Data Breaches – They Don’t Always Happen The Way You Think They Do

When most people hear of a data breach, they think of some bad actor on the Internet using sophisticated software to infiltrate online computers. Breaches like Facebook’s recent one get a lot of press and big headlines.

However, in reality, these big news stories are only about 25% of the data breaches that occur. The other 75% break down into the three types of breaches I describe below:

1. The Former Disgruntled Employee. These employees used to have access to your customer data and are no longer with the company. However, before the company locked them out of their computers, these individuals took a copy of the company’s user data and are now trying to sell that data, use that data or just make big trouble for the company. Any release of the data they stole creates a data breach and expensive headaches for the company.

2. The Current Disgruntled Employee. These are the employees who feel the company never listens to them, that management is a bunch of fools who could be doing so much more if they would only listen, and who decide to go into business for themselves and make the kind of money they feel they really deserve. Before they leave the company, they take a copy of the company’s client list so they can announce that they have formed a new company to compete with their old one.

3. The Current Employee Who Makes A Dumb Mistake. They copy data to a thumb drive for legitimate purposes, or they are working at a Starbucks and go to the bathroom without shutting down their computer. They then lose the thumb drive, or someone gets onto the unwatched computer, and a copy of customer data is released.

I am sure you can think of many more scenarios, whether innocent or the work of a guilty party. As I said above, these types of data breaches account for the vast majority of data breaches, but they don’t make the headlines like the big company breaches do.

I noted above that a data breach is an expensive headache for the company. The headache is the damage to your brand, the ire of your customers, and the steps you need to take to make things right.

Every state and the entire EU now have data breach laws on their books. If even one person’s data is breached (or is suspected of having been breached), you will need to contact the Secretary of State’s Office in the state where that person lives and explain that you had a breach and what you are doing about it. Usually, they will expect the company to put some sort of rectifying program in place, such as buying LifeLock for every person affected (not a cheap proposition). Further, the Secretary of State’s Office will usually levy a fine upon the offending company. It is in the company’s best interest to have these conversations handled by an attorney, adding even more cost to the data breach.

The cost estimates I have seen on data breaches range from two million to six million dollars. The two-million-dollar price tag was for a breach of under 10,000 names. Obviously, a data breach is nothing you ever want to deal with.

Here is a helpful hint: all data breach laws make an exception for encrypted data as long as the encryption key is not part of the breach, so never store the encryption key on the computer. In today’s world, encryption is often just a matter of a few simple keystrokes. Both Windows and Apple operating systems offer encryption of your entire hard drive right in your settings.

Now, you just need to encrypt, keep the key off the computer, and make sure those who have the ability to decrypt are trained and monitored for compliance. Even when I copy data to a thumb drive on my PC, the computer asks whether I want to encrypt it, to which I always say yes!
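As an added example, not from the original post, the following PowerShell script shows the Windows side of that advice: it turns on BitLocker full-disk encryption for the system drive, writes the recovery key to a removable drive rather than to the computer itself, encrypts a thumb drive the way the author describes, and then reports which volumes are still unprotected so compliance can be monitored. The drive letters C:, E: and F: are assumed placeholders; run it from an elevated PowerShell prompt on an edition of Windows that includes BitLocker.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). All drive letters are assumptions:
#   $SystemDrive - the drive holding the customer data (usually C:)
#   $KeyDrive    - a removable drive that receives the recovery key and is then
#                  ejected and stored away from the computer (e.g. in a safe)
#   $ThumbDrive  - a thumb drive used to carry a copy of customer data
$SystemDrive = "C:"
$KeyDrive    = "E:"
$ThumbDrive  = "F:"

# 1. Encrypt the entire system drive. The recovery key (.BEK file) is written to
#    the removable key drive, never to the system drive; the TPM unlocks the
#    drive at boot so day-to-day use is unchanged.
$sys = Get-BitLockerVolume -MountPoint $SystemDrive
if ($sys.ProtectionStatus -eq 'Off') {
    Add-BitLockerKeyProtector -MountPoint $SystemDrive `
        -RecoveryKeyProtector -RecoveryKeyPath "$KeyDrive\"
    Enable-BitLocker -MountPoint $SystemDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest -TpmProtector
}

# 2. Encrypt the thumb drive (BitLocker To Go) with a password, and keep its
#    recovery key on the key drive as well, so a lost thumb drive is an
#    encrypted-data event rather than a reportable breach.
$thumb = Get-BitLockerVolume -MountPoint $ThumbDrive
if ($thumb.ProtectionStatus -eq 'Off') {
    $pw = Read-Host -Prompt "Password for $ThumbDrive" -AsSecureString
    Enable-BitLocker -MountPoint $ThumbDrive -EncryptionMethod Aes256 `
        -PasswordProtector -Password $pw
    Add-BitLockerKeyProtector -MountPoint $ThumbDrive `
        -RecoveryKeyProtector -RecoveryKeyPath "$KeyDrive\"
}

# 3. Compliance report: every volume, its encryption state and which protectors
#    (Tpm, Password, ExternalKey, ...) guard it.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        EncryptionPercentage,
        @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType) -join ', ' } } |
    Format-Table -AutoSize

# Flag anything still unprotected for follow-up.
$unprotected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' }
if ($unprotected) {
    Write-Warning ("Unprotected volumes: " + ($unprotected.MountPoint -join ', '))
}

# 4. Make sure no recovery key file was left on the computer itself. BitLocker
#    recovery key files use the .BEK extension and are hidden, so search for
#    hidden files too.
$strayKeys = Get-ChildItem -Path "$SystemDrive\" -Filter '*.BEK' -Recurse -Force `
    -ErrorAction SilentlyContinue
if ($strayKeys) {
    Write-Warning ("Recovery key files found on the system drive: " +
        ($strayKeys.FullName -join '; ') + " - move them to $KeyDrive and delete the copies.")
}

Write-Host "Done. Eject $KeyDrive now and store it away from this computer."
```

The script is idempotent for the two encryption steps (it skips a volume that is already protected), so it can be scheduled or re-run by the people responsible for monitoring compliance; the report and the stray-key search are the parts that turn the author’s "trained and monitored" advice into something that can actually be checked.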

There are many more actions you can take to secure your data. Please feel free to contact me with any questions or comments you may have.

Supreme Court Upholds Internet Sales Tax Laws

Last Friday, June 22, 2018, the U.S. Supreme Court, in the case of South Dakota v. Wayfair, overturned its decision in the “Quill” case, which had required a physical presence in the state before sales tax had to be collected. Now states can require the collection of sales tax by any entity or e-commerce site that sells product into the state (with exceptions).

This decision was heavily influenced by the growth of the Internet economy and its effect on the states’ ability to collect taxes for the general welfare of their citizens. The dissenters said it was up to Congress to act.

Meanwhile, if you are selling product over the Internet, you need to pay close attention to the sales tax rules of the states into which you are selling. The court took pains to point out that South Dakota was trying to protect the small retailer from burdensome effects, as it did not require the collection of sales tax until certain milestones were reached (e.g., $100,000 in sales or 200 transactions). The court also relied on the fact that the South Dakota statute was not retroactive. In addition, South Dakota is among the 20 states that have adopted the Streamlined Sales and Use Tax Agreement. This system standardizes taxes to reduce administrative and compliance costs: it requires a single, state-level tax administration, uniform definitions of products and services, simplified tax rate structures, and other uniform rules. It also provides sellers access to sales tax administration software paid for by the state. Sellers who choose to use such software are immune from audit liability.

There are already companies that have built a niche practice of guiding e-commerce sites on sales tax issues for a fee. Further, here is a link to Internet Sales Tax: A 50-State Guide to State Laws: https://www.nolo.com/legal-encyclopedia/50-state-guide-internet-sales-tax-laws.html

Finally, this issue is more of an accounting issue than a legal issue. You should have a long conversation with your accountant on how they can help you with this issue.