But even if you are successful shielding your digital files, in addition to your customer’s private information, you might want to consider whether it would be prudent to establish a privacy policy. And what that means exactly is up to you.

Statutory assistance
In response to the recently announced data breaches at major US retailers, a bipartisan duo has introduced the Data Security Act (DSA) into Congress. If passed as written, companies that accept credit or debit cards for payment will be required to establish policies and mechanisms to protect consumer data from cyber hackers. In addition, the legislation requires businesses to:

•Investigate breaches
•Endeavor to secure data targeted by cyber thieves
•Tell customers and the federal government about data infiltration
•Notify credit reporting agencies if the breach impacts more than 5,000 customers.

Currently, nearly every state and Washington, DC maintains their own laws governing data breaches. However, if Congress passes the DSA or similar legislation, one set of laws will control, streamlining the process for businesses to recover from data breaches.

On top of the DSA, the chairperson of the Senate Judiciary Committee introduced the Personal Data Privacy and Security Act (PDPSA) January 8, 2014.  Sen. Patrick Leahy (D-Vt.) has introduced similar legislation in the past four Congresses, without success. One of the main objectives of the PDPSA is to stiffen criminal penalties for computer hacking. If passed as written, it would also establish stringent Federal data breach notification laws.

Of the PDPSA, Fernando Pinguelo, a partner with the New Jersey’s Scarini Hollenbeck who also chairs the firm’s Cyber Security & Data Protection Group, says the law limits the liabilities of small businesses for data breaches in certain situations. ‘This limitation of liability is important because it serves to shield businesses from some of the burdens of compliance,” says Pinguelo. That’s especially useful for companies without additional resources to properly respond to such breaches.

What you can do
While you might think your small business is not a likely target for data breaches, it’s just that complacency that increases the chances that it might be. Retail giant Target spends millions on data security and encryption, yet it still suffered a data breach that could impact 110 million people. 

“Any company that collects personal information needs to have a publicly-available privacy policy,” says Dino Tsibouris, a privacy attorney in Columbus, Ohio. He suggests small business owners take “reasonable measures to protect their customer information” by using data services with measurable and reliable security procedures or hiring consultants to oversee the implementation of such a system.

Tsibouris also suggests that businesses who request customer email addresses “should secure them in their company network and not put them in databases that are accessible without password protection. However, most data breach laws don’t have requirements governing storing of email addresses because an email address isn’t a helpful tool for identity theft. If they store names and account numbers, then the laws apply,” he says.

---

Tami Kamin Meyer is an Ohio attorney also licensed in the state’s two federal districts and the U.S. Supreme Court. She is also an oft-published writer whose byline has appeared in Better Homes and Gardens, The Rotarian, Corporate Secretary, The ABA Solo Practitioners newsletter and Ohio Magazine, to name a few. She penned a study guide about filing personal bankruptcy that was published by Quamut, a division of Barnes and Noble, in 2007.