Adam Myers
Hello and welcome to our podcast Tales from the CyberLab. My name’s Adam Myers, I’m joined today by Bridget Green from LegalEdge. Today we’re discussing E-Commerce Law and Security – and what a session we have lined up, which I’m really looking forward to. So welcome, Bridget. Can you just tell us a little bit about your role and what you do at LegalEdge?
Bridget Green
Yes, absolutely. So I am a lawyer by trade. I qualified in private practice but moved in-house pretty shortly after having qualified. And I’ve worked predominantly for my entire career with consumer facing e-commerce businesses. Currently I work as a fractional in-house lawyer for a number of SMEs all within the e-commerce space.
Adam Myers
Amazing. Yeah. Yeah. I actually did a live hack very recently at an e-commerce event, and we sort of did things like SQL injection hacks and whatever. And it was a really interesting session. I learned quite a lot from what ethical hackers are actually able to do and demonstrate. So I guess e-commerce – it’s a huge cyber target and we see that, and I guess we’re going to run through why we’re seeing a rise in this, but we’re seeing things such as payment fraud rise, the exfiltration of data that is then sold on the dark web. If you gain access to an e-commerce site, you can do things like change pricing, gain access with privileged access and malware in surgery.
We saw a big hack if anyone joined some of our events where we can demonstrate how that happened. So today to be a really interesting topical conversation, I hope a lot of people gain a lot of insight from the podcast today, so looking forward to it. So I guess the first topic, sort of assessing the e-commerce landscape is from a legal perspective, what are the biggest risks for e-commerce businesses when it comes to cyber threats?
Bridget Green
So I think I’d say there were sort of four key heads of cyber attacks that e-commerce businesses regularly encounter. One would be payment fraud. So effectively criminals stealing your customer’s payment details at the point of sale on your website or via your app. A second would be phishing. So that is where criminals pose and trick your staff into sharing data, whether it’s bank accounts, et cetera, by posing as, say your payroll department or one of your senior leaders, a third is ransomware.
So that is where third parties use malicious software to effectively block the functionality of your site. So to effectively stop you being able to trade, to make sales and then hold you to ransom, literally demand a sum of money to be able to release your business back to you. And finally, one that everybody is pretty familiar with is web hacking, which is effectively where hackers will sort of infiltrate the backend of your systems and steal large quantities of your customer data.
Adam Myers
And if anyone does actually want to see that live in person, as I said, we do do the live hack and we have based one around an e-commerce setup and it’s a do shop and we simulate how we can maybe put malicious code into those attacks as well. And we also, I think just to add onto that, what I’m seeing is a big rise in DDoS attacks as well. So I think being in the industry 10, 15 years ago, that’s definitely on the rise and I see that more and more in the news. So yeah, very interesting. Those four key areas that you mentioned.
Bridget Green
Yeah, absolutely. And I think the big thing that brands are facing is the consequential reputational risk. The idea being that if you’re selling something to a customer online, that customer really has to trust your processes. They’re giving over their financial data, they want to know that they’re doing it, they’re giving it to somebody with a safe pair of hands. So there’s the reputational element and then obviously the financial one of lost sales or fines or class actions that can be brought against you if you fail to meet your obligations to them as a brand.
Adam Myers
Yeah, definitely. Yeah. And do you have any sort of real world examples that you’ve seen this in at all? I dunno if you’re exposed to that or you’ve seen some of these in.
Bridget Green
Yeah, you know what, a lot of it is managed by your – if you are in a big enterprise with sort of long reaching arms, it’s often managed by the cyber security teams. But certainly in my history, I’ve seen ransomware used quite a lot against companies where they do literally demand a sum of money in order to release data back to you or release access to your systems back to you. Historically, often brands would pay that ransom because the impact would be so consequential for them and their business.
The other one that I see regularly that’s perhaps lower level, but you do see it a lot, is just emails that purport to be from your payroll team asking you to update your bank details and they’re just trying to steal your personal data. And I think the risk there really is having a sophisticated enough employee base that they’re able to recognise it and not share that data and open the company up to real risk.
