Protecting Your E-commerce Business

Do you have a blossoming e-commerce business selling goods or services over the Internet? An Orange County business attorney can explain various methods by which you can protect your business from hackers; liability; prosecution for non-compliance with federal, state, or local laws; and other dangers.


Probably the biggest concern facing every e-commerce business owner is security. Is your website secure from hackers? You can be held liable if customer data is unlawfully accessed. What can you do to protect yourself?

First, you must determine the best practices in your industry for securing a website and for data storage. The best way to achieve this is by hiring a cyber-security expert or other consultant who is well versed in the subject matter. You can also search online or ask similar online business owners who they recommend.

The security expert will likely suggest a layered approach to security, with particular attention to your online checkout. If you handle your own transactions and accept credit or debit cards, you will need to become well versed in the PCI Data Security Standard (PCI DSS) to reduce your liability. The standard is maintained by the PCI Security Standards Council, which was founded by the major payment card brands, and it sets a uniform set of requirements for how an online seller must structure and protect the systems that store, process, or transmit cardholder data in order to guard consumers against card fraud and data theft. Note that the more of the card-handling process you outsource to a PCI-compliant payment processor (for example, a hosted payment page or tokenized checkout that keeps card numbers off your servers), the smaller the portion of your systems that falls within the standard's scope, and the simpler your compliance obligations become. If you will be receiving online card payments, find a security expert who is familiar with PCI DSS. Be aware that the standard is being updated: the prior version is retired effective October 31, 2016, so even if your payment systems are current today, you will have to review and update them before that date to remain compliant.

Furthermore, a security expert will probably suggest that you or your IT staff monitor your network traffic and server logs for unusual activity, and apply security updates to your site, its plugins, and the underlying server software on a regular schedule rather than waiting for a problem. Disciplined adherence to basic security principles is often the best defense.


Who wrote the privacy policy and terms and conditions pages on your website?  Were they reviewed by your attorney? Many e-commerce businesses simply post generic terms and conditions that aren’t tailored to the needs of the business. If a lawsuit is brought, a court often will hold the business to the terms and conditions stated on the webpage.  Therefore, it is critical that the information be accurate and in the business owner’s favor.

The statements made on your website can subject you, as the owner of an e-commerce business, to liability. Your first step, before posting up your website pages, should be to have your Orange County business attorney review the pages to make sure no statements are made that could subject you to a lawsuit.

One of the most important terms on that page is the limitation of liability. This term caps the amount you could owe to a consumer or a third party if there is a claim that you committed some type of negligence or misconduct. Typically, an attorney will try to limit any liability to the value of your transaction with the customer. This way, for example, if you make a $2 sale to a customer, you will not be liable for millions of dollars if someone decides to sue. Your Orange County business attorney will know what limits of liability are reasonable and will be upheld by a court of law.

It is also extremely important to have a regularly updated and accurate privacy statement on your website. Your attorney can draft a detailed privacy statement for you, using the information provided by your security consultant. As mentioned above, you need to adhere to a commercially reasonable standard of security for your website and data storage.  Your privacy policy will summarize the standards you follow and disclose whether you share your customers’ data and with whom.


Various federal laws and regulations affect your e-commerce business, even if you only do business in the state of California.

  • Federal Trade Commission Regulations

Your website (and any print materials and emails) must comply with Federal Trade Commission (FTC) regulations. The FTC enforces federal consumer protection laws and has investigation and enforcement powers against businesses that make false or misleading statements through product descriptions, pricing, or services. The FTC also enforces the CAN-SPAM Act, which governs commercial email. If you send unsolicited ads to customers via email, you must state clearly that the email is an advertisement. You must include a working way for recipients to opt out of further emails, such as an email address to which they can send opt-out requests; that mechanism must remain active for at least 30 days after you send the original email, and you must honor opt-out requests within 10 business days. The physical address at which your e-commerce business receives mail must also be listed in the email so that anyone who receives it can contact you by mail, if they prefer. Be sure that nothing in the email is false or misleading, including the header information, the subject line, the address you sent it from, and the originating domain name and IP address in the routing information.

If you have a complaint from a client that something on your website or an advertisement was inaccurate, address it immediately, and then make a record of the incident. Attach printouts of any webpages or emails subject to the complaint.  If the FTC investigates you later, you will be glad to have a clear record of what happened.

  • Telephone Consumer Protection Act

Most business owners know that this Act restricts automated (robo) telemarketing calls to potential or current customers; however, you may not know that it also restricts unsolicited spam texts, which are treated as calls under the Act. Furthermore, text messages sent to individuals who have given their permission should always include opt-out information.

  • Children’s Online Privacy Protection Act

Under this statute, if your website is directed to children under 13, or if you have actual knowledge that you are collecting personal information from a child under 13, federal law requires that you obtain verifiable consent from a parent or guardian before collecting any personal data from that child. Parents must also be given the option to consent to the collection and use of their child's data without consenting to its disclosure to third parties. To show you are compliant with this law, add a disclosure to your privacy policy stating what information you collect from children, how it is used, and what steps you have taken to adhere to the Act.

  • Health Insurance Portability and Accountability Act

Most people are familiar with HIPAA because of the forms that they must sign at their doctors' offices. However, HIPAA can also affect e-commerce businesses: it applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to business associates that handle protected health information on their behalf. If healthcare figures into your e-commerce business at all, ask your business attorney whether HIPAA is implicated.

  • Gramm-Leach-Bliley Act

If your e-commerce business has any financial components, you must follow the special standards dictated by the Gramm-Leach-Bliley Act to protect client data. Its Safeguards Rule requires a written information security program to protect customer financial information, which goes above and beyond commercially reasonable website and data storage security standards. Its Privacy Rule additionally requires that you tell your customers what types of data you collect and how you share it, and that customers be able to opt out of having their information shared with non-affiliated third parties. Ask your Orange County business attorney what steps you should take to be Gramm-Leach-Bliley compliant.

Contact Us

These are just a few of many considerations that an e-commerce business owner must take into account in order to protect his or her business. Our Orange County business attorneys can discuss other concerns with you, specific to your particular industry. Call us, at 949-861-2524, to schedule a free, confidential case evaluation.
