SMALL BUSINESSES PRIVACY CONSIDERATIONS
February 2013

How Privacy Impacts Your Business
• Legislative
• Technological
• Trust

Two Primary Considerations
• Employees
  - Hiring
  - Policies
  - Termination
• Customers
  - Information Collection
  - Information Storage
  - Information Destruction

Potential and Current Employees: Initial Considerations
• Does your company run background checks on potential employees?
• Does your company permit or encourage employee use of personally-owned devices (e.g., smartphones, tablet computers, laptops) in the company network or to conduct company business?
• Does your company train employees on various privacy and security issues?
• Does your company monitor employee use of email and/or other employee online activity at work?
FIPP 1 and 4

Background Checks
Is your company performing background checks on potential employees?
• How are you obtaining the information?
  - Why you should care: Your company could run afoul of various discrimination laws or obtain false information.
  - Best practices: Use reputable companies. If using social media, insulate the hiring decision maker from the person performing the check. Do not ask for social media passwords or friend potential employees.
• How are you safeguarding the information?
  - Why you should care: Your company is responsible for the data it gathers.
  - Best practices: Secure physical information and only share with those who need to know. Also make sure electronic information is secure.
• How are you disposing of the information?
  - Why you should care: The company you use for the background check may be a consumer reporting agency under the FCRA.
  - Best practices: See Appendix Item A on Document Destruction.
FIPP 1 and 4

Fair Credit Reporting Act (“FCRA”)
Is your company performing credit checks on potential employees?
• How are you obtaining the information?
  - Why you should care: Avoid violating the FCRA.
  - Best practices: Use reputable companies and obtain consent from the prospective employee.
• How are you safeguarding the information?
  - Why you should care: Your company is responsible for the data; see FTC Disposal Rule (Appendix A).
  - Best practices: Secure physical information and only share with those who need to know. Also make sure electronic information is secure.
• How are you disposing of the information?
  - Why you should care: FTC Disposal Rule.
  - Best practices: See Appendix A regarding Document Destruction.
FIPP 1, 3 and 4
For more information visit: http://www.ftc.gov/os/statutes/fcrajump.shtm

Policies
Does your company have:
• Security policies?
• Email policies?
• Privacy policies?
• Social media policies?
FIPP 1 and 4

Employee Monitoring
Does your company have an employee handbook?
• Do you have cameras in the workplace?
  - Why you should care: Without notice to employees, you may be violating employees’ privacy by recording them.
  - Best practices: Make sure you have an employee handbook that tells employees how they will be monitored in the workplace.
• Do you monitor employee emails, computers, telephone calls, SMS or IM messages?
  - Why you should care: Without notice to employees, you may be violating employees’ privacy by recording them.
  - Best practices: Make sure that all company policies are applied equally.
• Do your employees take work out of the office?
  - Why you should care: Your company has a duty to protect the information.
  - Best practices: See Appendix B for some sample policy language.
FIPP 1, 2 and 4

Bring Your Own Devices
Does your company allow employees to use their own devices?
• Does your company allow employees to use their own devices for company work?
  - Why you should care: Your company has a duty to protect company and customer information.
  - Best practices: Create a policy that includes what is and is not allowed as well as employee responsibilities.
• Should your company create a use policy?
  - Why you should care: Your company wants to ensure that only the employee is using the device.
  - Best practices: Create an acceptable use policy.
• Should your company provide support for the end-user?
  - Why you should care: If there is a problem with a mobile device, the employee may go to an outside source to fix the problem and inadvertently expose company or customer data.
  - Best practices: Have a policy in place whereby your company’s IT department will handle the problem, or consider having an acceptable and vetted professional handle company issues.
• Should your company have a policy violations clause?
  - Why you should care: Consider what employees cannot do with information so that if an issue arises, your company is prepared.
  - Best practices: Consider whether violations should be treated differently, and if so, apply the penalties evenly across the board.
See Appendix C for more information.
FIPP 1 and 4

Cloud Computing
Does your company store information in the cloud?
• Does the cloud company securely store the information?
  - Why you should care: Your company is responsible for the data it transmits.
  - Best practices: Research the company.
• Does the third-party securely dispose of the information?
  - Why you should care: Your company is responsible for the data it transmits.
  - Best practices: Have a contract.
• Who will have ownership of the data?
  - Why you should care: Your company needs to ensure full ownership and rights to your data.
  - Best practices: Do not settle for anything less than full ownership and rights.
• Is the third-party following the laws your company is required to follow?
  - Why you should care: Your company is responsible for the data.
  - Best practices: Use a well-known company.
• In what type of format will the data be stored?
  - Why you should care: Your company needs to be able to access your data in a readable form.
  - Best practices: Request back-up or access to data archives in a common readable format.
• Does the third-party have a disaster recovery plan?
  - Why you should care: Your company is responsible for the data it transmits.
  - Best practices: Do not select your third-party partner based on lowest price.
• Where is the third-party storing the information (in the U.S. or abroad)?
  - Why you should care: Your company may not have access to the data, or the data may be subject to foreign laws if stored in another country.
  - Best practices: Use a company with servers located in the U.S.
FIPP 1 and 4

