This article originally appeared in Shot Business on November 26, 2018.
Have you developed ways to keep customer data out of the wrong hands?
Conscientious firearms dealers understand their responsibility to safely secure their inventory. They do this in a variety of ways, from installing alarm and surveillance systems to locking up firearms every night when the store closes. But in one key area—data protection-—many shops don’t fully understand the threat of cyber theft.
“If EU citizens can access your website and mobile apps, chances are you need to stay compliant. Demonstrating reasonable care is key, and you can do so by showing that you have a reliable consent mechanism, and a clear privacy policy that details how you use the data and your legal basis for its collection.”
Since January 2017, there have been at least 14 security breaches that have hit major retailers across the United States, according to Business Insider Intelligence. Such breaches are a serious threat to both brands and customers, and they can affect a customer’s trust in those brands. Big names such as Saks Fifth Avenue, Lord & Taylor, Target, Best Buy, and even Panera Bread have been targeted by hackers.
Stolen credit card data and other personal information can seriously damage a retailer’s brand and reputation. According to a study conducted by KPMG, 19 percent of customers said they would completely stop shopping at a retailer after a breach; 33 percent said they’d at least take an extended break from shopping there.Many smaller shops may think that because they aren’t a major brand, the risk is lessened. Unfortunately, these days retailers at all levels can find themselves in the crosshairs of cyber criminals.
“Small mom-and-pop operations often think that because they are small, they aren’t a target, but that isn’t the case,” says John J. Clark, principal and founder of PCI Services, LLC, and a Security Consultant team member for the National Shooting Sports Foundation. “As a small gun shop, you may not have the infrastructure to put up a strong defense, and this is what cyber attackers look for. In many cases, you won’t even know if there was a breach, as smaller shops often don’t have an IT [information technology] team to monitor for these types of attacks.”
The firearms industry should heed these warnings, as it isn’t just credit card information or employee data—such as Social Security Numbers—that could be at risk. Gun shops that keep digital records of transactions might often have NICS data on their computers. That data contains Social Security Numbers, addresses, and, in some cases, even customer fingerprints.
“That type of information is worth so much more than a credit card number, which sells for a couple hundred dollars on the dark web,” says Ian Eyberg, CEO of NanoVMs. “The dark web is the part of the internet that can’t be easily accessed by normal web browsers, and where there is, sadly, a thriving illicit marketplace. Credit card data is good only until its theft is discovered. When that happens, it’s no longer valuable.”
Eyberg notes that firearms purchasers must provide much more information to complete the sale than would, say, the purchaser of a toaster at Target. “Such information can be used for identify theft,” he says. And the real worry here is that this information can be captured by more than one person. “Data that shows up on the dark web can go through many brokers. It isn’t just one mysterious hacker in the Ukraine. It literally is people all over the world.”
Due Diligence
Cyber-security researchers suggest that data needs to be protected at all times. When it comes to firearms retailers, the same level of due diligence paid to secure the actual firearms should be applied to customer information in both paper and digital forms.
“First and foremost, gun shops need to ensure they are conducting business in compliance with ATF regulations, including point-of-sales (POS) solutions that are designed specifically for gun shops,” says Charles King, principal analyst at technology research firm Pund-IT. “Being vigilant is something many gun shop owners deeply understand, so making the best use of security technologies, including firewalls, should be entirely natural for them.”
Many firearms retailers may not think of the digital component of the Firearms Transaction Record, including Form 4473, which is filled out when a person purchases a firearm from a Federal Firearms License (FFL) holder. However, in response to the Government Paperwork Elimination Act (GPEA), along with requests from the firearms industry, the ATF developed the e-Form 4473, which was designed in part to help eliminate errors in completing the form. It is now provided free of charge and runs on a retailer’s computer with either Windows and Mac OS X support.
“That form includes a lot of personal identification information, including a Social Security Number and date of birth,” says Clark. “If you store that electronically, you need to have backups.”
Clark says responsible gun dealers take proper steps to lock up guns and other at-risk inventory. Data should be treated in the same manner. “Digital information needs to be secured as well,” he says.
