Tactical Advice

Protective Order

Look out for yourself and your customers with privacy policies that protect you both.
This story appears in the March 2005 issue of BizTech Magazine.

Robby Birnbaum
Associate Attorney


Thomas Salzman
IT Manager

As a small-business owner, you might think that only large companies need privacy policies. Think again. Small firms also need privacy policies if they collect nonpublic personal information (NPPI), meaning any information beyond what's available in a phone book, from customers and if the business generates financial transactions with consumers.

 

Federal and state regulations, statutes and case law govern how entities of all sizes treat private customer information. Any company that contacts consumers—via a Web site, a catalog or an office or retail outlet—must adhere to a written privacy policy with procedures that implement that policy. The company must provide customers with written notice of its privacy policy at the time of the transaction, as well as on an annual basis. In turn, customers have the right to opt out of sharing their personal data. These requirements apply to existing as well as new customers.

 

The Gramm-Leach-Bliley Act of 1999 (GLBA) provides protection against misuse of consumer NPPI in the context of financial transactions, such as a purchase or mortgage application. The Federal Trade Commission issued a set of guidelines for businesses complying with GLBA in 2000; the guidelines cover security issues—from physical security precautions, such as locking filing cabinets, to electronic security, including password protection and data encryption. The consequences for failing to comply range from fines to possible revocation of one's business license.

 

No company is too small to attract scrutiny. Greenspoon Marder worked with a small-business client with 12 employees that faced litigation after a customer complained to the state attorney general. That small business sold 20,000 customer names to a third party without giving customers notice or the opportunity to opt out. The matter was settled out of court, but it should serve as a cautionary tale for other small businesses.

 

Action Items

 

So, where to begin? The first step is to create a written privacy policy. You can craft a policy yourself, using established privacy policies as a working model. Have an attorney review the proposed policy for provisions relevant to your industry. This process should take only a few hours of an attorney's time and could help you avoid months of costly litigation later.

 

After documenting your privacy policy, give your customers ample notice of the policy at the time of any transaction (whether or not that transaction is consummated) and on an ongoing, annual basis.

 

Most important, establish procedures that implement that policy for both physical security and information (or electronic) security. Building access codes and document-shredding would be covered by procedures for physical security. Information security procedures would address issues such as network firewalls, user authentication and key encryption of data.

 

Finally, monitor and limit how data leaves your system. Put logs in place to monitor databases and ensure that customer data cannot be accessed without a clear and documented path. Ensure that user passwords can't be easily guessed. Narrowing down how the world outside can access your corporate computer system is critical to the security of customer data.

 

The work of protecting customer data is never done. But the payoff from the effort will make customers more confident that your company will treat their personal information with respect and care. That goes a long way toward becoming a trusted partner.

 

Birnbaum and Salzman are with the firm Greenspoon, Marder, Hirschfeld, Rafkin, Ross & Berger, P.A., in Fort Lauderdale, Fla.