Few e-retailers are prepared to notify consumers of a loss of card data

Compliance is complex because laws vary by state, says a new survey.

Don Davis

Only 21% of online retailers are prepared to notify consumers in the event of a data breach that exposes cardholder data, according to a new survey sponsored by insurance agency Jacobson, Goldfarb & Scott Inc.

61% of the 300 e-retailers surveyed said they were not prepared to notify consumers and 18% were not sure.

Preparation is important because notification rules vary by state, with 46 states and the District of Columbia each having their own laws, says Barry Cooke, vice president of technology at JGS, which sells insurance policies for web retailers.

“Education is key,” Cooke says. “Retailers should put a contingency emergency response plan in place. Put something on paper about what they’re going to do if and when they’re breached.”

The average cost to a U.S. retailer for each consumer whose data was exposed was $133 in 2009, according to a survey released last year by Ponemon Institute. That survey covered both online and offline merchants. The total cost of a data breach for all organizations surveyed by Ponemon was $6.75 million, with $500,000 of that related to notifying consumers that their data had been stolen by criminals.

JGS also surveyed retailers on three other risks.

Asked if they were financially prepared for a data center outage, 31% said yes, 42% said no and 27% were not sure.

The survey also asked e-retailers if they were named on suppliers’ liability insurance policies, to protect them in case a consumer files a damage lawsuit. Only 12% said yes, 48% said no and 40% were uncertain.

Asked if they were moderating comments and reviews posted by consumers on their e-commerce sites, 57% of the web retailers said yes, 22% said no and 21% were unsure. Cooke says retailers potentially could be sued for slander or libel in the event a consumer posts an inaccurate allegation on a retail site.

He also notes retailers have been successfully sued because consumers recommended a product for a purpose for which it was not intended. For example, there’s a case going to court next month in which Target.com is being sued because a consumer recommended a wicker basket as a toy chest, a shopper bought the basket on Target.com and used it to store toys, and the shopper’s 18-month-old daughter was seriously injured when the lid of the basket fell on her.

“Wicker baskets are not meant for kids, especially not as toy chests,” Cooke says. “Items meant for children say they’re for ages two to five, or five and up.” By not taking down that recommendation from a consumer, Target.com exposed itself to the risk of a lawsuit, he says.