Employee Training
• Security
  - Take Stock. Know what personal information your company has in its files and its computers.
  - Scale Down. Only keep the information the company needs for its business.
  - Lock It. Protect the information that your company keeps.
  - Securely Dispose. Properly dispose of the information your company no longer needs.
  - Plan Ahead. Create a plan for responding to security incidents.
  - See Appendix B for sample language.
• Privacy
  - Privacy By Design. Privacy should be built into every stage of business development.
  - Simplified Choice. Companies should give consumers the choice to decide what information is shared.
  - Greater Transparency. Companies should disclose use of information.
  - See Appendix D for sample language.
FIPP 1 and 4

Customers: Initial Considerations
• Does your company collect customer information?
  - What types?
  - Financial
  - Health
• Does your company have policies in place about what your company does with customer information?
• How does your company store customer information (both physically and electronically)?
• How long does your company need customer information?
• How does your company dispose of customer information?
• Does your company collect information from children?
FIPP 1, 2 and 4

Policies
What to do with a customer’s personal information:
• Identify the purposes of the data use.
• Obtain consent.
• Limit collection of information.
• Limit use of information.
• Limit disclosure of information.
• Limit retention of information.
• Make sure information is accurate.
• Have safeguards in place.
• Be open about the information you collect.
• Allow customer access to his or her own information.
FIPP 1, 2, 3 and 4

Email
Does your company use email in its business?
• What to do
  - Don’t use false or misleading header information.
  - Don’t use deceptive subject lines.
  - Identify the message as an ad.
  - Tell people where you are located.
  - Tell people how to opt out.
  - Honor opt-out requests promptly.
  - Monitor third-parties acting on your company’s behalf.
  - Establish requirements for commercial messages.
• Why you should care
  - Each separate email that violates CAN-SPAM is subject to penalties up to $16,000.00!
For more info visit: http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business
FIPP 1, 2 and 5

Mobile Apps
Does your company use mobile apps?
• Does your app have a privacy policy?
  - Why you should care: The collection and use of customer data has to comply with various laws.
  - Best practices: Have a policy in place.
• Is your company collecting information?
  - Why you should care: Your company is responsible for the data it collects.
  - Best practices: Read the policies from the companies your company works with.
• What does your company do with the information it collects?
  - Why you should care: What you can do with the data depends on the type of data you have.
  - Best practices: Get consent from customers to store their information with a third-party.
• Does your company use third-party apps to connect customers to your business?
  - Why you should care: You need to make sure third-parties follow the same laws your company is required to follow regarding customer data.
  - Best practices: Keep customers informed.
• Does the third-party app maker have a secondary right to use the data it collects?
  - Why you should care: Your company is responsible for the third-party’s use of that data.
  - Best practices: Thoroughly review the contract; use providers who do not use your data.
• Are your customers aware that data in transit is not secure?
  - Why you should care: Avoid liability for a breach in the transmittal.
  - Best practices: Warn your customers.
FIPP 1 and 2

Third-Parties
Does your company transmit information to third-parties?
• Does the third-party securely store the information?
  - Why you should care: Your company is responsible for the data it transmits.
  - Best practices: Research the company.
• Does the third-party securely dispose of the information?
  - Why you should care: Your company is responsible for the data it transmits.
  - Best practices: Have a contract.
• Does your company have a right to audit?
  - Why you should care: Your company should be able to monitor the third-party’s work.
  - Best practices: Get consent from customers to store their information with a third-party.
• Is the third-party following the laws your company is required to follow?
  - Why you should care: Your company is responsible for the data.
  - Best practices: Use a well-known company.
• Does the third-party have a secondary right to use the data it transmits or stores?
  - Why you should care: Your company is responsible for the third-party’s use of that data.
  - Best practices: Thoroughly review the contract; select providers who do not use your data.
• Does the third-party have a disaster recovery plan?
  - Why you should care: Your company is responsible for the data it transmits.
  - Best practices: Do not select your third-party partner based on lowest price.
• Where is the third-party storing the information (in the U.S. or abroad)?
  - Why you should care: Your company may not have access to the data, or the data may be subject to foreign laws if stored in another country.
  - Best practices: Use a company with servers located in the U.S.
FIPP 2 and 4

Law Enforcement
Are you required to turn over information to law enforcement?
• Considerations
  - What information is your company required to turn over?
  - Is your company willing to fight such information requests?
  - Does your company have to refrain from notifying the individual whose information is being requested?
  - Is your company required to possibly take down information from a website?
• Best practices
  - Call an attorney!
FIPP 2 and 4