Adam Myers
Yeah, we do do phishing simulation training through our control platform as well, and we kind of teach that, but also just from talking to various finance teams, where I’ve worked is setting up manual processes as well for that type of attack where you might just double check on teams, for example, did you actually send me this invoice for payment? And sometimes just putting those sort of analogue and manual processes in just really help with the example that you actually mentioned.
So very prevalent that we see those type of attacks. Just trying to, I guess the social engineering side and pretending to be someone and impersonate is often how they would get around those systems as such. So yeah.
Bridget Green
Yeah, no, I think that’s right. And I think to be fair, I think I’ve seen a sort of a shift in employee knowledge and people are better these days at recognising it. There’s a lot more out there in the news and just generally about how to protect in your personal life against these things, and they bring that into the office and they’re better now identifying, but things slip through the net and definitely in every business I’ve ever worked for, something’s got through the net and there’s been risks.
Adam Myers
Yeah, definitely. I think the human side of cyber security can often be your biggest defence if you get it right through training. So yeah, really interesting that you mentioned that point. Just moving on to the second topic, which I think is quite relevant for a lot of organisations, especially those transacting through websites and whatnot, is I guess payments and PCI DSS compliance.
So from your perspective, how important is PCI DSS compliance and what are the legal implications if an e-commerce business doesn’t meet those standards, for example?
Bridget Green
Yeah, so PCI DSS is effectively a set of rules and security standards that companies need to use in order to protect payment card transactions effectively, stopping criminals stealing their customers’ details. It is fundamental, I think, if you are running an e-commerce site that you comply with this series of standards. There is a regulatory body called the PCI Security Standards Council, and they do not actually have the power, unlike a lot of regulators, to fine a company directly if they fail to comply, but they have passed on compliance to payment card brands and acquiring banks.
They have the power to fine businesses that don’t comply with these sets of standards. And those are pretty chunky fines. I think it’s something between 4,000 pounds to a hundred thousand pounds a month or something if you’re failing to comply with those standards. And those fines can escalate if you are a repeat offender in effect, and they can also increase their transaction fees. So it becomes harder and harder for you to trade as a business. Any e-commerce site with a reputation will be complying.
It’s actually not as difficult as all that to comply because most people outsource that responsibility, their payment providers like PayPal or Stripe or somebody, industry experts who take on the compliance regulation. So it’s actually easier to, it sounds very scary and it’s a scary body of technical requirements, especially if you’re a startup, but you generally just pass the technical compliance onto somebody else. That doesn’t mean that you divest yourself of all legal compliance, but providing you are engaging with an upstanding well-known provider, you should be okay.
Adam Myers
Yeah. Again, just like listening to you talk, then there’s obviously a lot to it, and I guess for businesses understanding where they should start that journey, I know that, and we do a various assessment through our penetration testing team in terms of PCI DSS compliance and how we can maybe help on that journey as well and sort of getting you ready for those assessments and whatnot.
So very interesting. But yeah, I think you touched upon a few things there, which is really interesting for me to listen to. And I guess in terms of the fines and breach risks, you mentioned that they’re quite some hefty fines, aren’t they? From what you said, was it £4,000?
Bridget Green
So anywhere between £4,000 to £100,000, but £100,000 a month would be a very, very serious breach. And they’re levied by the payment card brands themselves. So whilst they may fine, if you are an SME, if you are not Co-op or someone, the reality is they’re more likely to either increase your transaction fees or just stop working with you, which would effectively bring your business to a grinding halt. So it’s not something to be ignored at all.
But the best form of defence for a smaller growth company is to engage a third party who is well renowned for their security compliance. And as they grow, it becomes more of an issue as you grow as a business and you might want to in-house some of those responsibilities, then you’re going to have to have a cyber security team and experts internally who really understand the technical measures required to comply.
Adam Myers
Yeah, sounds like a top tip there and takeaway, doesn’t it? That’s sort of the third party element and introducing that as businesses can maybe take away from that at that point, which is very interesting and I’ve learned a lot there. So thank you very much. So we’ll talk a little bit around contracts and supply of security. So I guess things like supply chain as well as we see this on the rise more and more the rise of exploiting weaknesses within the supply chain. So I guess the next topic is when e-commerce businesses work with a third party provider, how can they protect themselves legally through contracts in that space?
