The attention and lawsuits – and executive suite changes – relating to the highly-publicized 2013 data security breaches experienced by Target and by Neiman Marcus serve as a pointed reminder of the need to attend to data security throughout a company’s operations, both online and offline.  What can a business do to guard against similar breaches, what should it do to prepare for one, and what must, can, or should it say in a privacy policy?

More than 45 states now have breach notification laws on the books.  However, even if a company’s website has changed little over the past few years, the law has.  For example, user names and email addresses were not defined as “personal information” by California’s breach notification law until January 1 of this year, although they may meet the definition of personal information under other laws (such as the federal Children’s Online Privacy Protection Act).  This effectively converted a law meant to deter identity theft and financial fraud into a more general data protection statute.  This also means that a privacy policy that does not classify email addresses and user names as personal information is out of date.

Reviewing a privacy policy can provide a good opportunity for a company to address the risks of data security and how to provide notification to consumers in the event of a data security breach. When was the last time the company reviewed the cybersecurity of its website, payment systems, or other electronic systems? Does it have a plan to address cyber attacks? To address data breaches?
