Someone's Stolen My Email Database! What Do I Do Now?!?
I had a frantic client call me this week (OK, that’s not true. He emailed me, but you get the idea).
He had just found out that his site was the victim of an attack. The attacker stole all of the email addresses kept in his database, both opted in and not opted in.
The attacker then proceeded to use a false header (that falsely indicated that he was my client) and sent an email to all of the email addresses that he had stolen. (No, I don’t know the sex of the attacker, but I’m calling the attacker “he” for convenience.)
Even worse, the attacker set up the email so that anyone replying to the email would automatically email everyone else on the list. Ouch!
So, what do you do if this happens to you?
The very first thing you do is to contact the Federal Bureau of Investigation (FBI) in your area and ask to speak to the Computer Crimes Division. You need to report the crime that has taken place. Make no mistake about it. This is criminal.
The next thing you do is that you compose an email to the entire list (both opted in and not opted in) explaining what has happened, the steps that you’re taking to rectify the problem and assuring them that the email was not from you and that they should ignore the email altogether.
You then need to contact the appropriate people to find out how the criminal broke into your database. Right after that, you need to “plug the hole” and figure out a way to make your system more secure.
While you’re at it, you should seriously think about your privacy policy and data retention policies. Make sure you have them and that you’re following the guidelines for protecting your customers’ information that you’ve set forth therein.
If you don’t have a privacy policy, get one. If you don’t have a data retention policy, draft one. If you don’t know what a data retention policy is and/or why you should have one, you can check out my guest blog here about data retention policies.
Well, what’s the worst that can happen, right?
You really want to know? I’m warning you, it’s not pretty.
Let me give you your nightmare scenario…
You might think that the worst case scenario is that you’re caught by your ISP or even by the FTC for violations of the CAN-SPAM Act.
But that’s not it. Though I’d rather give myself a frontal lobotomy with a home kit than to deal with the FTC again...
The real nightmare scenario is that you had emails go into the State of California. You see, to the government or even to your ISP, it’s easy enough to prove what happened. It’ll cost you, but it can be done.
But, under California Business & Professions Code § 17529.5, the State of California gives a private right of action to consumers who receive unsolicited commercial emails with falsified header information. And it’s a $1,000 hit per email.
Let me say that again.
California residents who receive an email from what appears to be you with false header information can sue you in small claims court for $1,000 PER EMAIL. And what they have to prove to be successful is minimal. You have the burden of proving that you didn’t send or sanction the sending of the emails.
I'm not saying that you're actually liable. You're not. You could meet the burden of proving that you didn't send or authorize them, but it would be unbelievably costly to defend all of those suits. If they were filed in small claims courts all over California, you'd have to fly to each location and defend each one.
Well, couldn't you just ignore them then? What's the worst that could happen?
The worst that could happen if you didn't defend is that you could be found liable in all of those suits. And that adds up. Fast.
Let’s say that your database had only 10,000 email addresses that were stolen by your friendly, neighborhood criminal. And since there are 50 states, let’s assume that the email addresses were evenly distributed (which, of course, they’re not). So that makes 200 email addresses in California.
At $1,000 per email, that’s $200,000. What if you had 20,000 email addresses? Or 50,000? Or even 100,000?
Are you starting to see how this could really ruin your day?
Don’t let this happen to you. Make sure your databases are secure. Make sure all of your customer information is as secure as you can make it.
And if it does happen, do whatever you can to mitigate the damages.... Quickly!