Bridget Green
Yeah, I think this is the biggest risk, especially in the e-commerce space because as e-commerce grows, you see an awful lot of third party providers that e-commerce platforms outsource to because they can’t in-house all that level of expertise and service providers. So as a structure, e-commerce sites and technical infrastructures are quite complicated. They use a lot of third parties, and those third parties are often the core weaknesses within their business. And I think the thing to understand is that there’s a key interplay here between compliance from an IT security perspective and then the legal bit that sits alongside it. So that’s often two separate teams within your business or two separate individuals who take responsibility for this. So the sort of front end of it is the due diligence element and it’s the cyber team, the IT team people who understand what good cyber security looks like, who can then interrogate what the third party is doing to ensure that they’re meeting basic requirements and they’re utilising appropriate technical measures to protect the business.
And then they pass on to the legal team who will put things within the contract to manage that risk. So that will be things like provisions that say that that third party must comply with data protection law, that they must have baseline cyber security processes, that if they do breach the contract or they do breach the law and it results in your business losing money, how much of that financial liability are they going to take and how you would manage that. So what their responsibilities would be if there was an incident: how quickly they have to report to you, what they have to tell you, et cetera. It’s quite thorny.
And I think the biggest difficulty for businesses that I see is, again, in that SME space, if you are a big company: an M&S or a Co-op – you are going to have both the sophistication, the internal resourcing and the commercial legal clout to be able to negotiate with third party providers to land to get where you need to be to really protect the risk within your business. But what you see for smaller providers is that they don’t either, they don’t have the expertise to really understand what those third parties are doing with data or with your systems, or they don’t have the legal clout, commercial clout to be able to say, actually, no, we don’t accept your standard terms. We need this in order to be able to contract with you. And that is, it’s a problem that there’s no easy solution to.
That takes a commercial pragmatic approach to risk, and it takes a really good understanding of where your core risks are and where your baseline positions on certain issues are to make sure that you’re really targeting your approach and that you don’t effectively mean that you can’t partner up with third parties because their terms don’t work for you. So that’s the risk. But then even with all that under your belt, you still see the likes of M&S getting these huge breaches caused by contractors, caused by third parties, and they do have all the resources in the world. So I think it’s really important that businesses understand that there’s no version of the world where they have no risk and that they completely eliminate all risk of cyber-attacks. There’s always going to be a risk.
They’re very sophisticated, they’re continually growing in their sophistication. It’s just about really understanding the risks that apply to you and taking reasonable commercial efforts to manage them in line with the size and the clout that you have as a business.
Adam Myers
Yeah, very interesting. I guess it’s similar with acquisition for example. We see that a lot where you might be going through an acquisition of a business and merging businesses together. And again, it’s a similar thing when you go in in terms of the risks associated, what you need to look at from those cyber responsibilities.
And we do actually provide our Threat Detect platform, which is a really good way of looking for known vulnerabilities against domains, IP addresses and whatnot. And it might just be a starting point along with the various assessments that you mentioned there in managing risk across supply chains, and I think it applies in that space as well to maybe acquisitions.
Bridget Green
Yeah, it is a multifaceted approach basically, and it’s the case that you need to be aware of the risks to then make sure that multiple areas of your business are then taking the steps they need to, and whether that’s outsourcing to lawyers or having somebody internally who can manage all the different strengths, but it doesn’t sit within the legal team exclusively, and that’s the tricky bit.
You’ve got to make sure as an internal lawyer that you have really good relationships with the people who have the knowledge and the expertise and the relationships and who are entering the contracts, et cetera, to make sure that you can get into a position that you’re comfortable with. It may not be the perfect position, but one where you are comfortably managing the business’s risk.
Adam Myers
Amazing. Yeah, amazing advice there. Very interesting. We go into our next topic, which is I guess around building resilience from a proactive legal and cyber perspective. So what legal steps should e-commerce businesses take to proactively prepare for cyber incidents and not just to react to them? I see this quite a lot where a lot of people won’t even test their incident response plan, they get breached or hit, and it’s probably an action where they’ve just never tested that response plan. So I guess what do you see there and how organisations can go about that?