Along with installing firewalls and virus protection, and regularly scanning the business computers for infections, one of the simplest ways to protect a shop’s computer is simply by making it off-limits. That means not allowing the shop computer to be used for random web browsing by employees, and certainly not by customers. And if that computer is used to archive information—such as copies of the e-Form 4473 transactions, payroll, and other sensitive information to run the shop—it should be completely off-limits to those who do not need to use that computer.
“You have to trust your employees to do certain tasks on the computers, just as you may trust them with the safe deposit box,” says Eyberg. “It really comes down to asking yourself, ‘Do they really need to use the computer to do that task?’ There is no reason to give them access if they don’t really need it.”
Take Five
Cyber-security often is thought of as being static. But according to the retail specialists at Hall-N-Hall consulting (hallnhall.com), the reality is quite a bit different. Cyber-security must continually adapt to the constantly changing world of cyberspace. Here are five takeaways for you to consider.
- Up-to-Date Business-Class Firewall: Many stores we visit during our security and compliance consultations have installed a good firewall. However, many have failed to install the latest updates.
- Separate Wi-Fi Service for Guests: Believe it or not, a lot of stores share their Wi-Fi with their guests. This is a huge security risk and could easily endanger your entire operation. Having a separate Wi-Fi with its own terms of service protects you in case someone does something malicious using your internet connection.
- Up-to-Date POS and PCI: Make sure your point-of-sale (POS) terminals comply with the latest payment card industry (PCI) compliance rules. Part of being PCI-compliant is ensuring that customer credit card information is protected. Regular software updates help you to stay PCI compliant.
- Protect Credit Card Information: We’ve seen instances where a store’s team members will write down credit card information. This should never be done, as it provides the potential for a security breach.
- E-Store Security: If you have an e-store, make sure the site is secure by using a good SSL (secure socket layer certificate). An SSL ensures that all data transmitted between the web server and browser remains encrypted. We’ve seen some stores use WordPress with plug-ins from third parties, which is not the way to go.
Are You GDPR Compliant?
Most gun shop owners probably never ship a firearm to Europe. Without the right export license, that situation would be something that rarely, if ever, presents itself. But what about accessories or the occasional T-shirt or clothing to a customer in the U.K. or Germany? If so, then you need to think about the General Data Protection Regulation (GDPR) that went into effect earlier this year.
“This is something that nobody has really addressed,” says John J. Clark, principal and founder of PCI Services, LLC. “The GDPR is something all businesses in the U.S. should be thinking about, and determining whether they fall under it.”
The GDPR is a regulation in European Union law regarding data protection and privacy for all individuals within the EU, as well as the European Economic Area. The goal of this legislation is to provide control to citizens and residents over their respective personal data. Retailers, manufacturers, and other vendors in the U.S. can be affected by it.
“The GDPR applies to any company that collects and processes personal information on EU citizens,” says Chris Olson, CEO of the Media Trust, a provider of transparency and ad verification solutions to more than 300 companies in the online and mobile advertising ecosystem. “If EU citizens can access your website and mobile apps, chances are you need to stay compliant. Demonstrating reasonable care is key, and you can do so by showing that you have a reliable consent mechanism, and a clear privacy policy that details how you use the data and your legal basis for its collection.”
For businesses of all sizes, this means enacting that policy across the organization, as well as with your digital vendors, who must acknowledge the policy.
“You also need to document what personal data you and third parties process, who within your organization and among your web of direct and indirect vendors collects and processes the data, and with whom you share the data,” says Olson.
The key to this EU regulation is data, and even if you don’t have customers in Europe but correspond with individuals who live there, you may need to be GDPR compliant.
“If you need to send an email to someone in Europe, you’re going to have to be sure you are following the GDPR guidelines,” says Ian Eyberg, CEO of NanoVMs. “We only need to look at the past fines that the EU has leveled on American companies. GDPR is very real, and I would pay attention to it.”
For American retailers, this could also be a portent for similar laws in other parts of the world, and retailers and manufacturers alike should expect a more regulated environment. Japan and South Korea, where privacy is extremely important, are following suit, and comparable regulations are already coming to America.