A federal bill recently introduced in the U.S. Senate by Dianne Feinstein (D-Calif.) would require any institution that owns, licenses or collects personal information to notify the individuals to whom the information belongs if those data are believed to have been acquired by an unauthorized person.
Given both the recent flurry of this type of legislation and data breaches at a number of institutions in recent months, Jerry Cerasale, senior vice president of government affairs for The Direct Marketing Association, offered the following advice at his session “Legislation and Privacy Issues: Protect Your Company and Manage Your Risk” at the Annual Catalog Conference held last month in Orlando, Fla.:
1. Have a written security plan. “Know ahead of time what you’re going to do if a security breach takes place,” said Cerasale. Specific areas to address include action strategies for data that are stolen outright, sold by employees or mishandled by contractors, he noted. “Don’t forget to include protection for your employees’ information,” he said.
2. Spend the resources for security. “Invest both the time and money necessary to protect the personal information in your care,” said Cerasale. Not only is technology important, but proper training for your employees who handle sensitive information is a must, he said. “It’s also necessary to review and update both your security plan and technology from time to time,” said Cerasale. “If the plan isn’t up-to-date, it may not be good enough.”
3. Make sure your suppliers and business partners have similar security plans in place. Any entity authorized to touch your customers’ data should have policies in place to protect those data, said Cerasale.
4. Know what information you really need. “Do you really need to collect a customer’s social security number or driver’s license number?” asked Cerasale. “Probably not.”