Why and How Your Business Should Protect Sensitive Customer Data

With the battle over data privacy between Apple and the Department of Justice at the forefront of the news cycle, business owners across the country are likely asking themselves: what responsibilities do I have in protecting sensitive customer data?

Firstly, the government has enacted a number of statutes and regulations to further its interest in ensuring that business owners protect sensitive customer data. From the Gramm-Leach-Bliley Act, to HIPAA, to Sarbanes-Oxley, there are numerous laws which give the government the ability, in certain circumstances, to impose monetary fines and legal costs if a business fails to safeguard this information.

Additionally, consumers expect their data to be protected. A Pew Research Center survey found that over half of internet users believe – incorrectly – that the mere existence of a privacy policy means that a business will keep their personal information confidential¹. Customers may feel betrayed and stop doing business with a company if they learn of a cybersecurity breach. For example, one study found that as many as 36% of retail customers will shop less frequently at a retailer that has experienced a security breach².

Finally, in addition to potential penalties that may be imposed by the government and a loss of business, a breach of customer data will bring about other costs. A business will likely experience increased expenses for IT professionals, public relations efforts, insurance premiums, and legal assistance as it seeks to mitigate the damages caused by the breach. Aside from the monetary expenditures, a business’s reputation will also be at stake.

A business owner should consider taking the following steps to protect their business:

  • Delegate responsibility now to individuals who are likely to be involved in a response effort. Do you have the necessary personnel within your business to respond, or will you need to seek outside assistance?
  • Create a plan for how you will notify customers. While the relevant laws do specify how customers should be notified, you will want to produce a notice which is both legally compliant and also customer-friendly.
  • Follow the FTC’s “10 Practical Lessons” for businesses³.
  • Consult an attorney to gain an understanding of what legal and regulatory duties apply to your specific industry.

¹ Aaron Smith, Half of Online Americans Don’t Know What a Privacy Policy Is, PEW RESEARCH CTR. (Dec. 4, 2014), https://perma.cc/A7R5-JWZ2.

² Interactions Finds 45 Percent of Shoppers Don’t Trust Retailers to Keep Information Safe, PR NEWSWIRE (Jul. 1, 2014), https://perma.cc/QQ36-ANN3.

³ Start with Security: A Guide for Business, FEDERAL TRADE COMMISSION (Jun. 2015), https://perma.cc/F52J-NYQE.

As the law continues to evolve on these matters, please note that this article is current as of date and time of publication and may not reflect subsequent developments. The content and interpretation of the issues addressed herein is subject to change. Cole Schotz P.C. disclaims any and all liability with respect to actions taken or not taken based on any or all of the contents of this publication to the fullest extent permitted by law. This is for general informational purposes and does not constitute legal advice or create an attorney-client relationship. Do not act or refrain from acting upon the information contained in this publication without obtaining legal, financial and tax advice. For further information, please do not hesitate to reach out to your firm contact or to any of the attorneys listed in this publication.
