Here's a holiday gift for anyone whose business depends on keeping customer or client data secure: the Frankfurt Kurnit Technology Group's list of six essential steps for data security.

  1. Create an accurate, tailored privacy policy and stick to it. Why? Three reasons: 1) consumers expect credible businesses to have privacy policies, and they judge businesses based on those policies; 2) the FTC may cite you for withholding information from consumers about how their personally identifiable information is collected, stored and used; and 3) there are federal and state laws that require you to provide certain types of disclosures to consumers about privacy. Having a privacy policy that you are not following, or that is not specifically tailored to your company, is worse than having no policy at all.

  2. Do not share your customers' personally identifiable information. You may only do so 1) as provided by law (e.g., in response to a lawful subpoena); 2) with customer consent; 3) for external processing (e.g., a payment processor or shipping facility) with notice to consumers, in accordance with your privacy policy; and 4) in case of a sale of your company or transfer of assets -- provided you warn people in your privacy policy that this may occur.

  3. Transfer data securely. When transferring personal data, secure it using encryption and password protection. If you are sending a file via email, do not include the password in the same message. Consider not even sending the password by message at all: make a phone call to deliver the password.

  4. Do not store information longer than necessary. One of the core concepts of privacy and data security is the data lifecycle. You should dispose of customers' personally identifiable information, and particularly payment information, as soon as you no longer need it for a legitimate business purpose. Do not just store information to store it.

  5. Dispose of information as completely as possible. When you dispose of personally identifiable information, you must destroy it as completely as possible. If a "dumpster diver" or hacker can resurrect your data, then you have not properly disposed of it. Use a secure method to wipe your file system clean. Just clicking and dragging data files into a "recycle bin" or the "trash" on your computer screen is not enough.

  6. Make a breach plan. Creating a privacy and data security team along with a breach plan is a critical step in any comprehensive privacy and data security program. Company executives should know whom to call and what to do in the event of an incident. Your company should have access to legal counsel, a forensic data security company, and thorough internal policies. Making a breach plan after a breach has occurred is too late.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.