Symantec, the American IT security company, recently released its 2015 Internet Security Threat Report, which summarizes the number and types of threats and vulnerabilities seen in 2014. The report also analyzes trends and offers insights from security experts about what to expect from an Internet security standpoint moving forward into 2015. The conclusion: online retailers must take proactive and preventative measures to safeguard their customers' personal information.
Data Breach Trends from 2012 to 2014
Even though the number of "mega breaches" (defined in the report as breaches exposing more than 10 million identities) decreased from 2013 to 2014, the total number of reported breaches increased over the same period. Reported breaches rose from 156 in 2012 to 312 in 2014, a 100 percent increase in just two years. Healthcare was the most attacked sector, accounting for 37 percent of reported incidents in 2014, a reflection of the enormous amount of personal and health information that health care providers collect and store on behalf of their patients. Other sectors must nonetheless remain vigilant in protecting customer information.
The retail sector accounted for 11 percent of reported incidents in 2014 but, alarmingly, 59 percent of the identities exposed during the same period. Those percentages are likely to keep rising as more retailers sell their goods online and more security vulnerabilities are found in e-commerce platforms and the shopping cart software they rely on. With this in mind, businesses that sell products online and handle customer financial data must employ basic safeguards to better protect their customers' personal information.
Gaps in Online Retail Security
1. Not Confirming Transactions. Asking customers whether they want to proceed with a transaction helps minimize accidental or inadvertent purchases made through an online store or app. If your company sells products through an app, consider requiring customers to re-enter their account password to confirm a transaction before it is processed.
2. Not Sending E-mail or SMS Receipts. Following up with customers after a transaction has been processed helps them keep track of the purchases made with their accounts. A confirmation e-mail or text message sent to the e-mail address or mobile number already registered on the account (not one supplied with the order) notifies the customer of both authorized and fraudulent transactions. These notifications must be sent at the time of the transaction, or shortly after it is completed, so that the customer can dispute fraud the moment it happens.
3. Not Requiring Strong Passwords. Not requiring customers to register with strong passwords leaves a gap in cybersecurity that attackers can quickly exploit. While a business cannot stop customers from recycling passwords they use for other, unrelated accounts, it can control the length and complexity of the passwords used for its own website or app. A minimum length combined with requirements for uppercase and lowercase letters, numbers and special characters provides additional protection for customers' personal information. Requiring customers to change their password periodically, and immediately whenever a compromise is suspected, also helps limit the damage from a breach.
4. Complacency. Applying industry best practices and staying attuned to emerging threats helps protect a business's online store and its customers' personal information. Keeping up with the latest techniques hackers use to steal personal data, patching vulnerabilities as soon as they are discovered, and using the recommended type and strength of encryption are just a few examples of how you can proactively protect your customers' personal information.
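The password rules in item 3 can be enforced at registration time. The following is an added example written for this alert, not code from Symantec or from the report; it implements the minimum-length and character-class checks described above and goes one step further by also rejecting passwords that appear on a list of commonly used passwords (here a small constructed list standing in for a real breached-password list) or that contain part of the customer's e-mail address, which is one way a retailer can partially counter the password recycling the text says it cannot prevent. The function names, the 12-character minimum and the blocklist contents are assumptions.

```python
"""Password-policy check for an online store's account registration form.

Added example, not from the original alert. Returns every rule a candidate
password violates so the customer can be told exactly what to fix.
"""
from __future__ import annotations

import re
import unicodedata

MIN_LENGTH = 12  # assumed minimum; the alert gives no specific number

# Constructed blocklist standing in for a real common/breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "p@ssw0rd", "iloveyou", "admin123", "summer2015",
}


def _normalize(password: str) -> str:
    # NFKC folds look-alike Unicode forms so "ﬁ" and "fi" compare equal;
    # stripping outer whitespace avoids accepting a padded weak password.
    return unicodedata.normalize("NFKC", password).strip()


def _email_tokens(email: str) -> list[str]:
    """Pieces of the e-mail local part long enough to be meaningful (>= 4 chars)."""
    local = email.split("@", 1)[0].lower()
    parts = re.split(r"[._+-]", local)
    tokens = [p for p in parts if len(p) >= 4]
    if len(local) >= 4:
        tokens.append(local)
    return tokens


def check_password(password: str, email: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    pw = _normalize(password)
    problems: list[str] = []

    # Length and composition rules from item 3 of the alert.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")

    # Blocklist check: compare case-insensitively, and also after stripping the
    # trailing digits/punctuation customers bolt onto a common word to satisfy
    # composition rules ("Password123!@#" -> "password").
    low = pw.lower()
    stem = re.sub(r"[^a-z]+$", "", low)
    if low in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    # Reject passwords built from the account's own e-mail address.
    if email and any(tok in low for tok in _email_tokens(email)):
        problems.append("contains part of the account e-mail address")

    return problems


def is_acceptable(password: str, email: str = "") -> bool:
    return not check_password(password, email)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, addr in [
        ("Tr0ub4dor&3", "jane.doe@example.com"),
        ("Password123!@#", "jane.doe@example.com"),
        ("Jane.Doe2015!Shop", "jane.doe@example.com"),
        ("correct horse battery staple 9X!", "jane.doe@example.com"),
    ]:
        print(f"{candidate!r}: {check_password(candidate, addr) or 'accepted'}")
```

The second sample shows why composition rules alone are not enough: it satisfies every character-class requirement yet is a dictionary word with a predictable suffix, and only the blocklist check rejects it.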
Summary and Takeaways
- Requiring customers to confirm a transaction before it is completed can minimize accidental or unintended purchases
- Sending e-mail and/or text receipts for each transaction helps customers spot and fight fraudulent transactions
- Strong password policies help protect customer accounts
- Keep up to date with industry best practices and apply that knowledge to your online store or app
For More Information
Polsinelli attorneys understand how important protecting customer personal information should be to a business. For more information, please contact the authors, a member of the Privacy and Data Security practice, or your Polsinelli attorney.