SMALL BUSINESSES
PRIVACY CONSIDERATIONS
February 2013
1
How Privacy Impacts Your Business
•
Legislative
•
Technological
•
Trust
Two Primary Considerations
Employees
Customers
Hiring
Information Collection
Policies
Information Storage
Termination
Information Destruction
Potential and Current Employees
Initial Considerations
•
•
Does your company run background checks on potential employees?
•
Does your company permit or encourage employee use of personally-owned
devices (e.g., smartphones, tablet computers, laptops) in the company
network or to conduct company business?
•
Does your company train employees on various privacy and security issues?
Does your company monitor employee use of email and/or other employee
online activity at work?
FIPP 1 and 4
Background Checks
Is your company performing background checks on potential employees?
Issues to Consider
Why You Should Care
Best Practices
How are you obtaining the
information?
Your company could run afoul of
various discrimination laws or obtain
false information.
Use reputable companies. If using
social media, insulate the hiring
decision maker from the person
performing the check. Do not ask for
social media passwords or friend
potential employees.
How are you safeguarding
the information?
Your company is responsible for the
data it gathers.
Secure physical information and only
share with those who need to know.
Also make sure electronic information is
secure.
How are you disposing of the
information?
The company you use for the
background check may be a consumer
reporting agency under the FCRA.
See Appendix Item A on Document
Destruction.
FIPP 1 and 4
Fair Credit Reporting Act (“FCRA”)
Is your company performing credit checks on potential employees?
Issues to Consider
Why You Should Care
Best Practices
How are you obtaining the
information?
Avoid violating the FCRA.
Use reputable companies and obtain
consent from the prospective employee.
How are you safeguarding the
information?
Your company is responsible
for the data; see FTC
Disposal Rule (Appendix A).
Secure physical information and only
share with those who need to know.
Also make sure electronic information is
secure.
How are you disposing of the
information?
FTC Disposal Rule.
See Appendix A regarding Document
Destruction.
FIPP 1, 3 and 4
For more information visit: http://www.ftc.gov/os/statutes/fcrajump.shtm
Policies
Does your company have:
Security policies?
Email policies?
Privacy policies?
Social media policies?
FIPP 1 and 4
Employee Monitoring
Does your company have an employee handbook?
Issues to Consider
Why You Should Care
Best Practices
Do you have cameras in the
workplace?
Without notice to employees, you
may be violating employees’ privacy
by recording them.
Make sure you have an employee
handbook that tells employees how
they will be monitored in the
workplace.
Do you monitor employee emails,
computers, telephone calls, SMS or
IM messages?
Without notice to employees, you
may be violating employees’ privacy
by recording them.
Make sure that all company policies
are applied equally.
Do your employees take work out of
the office?
Your company has a duty to protect
the information.
See Appendix B for some sample
policy language.
FIPP 1, 2 and 4
Bring Your Own Devices
Does your company allow employees to use their own devices?
Issues to Consider
Why You Should Care
Best Practices
Does your company allow employees
to use their own devices for company
work?
Your company has a duty to protect
company and customer information.
Create a policy that includes what is
and is not allowed as well as employee
responsibilities.
Should your company create a use
policy?
Your company wants to ensure that only
the employee is using the device.
Create an acceptable use policy.
Should your company provide
support for the end-user?
If there is a problem with a mobile device,
the employee may go to an outside
source to fix the problem and
inadvertently expose company or
customer data.
Have a policy in place whereby your
company’s IT department will handle
the problem or consider having an
acceptable and vetted professional to
handle company issues.
Should your company have a policy
violations clause?
Consider what employees cannot do with
information so that if an issue arises, your
company is prepared.
Consider if violations should be treated
differently, and if so, apply the penalties
evenly across the board.
See Appendix C for more information.
FIPP 1 and 4
Cloud Computing
Does your company store information in the cloud?
Issues to Consider
Why You Should Care
Best Practices
Does the cloud company securely
store the information?
Your company is responsible for the data
it transmits.
Research the company.
Does the third-party securely dispose
of the information?
Your company is responsible for the data
it transmits.
Have a contract.
Who will have ownership of the data?
Your company needs to ensure full
ownership and rights to your data.
Do not settle for anything less than full
ownership and rights.
Is the third-party following the laws
your company is required to follow?
Your company is responsible for the data.
Use a well-known company.
In what type of format will the data be
stored?
Your company needs to be able to access
your data in a readable form.
Request back-up or access to data
archives in a common readable format.
Does the third-party have a disaster
recovery plan?
Your company is responsible for the data
it transmits.
Do not select your third-party partner
based on lowest price.
Where is the third-party storing the
information (in the U.S. or abroad)?
