Melanie Wyne is a senior policy representative for the National Association of Realtors®. She can be reached at firstname.lastname@example.org.
Protect Their Privacy
With federal legislation in the works, now's the time to revisit your company's policy for dealing with sensitive customer data.
October 1, 2010
Having a policy in place for dealing with the sensitive personal information you collect from customers is more than just smart business. In most states, it’s the law, and soon, there may be a federal baseline requirement in place.
So if you don’t have a corporate policy regarding customer data—or haven’t revisited your policy in a while—now’s the time to take action.
In a survey conducted earlier this year by the NATIONAL ASSOCIATION OF REALTORS®, a quarter of REALTORS® said they collect Social Security numbers and 12 percent said they collect financial account numbers from customers.
More than 80 percent of practitioners weren’t sure whether their state had consumer privacy laws—even though nearly every state does.
State laws typically cover specific types of data, such as personal health or financial information, and spell out what businesses must do in the event of a security breach. (To see what’s in effect in your state, visit the National Conference of State Legislatures Web site.)
Hot Topic on the National Level
On top of those state laws, Congress and several regulatory bodies—including the Federal Trade Commission, Federal Communications Commission, and the U.S. Commerce Department—are working on new rules that will give consumers more control.
In the House, Rep. Bobby Rush (D-Ill.) has introduced the Best Practices Act, H.R. 5777, which establishes consumer privacy rights and sets forth obligations for companies that collect sensitive data. If the bill passes, businesses that collect names, postal and e-mail addresses, phone numbers, Social Security numbers, and information that’s classified as a “unique persistent identifier” (for example, your computer’s unique address) must include a notice that explains what information is collected, what it’s used for, and who sees it. Also, businesses must allow consumers to opt out.
Information that’s deemed sensitive—such as personal financial and health information—will be off-limits to you unless you get permission from your customer. Financial account information falls into this sensitive category.
How Can I Prepare?
The federal legislation is expected to move forward in 2011. But whether or not a new law results, privacy measures are likely to come out of the regulatory agencies. In the meantime, there are some common-sense steps you can take to get your policies in better shape.
The Federal Trade Commission says a sound data security plan is based on these five principles:
1. Take stock.
What types of customer information are in your paper files and on your computer? You probably have bank statements and forms with clients’ Social Security and driver’s license numbers. Understand how this information moves into, through, and out of your business.
2. Scale down.
If you don’t have a legitimate business reason to have sensitive information in your files or on your computer, don’t keep it.
3. Lock it.
Be aware of physical security, electronic security, and the practices of your vendors. Decide which information should be password-protected and who can access it.
4. Pitch it.
Dispose of what you no longer need, but do so in a secure way. Documents containing personal information should be destroyed.
5. Plan ahead.
Create a plan for responding to security incidents. How will you notify people? What agency will you notify? What other actions will you take?
The best time to start crafting a data security plan is the present. For more FTC resources on strengthening your policy, visit www.FTC.gov/infosecurity.