John W Dozier Jr spoke at the annual Internet Retailer conference in June on data protection and managing the liabilities that can arise. Faced with a data loss, an online retailer or marketer or other business entity is often faced with notification laws, liability to banks for losses, FTC and State Attorney General investigations, and class action lawsuits. Given these exposures, most online businesses simply cannot survive to live another day. So John W Dozier Jr offered four suggestions to avoid and manage the risk of data loss.
1) Beware the Wolf in Sheep's Clothing: While your biggest concern may be the loss of credit card information, the fact is that much litigation is coming from inside jobs. Maintain your data internally on a "need to access" basis, and be vigilant in guarding against employee and contractor misappropriation. Don't let those with access to your data do any affiliate marketing on the side, for instance, and have strong written contracts with employees and contractors that will discourage the "borrowing" of your data.
2) Use Salt Liberally: Place your own (preferably fictitious) personally identifiable information in your databases so if they are stolen you will be the recipient of the end use of the data. Banks have been doing this for years. It's called "salting". Sprinkle into your databases information like an anonymous email address so if your data is stolen you'll get an email if someone decides to spam with it.
3) Put it on the Other Guy: No, don't just blame someone else. That's nothing new. Actually anticipate this issue arising and guard against assuming liability brought about by others. Make sure you have indemnification provisions in your web development, web hosting and other third party contracts so if the access is not your fault, you can look to a third party for reimbursement of your losses.
4) Under Promise, Over Deliver: Make sure that your privacy practices are well understood internally and are accurately set forth in your privacy policy. Make sure that your privacy policy provisions do not conflict with your User Agreement and other contracts. And then make sure that your website content is consistent with your Privacy Policy and privacy practices. This is where you will get nailed by the Federal Trade Commission and others even if the loss was not due to your own neglect. Don't promise more than you are prepared to deliver. And in doubt, under promise. For most businesses, you can offer up no promises about data security in your privacy policies and avoid this contract based obligation. Other laws may apply if you have a data loss, but at least you will have limited your exposure.
John W Dozier Jr specializes in the law of the web representing businesses. John was the architect of e-commerce solutions for American Express, Citicorp and Sears, and Dozier Electronic Commerce Solutions, a venture backed, award winning E-commerce business John founded in 1994, transmitted millions of personally identifiable information financial transactions daily through its systems.
Comments