What Do Small Businesses Need to Know about Data Privacy Law?
If you own a small business, you know the importance of creating and maintaining systems that allow your business to run smoothly. You have likely spent time and money building a system that performs well and maintains a good reputation with your clients or customers.
Today, it is essential that you take steps to address a concern that is on most consumers’ minds: cyber security. When a customer or client does business with you, they trust that you have the systems and safeguards in place to protect their sensitive personal information. You don’t want your personal information floating around the internet, and your customers don’t either. More importantly, it’s not just good business to protect customers’ personal information – it may be the law.
Personal information includes, but is not limited to:
● First and last name
● Social Security Number
● Driver’s License Number
● Account numbers, credit and debit card numbers
● Security Codes, Access Codes, Passwords that allow access to financial accounts
● Medical information
● Health insurance information
● User names, email addresses, passwords, security question answers
Personal information DOES NOT include information that is available through public record.
Privacy rules in the United States are a complex collection of federal and state laws, as well as regulatory guidelines and “best practices” put out by various governmental and nongovernmental agencies. There are laws that only apply to particular industries (such as financial services and healthcare), rules for doing business online, and special rules regarding specific forms of communication.
Even without laws telling you to do so, it is good business to keep the confidences of your customers. Security breaches expose your clients and customers to identity theft. Once a client’s information is out there, there is no way to get it back. Once the damage is done, trust in your business and its carefully-cultivated reputation may be shattered. Beyond bad PR, there may be real costs to your business in the wake of a security breach. You may need to spend money replacing client’s credit cards or other materials (if you are a financial services business), paying penalties and fees, paying for security monitoring for your customers in an attempt to regain their trust, and even hiring an attorney to defend your company against a civil lawsuit.
General Privacy Laws You Should Know About
There are a number of federal laws that you should be aware of and look into to see if they apply to your business:
1. Commercial Privacy Bill of Rights Act of 2011. This law allows the Federal Trade Commission (FTC) to require businesses that collect personally identifiable information to provide notice to customers about the reasons why the information is being collected, how it will be stored, and any privacy practices it utilizes. If your business is conducted online, it is likely that this law applies to you.
2. Federal Trade Commission Act (FTC Act). This law prohibits unfair and deceptive business practices. For the purposes of privacy, this means that the FTC Act forbids the unauthorized disclosure of personal information.
3. Financial Services Modernization Act (Gramm-Leach-Bliley Act) (GLBA). This law regulates the collection, use, and disclosure of financial information. It specifically applies to financial services businesses. Under GLBA, consumers have a right to be given notice about how their personal financial information is collected, how it is used, how it is protected, and when and why it may be shared.
4. Fair and Accurate Credit Transaction Act (FACTA). If your business uses consumer credit reporting, this law sets guidelines regarding the proper disposal of information containing consumer data.
5. Health Insurance Portability and Accountability Act (HIPAA). This law is not just limited to healthcare providers. It also applies to any subcontractors, data processors, or pharmacies that handle protected health information. These businesses are required to restrict access to this health information and includes limits on the electronic transmission of protected health data. The HIPAA Omnibus rule also requires covered entities to provide notice of a breach of protected health information is there has been any disclosure of that information not permitted under the privacy rules.
Most states have a security breach law that requires businesses to notify affected customers of any security breaches involving personal information. Some states’ laws also require certain preventative actions that can be taken to avoid potential security breaches.
Writing a Privacy Policy and Providing it to Customers
If you do not have a privacy policy for your business, it is important to create one. Meeting with an attorney is a great first step toward compliance. Even if your business does not fall into one of the categories that is legally required to provide a privacy policy to customers, it is still in your business’ best interest to create a policy and follow it. Be prepared to provide your privacy policy to customers or clients if they ask for it.
Creating Internal Data Privacy Guidelines for Your Business
Within your small business, it is also essential that you have an internal set of guidelines that outline how sensitive information is collected, how it is stored, who has access to this information, and how it will be destroyed when it is no longer needed.
Most businesses do not appropriately limit access to sensitive information, both among the staff and around customers and visitors. Take a look at how your business currently stores private information. Consult with an attorney or hire a records management services to perform an audit of your records storage system.
A good rule of thumb is to destroy any documents that you do not need for the course of business. If it’s not being used, don’t keep sensitive information hanging around. Make sure that your business has a clear information destruction policy. You can hire a shredding service to destroy documents for you, but make sure that the provider is certified by the National Association for Information Destruction.