
Running head: A LEGAL EXAMINATION OF A PROPOSAL 1

A Legal Examination of a Proposal

Christopher Richmond

BSA 310

July 30th, 2012

Jack Davis

o Keep your analysis focused on the requested concerns, not the project itself. Your paper should focus on making management aware of the issues that must be addressed in the new system and should not directly cover the implementation process.

o Include in your description how this information system has an effect on the organizational structure.

o Frequent Shopper Program (Revenue Increase): Kudler's new initiative is tracking purchase behavior at the individual customer level and providing high-value incentives through a partnership with a loyalty points program. The customer purchase behavior patterns will help Kudler refine its processes and offerings to best satisfy their valued customers. Price is not the primary differentiating factor for Kudler consumers; these consumers are focused on quality and finding specialized items. Therefore, rather than providing everyday discounts to customers for their purchase frequency like lower-end markets, Kudler has partnered with a loyalty points program to provide customers with points which can be redeemed for high-end gift items, airline first-class upgrades, or other specialty foods.

o Historically, Kudler Fine Foods has tracked information such as dollar value and
profit margin per transaction, dollar sales and profit levels by day, and dollar
sales and profit margins by item. However, in an effort to leverage the
information to create a more intimate relationship with their customers, the
firm is integrating a system to track customer purchase behavior over time.
The firm is in the process of developing this system now.

POINTS

o Data

Customer Purchases

Information Sharing

Opt Out Provisions

Data Selling

NTN

System Integrity (what happens if the system goes down)



Frequent Shopper Program

Customer Name

Address

Purchase History

Phone Number (for reference)

Legal

Privacy

Information Security

State Law

Federal Law

o HIPAA

o Sarbanes-Oxley

o Computer Security Act of 1987

Data forms

How it is secured

Ethical

Intrusiveness

Alienating

Customer Sameness (Equal treatment)

Information Security

Liability concerns

Identity Theft

Cost

Legal Examination of a Proposal

Introduction

The road to hell is paved with good intentions. This is an important philosophy to keep in mind when examining a project's goals and structure. For a business to remain competitive it must adapt to meet the needs and expectations of its customers; however, a business must also conduct itself in accordance with the legal and moral behavior expected of it. Failing to do so can result in lost sales, fines, and in some cases jail time. Customers and regulators are not likely to be concerned with intent if a system, and consequently the information stored on it, is compromised. In order to help Kudler Fine Foods implement a successful customer rewards program, this document will explain the various legal, ethical, and security concerns that must be addressed.

Overview (Project Description, Goals, What Must Be Addressed)

The program that Kudler Fine Foods is working to implement will collect customer shopping data and use it to track behavior and also to reward customers through a third-party reward program that will give customers high-value incentives. A program of this type requires a variety of systems working together, such as registers, central databases for storing customer personal information and activity, and software that is capable of adding records, removing records, editing records, and evaluating the records to determine rewards.

Information Security (Discuss what Data is, Hackers, Business Opponents Law)

*Example!

A business will generally not be praised for not selling a customer's data or for having the fewest security breaches. It does, however, carry all the responsibility for any fallout from a breach.

In order to support an overall information security program, Kudler must implement an information security policy. Simply stated, the goals of the security program are to deter, detect, and defend. Data kept by the business must be kept secure. The goals of information security are to ensure that data is accessible by those who need it, when they need it, and to prevent unauthorized individuals from accessing this information.

What is Data

o Three Ds

Why

o Legal dangers

State Law

In some cases the laws of states outside of your current location may place requirements on that data based on the state the person is from. An example is the Massachusetts law 201 CMR 17.00. It was passed in 2008 and requires all businesses that own or license information on a resident of Massachusetts to keep that information secure, regardless of the medium the data is stored in.

Penalties are structured in such a way to ensure that the risk of being caught coupled with the financial loss completely overshadows any gains a business might achieve by purposefully or accidentally ignoring the law.

The cost to business is quite steep; in 2010 the average incident cost a business $7.2 million (Riddell, 2011).

Federal Laws

Spam laws

Opt-out?

o Ethical problems

Hurts the customer - Although the total financial cost of identity theft was nearly $17.3 billion over a 2-year period, nearly a quarter (23%) of identity theft victims suffered an out-of-pocket financial loss from the victimization. (Cite GOV)

Acting without explicit consent

Sharing data

Breach of customer trust

Loss of business

Customers' expectation of privacy

Who would abuse it

o Hackers

o Business Opponents

o Identity Thieves

How they abuse it



o Delete

o Distort

o Steal

How to protect it

o Passwords

o Authorizations

o Encryption

o Policy on handling data

o Properly transmit (plain text is bad)

Reinforce business goals, policies

o Written agreements

o Consensus about dangers of abuse communicated to employees

Data Considerations

Information for this system will go through a process; each step should be examined and verified to ensure proper security procedures are being followed. The basic steps that need to be considered are:

Gathering

Transmittal

Storing

Editing

Auditing

Redemption

3rd Party Access

Input

How is the data collected? An application is filled out by the customer and the information is then entered by the store associate; the applicant enrolls directly at a kiosk or similar input system; or the information is gathered verbally from the customer by an employee. What assurances will be made to the customer to indicate that their data will not be sold or shared without their consent?

Transmittal

How information is transferred between systems, and the state of the information while in transit, is an important aspect of data security. Will the information be transferred over intranets only, or over the internet? Will the local networks be hard-wired or use wireless technology? Is the information encrypted before it is transmitted, and if so, what techniques will be used?

Storage

What type of database will house the information? SQL or Access? How is access to the database granted?

Edit

Who can modify the database? Who can see it? What information is displayed in plain text? What information is obscured, such as a customer's account password used to access their reward system?

Auditing

What type of reports will be run to validate the information? What kind of logs will be kept to track access to the site, both to look out for abuse and to comply with legal inquiries? What type of thresholds might be set to warn administration about unusual activity?

Third Party

What third parties will have access to the database, and in what format? The third-party reward point company? The customer via an internet connection to check on rewards?

Future Considerations

Will information be sold or shared with partner businesses?

We need to consider the points where information is touched and by whom.

Add Records

Modify Records

Remove Records

Evaluate records for reward

o Example

o Comparison, recent examples of data breach

Ethical

Information Security

Conclusion

Although it is cliché, it really has never been as important as it is now for a business to protect itself by developing and implementing a strong and responsible plan to protect the data it stores. Assessing the security concerns described here will ensure the rewards program is not a liability but an asset. Although it is virtually impossible to eliminate all of the risk involved, these steps will eliminate a great deal of it.

References

Commonwealth of Massachusetts. (2012). 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth. Retrieved from http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

Element K Corporation. (2012). Security Awareness (Second Edition) (Part 1): Protecting Information and Counteracting Social Engineering [Multimedia]. Retrieved from Element K Corporation, BSA310 website.

Langton, L., & Planty, M. (2010). Victims of Identity Theft, 2008. Retrieved from http://www.bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=2222

Riddell, K. (2011). Security-Breach Costs Climb 7% to $7.2 Million per Incident. Retrieved from http://www.bloomberg.com/news/2011-03-08/security-breach-costs-climb-7-to-7-2-million-per-incident.html
