Andrew T. O'Connor

Counsel
+1 617 574 4153
Blog Posts: Retail Law Advisor

Are U.S. retailers keeping your data safe?

Sharing limited personal information with retailers has its benefits, including targeted ads, discounts, incentives, and coupons.  But at what cost?  Do the risks of disclosing your personal information to retailers outweigh the benefits to which time-sensitive consumers have grown accustomed? 

Many retail consumers no longer have personal connections to retail store personnel, and instead prefer using brick and mortar stores as showrooms for browsing and trying products before going online to make purchases.  Online consumers who generally feel more connected to retailers through social media, promotions and competitive offers are often willing to share information with retailers who can tailor shopping experiences to fit their needs.

With retailers being among the most vulnerable targets for cyber-attacks due to the lucrative information transmitted during retail transactions, protecting the security of consumers’ personal information should be at the forefront of retailers’ minds.  Whether on the cloud or through a point of sale system, most retail transactions result in the transfer of significant amounts of personally identifiable and payment information.  The same data is also often stored by retailers and used to target marketing campaigns.  Once hackers obtain this information, it can be sold on the dark web and used alone or in conjunction with other previously hacked information to create profiles used for identity theft and phishing campaigns.

In order to make systems more secure, retailers need to be proactive and get ahead of hackers, instead of reacting to incidents as they occur.  However, retailers are not in the business of information technology governance and, as a result, generally take steps to comply with regulations only after they are enacted, or in reaction to a data breach incident, rather than planning ahead to determine how best to evade the next security threat.  Retailers do face unique challenges such as integration of endpoint security on point of sale systems, which are frequently run on older operating systems, thus making them susceptible to malicious code. 

With a goal of making sales, retailers are reluctant to include additional security measures that would add an extra step to a sale transaction that may risk frustrating or turning consumers away.  However, as more consumers cite cybersecurity and data privacy as an important factor when making purchases, can increased cybersecurity actually fuel growth?  Recent surveys show that when selecting a retailer, consumers cite cybersecurity and data privacy as important factors above discounts and brand reputation.  In addition, many consumers are willing to increase online spending with a retailer that assures them that their financial and personal information is safe, explains to them how their personal and financial information will be used, and assures them that its website and apps use the most advanced security techniques.

With each U.S. state having its own set of data privacy laws that are constantly updating and evolving, it is important for online retailers to understand their responsibilities to protect personal identifying information of consumers and ensure additional protection measures as necessary.  The number of online retailers that consumers face can be daunting and overwhelming.  But retailers who can promote the fact that they take extra measures to protect consumers’ personal information may stand out among others and instill lasting confidence in consumers that can strengthen the brand’s reputation.