AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE: BE PROACTIVE TO PROTECT PRIVATE INFORMATION IN CYBERSPACE
Stories of massive “data breaches” are far too common these days. Several national retailers recently suffered data breaches that threatened to expose consumers’ private information. These data breaches will potentially cost the retailers significant sums of money to compensate their customers for their losses and to defend numerous lawsuits relating to the breaches. These retailers utilized cyber security practices to prevent such a breach, yet it happened anyway. The lesson is: if it can happen to them, it can happen to you. The small business owner in California must take every precaution to protect their clients’ information.
THE INFORMATION PRACTICES ACT AND YOUR BUSINESS
The small business owner in California, or anywhere in the United States for that matter, engages in some form of electronic monetary transaction. From the convenience store owner who accepts credit and debit cards for purchases ranging from gasoline to cigarettes, to your favorite pizza parlor that now has a mobile app to offer its valued customers even greater convenience, our economy is inextricably intertwined with electronic transactions. Offering an electronic payment option was once a matter of convenience. Now it is a matter of necessity to remain competitive in today’s marketplace. Remaining competitive by offering electronic transactions obligates the small business owner to protect their customers’ account information, address, phone number, and other sensitive information.
California’s Legislature recognized the potential growth of electronic transactions when it passed the “Information Practices Act of 1977” (the Act). The Act memorializes and re-confirms that an individual’s right to privacy is “personal and fundamental” and is protected by the Constitution of California and the United States Constitution. The Act confers a statutory right on the citizens of California to be free from “being threatened by the indiscriminate collection, maintenance, and dissemination of personal information.” The Act further recognizes that the increasing use of computers and other technology increases the risk that personal, private information will be disclosed or shared. The Act obligates business owners and governmental agencies and bodies alike to protect private consumer information.
The Act is extensive and is intended to be all-encompassing. It provides for a private civil remedy to redress privacy breaches, or unauthorized disclosures of private information. Also, the Act allows for the collection of costs and reasonable attorney’s fees. The Act further delineates a business person’s obligations to protect sensitive consumer information by imposing a requirement that a business “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The Act additionally imposes notification requirements upon the business for a data breach. The notice requirements are quite lengthy and are not optional: they may only be suspended if law enforcement determines such notification will impede a criminal investigation.
The above discussion barely scratches the surface of this critical issue of doing business in the digital age. There are several steps a business person can take to comply with their affirmative duty to protect against data breaches and disclosure of private consumer information. Some simple suggestions are changing passwords frequently and having anti-virus and anti-malware protection programs that are updated regularly. For computerized checkouts, having a system that adheres to the Payment Card Industry Data Security Standard will help protect against unauthorized disclosure of private account information.