As a small-business owner, you might think that only large companies need privacy policies. Think again. Small firms also need privacy policies if they collect nonpublic personal information (NPPI) from customers (any information beyond what's available in a phone book) and if the business generates financial transactions with consumers.
The Gramm-Leach-Bliley Act of 1999 (GLBA) provides protection against misuse of consumer NPPI in the context of financial transactions, such as a purchase or mortgage application. The Federal Trade Commission issued a set of guidelines for businesses complying with GLBA in 2000; the guidelines cover security issues—from physical security precautions, such as locking filing cabinets, to electronic security, including password protection and data encryption. The consequences for failing to comply range from fines to possible revocation of one's business license.
No company is too small to attract scrutiny. Greenspoon Marder worked with a small-business client with 12 employees that faced litigation after a customer complained to the state attorney general. That small business sold 20,000 customer names to a third party without giving customers notice nor the opportunity to opt out. The matter was settled out of court, but should serve as a cautionary tale for other small businesses.
Most important, establish procedures that implement that policy for both physical security and information (or electronic) security. Building access codes and document-shredding would be covered by procedures for physical security. Information security procedures would address issues such as network firewalls, user authentication and key encryption of data.
Finally, monitor and limit how data leaves your system. Put logs in place to monitor databases and ensure that customer data cannot be accessed without a clear and documented path. Ensure that user passwords can't be easily guessed. Narrowing down how the world outside can access your corporate computer system is critical to the security of customer data.
The work of protecting customer data is never done. But the payoff from the effort will make customers more confident that your company will treat their personal information with respect and care. That goes a long way toward becoming a trusted partner.