Who to inform about online business not requiring authorization?
March 17, 2017 8:34 AM Subscribe
I found rather accidentally an online business does not require authorization to view Order Information if you know the Order number. The information includes billing address, shipping address, phone number, email address, item's ordered, and price paid. I'm going to contact the business, but who else should I contact? Is there some governing body in charge of verifying things like this? The BBB?
They use Norton Shopping Guarantee, PayPal, BBB Accredited business, not sure if any of these should be notified?
They use Norton Shopping Guarantee, PayPal, BBB Accredited business, not sure if any of these should be notified?
Response by poster: Sorry for the follow up, to narrow the scope of my question - I don't want to damage the business's reputation or anything, I'm specifically wondering if there is another entity to inform, such that this entity would then be responsible for ensuring the business fixes the problem.
posted by czytm at 8:56 AM on March 17, 2017 [2 favorites]
posted by czytm at 8:56 AM on March 17, 2017 [2 favorites]
Best answer: The BBB is a subscription service that the business pays to be a part of. They have no legal authority over what a business does or does not do.
You could contact your state dept of consumer affairs.
posted by vignettist at 8:56 AM on March 17, 2017 [4 favorites]
You could contact your state dept of consumer affairs.
posted by vignettist at 8:56 AM on March 17, 2017 [4 favorites]
Is there a reason you don't want to contact them directly? If it is a small business, they just might not be informed enough. Years ago I contacted a rather good sized business with similar information. They corrected it and everything was fine. A lot of businesses don't start out online, and can easily make (many) mistakes.
posted by Vaike at 9:21 AM on March 17, 2017
posted by Vaike at 9:21 AM on March 17, 2017
Best answer: There's a link to report data privacy concerns to the FTC on this page.
posted by praemunire at 10:56 AM on March 17, 2017
posted by praemunire at 10:56 AM on March 17, 2017
Best answer: such that this entity would then be responsible for ensuring the business fixes the problem
This isn't possible. You can report it to the relevant agency--IF there even is a relevant agency--but it's completely up to them whether they want to do anything about it.
I've filed complaints with the FTC where I handed them screenshots and cites to the rule that was clearly being violated, but nothing ever came of it.
But you can try. In addition to the FTC you can also try your state attorney general.
It would be helpful in making your complaint to check whether the retailer has a privacy policy and whether they are violating it. In addition, are you actually the harmed party (i.e. your info is susceptible)? That will strengthen your complaint and make it more of a tangible concern as opposed to just a random report.
posted by mama casserole at 11:01 AM on March 17, 2017 [1 favorite]
This isn't possible. You can report it to the relevant agency--IF there even is a relevant agency--but it's completely up to them whether they want to do anything about it.
I've filed complaints with the FTC where I handed them screenshots and cites to the rule that was clearly being violated, but nothing ever came of it.
But you can try. In addition to the FTC you can also try your state attorney general.
It would be helpful in making your complaint to check whether the retailer has a privacy policy and whether they are violating it. In addition, are you actually the harmed party (i.e. your info is susceptible)? That will strengthen your complaint and make it more of a tangible concern as opposed to just a random report.
posted by mama casserole at 11:01 AM on March 17, 2017 [1 favorite]
> I don't want to damage the business's reputation or anything
It's their carelessness in handling customers' personal information that is behind any risk of damaging their reputation -- this is all on them. You'd just be the messenger, if you chose to point it out. And I would report, first to them directly, and see what kind of response you're given.
Then review all the third-parties that they list like Shopping Guarantee, see exactly what those businesses and organizations say that their badge appearing on a site is supposed to guarantee. If you feel the site, as it exists now, doesn't meet that guarantee, call it to their attention, regardless of how the store responds. They should know that whatever screening and verification they do on sites that carry their seal of approval didn't cut it in this case.
posted by radwolf76 at 11:03 AM on March 17, 2017 [1 favorite]
It's their carelessness in handling customers' personal information that is behind any risk of damaging their reputation -- this is all on them. You'd just be the messenger, if you chose to point it out. And I would report, first to them directly, and see what kind of response you're given.
