Cyber Security & the Marketplace Fairness Act/Remote Transaction Parity Act


Recent breaches in the last year have shown the perilous state of information security.  Frankly, the bad guys are winning.  A few recent breaches of note:

  • Target
  • Home Depot
  • Anthem Blue Cross
  • U.S. Office of Personnel Management

A quote from the Washington Post on the recent US OPM breach that contained very sensitive information regarding their top secret clearance applications:

“In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”

China is suspected as the culprit in this and other breaches.  These breaches target both civilian and military companies and commercial data is highly prized in these targets.  The skill level of these “advanced persistent threats” or APTs is high.  The attacks are stealthy and frequently successful.

You know who else will have a big, fat bulls-eye on their back?  Certified Solutions Providers.

Why might China or hackers target a CSP?  Because they will be a large collection point for sales data across the entire US economy.  The more data in one place, the more rewarding the target is.

Taxcloud estimate in their promotional video that their market is 3.5 million retailers.  It might be more, especially as the states reduce the small business exemption level over time (their goal is zero exemption, long-term).

Right now there are 6 CSPs and I know that Taxometry is in the works.  That’s a pretty small number of providers to store data.  So what data will the CSPs be storing for the states?

  • Order-level transaction data
  • Item level transaction data (the tax category or TIC for each item purchased)
  • Item level description – a description of what was purchased and/or the part # of what was ordered
  • What exact address did these items ship to (because zip code alone isn’t enough)
  • Retailer information for the sale, such as the shipping address
  • Since there is a 3 year statute of limitations under the Remote Transaction Parity Act, at least 3 years, but likely more, of all transaction data for every single item ordered would need to be stored by CSPs.

I’m not suggesting credit card data would be stored by the CSPs, it won’t be.  But if a bad guy or nation state is looking for a lot of commercial data, it’s easier to target one or more CSPs than individual retailers one by one.  Reverse lookups from address to name are trivial and available.  Recent headlines have shown that the bad guys out there are winning the fight and a skilled group or nation state would probably view this small number of companies an interesting target.

Update: Amusing that the L.A. Times just had an article this morning (6/17/2015) with Rep. Chaffetz complaining about the poor security while his bill actually helps sow the seeds of a future possible issue.  From the Times:

“Intelligence officials are concerned that Chinese intelligence services or others could use the sensitive information, which can include medical histories and other personal details, to blackmail or otherwise recruit spies in the U.S. government and to design carefully tailored emails to infect computers of federal workers with access to secret files.

Chinese officials deny being behind the incursion.

During a contentious congressional hearing about the massive digital theft of personnel files, lawmakers ripped into the officials in charge of securing the networks.

“You failed. You failed utterly and totally,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told the officials.””

Marketplace Fairness Act – Big Data Privacy Concerns

The Marketplace Fairness Act (MFA) would allow for a concentration of  big data that raises privacy concerns and would be a ripe target for hackers.

As it stands now, states don’t have detailed information about purchases made, by who or what was purchased in any detail.  Typically, an online retailer located in one state would submit a monthly or quarterly summary of purchases.

  • Total Sales
  • Taxable Sales
  • Exempt Sales (out of state, for resale, to government agencies, etc..)
  • Sales Tax Collected

So the retailer fills out this form along with payment for that period’s sales tax collected.  The only time the state has access to detailed sales information is in the event of a sales tax audit.  But the data would still be local to the retailer.  Other states would have no access to this data, as a single-state retailer isn’t required to collect sales tax in other states.

How will this change under the Marketplace Fairness Act?

  • Data will be concentrated in a small number of locations – Certified Solutions Providers (CSPs)
  • Currently 6 companies are certified
  • Data will be for all states with sales tax
  • Data will contain items/types/values of item purchased
  • Data will contain shipping address of order
  • Data will contain retailer info
  • Unprecedented aggregation of shopping data per location
  • States (and hopefully not hackers) will have access to this data which they didn’t in the past.

Assuming I was wearing a black hat and had access to this data, there’s a LOT of things that could be done with it.  Sorting by store would be easy.  Or by address to see what things or types of things people in a household buy.  Some types of items are more sensitive than others, such as items of a medical or an adult nature.  And it’s trivial to tie shipping addresses to people or families with publicly or commercially available tools online.

This is truly big-data, but not in a good way.  The Marketplace Fairness Act will allow a significant concentration of data across numerous states, retailers and consumers that has never existed before.