Why and How Your Business Should Protect Sensitive Customer Data

Cole Schotz

With the battle over data privacy between Apple and the Department of Justice at the forefront of the news cycle, business owners across the country are likely asking themselves: what responsibilities do I have in protecting sensitive customer data?

First, the government has enacted a number of statutes and regulations to further its interest in ensuring that business owners protect sensitive customer data. From the Gramm-Leach-Bliley Act, to HIPAA, to Sarbanes-Oxley, there are numerous laws that give the government the ability, in certain circumstances, to impose monetary fines and legal costs if a business fails to safeguard this information.

Additionally, consumers expect their data to be protected. A Pew Research Center survey found that over half of internet users believe – incorrectly – that the mere existence of a privacy policy means that a business will keep their personal information confidential¹. Customers may feel betrayed and stop doing business with a company if they learn of a cybersecurity breach. For example, one study found that as many as 36% of retail customers will shop less frequently at a retailer that has experienced a security breach².

Finally, in addition to potential penalties that may be imposed by the government and a loss of business, a breach of customer data will bring about other costs. A business will likely experience increased expenses for IT professionals, public relations efforts, insurance premiums, and legal assistance as it seeks to mitigate the damages caused by the breach. Aside from the monetary expenditures, a business’s reputation will also be at stake.

A business owner should consider taking the following steps to protect their business:

  • Delegate responsibility now to individuals who are likely to be involved in a response effort. Do you have the necessary personnel within your business to respond, or will you need to seek outside assistance?
  • Create a plan for how you will notify customers. While the relevant laws do specify how customers should be notified, you will want to produce a notice that is both legally compliant and customer-friendly.
  • Follow the FTC’s “10 Practical Lessons” for businesses³.
  • Consult an attorney to gain an understanding of what legal and regulatory duties apply to your specific industry.

¹ Aaron Smith, Half of Online Americans Don’t Know What a Privacy Policy Is, PEW RESEARCH CTR. (Dec. 4, 2014), https://perma.cc/A7R5-JWZ2.

² Interactions Finds 45 Percent of Shoppers Don’t Trust Retailers to Keep Information Safe, PR NEWSWIRE (Jul. 1, 2014), https://perma.cc/QQ36-ANN3.

³ Start with Security: A Guide for Business, FEDERAL TRADE COMMISSION (Jun. 2015), https://perma.cc/F52J-NYQE.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cole Schotz | Attorney Advertising

Written by:

Cole Schotz