Strategic v. Operational
• Strategic Responsibilities
  - Create a vision that is privacy focused. That will help shape and determine how your company will interact with customers and with legal, social and ethical issues.
  - Develop an overall master plan to ensure that the company’s efforts are all headed in a common direction.
  - Identify the human, financial and other resources allocated to achieve your company’s goals.
  - Coordinate with those in charge of operations to make sure your company is following a unified vision.
• Operational Responsibilities
  - Figure out what information your company is collecting, where it is stored, how it is being protected and how it is being disposed of.
  - Talk to and train employees about best practices, and create policies that will protect employees and customers.
  - Develop a plan to implement your company’s policies and practices.
  - Conduct a risk assessment to assess your policies and mitigation strategies.
FIPP 1, 2, 3 and 4

In Summary
• What is private information?
• The Five Pillars of Privacy.
• Small businesses have obligations to protect the privacy of:
  - Potential and Current Employees; and
  - Customers.
• Breach:
  - What can happen to your company?
  - How should you protect your company?
FIPP 1, 2, 3 and 4

Call to Action
1. Assessment
• Examine your company from the ground up.
• This includes all your files, policies, data, employee training records, etc.
• Identify and remediate any compliance gaps with applicable laws.
2. Privacy by Design
• Embed privacy into your data management processes.
• Embed privacy into each initiative or service before it launches.
• Going forward, always consider why your company is collecting the data it does, keep it only as long as necessary, and safely dispose of it.
FIPP 1, 2, 3 and 4

Appendix A – Document Destruction
• “Company shall retain records for the period of their immediate or current use, unless longer retention is required by law or to comply with contractual requirements. Such records outlined in this policy include, but are not limited to: paper, electronic files, and voicemail records regardless of where the document is stored, including network servers, desktop or laptop computers and handheld computers and other wireless devices or telephones with text messaging and/or instant messaging capabilities. Hardcopy documents will be destroyed by shredding according to the document retention schedule. Electronic copies will be destroyed by proven means to destroy such data according to the document retention schedule.”
• Helpful resources
  - FTC Disposal Rule: http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf
  - FTC: http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-newrule-tells-how
  - The Watershed Institute: http://www.thewatershedinstitute.org/resources/publications/FinalDocPolicy.pdf
FIPP 1, 2 and 4

Appendix B – Security
• Helpful resources
  - SANS Institute – www.sans.org
    - This website contains a number of sample security policies, including for computers, emails, HIPAA, mobile and wireless.
    - View a primer on developing security policies: http://www.sans.org/securityresources/policies/Policy_Primer.pdf
  - InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/awareness/ultimate-defense-depthsecurity-awareness-company_395
FIPP 1 and 4

Appendix C – BYOD Policy Considerations
• It is important for your company to create a BYOD policy before allowing any employee to BYOD. For more information: http://www.citrix.com/site/resources/dynamic/additional/byod_best_practices.pdf
• Policies should include:
  - Employee responsibilities for devices;
  - Eligibility requirements and limitations for devices;
  - Limiting applications and/or data access;
  - Reservation of the right to wipe company data and/or the entire device;
  - A disclaimer of any liability for loss of personal applications or data;
  - Any other restrictions, including but not limited to the use of browsers, wireless or other services;
  - Payment for the devices.
• Security policy considerations include:
  - Required use of a whole-device password and/or requirements for when passwords must be changed;
  - The process for handling lost/stolen devices;
  - Timeline requirements for reporting lost/stolen devices;
  - Enforcement of password and other security measures;
  - Repair and/or upgrade of devices;
  - Requirement to install software.
FIPP 1, 2 and 4

Appendix D – Privacy
• Helpful resources
  - FTC:
    - http://www.ftc.gov/opa/2012/03/privacyframework.shtm
    - http://www.ftc.gov/privacy/coppafaqs.shtm
    - http://business.ftc.gov/documents/bus55-getting-noticed-writing-effective-financial-privacynotices
    - Video: http://business.ftc.gov/privacy-and-security
  - For mobile app developers visit: https://www.cdt.org/report/best-practices-mobile-applicationsdevelopers
FIPP 1, 2 and 4

Additional Resources
• Illinois’s Personal Information Protection Act (815 ILCS 530/1): http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67
• Illinois’s Right to Privacy in the Workplace Act (820 ILCS 55/): http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2398&ChapterID=68
• Information Security and Security Breach Notification Guidance by the Illinois Attorney General’s Office: http://illinoisattorneygeneral.gov/consumers/Security_Breach_Notification_Guideance.pdf
• Driver’s Privacy Protection Act (18 U.S.C. 2721-2725): http://www.accessreports.com/statutes/DPPA1.htm
• The Privacy Act and The Freedom of Information Act: http://www.ssa.gov/privacyact.htm
• Cloud Computing and Privacy: http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/pages/cloudcomputingandprivacy.aspx; http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-cloud
• Federal Communications Commission Cyber Security Planning Guide: http://transition.fcc.gov/cyber/cyberplanner.pdf