Is Your Clients’ Privacy Secure?

Nina L. Kaufman, Esq.

Nina L. Kaufman, Esq., owner of Ask The Business Lawyer, is an award-winning business attorney, speaker, and Entrepreneur Magazine online contributor. She saves consulting and professional services companies time, money, and aggravation by serving as their outsourced legal counsel.

Posted on June 30, 2015 in IP & Social Media

If you collect customer data, you have to comply with a growing batch of laws addressing privacy and security.

What information do you collect from your clients and customers? Full names? Social Security numbers? Driver’s license numbers? Credit card numbers? IP addresses? Birthdays? Congratulations–your business is now subject to the new and growing batch of laws concerning information privacy and security.

Identity theft–more technically known as the theft and misuse of “personally identifiable information” or PII–is a burgeoning business for criminals. According to the research firm Javelin Strategies, identity theft rose 11 percent between 2008 and 2009–and that follows a 22 percent rise from 2007 to 2008. More than 11 million Americans are known to have been affected.

As a result, 47 states throughout the United States have enacted or are considering data privacy and security legislation. And there’s no size exemption–like a “get out of jail free” pass if your company has fewer than “X” number of employees. Every company that collects PII, from the solo online infopreneur to the national semiconductor manufacturer, has to comply.

The Law, at a Minimum
State laws concerning data privacy essentially have two components:

  1. If there’s a breach of information security, you have to notify your clients within a reasonable period of time.
  2. You need to have a privacy policy that you post (online and off, where applicable).

Sounds simple enough, but there are hitches. First, states may have specific rules about how and within what time frame you’re required to notify customers that your system has been hacked. If you don’t follow those rules, you could get into trouble.

Also, privacy policies aren’t meant to be sexy new forms of marketing. They’re policies. If you don’t adhere to them, you could be held liable for deceptive practices in some states. Another kicker: If you’re based in, say, Nebraska, but have clients or customers from states such as California and Massachusetts, you may have to follow their more stringent laws in addition to Nebraska’s own.

How could this happen? Easily. Jane Smith, a Massachusetts resident, signs up for your e-zine and provides her birth date as part of the information you collect. Or John Roe, a California resident on vacation, stops in your café for lunch and provides his credit card information. If you don’t comply, you could be on the hook for statutory penalties, damages to the customer and a tarnished business reputation (often, more difficult to restore than anything else).

How to Prevent Data Breaches
Contrary to what many entrepreneurs think, many data breaches are reasonably preventable. They’re not always caused by some rogue hacker in a formerly Eastern bloc country tapping away at a computer keyboard. Here are just a handful of ways your data can be compromised:

  • You toss out–without shredding–hard copies of documents containing PII.
  • You leave your iPhone in the back seat of the cab on your way to a networking meeting.
  • You sell your old computer equipment on eBay without scrubbing the hard drive.
  • You use a public Wi-Fi connection in Starbucks while working on your laptop.
  • You don’t get around to updating your antivirus software, and a keylogging malware program ends up on your computer.
  • Your computers aren’t password protected, or you use a ridiculously common password (like “1234”).
  • Someone lifts the flash drive from a USB port in your netbook.

Action Steps
The more customers use credit cards and share personal information (especially online), the more these privacy and security laws will grow in complexity. You should take smart steps now, which include working with your legal counsel and IT professionals to address the following:

  1. Look at all the PII you’re collecting. Do you really need it to run your business?
  2. Follow the flow. Examine how you collect PII–how this information flows into your company–and where it resides (Laptops? PDAs? Flash drives? External hard drives? Cloud computing?).
  3. Consider the right IT solutions to protect this information, such as strong firewalls, data encryption and password controls.
  4. Review your privacy policies and procedures to make sure they reflect the technology you’re actually using.
  5. Speak to your vendors to find out what security procedures they put in place when they’re hosting your information, and ensure that it’s on a par with your policies.

Those in the identity theft arena like to say it’s not a matter of “if” your data will be breached; it’s “when.” Only time will tell if that’s being alarmist. But if you have procedures in place for handling a breach, you’ll be in a great position to weather the crisis and restore your company’s footing–and customer confidence–quickly.