Bridget Green
Yeah, so one thing we did touch on at the beginning is that I also have, I wear an HR hat a lot of my time, and I think actually a lot of this falls within that interplay again between cyber and IT teams and HR teams, because it really all comes down to the understanding of the employee base, what they understand, what they know, whether they’re following the internal rules that you’ve got and how much it is at the forefront of people’s minds. So yes, obviously a baseline position is you’ve got to have an incident response plan.
What do you do if you get an attack? Who do you contact within the team? Who’s going to do what, how do you isolate and minimise the risk? And then how do you gather the information that you need to, say, talk to regulators with, et cetera. And you need internal policies and training and monitoring to make sure that people are not just reading it when they join a company, putting it in a drawer and forgetting it ever existed, and then just carrying on their daily lives, which is what I see an awful lot of businesses doing.
The other element is that due diligence piece. So we talked about when you’re entering into a relationship with a third party, you’ve got to do your due diligence first before you think about contracts. Again, you need to be able to evidence your due diligence if there’s been an incident. So the regulators that may come and look at you and see, are you actually taking the steps and doing sensible things to prevent an attack? And the only way to do that is to be able to slap down a big file on their desk and say, well, look at all the things we’ve been doing.
We’ve been doing penetration testing. We asked all of these questions of our suppliers. We said this was our baseline. We use multi-factor authentication. Whatever it is, you need to keep records and keep them close at hand so that you can get to ’em quickly in the case of an issue. And that’s it really. Again, it’s not really, it is about doing what you can to prevent an attack, but it’s also being prepared in the event that there is an attack so that you can sort of ward off claims from customers, regulators, et cetera.
Adam Myers
Yeah, I like the evidence side of things that you talk about, that’s something new I’ve learned, being able to demonstrate that and share that you have gone through things like an annual penetration test, or you may have introduced a new system that potentially might, from a development or vulnerability perspective, have introduced risk into the business. So again, just being able to demonstrate that you might have done an application test, for example, it’s key that you can do that and keeping note of that.
Bridget Green
Yeah. And if you think about it from a sort of a data protection, not just cyber security, but a protection of your people’s personal data, the law actually requires you to do certain things. You’ve got to keep a record of where you’re sharing personal data. You’ve got to keep a record of the measures that you’re using and that you’re not keeping the data too long, et cetera.
So there are laws there that specifically require specific things. Cyber security attacks are slightly to the side of that, but it’s the same principle. You’ve got to be able to report to the regulator for data breaches within a pretty short shrift – within 72 hours. You’ve got to give them a lot of information about it. So you want to have that at your fingertips so that you at least look like you’re on top of things.
Adam Myers
Yeah, definitely. And I guess just from, say you were to post-incident, there’s some learnings there, isn’t there from maybe some of your customers that you’ve had and the role of transparency, what’s your view on that if there is an incident and how you share that and talk to your customers or?
Bridget Green
Yeah, I mean, it’s a case by case. As a lawyer, I can’t say that transparency is always necessarily where we would go, but from a reputation perspective, and given the knowledge that your average person has now compared to say, five, 10 years ago, I think you are going to do better. If you are cards on the table, we have this breach. We actually do take this really seriously. We’ve taken learnings, we are doing this, we’re investing this in our investment structure, in our infrastructure, sorry, et cetera, then I think you’re going to manage your reputation, the reputational risk better.
But equally, again, if you’re in that SME space, there is risk that you will be taking on as a company because it’s inevitable. You cannot do business in this world without taking some risk on, and it’s not that you shouldn’t be transparent, but you are going to manage your message to customers at the end of the day. And that’s just hands on heart the reality of the situation. So you will need PR people on board to help you in the event of a big breach because they will help you craft that message.
Adam Myers
Yeah, very good advice there. So yeah, good take on that post-incident response as well, which is brilliant. Just going into our final topic, so what are some of your top legal and cybersecurity tips for e-commerce owners who want to strengthen their protection?
Bridget Green
So it starts with, as everything always does with a risk assessment, right? It’s about understanding where your risk lies. And there are a trillion companies out there that would offer cyber risk assessments for you. And again, it’s something that you need to do as you grow intermittently. So where your risk sits may shift as your infrastructure shifts.
