The Dangers of Weak Cybersecurity in Network Marketing

    Thomas Ritter is an associate attorney at Thompson Burton PLLC. His practice area focuses primarily on cybersecurity law, which includes an assortment of data protection and privacy-related matters, and a wide-variety of business transactions. He assists diverse businesses from well-established companies to early stage start-ups.

    A review of this past year’s news cycle illustrates the paramount importance of strong data security. Yahoo, Equifax, Uber, and the list could go on and on. These companies fell victim to data breaches. In turn, they all faced public relations nightmares, not to mention ongoing congressional and regulatory investigations. Today’s cyber landscape is relatively straightforward — where any abundance of consumer information exists, cyber thievery is sure to follow. Enter network marketing companies. Because they are primed with and in possession of valuable information attractive to hackers, data security should be of paramount concern to network marketing executives. So why isn’t it?

    In Part One of this two-part series, I’ll explore the ramifications of a data breach for network marketing companies. In Part Two, I’ll give practical tips and advice on ways to both prevent and mitigate the legal consequences of a data breach.

    Big Money Behind Personal Information

    Stolen consumer information is big business these days. Take the word of Justin Lie, CEO of global online fraud management company CashShield: “A stolen credit card alone is worth $1 in the black market. This number multiplies 5x with each added associated [piece of] information to that credit card number.” Using simple math, a credit card with a person’s address attached to it is worth $5. Add on an email address and phone number, and suddenly the sales price jumps to $125. As Mr. Lie explains,

    With more information, hackers can create a fuller profile of an individual, allowing them to make fraudulent purchases online, create multiple bank accounts, or even steal one’s tax refund.

    With information fetching top dollar on the black market, it’s a no-brainer for a hacker to target MLM companies in possession of a large cache of sensitive data.

    With Third-Party Providers Doing All the Work, Why Worry?

    Network marketing companies inevitably receive (and in some instances personally possess) a wide array of personally identifiable information. From distributor and consumer names to addresses, Social Security numbers, and even credit card numbers, these puzzle pieces of information represent lucrative money-making opportunities for hackers. With such valuable information in hand, why don’t more executives lose sleep over inadequate data protection?

    Executives mistakenly rely upon the following notion: When my company outsources most (if not all) business processing functions (e.g., payment transactions, replicated websites, and more) to third-party providers, the liability for a possible data breach falls on the shoulders of these third-party providers, right? Right? Wrong! Companies cannot completely shift responsibility for data security (or any lack thereof) to service providers. The words found in almost every network marketing company’s privacy policy exemplify this principle:

    We acknowledge your trust and are committed to take reasonable steps to protect Personally Identifiable Information you provide online from loss, misuse, and unauthorized access. We employ physical, electronic, and managerial processes to safeguard and secure your information.

    These very words reflect a company’s alleged commitment to the protection and security of sensitive information, regardless of whether that information is in the hands of third-party providers. If a third-party provider suffers a breach involving the information of your customers, guess who failed to keep the above promise? Having set the record straight that companies cannot entirely pass the buck to third-party providers, you may now be asking yourself, “Yeah, but what’s the worst that could happen from a data breach?” A lot, actually.

    (1) State Actions

    Forty-eight states, including the District of Columbia, have data breach notification laws. These laws require companies to notify affected consumers, sometimes regulators, and in certain instances credit bureaus of the unauthorized disclosure of one’s personal information. Each data breach notification law pertains to that particular state’s residents. Practically speaking, this means companies that possess information about people and consumers across the United States potentially subject themselves to all 48 data breach notification laws. Dizzy yet?

    While most of the laws contain similarities, different obligations nonetheless exist. For example, Florida requires companies to give notice within 30 days from the discovery of a breach. This is significantly shorter than Connecticut’s notice provision, which requires notice within 90 days from the date of discovery. Eighteen different state laws require that companies give notice to state regulators — most often the Attorney General — in the event of a data breach. In fourteen states, the notification statutes allow individuals harmed by a breach to bring a lawsuit seeking damages under consumer protection laws.

    The statutory maze of data breach notification is a complex exercise best boiled down to the following (simplified) elements: (1) did the breach involve personal information which necessitates notification to consumers; and (2) in addition to consumers, does an obligation exist to report to regulators and/or credit bureaus?

    (2) FTC Actions

    Almost as surely as you have heard that the Russians — yes, the RUSSIANS — enjoy computer intrusion, *NEWSFLASH* the Federal Trade Commission likes to involve itself in network marketing affairs. However, what if I also told you that in addition to its role on the MLM beat, the FTC polices data security? In fact, the past few years have featured several dozen enforcement actions over companies’ failure to secure personal data. Similar to how it constructs pyramid allegations, the FTC uses Section 5 of the FTC Act (“unfair or deceptive acts or practices”) as its authority to regulate inadequate data security. With the FTC as the de facto governing authority over both network marketing and data security, a network marketing company’s failure to protect data represents the perfect target.

    One of the FTC’s favorite types of data security complaints involves security failures that contradict a company’s privacy policy. In plain English, the FTC pursues companies who make cybersecurity promises that ultimately are not kept. For instance, an enforcement action against Twitter originated from the promise made in the company’s privacy policy, which stated the use of “administrative, physical and electronic measures designed to protect your information from unauthorized access.” Does that promise look familiar (here’s a hint: see the almost universally used policy language found in nearly every network marketing company’s privacy policy, cited above)? After Twitter was beset by numerous hacks, the FTC charged it with deception over the false promises it had made.

    When you consider the poor practice of data security in an industry already susceptible to regulatory action, the prediction that the FTC will pursue an MLM over its failure to safeguard information doesn’t seem so farfetched.

    What should you do?

    Stay tuned for Part Two. In the meantime, be sure your network marketing company, and by extension its chosen I.T. provider, is employing measures to keep your data secure. This is certainly an area where an ounce of prevention is worth a pound of cure. If network marketing companies can recognize the risk that comes with inadequate cybersecurity, there are practical, affordable and easily executable steps to take. In Part Two of this series, we will start simple with the things you can do right now and the questions you can ask your providers.