Over the last several weeks, many businesses have become more reliant on a virtual business model due to COVID-19. Those businesses now face a range of unexpected privacy and cybersecurity issues. We encourage businesses that have made the transition to an online presence to implement the following steps:
1. Update Privacy Notices
As your business model evolves, your privacy policies should as well. Providing a clear and accurate explanation of your data collection, sharing and retention policies can reassure customers and clients that you are handling their personal information responsibly and may help minimize regulatory enforcement risk. Consider some scenarios where your privacy notices may need to be updated:
- If you are offering online or mobile app products or services for the first time, do your customers or clients know whether the information they share with you will be disclosed to third parties, sold or used for marketing purposes?
- If you have transitioned from conducting meetings with clients in person to using a video conferencing platform like Zoom or Skype, do your clients know whether those calls are being recorded and whether the video conferencing provider itself can access the content of your calls?
- If you typically have your customers or clients sign sensitive documents (e.g., tax documents) but are now using e-signatures, do your clients know what steps you are taking to ensure that those documents are transmitted securely and whether they are being shared with third parties?
Updating your privacy statement is especially important if you do business in California or outside the United States. The California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR) require businesses that fall under their scope to make a number of highly specific disclosures in their privacy statements. Note that your business may be subject to the CCPA or the GDPR even if it is based outside of California or the European Union, since both laws apply based on whose personal information you handle, not only on where you are located.
2. Update Vendor Contracts
Is your business starting to share more personal information with existing or new vendors in order to support new online or electronic capabilities, such as online sales, video conferencing, electronic document sharing or app-based educational tools?
Making sure the necessary privacy and security terms are included in vendor agreements is an important step in protecting personal information for which your business is responsible. These terms can also limit your risk should a vendor mishandle the information or violate its privacy obligations. Data sharing agreements should also clearly describe the vendor's authorized uses of the data, along with any other limitations, such as a prohibition on the vendor sharing your information with third parties and a requirement to notify you promptly of any security incident involving that data.
3. Update Data Collection and Storage Practices
Is your business receiving personal information from customers online for the first time? Have you determined what types of personal information are necessary for you to carry out your business? Do you have procedures in place for safeguarding the information?
One step that businesses can take to reduce their exposure is simply to limit the amount of data being collected. Collecting and storing large amounts of personal or proprietary information that is not necessary for a business purpose makes your business a more attractive target for attackers, increases the impact of any breach, and could subject you to heavy penalties if your customers' personal information is compromised.
Businesses must also ensure that they are adequately safeguarding the personal information that users share with them. There are a number of steps you can take to increase your protection of personal information:
- Encrypt sensitive information both in transit (for example, over TLS) and at rest, and use end-to-end encryption where the service you rely on supports it.
- Require multi-factor authentication for employee accounts and, where available, for customer accounts.
- Install and keep up to date effective antivirus and other endpoint security software.
- Limit access to personal information to the employees who need it for their role, and review those permissions regularly.
4. Update Internal Policies and Educate Employees
A key way to minimize your business's risk of liability is to have a written policy that details the way your business handles customer information. This policy should be communicated clearly to your employees so that they know how to handle personal and confidential information. If your workforce is new to remote work, remind them not to use personal devices for anything work-related and to use a personal hotspot rather than public Wi-Fi when working outside of their homes.