As if conducting business over the internet weren’t challenging enough, there is a new, critical factor to consider. On Sept. 23, customers of online retailer Thrive Cosmetics were informed by email that the sales platform the retailer uses to process transactions had experienced a data breach about one week earlier. That platform is Shopify.
Started in 2004, Shopify originally targeted sales of snowboarding gear. Now it has grown into one of the most prominent sales platforms, hosting more than 325,000 online shops for both individual sellers and huge companies like Google and Tesla.
Being big has its ups and downs. You can count security issues as a down, especially when the norms for online security and fraud response are still essentially in development. When mega-retailer Target joined banking giant Capital One, food delivery service DoorDash, and even credit reporting agency Equifax as victims of a series of massive data breaches exposing various ranges of customer information, each responded in a manner ranging from timely to unacceptably delayed. The public and media outlets took swipes, and rightfully so.
Shopify’s recent breach raises questions of whether there has been transparency at all. The company has not responded to media inquiries for further details on how many customers were affected and what level of data was exposed. Shopify ultimately confirmed the breach more than a week after it happened, explaining that two “rogue members” lifted customer data from at least 100, but less than 200, merchants.
Information released indicates that only names, addresses, and order details were accessed. But follow-up reporting and information from merchants shows the last four digits of credit cards were included in the breach.
Seasoned ecommerce merchants likely have studied up on the various legal aspects and regulations related to the collection of consumer information, financial and otherwise. There are laws in place, both in the United States Code and in individual state statutes, with rather harsh consequences for violators.
Those of you who are small-time sellers might have given this issue a thought, but not taken the time or effort to determine whether you are in compliance. That’s a big mistake.
Data protection is shaping up to be one of the most pressing factors of online activity in the 21st century. Even with private entities developing new protective technologies as quickly as they can, it all goes awry when cracks form and bad actors find new ways in, leaving those same virtual guardians to patch yet another hole.
Online merchants face complicated, unusual challenges due to their lack of visibility into and control over the external services administering their websites, including the type and volume of data those services collect. Even if you believe you have an agreement with a third party, that doesn’t mean it isn’t farming out some of its duties to a fourth party with which you have no contractual relationship at all.