Here's a holiday gift for anyone whose business depends on keeping customer or client data secure: the Frankfurt Kurnit Technology Group's list of six essential steps for data security.
- Create an accurate, tailored privacy policy and stick to it. Why? Three reasons: 1) consumers expect credible businesses to have privacy policies, and they judge businesses based on those policies; 2) the FTC may cite you for withholding information from consumers about how their personally identifiable information is collected, stored and used; and 3) there are federal and state laws that require you to provide certain types of disclosures to consumers about privacy. Having a privacy policy that you are not following, or that is not specifically tailored to your company, is worse than having no policy at all.
- Do not share your customers' personally identifiable information. You may only do so 1) as provided by law (e.g., in response to a lawful subpoena); 2) with customer consent; 3) for external processing (e.g., a payment processor or shipping facility) with notice to consumers, in accordance with your privacy policy; and 4) in case of a sale of your company or transfer of assets -- provided you warn people in your privacy policy that this may occur.
- Transfer data securely. When transferring personal data, secure it using encryption and password protection. If you are sending a file via email, do not include the password in the same message. Consider not even sending the password by message at all: make a phone call to deliver the password.
- Do not store information longer than necessary. One of the core concepts of privacy and data security is the data lifecycle. You should dispose of customers' personally identifiable information, and particularly payment information, as soon as you no longer need it for a legitimate business purpose. Do not just store information to store it.
- Dispose of information as completely as possible. When you dispose of personally identifiable information, you must destroy it as completely as possible. If a "dumpster diver" or hacker can resurrect your data, then you have not properly disposed of it. Use a secure method to wipe your file system clean. Just clicking and dragging data files into a "recycle bin" or the "trash" on your computer screen is not enough.
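The two points above (retain only as long as needed, then destroy rather than merely "trash") can be turned into a routine: records are tagged with a data category and the date their business purpose ended, anything past its retention period is overwritten in place and then unlinked. This is an added illustration, not code from Frankfurt Kurnit or any product; the retention periods, the `StoredRecord` shape and the local-file storage model are assumptions for the example.

```python
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention periods in days, by data category. These values are illustrative
# assumptions for the example; the alert only says payment data should go
# soonest. A real policy would set them per legal and business requirement.
RETENTION_DAYS = {
    "payment": 30,
    "pii": 365,
}


@dataclass
class StoredRecord:
    path: str            # file holding the record (assumed local storage)
    category: str        # key into RETENTION_DAYS
    last_needed: datetime  # when the legitimate business purpose ended


def expired_records(records, now):
    """Return the records whose retention period has lapsed as of `now`."""
    expired = []
    for rec in records:
        limit = timedelta(days=RETENTION_DAYS[rec.category])
        if now - rec.last_needed >= limit:
            expired.append(rec)
    return expired


def secure_delete(path, passes=1):
    """Overwrite the file's bytes with random data, force them to disk,
    then unlink. Returns True when the file no longer exists.

    Overwriting in place only helps on media that rewrite the same blocks;
    SSDs, copy-on-write filesystems, snapshots and backups keep old copies,
    so encrypting at rest and destroying the key is the reliable route there.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def purge_expired(records, now):
    """Securely delete every expired record; return the paths removed."""
    removed = []
    for rec in expired_records(records, now):
        if os.path.exists(rec.path) and secure_delete(rec.path):
            removed.append(rec.path)
    return removed


if __name__ == "__main__":
    import tempfile
    # Constructed sample: one stale payment record, one current PII record.
    workdir = tempfile.mkdtemp()
    stale = os.path.join(workdir, "payment_2023.dat")
    current = os.path.join(workdir, "customer_profile.dat")
    with open(stale, "wb") as f:
        f.write(b"constructed payment record\n" * 64)
    with open(current, "wb") as f:
        f.write(b"constructed customer profile\n")
    now = datetime.now(timezone.utc)
    records = [
        StoredRecord(stale, "payment", now - timedelta(days=45)),
        StoredRecord(current, "pii", now - timedelta(days=5)),
    ]
    print("removed:", purge_expired(records, now))
    print("still present:", [p for p in (stale, current) if os.path.exists(p)])
```

The purge is driven by the category and the end-of-purpose date, not by how old the file happens to be, so a record kept for a live business reason is untouched while a finished payment record goes on schedule; `secure_delete` is the step that "dragging to the trash" skips, and its docstring records where overwriting alone does not reach.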
- Make a breach plan. Creating a privacy and data security team along with a breach plan is a critical step in any comprehensive privacy and data security program. Company executives should know whom to call and what to do in the event of an incident. Your company should have access to legal counsel, a forensic data security company, and thorough internal policies. Making a breach plan after a breach has occurred is too late.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.