In the July issue, we reviewed several ways to protect yourself and your business from lawsuits and claims involving invasion of privacy. In addition to protecting your customers’ “physical and personal privacy” when tanning at your salon, your business also has a legal obligation to protect their personal information, including credit card and Social Security numbers, bank account numbers and all related info.
There are state and federal laws, including Federal Trade Commission regulations that require businesses to play an active role in the identification, mitigation and prevention of identity theft and/or the misappropriation of what is considered personal data.
“Identity theft,” which is one of the most flagrant forms of privacy invasion, means a fraud committed or attempted using another person’s personal data without authority to do so.
NOTE: In many cases, the fact that the business owner took measures to properly train staff and design their business to ensure privacy helped to limit their liability for such claims.
Let’s continue the discussion with the methods you can use to protect your customers’ personal and financial info.
- Who has access to your customers’ data?
All staff who have access to your customers’ personal info should be trained on how to handle it and keep it confidential. They should also be required to sign a Non-Disclosure Agreement (or similar statement) that acknowledges understanding of what is considered to be confidential, and the procedures used for protecting such info.
- How is your customers’ personal info stored and protected?
Make a list of all computers, laptops, mobile devices, flash-drives, discs, home computers, digital copiers and other equipment used to store sensitive data – and who has access to those devices.
Hard copies of cash and credit card receipts, etc. should never be left on or behind the sales counter. They should be transferred to a secure area immediately after processing.
EFT membership forms and applications contain a wealth of vital personal info. Whether recorded and stored electronically or manually, you must have procedures in place for protecting their content.
Many data compromises happen the old-fashioned way: through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee.
Store paper documents or files, as well as thumb-drives, etc. containing personally identifiable info under lock and key. Limit access to staff with a legitimate business need and control who has a key.
Require that files containing personally identifiable info be kept in locked cabinets, except when an employee is working on the file. Remind staff not to leave sensitive papers out on their desks when they are away from their workstations.
Require staff to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
Implement appropriate access controls for your building. Tell staff what to do and whom to call if they see an unfamiliar person on the premises.
If you have devices that collect sensitive info, like PIN pads, secure them so that identity thieves can’t tamper with them. Also, inventory those items to ensure that they have not been switched.
- Employee Information & Job Applications
In addition to protecting your customers’ info, you must also protect your staff’s information. Job applications contain Social Security numbers, addresses, cell phone numbers, etc.
Glaring Example of Privacy Invasion:
A “gourmet coffee shop” employee spent two years operating a scheme out of a location inside the Cleveland Hopkins International Airport. During that two-year period, she stole personal info provided on job applications and used it to apply for and abuse 65 different credit cards and rack up a total of $115,000 in fraudulent charges!
Customers and staff have an expectation of “privacy” when they share their personal data with you. And you, as the business owner, are legally bound and obligated to protect such information.
In the event that staff or a customer reports any act that could be construed as privacy invasion, it is your responsibility to document it and take appropriate corrective actions. Be sure that your business insurance policy covers privacy invasion and that the coverage is sufficient to handle the cost of potential claims and litigation.