Then review all the third-parties that they list like Shopping Guarantee, see exactly what those businesses and organizations say that their badge appearing on a site is supposed to guarantee. If you feel the site, as it exists now, doesn't meet that guarantee, call it to their attention, regardless of how the store responds. They should know that whatever screening and verification they do on sites that carry their seal of approval didn't cut it in this case.
posted by radwolf76 at 11:03 AM on March 17, 2017 [1 favorite]
It's a mom and pop business with a ten-year-old website. I can tell by the reference to "Norton Shopping Guarantee" and "BBB Accredited." Those badges typically appear next to the one that says "Works best with Microsoft Explorer 6."
There is no central agency that is going to make all mom and pop businesses comply to best practices (which even the biggest/best internet businesses don't entirely agree on).
There IS a standard on certain security practices, i.e. PCI compliance (https://www.pcisecuritystandards.org/). It has some force in that a major merchant is going to comply with it due to their merchant banking relationships, and an external audit is required. For most smaller businesses it's somewhere between "What's PCI?" and a handwave document (SAQ C) where you answer all the questions (self-report) on your site, tell your bank you've done the paperwork, and hope for the best.
Unless you've actually been damaged by this behavior in some way and have grounds for a suit, your sole remedy is to not buy from the site again. If you want to contact the business and let them know it does that, that's probably the best course, but expect to have an excruciatingly ignorant conversation...
posted by randomkeystrike at 12:34 PM on March 17, 2017 [5 favorites]
There is no central agency that is going to make all mom and pop businesses comply to best practices (which even the biggest/best internet businesses don't entirely agree on).
There IS a standard on certain security practices, i.e. PCI compliance (https://www.pcisecuritystandards.org/). It has some force in that a major merchant is going to comply with it due to their merchant banking relationships, and an external audit is required. For most smaller businesses it's somewhere between "What's PCI?" and a handwave document (SAQ C) where you answer all the questions (self-report) on your site, tell your bank you've done the paperwork, and hope for the best.
Unless you've actually been damaged by this behavior in some way and have grounds for a suit, your sole remedy is to not buy from the site again. If you want to contact the business and let them know it does that, that's probably the best course, but expect to have an excruciatingly ignorant conversation...
posted by randomkeystrike at 12:34 PM on March 17, 2017 [5 favorites]
your sole remedy is to not buy from the site again.
I would also suggest, that once you have received your product, if they haven't fixed the vulnerability, badgering them to change your own personal contact information for that order number in their database, so that if and when they do get hacked, you're not vulnerable.
posted by radwolf76 at 4:27 PM on March 17, 2017
I would also suggest, that once you have received your product, if they haven't fixed the vulnerability, badgering them to change your own personal contact information for that order number in their database, so that if and when they do get hacked, you're not vulnerable.
posted by radwolf76 at 4:27 PM on March 17, 2017
Understandable, but 9 out of 10 of these businesses would not know how to do that. Not even kidding.
posted by randomkeystrike at 5:58 PM on March 17, 2017 [2 favorites]
posted by randomkeystrike at 5:58 PM on March 17, 2017 [2 favorites]
There have been cases where the person informing a business of a similar issue has been accused of hacking the site. You are putting yourself at risk by letting them know, unless you can do so anonymously.
posted by Sophont at 8:56 PM on March 17, 2017 [1 favorite]
posted by Sophont at 8:56 PM on March 17, 2017 [1 favorite]
Seconding the suggestion to inform them anonymously. Y'know, just in case.
posted by gakiko at 1:23 AM on March 19, 2017
posted by gakiko at 1:23 AM on March 19, 2017
This thread is closed to new comments.
posted by schroedingersgirl at 8:50 AM on March 17, 2017 [1 favorite]