You’ve got to be doing those risk assessments to prioritise your approach to managing your risk. There are really simple things that if a company isn’t doing or if your employer isn’t doing, then it should be raising alarm bells such as ensuring that all their employees have strong passwords, they use multifactor authentication, all of that sort of thing. And then in a purely legal sense, when it comes to the contract piece, I mentioned earlier that if you are a big enterprise player, then you can probably work off your own contracts and your own baseline terms and conditions.
But if you’re a smaller player, it’s very possible probable that you will go to a third party provider who will say, well, these are our terms and conditions. We’ve linked them to pricing. So if you are only paying this much, we are only going to offer you this much legal protection and there’s not a great deal you can do about that other than seek legal advice, whether from an internal legal person or externally to understand what your baseline positions should be.
I.e., we should never contract with a third party who doesn’t at least offer X, Y, Z. And it’s something I see not happen an awful lot because you’ve got sales guys, commercial people who want to get the deal done, who want to use X, Y, Z company because they offer the best services, and it’ll come to legal and they’ll go, do you know what?
They’re really not standing behind these services. They’re not offering the level of protection that they really should. And I guess from a legal perspective, it’s about making sure that there is a bottom point and you’re not going to enter into a relationship that doesn’t achieve that, at least without sign off from somebody very senior within the business. So it’s about establishing those rules and making sure that your employees and your people really understand what those rules are and why they’re there so that they don’t then try and work around them and open the business up to risk.
Adam Myers
Yeah, it feels like we’re getting to a point where to trade and transact with organisations, you’re going to get to these points where hopefully in the near future where there is a standard that you have to make sure you follow when it comes to that. So that we protect each other in a way, isn’t it, through making sure everything is as we expect.
Bridget Green
Yeah, and I think there are what we would consider standard positions for an industry. The problem that you have with, say, software as a service industries is that they’ve sort of tied them up in the way that they have a baseline legal position, they all have that legal position, and they’re effectively reducing competition so that businesses can’t shop around. They all take that stance and that stance will be, we will only take X amount of risk and you’ll have to bear the rest.
So yes, yes and no. I think that it’s work in progress. I think as AI develops for businesses, there’s going to be more of an alignment amongst legal terms and legal provisions so that businesses are working with great assurance as to what they get, but we’re not quite there yet.
Adam Myers
Yeah, AI is evolving at a rough rate. That’s literally just what we’ve been discussing around data loss prevention within AI and how it’s helping us grow as an organisation as well. So that was a big topic at Secure Tour, which we’ve just done across those four locations. Just as well, you mentioned around the cyber, but a risk assessment – for our listeners who are listening in, it is a very interesting one. We do a cyber posture assessment, which is benchmarking your organisation against the NCSC’s 10 Steps guide for good cybersecurity practice. So that’s something I think I’d highly recommend.
It’s a free service that we take you through with our engineers, take about an hour or so, and then you’ll get a nice report that will just show where your strengths and weaknesses are and then benchmark you against the industry standards. So again, it’s something that any of our listeners can maybe reach out to us and we’ll make sure we can set you up with that. But it’s something definitely to start with. And just as Bridget was saying something that I think will really help a lot of organisations with their strategy in this year. So just as we wrap things up, this has been a really interesting podcast for me to learn as well. So it’s been brilliant. So thank you, Bridget. If there’s one piece of advice you could provide to e-commerce businesses in 2025, what would it be?
Bridget Green
I read a quote actually recently that, don’t ask me where, but it said that the new generation of cyber criminals doesn’t break down doors. It logs in through the front. And I guess the point they’re making there is that it’s not really traditional web hacking that is the biggest threat now for e-commerce. It’s this social engineering where they trick people, your employees, largely into giving them access.
And I think the biggest takeaway for me from that quote and from things that have happened recently with M&S and other big retailers, is that training and internal knowledge is absolutely key because, as we mentioned earlier, it is going to be your employees who identify these things first often, and they are your greatest protection against these risks. So it shouldn’t be put away in a drawer. It’s got to be something that everybody’s thinking about constantly, and that’s going to be your best form of defence.
Adam Myers
Amazing. What a great answer to wrap things up. So I want to just say a big thank you to Bridget for joining us and everyone who has joined in this episode of Tales from the CyberLab. I’m really looking forward to our next episode, which is going to be on Copilot and the adoption of AI, as we discussed at Secure Tour for any of our clients who joined us. So until then – stay secure.