Protecting Your E-Commerce Business From Data Breach Liability
Data breaches pose a significant risk to e-commerce companies. Although the internet has opened up an entirely new world, allowing entrepreneurs to make money online from the comfort of their own homes, it has also opened up potential serious new hazards of which all companies should be aware.
Businesses store a variety of different types of sensitive customer data, including:
- Email and mailing addresses
- Phone numbers
- Passwords, and
- Credit card information
At a minimum, a data breach can result in a serious loss of trust on the part of your customers. A worst-case scenario involving leaked sensitive financial information could be disastrous for a company. Unfortunately, data breaches are increasingly common – one insurer found that 47% of small businesses experienced a data breach between 2017 and 2018, while 44% of those businesses faced multiple breaches.
Here are some steps you can take to minimize your company's risk of data breach liability.
Limit Collection of Customer Data
A great way to avoid the potentially serious consequences of a data breach is to limit what data you actually collect from customers. Many e-commerce businesses can get by with only a customer mailing list, and do not need to collect names, birthdates, or phone numbers in order to notify their customers of new items in stock.
It is also a good idea to refrain from storing customer credit card information. Yes, it can be extremely convenient for customers to login and check out without having to re-enter payment details. However, by storing this information, you are setting yourself up for serious potential consequences if this information is leaked.
In fact, storing credit card data violates the PCI Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council, an international group that creates standards for payment account security. These standards are adopted by every branded credit card company worldwide.
If you want customers to be able to store credit card information, consider working with a third-party payment system, such as PayPal or Amazon Pay, so that the card data, and the security risk that comes with it, is handled by another entity altogether.
Use a Trusted E-Commerce Platform
You should also ensure that your website is hosted on a secure platform. Every web-hosting company should provide information about how it secures customer sites, so you can understand how your customer data will be protected.
For example, Wix.com uses Transport Layer Security, which is “the standard security technology for establishing an encrypted link between a web server and a browser.” By using a trusted and seasoned platform, you are getting the benefit of experience from thousands of other users. This will only serve to keep your customers safe.
Use SSL Authentication for Online Checkouts
By using Secure Sockets Layer (SSL) authentication (today provided by its successor, TLS), you authenticate the identity of your business to the customer's browser and encrypt the data being sent from your customer to you. This prevents hackers from obtaining the data while it is in transit. Using SSL authentication is another requirement businesses must follow in order to be PCI compliant.
Keep Your Software Up to Date
You should regularly monitor your site and keep all patches and applications up to date. Older versions of particular programs may have known security holes, or “back doors,” for hackers to sneak through. It can be annoying to install security updates every time a new leak or bug is found, but by updating regularly you make yourself less of a target for hackers.
In addition, you should use anti-virus software on all company computers and run virus scans on a regular basis. This software should also be updated regularly so that it can catch the latest threats as soon as possible.
Limit Access to Sensitive Data
Another way to protect your customer data is to limit who has access to it. Put a password on your sensitive files to prevent someone from accidentally stumbling into them. If it is not necessary to keep this data on your company’s internal network, consider storing it on a single computer.
Consider which employees have a need to know sensitive information, and then restrict access accordingly. You should also conduct employee training and have policies in place so that your staff does not email, text, or send private customer information through online chat programs, which may become compromised.
Regularly Backup Your Site
If your site is hacked or disabled, you do not want to have to start over completely from scratch. Having weekly or monthly backups saved will let you easily restore your site to what it was before the breach occurred.
Have Your Customers Use Strong Passwords
If you give customers the option to log in to your site, you need to make sure they use a strong password with a combination of numbers, letters, and symbols. By requiring customers to set strong passwords, you are helping them keep their sensitive data secure.
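The policy described above, enforced server-side at account creation as an added example (not code from the original article): it checks for letters, numbers and symbols, and also rejects passwords that match a short, constructed list of commonly used passwords. The 12-character minimum and the sample list are assumptions, not part of the original page.

```python
import re
import string

# Constructed, illustrative sample of commonly used passwords (assumption:
# a real deployment would load a much larger breached-password list).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Assumed minimum length; the article states no specific number.
MIN_LENGTH = 12


def password_problems(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # The article's rule: a combination of letters, numbers and symbols.
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # Composition rules alone are not enough: "Password1!" satisfies all of
    # them, so also compare the lower-cased value and its letters-only core
    # against the common-password list.
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xample", "Correcthorse1", "Password1!"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

Return the list of problems to the signup form so the customer is told exactly which rule failed, rather than a bare "weak password" message.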
Invest in Small Business Cyber Insurance
Finally, in order to give yourself greater protection in the event of a data breach of your e-commerce store, you should consider investing in small business cyber insurance. These policies can cover the cost of notifying your customers, investigating the breach, and purchasing credit monitoring services for any customers who were affected by the breach.
Having a trusted insurance carrier to fall back on if the worst happens can save you a lot of stress and demonstrates to your customers that you are doing everything you can to fix any damage caused by the breach. It is an excellent way to maintain goodwill among your customer base if a breach does occur.
Additionally, even if you are not currently dealing with a data breach, an insurance carrier can help alert you to updated best practices and new security threats as a way to avoid being hacked altogether.
This article is for informational purposes only and does not provide legal advice. Revision Legal has significant experience assisting e-commerce owners through selling their businesses, including negotiating deals, drafting purchase and sale agreements, and assisting with all manner of intellectual property transactions. To schedule an appointment with an internet lawyer, contact us today with the form on this page, or call us at 855-473-8474.