lawsuits.
“Right now, the legal landscape is such that privacy litigation is a high-yield target base for class-action lawyers,” Timothy Carroll, an attorney with Vedder, Price, Kaufman & Kammholz, told the E-Commerce Times.
Big companies are also more unwieldy, and they tend to take longer to respond to breaches and other security events. That, in turn, can increase their liability, Rasch added.
Then there are the regulatory and other penalties that can be imposed by agencies like the Federal Trade Commission (FTC). “The likelihood of dollar fines goes up when you’re a big name,” Rasch said. “You get made an example of.”
TJX may be the most recent high-profile example of a major security breach, but there have been many others, as the FTC’s online case files attest. Perhaps the best-known of those is the ChoicePoint breach, in which the company electronically delivered information on 265,000 people to identity thieves posing as officials in legitimate debt collection, insurance and check-cashing businesses.
The result? The company had to pay US$10 million in civil penalties plus $5 million in consumer redress, Jessica Rich, assistant director in the FTC’s division of privacy and identity protection, told the E-Commerce Times.
Daring to ‘Care’
The FTC has been very broad in interpreting the deceptive trade practices statute, so that “even a statement like ‘we care about your privacy’ is enough to create liability,” Rasch warned.
To wit: After Guess Jeans and Petco both fell prey to hackers, the FTC pursued actions against the companies themselves, Rasch pointed out. Looking back further, Eli Lilly became a target several years ago after it accidentally released the e-mail addresses of nearly 700 subscribers to its prozac.com e-mail alert.
Basic privacy and security practices may already be in place at most large companies, but that doesn’t mean the effort is finished.
Security as Journey
First, keeping statements current is just as important as creating them in the first place. “The real challenge is continuing to update them,” Chapell said. “I’ve seen some that were two to three years old. Maybe the company’s business has stayed the same over that time, but it seems unlikely.”
Data governance and annual assessments are not enough, either. “The truth is that this is a journey, not a destination,” Rasch explained. “Whenever you start something new, you must ask yourself: What are the privacy, security and regulatory implications of this?”
Indeed, it’s critical for the IT and legal groups within a company to be in close touch, Carroll said.
Check Your Partner
Making sure business partners are secure is another challenge. “Any business can be liable for the action of its business associates,” Chapell said. “If it’s believed that somebody downstream from you was doing the wrong thing, and you knew or should have known about it, you may get soaked.”
Within the firm, it’s not always easy ensuring that the best-laid security and privacy plans are followed at all levels of the organization.
“You may be doing everything right, but then it turns out there’s one employee who, for reasons unknown, keeps a customer database on their laptop, and the laptop ends up getting stolen,” Chapell said. “Even if you do great on nine things, you can still fall down on the 10th.”
The Blog Factor
Privacy and security issues associated with technologies like cell phones and employee blogs also remain to be tested. “We’ve seen employee blogs used to the detriment of the company by disclosing sensitive information — protected by HIPAA or other like requirements — for all the world to see,” Carroll said.
Ultimately, whatever the potential financial consequences of security problems, companies should remember that customers are what’s really at stake.
“The truth is that the rate of fraud is not substantially higher now in the e-commerce world than it was before,” Rasch concluded. “The dollar value is higher, but the rates are not. This is not so much about reducing fraud as it is about increasing customer confidence.”