Your company may not have access to
the data or the data may be subject to
foreign laws if stored in another country.
Use a company with servers located in
the U.S.
FIPP 1 and 4
Employee Training
Security
Privacy
Take Stock.
Know what personal information
your company has in its files and its computers.
Privacy By Design.
Scale Down.
Only keep the information the
company needs for its business.
Simplified Choice. Companies should give
Lock It.
Greater Transparency.
Protect the information that your company
keeps.
Privacy should be built in
every stage of business development.
consumers the choice to decide what information is
shared.
Companies should
disclose use of information.
Securely Dispose.
Properly dispose of the
information your company no longer needs.
Plan Ahead.
Create a plan for responding to
security incidents.
See Appendix B for sample language.
FIPP 1 and 4
See Appendix D for sample language.
Customers
Initial Considerations
•
Does your company collect customer information?
-
What types?
- Financial
- Health
•
Does your company have policies in place about what your company does
with customer information?
•
How does your company store customer information (both physically and
electronically)?
•
•
•
How long does your company need customer information?
How does your company dispose of customer information?
Does your company collect information from children?
FIPP 1, 2 and 4
Policies
What to do with a customer’s personal information
Identify the purposes of the data use.
Limit retention of information.
Obtain consent.
Make sure information is accurate.
Limit collection of information.
Have safeguards in place.
Limit use of information.
Be open about the information you
collect.
Limit disclosure of information.
Allow customer access to his or her own
information.
FIPP 1, 2, 3 and 4
Email
Does your company use email in its business?
What to do
Why You Should Care
Why do you care?
Identify the message as an ad.
Don’t use false or misleading header
information.
Each separate email that violates CANSPAM is subject to penalties up to
$16,000.00!!!
Tell people where you are located.
Don’t use deceptive subject lines.
Tell people how opt out.
Monitor third-parties acting in your
company’s behalf.
Establish requirements for commercial
messages.
Honor opt-out requests promptly
For more info visit: http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business
FIPP 1. 2 and 5
Mobile Apps
Does your company use mobile apps?
Issues to Consider
Why You Should Care
Best practices
Does your app have a privacy policy?
The collection and use of customer
data has to comply with various laws.
Have a policy in place.
Is your company collecting information?
Your company is responsible for the
data it collects.
Read the policies from the companies
your company works with.
What does your company do with the
information it collects?
Depending on the data you have,
determines what you can do with it.
Get consent from customers to store
their information with a third-party.
Does your company use third-party apps to
connect customers to your business?
You need to make sure third-parties
follow the same laws your company is
required to regarding customer data.
Keep customers informed.
Does the third-party app maker have a
secondary right to use the data it collects?
Your company is responsible for the
third-party’s use of that data.
Thoroughly review the contract; use
providers who do not use your data.
Are your customers aware that data in
transit is not secure?
Avoid liability for a breach in the
transmittal.
Warn your customers.
FIPP 1 and 2
Third-Parties
Does your company transmit information to third-parties?
Issues to Consider
Why You Should Care
Best practices
Does the third-party securely store the
information?
Your company is responsible for the
data it transmits.
Research the company.
Does the third-party securely dispose of
the information?
Your company is responsible for the
data it transmits.
Have a contract.
Does your company have a right to
audit?
Your company should be able monitor
the third-party’s work.
Get consent from customers to store
their information with a third-party.
Is the third-party following the laws your
company is required to follow?
Your company is responsible for the
data.
Use a well-known company.
Does the third-party have a secondary
right to use the data it transmits or
stores?
Your company is responsible for the
third-party’s use of that data.
Thoroughly review the contract;
select providers who do not use your
data.
Does the third-party have a disaster
recovery plan?
Your company is responsible for the
data it transmits.
Do not select your third-party partner
based on lowest price.
Where is the third-party storing the
information (in the U.S. or abroad)?
Your company may not have access to
the data or the data may be subject to
foreign laws if stored in another country.
Use a company with servers located
in the U.S.
FIPP 2 and 4
Law Enforcement
Are you required to turn-over information to law enforcement?
Considerations…
Best practices
What information is your company required to
turn-over?
Call an attorney!
Is your company willing to fight such information
requests?
Does your company have to refrain from notifying
the individual whose information is being
requested?
Is your company required to possibly take-down
information from a website?
FIPP 2 and 4
Strategic v. Operational
Strategic Responsibilities
Operational Responsibilities
Create a vision that is privacy focused. That will
help shape and determine how your company will
interact with customers, legal, social and ethical
issues.
Figure out what information your company is
collecting, where it is stored, how it is being
protected and how it is being disposed.
Develop an overall master plan to ensure that the
company’s efforts are all headed in a common
direction.
