With identity theft on the rise, a number of states have passed regulations designed to improve consumer privacy by increasing the requirements for businesses to protect customer data and, in some cases, disclose how they use customer data.
For instance, the California Consumer Privacy Act (CCPA) applies to companies with more than $25 million in annual revenue, or that hold personal information on at least 50,000 people. It requires them to disclose to a customer who asks what personal information they collect about that customer, and to let customers request that their personal information not be sold.
This may require companies with California customers to change their data practices, for example by building a dedicated system for handling consumer data requests and defining policies for responding to them. Because the law applies based on where the customer lives rather than where the business is located, companies across the United States will likely have to adjust their data policies.
Similarly, the Fair and Accurate Credit Transactions Act (FACTA) requires businesses to destroy personal information obtained from customers and employees before discarding it. Any company that holds personal information about an employee or customer must destroy the information once it no longer needs it, for example:
- Social Security numbers
- Financial account information
- Driver's license information
- Medical histories
For example, you may have:
- Received customer credit card information during a sale
- Checked a customer's credit report before offering a loan or extending credit
- Acquired employee bank account information to make direct payroll deposits
- Checked Social Security numbers, references, and credit history for potential employees
No matter how you have received them, if you decide to throw documents away, you must destroy them first. But that's just the start. To protect information you don't plan to dispose of:
- Secure files, documents, and electronic data. Lock up documents when not in use. Limit access to only those employees who need access. Password-protect computers and electronic files. Shred any document you don't need to save.
- Encrypt sensitive files and data both where you store them and whenever you send them over the Internet.
- "Wipe" your electronic files. Hitting "delete" only removes the directory entry; the file's contents stay on the disk until something else happens to overwrite them. Use a wiping program that overwrites the data in place to permanently destroy electronic information you no longer need. One caveat: on SSDs and other flash media, overwriting is not reliable, because wear levelling can leave old copies of the data in blocks the program never touches. For those drives use the built-in secure-erase function, or keep the data encrypted from the start so that destroying the key destroys the data.
- Reward employees who identify security issues or potential threats. Make it everyone's job to keep customer information – and employee information – safe and secure.
- Develop a response plan in case data is compromised. Determine ahead of time whom to notify (banks, lawyers, law enforcement, customers, credit bureaus, etc.). Act immediately; your customers would rather hear about a problem, and what you plan to do about it, from you than from someone else.
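As an added example (not code from the original article), the routine below shows what a wiping program does that the delete key does not: it overwrites the file's contents in place with random data and then zeros, forces each pass onto the medium with fsync, renames the file so the original (possibly sensitive) filename does not survive in the directory, and only then unlinks it. The sample record it disposes of is constructed for the demo; the caveat about SSDs from the list above applies to this routine as well, since it relies on the overwrite landing on the same physical blocks.

```python
"""Secure disposal of a file: overwrite, flush, rename, unlink.

os.remove() only unlinks the directory entry; the data blocks keep their
content until the filesystem reuses them. This routine overwrites the
content first. Caveat: on SSDs and other flash media, wear levelling may
leave the old blocks untouched, so overwriting is not reliable there; use
the drive's secure-erase command or keep the data encrypted and destroy
the key instead.
"""
import os
import secrets
import tempfile

CHUNK_SIZE = 1024 * 1024  # overwrite in 1 MiB chunks so large files do not sit in memory

# Constructed sample data for the demo; not real customer information.
SAMPLE_RECORD = b"name=Jane Doe;ssn=000-00-0000;account=00000000\n" * 1000


def _overwrite_contents(fd, size, random_data):
    """Overwrite `size` bytes from the start of open descriptor `fd`.

    random_data=True writes cryptographically random bytes, otherwise zeros.
    fsync() forces the pass onto the medium before the next pass starts.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK_SIZE, remaining)
        chunk = secrets.token_bytes(n) if random_data else bytes(n)
        written = 0
        while written < n:  # os.write may write fewer bytes than requested
            written += os.write(fd, chunk[written:])
        remaining -= n
    os.fsync(fd)


def secure_delete(path, random_passes=2):
    """Overwrite a file in place, then unlink it.

    Returns the number of bytes overwritten per pass (the file's size).
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(random_passes):
            _overwrite_contents(fd, size, random_data=True)
        _overwrite_contents(fd, size, random_data=False)  # final zero pass
    finally:
        os.close(fd)

    # Rename before unlinking so the original filename (which may itself be
    # sensitive, e.g. "smith_ssn.txt") is replaced in the directory entry.
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)

    # fsync the directory so the rename and unlink reach disk too. Not every
    # platform allows fsync on a directory descriptor, hence the guard.
    try:
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except OSError:
        pass
    return size


def demo():
    """Write the constructed record, dispose of it, return (bytes_overwritten, still_exists)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".txt") as f:
        f.write(SAMPLE_RECORD)
        path = f.name
    overwritten = secure_delete(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Run the file directly to dispose of a throwaway record; in practice, call `secure_delete` on each file that holds data past its retention period, and treat it as the last step of the disposal process rather than a substitute for encrypting the data while it was in use.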
What happens if you don't protect customer information adequately? You could face:
- Civil liability. A victim whose identity is stolen because you failed to take security precautions could be entitled to recover actual damages, or you could be required to pay statutory damages of up to $1,000 per violation.
- Class-action lawsuits. If a number of people are affected, they may be able to bring class-action suits and get punitive damages.
- Federal fines. The federal government could fine you up to $2,500 for each violation.
- State fines. States can fine up to $1,000 for each violation.
Fines and lawsuits aside, protecting your customers' personal information is just good business.