It is important for any business to understand the nature of risk associated with the conduct of its operations. This is true for online companies, as well as for more traditional person-to-person retail operations in a brick-and-mortar store. Attempting to operate a business without exercising what is often called “due diligence” with respect to pertinent laws always carries considerable risk, as failing to observe such laws, whether the business owner was cognizant of the law or not, can entail a great deal of inconvenience and expense. The old adage that “ignorance of the law is no excuse” remains pertinent.
All companies that process electronic payment and customer identification information are vulnerable to some degree, especially in the modern age when computer hacking is a daily risk for many corporations. Online operations are at greater risk in that all of their transactions are conducted online. In some types of business operations, especially in the healthcare industry, where protection of customer personal information is of paramount legal and moral importance, there is usually an attempt, to the extent possible, to keep confidential information offline or, at a minimum, secured within an intranet. Violations of privacy laws are a serious reputational and legal matter for hospitals, for example, and the more business, financial or other, that is conducted online, the greater the risk of inadvertent exposure.
In addition to the risks associated with the accidental exposure of confidential customer information, online business operations are at greater risk of website tampering by competing companies, by criminals, and by dissatisfied former customers. A component of the aforementioned hacking risk involves the posting of critical information about a company on its own website, for example, in the “comments” section usually at the bottom of a page. Such comments can cause serious damage to a company’s reputation, as information on the internet is spread widely very quickly and can be difficult or impossible to counteract. Unwarranted negative comments, or even those justified by circumstances, represent a level and type of risk not usually experienced by brick-and-mortar operations that are not on the internet.
As noted above, electronic payment systems carry a higher level of risk than when customers pay by cash or check, or by credit card in face-to-face transactions. This is not to say that fraudulent activities involving cash and checks do not occur; clearly, they do. The more a company depends upon online payment systems to operate, however, the greater its risk of being defrauded or having its accounts hacked by criminals. There is also an elevated risk of government surveillance of online payment processing, especially when transactions cross international borders.
In its efforts at tracking terrorist organizations after the attacks of September 11, 2001, the US Department of the Treasury Office of Terrorism and Financial Crimes, for example, was discovered to be “eavesdropping” on the operations of the Society for Worldwide Interbank Financial Telecommunications (SWIFT), the Belgium-based operation through which many of the world’s financial transactions are processed. One may or may not object to such intrusions into the privacy of an industry known for discretion, but if the United States could do it, so probably could other governments.
Another risk of online business is falling afoul of tax laws. Online businesses routinely conduct transactions that cross state boundaries, and each state has its own laws pertaining to corporate and consumer taxation. Companies must, therefore, be knowledgeable of the laws of each state in which they are doing business, irrespective of where those companies are headquartered. Similarly, transactions that cross international borders involve a risk of violating the laws of whatever other country is party to the transaction.