Talk to and train employees about best practices;
and create policies that will protect employees
and customers.
Identify the human, financial and other resources
allocated to achieve your company’s goals.
Develop a plan to implement your company’s
policies and practices.
Coordinate with those in charge of operations to
make sure your company is following a unified
vision.
Conduct a risk assessment to assess your
policies and mitigation strategies.
FIPP 1, 2, 3 and 4
In Summary
•
•
•
What is private information?
The Five Pillars of Privacy.
Small businesses have obligations to protect the privacy of:
-
•
Potential and Current Employees; and
Customers.
Breach:
-
What can happen to your company?
How should you protect your company?
FIPP 1, 2, 3 and 4
Call to Action
1. Assessment
• Examine your company from the ground up.
• This includes all your files, policies, data, employee training records, etc.
• Identify and remediate any compliance gaps with applicable laws.
2. Privacy by Design
• Imbed privacy into your data management processes.
• Embed privacy into each initiative or service before it launches.
• Going forward, always consider why your company is collecting the data it does,
keeps it only as long as necessary, and safely disposes of it.
FIPP 1, 2, 3 and 4
Appendix A – Document Destruction
•
“Company shall retain records for the period of their immediate or current use, unless longer
retention is required by law or to comply with contractual requirements. Such records outlined in this
policy include, but are not limited to: paper, electronic files, and voicemail records regardless of
where the document is stored, including network servers, desktop or laptop computers and
handheld computers and other wireless devices or telephones with text messaging and/or instant
messaging capabilities. Hardcopy documents will be destroyed by shredding according to the
document retention schedule. Electronic copies will be destroyed by proven means to destroy such
data according to the document retention schedule.”
•
Helpful resources
-
FTC Disposal Rule: http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf
FTC: http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-newrule-tells-how
The Watershed Institute:
http://www.thewatershedinstitute.org/resources/publications/FinalDocPolicy.pdf
FIPP 1, 2 and 4
Appendix B – Security
•
Helpful resources
-
SANS Institute – www.sans.org
- This website contains a number of sample security policies, including for computers,
emails, HIPAA, mobile and wireless.
- View a primer on developing security policies: http://www.sans.org/securityresources/policies/Policy_Primer.pdf
InfoSec Reading Room:
http://www.sans.org/reading_room/whitepapers/awareness/ultimate-defense-depthsecurity-awareness-company_395
FIPP 1 and 4
Appendix C – BYOD Policy Considerations
•
•
•
It is important for your company to create a BYOD policy before allowing any employee to BYOD.
For more information: http://www.citrix.com/site/resources/dynamic/additional/byod_best_practices.pdf.
Policies should include:
-
•
Employee responsibilities for devices;
Eligibility requirements and limitations for devices;
Limiting applications and/or data access;
Reservation of the right to wipe company data and/or the entire device;
A disclaimer of any liability of loss of personal applications or data;
Any other restrictions including but not limited to the use of browsers, wireless or other services;
Payment for the devices.
Security policy considerations include:
-
Require use of whole device password and/or requirements for when passwords must be changed;
The process for handling lost/stolen devices;
Timeline requirements for reporting lost/stolen devices;
Enforcement of password and other security measures;
Repair and/or upgrade of devices;
Requirement to install software.
FIPP 1, 2 and 4
Appendix D – Privacy
•
Helpful resources
-
-
FTC:
- http://www.ftc.gov/opa/2012/03/privacyframework.shtm
- http://www.ftc.gov/privacy/coppafaqs.shtm
- http://business.ftc.gov/documents/bus55-getting-noticed-writing-effective-financial-privacynotices
- Video: http://business.ftc.gov/privacy-and-security
For mobile app developers visit: https://www.cdt.org/report/best-practices-mobile-applicationsdevelopers
FIPP 1, 2 and 4
Additional Resources
•
Illinois’s Personal Information Protection Act (815 ILCS 530/1):
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67.
•
Illinois’s Right to Privacy in the Workplace Act (820 ILCS 55/):
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2398&ChapterID=68.
•
Information Security and Security Breach Notification Guidance by the Illinois Attorney General’s Office:
http://illinoisattorneygeneral.gov/consumers/Security_Breach_Notification_Guideance.pdf.
•
Driver’s Privacy Protection Act (18 U.S.C. 2721-2725):
http://www.accessreports.com/statutes/DPPA1.htm.
•
•
The Privacy Act and The Freedom of Information Act: http://www.ssa.gov/privacyact.htm.
•
Cloud Computing and Privacy:
http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/pages/cloudcomputingandpriv
acy.aspx; http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-cloud.
Federal Communications Commission Cyber Security Planning Guide:
http://transition.fcc.gov/cyber/cyberplanner.pdf.