Businessman on blurred background using antivirus to block a cyber attack 3D rendering

Malley’s Chocolate Data Debacle – How Sweet it Ain’t

Share this article

The history of American commerce is small business. Some of them grow to become very big businesses, and as you have seen over the years, it’s amazing how many Fortune 500 companies from 20 years ago, are no longer around in their former form. {Only 60 of the 1955 Fortune 500 remain operating}

It is true that: Every small business is in the cross hairs of cyber-crook-ery.

And it is also true that: A Small Business has fewer cash resources on hand to deal with a data breach.

Ergo, a breach can kill a small business including yours.

Maybe you are a mom and you received a box of chocolates from your offspring on Mother’s Day. Or, maybe you presented a box of sugary bliss to the mom(s) in your life.

Over in Cleveland, chocolate is unsweetened bitter-root for one small business where the headline read:

Malley’s Chocolates’ website hacked, 3,400 online customers’ card information breached

“It was awful,” Malley’s Chairman and co-owner Mike Malley said in an interview. “We take our customers’ privacy and security very seriously.”

If you take the time to read the full article (and the comments) on you’ll see some factoids that are, unfortunately, all too common in the growing scourge of SMB’s data disasters.

  1. The breached firm in this incident was notified about the breach by customers (or law enforcement, or the FBI or a reporter in other cases)
  2. The breached firm probably messed up its breach response as it relates to Ohio statutes.
  3. Apparently, the breached firm didn’t know what payment card date elements it needed to protect (like the security code?)
  4. In this era of booming e-commerce, no business can afford to be offline for even a few minutes, this incident caused the affected chocolatier to be fully off-line for four days.
  5. The article mentions one of the costs to this small business beyond being knocked offline – the cost of a call center to answer alarmed customers concerns. It does not mention the cost of the data breach notice letter mailings, and any Identity Theft or Reputation Management services the breached firm may also need to cover in an effort to regain customers TRUST. It also doesn’t mention any penalties or fines with which the firm may be confronted in terms of compliance with the PCI standards. How do these costs square with cash on hand?

Query – this is a sweet little business. Has grown to 23 locations. It’s a real American success story.

Presumably, the firm uses outside professionals – maybe a CPA, and a law firm, and an insurance agency, and an IT consulting firm, and perhaps it belongs to an association of independent business owners.

Is it possible that all those professionals and/or associations didn’t provide solid advice and counsel about data breach readiness, response and resilience?

Did the owner ignore the advice to further harden defenses?

We can’t know, nor can we know the minds of the reported 3,453 card owners who apparently lost control of their own payment card information thru no fault of their own. Will they forgive, or will they vote with their fingers and silently move their sweet tooth elsewhere?

Malley’s is back on line and no doubt garnered Mother’s Day orders. But, if one visits the e-commerce section of the business today to place an order and wonders about security while in the order placement process, one will find this message under the FAQ’s section:

“Is this a secure site?
Absolutely! This site is protected using the “Internet Standard” SSL 128 bit encryption.”

Be #CyberAware.

Kevin Keane, Esq
VP of Global Business Development and General Counsel at RPM Color Research, LLC
Kevin Keane, has more than 3 decades of experience facilitating success for entrepreneurs. He has been the president of a franchising company and the CEO of an international trade association. He is an attorney with a deep expertise in cyber law and privacy; franchising and licensing. He is a start company specialist and an investor and Board member in an array of cybersecurity and technology start-ups. Keane writes and speaks frequently on topics of interest, including such diverse areas as Augmented Reality, data breach preparation and response, and Interactive Retail. Keane is considered that rare lawyer who actually understands marketing. He speaks to hundreds of small business owners each year, in his patented fast, funny and furious manner.

Share this article