Don’t be fooled: hackers and fraudsters don’t target only large companies. E-commerce is one of the top 5 most hacked industries globally, and the number of data breaches is increasing annually.
The very nature and operation of e-commerce make it an ideal target, because a store collects personally identifiable information (PII) from its customers, including names, contact and mailing details, and financial information. Many e-commerce stores also use third-party plugins to improve the customer experience, and each of these widens the attack surface, giving hackers additional opportunities for infiltration via password guessing, phishing, or malware attacks.
Therefore, e-commerce stores are subject to many different data protection laws worldwide, each with its own specifications. But there are certain universal legal implications all e-commerce business owners should know.
» Unfamiliar with e-commerce data privacy? Discover how to overcome essential e-commerce data privacy issues
1. Notification
You must notify the individuals whose data was breached, the relevant regulatory authority so that an investigation can begin, and any other relevant parties. Some laws make exceptions regarding when an affected individual must be notified; e.g., the General Data Protection Regulation (GDPR) takes the severity of the breach into account.
Laws also differ in how affected parties must be notified and in the time limits they impose. E.g., GDPR requires notification within 72 hours, while the Health Insurance Portability and Accountability Act (HIPAA) mandates 60 days.
2. Response
The importance of having an effective response plan in place cannot be overstated. Moving quickly and decisively can help minimize the damage. Suggested actions to include in your response plan are:
- Containing the breach: Take immediate action to stop the attacker’s ongoing access, prevent further breaches, and limit the scope of the breach.
- Assessing the scope: Conduct a thorough assessment to determine the scope and impact of the breach.
- Notifying concerned parties and organizations: This includes notifying law enforcement agencies, the media, affected individuals, and other relevant parties or organizations.
- Reviewing and enhancing data protection measures: Study the incident and its impact on the organization’s existing data protection policies, procedures, and measures. Address any vulnerabilities.
» Struggling to draft a response plan? Read this data breach response checklist
3. Fines & Penalties
Fines and penalties for a data breach depend on the severity of the attack and how much data was stolen. Data breaches not only incur monetary penalties for violating data protection laws but can also lead to reputational damage through public shaming. In any case, violating these laws can be severely disruptive and expensive. Here are some examples:
- Health Insurance Portability and Accountability Act (HIPAA): The fine amount is determined by how many medical records were exposed. Fines start at $50 per record and can go up to $50,000. Violators may also face prison terms of 1 to 10 years.
- Gramm-Leach-Bliley Act (GLBA): Organizations may be fined up to $100,000 per violation, while officers and directors of those organizations may be fined up to $10,000 each. Individuals may face up to 5 years in prison.
- Federal Information Security Modernization Act (FISMA): The penalties primarily apply to federal agencies and can range from a formal censure by Congress to a reduction in public funding.
4. Litigation
Legal action can be taken by individuals, businesses, or other relevant parties whose data or interests have been compromised because of negligence on the e-commerce store owner’s part. This includes:
- Failure of notification: This can place the affected parties in more danger and deny them the opportunity to take their own preventative measures, e.g., changing passwords or freezing credit cards.
- Failure to respond: This includes failing to respond to queries from affected parties as well as failing to respond to the data breach itself. By not investigating and addressing the vulnerabilities involved, the store and its clients remain easy targets for hackers.
- Failure to implement reasonable security measures: This can be viewed as a breach of privacy and of contract. Customers would not hand their PII to the e-commerce store if there were no agreement to protect that information.
» How do you protect your store from data breaches? Implement these best practices
Conclusion
E-commerce businesses need to be aware of the potential costs and consequences of a data breach, including fines, litigation, and reputational damage. They should have clear response plans in place that include handling sensitive information, notifying affected parties and organizations, and reviewing and enhancing their data protection measures.
Organizations must also work closely with law enforcement agencies, media, and other relevant parties to ensure that their response is appropriate and effective. Ultimately, businesses need to take a proactive approach to data protection to mitigate the risk of a breach and minimize the impact when it does occur.
» Unsure how to respond to a data breach? Explore PieEye’s data breach protocol