Monday, December 30, 2013

Data Security Guide: Communicating Your Data Security Program to Your Customers

Telling your customers that you have a data security policy in place will both build their trust and differentiate you from your competitors.

Getting Started

There is a sensible line to walk when communicating your data security plan. You need to a) decide how much you communicate (too much detail will help criminals); b) ensure your communication is accurate; and c) put what you promote into action on an ongoing basis.
  1. Information to share.
  2. Information NOT to share.

Checklists

  1. Information to share.
    • Obtain a third-party seal that verifies your small business uses an appropriate level of security to protect your website, or your Internet transactions. This can be a visual tool to communicate to customers that you have qualified for a level of certification — which is something some customers may look for.
    • Make sure that whatever information you communicate to your customers about how you protect their data is accurate and is up-to-date. For example, if you tell consumers that you keep their information on computers that you own, and then you contract with another company to provide off-site computer storage space, make sure that you reflect your new practices in your public policies.
    • Tell customers what you will do in the event that you discover that their information has been lost or stolen. 
  2. Information NOT to share.
    • DO NOT share detailed information about your security systems. Remember, criminals see what your customers see, and they can use public information about your security systems to evade them (e.g., the encryption software you use, or where you store documents).
    • DO NOT tell customers that there is no risk of ID Theft, or that their information is “100% safe.” No matter how hard you try to protect customer information, there is always a chance that someone may obtain and misuse it.
    • DO NOT guarantee or promise that customers’ information can never be lost or stolen unless you tell customers what you will do if that promise is broken.

U.S. Legal Requirements

Generally, small businesses are not required under federal or state law to make public how they protect information.
However, if a small business chooses to publish information about how it protects the sensitive personal information it keeps, how it spots identity theft, how it responds when data is lost or stolen, or how it disposes of data, then the Federal Trade Commission Act and the consumer protection statutes of almost every state and territory prohibit the business from making false or deceptive statements.