skip to main content

Emerging from the COVID Bubble: Five Data Security Actions Every Company Should Take Today

October 8, 2021

Peter McClelland, CIPP/US

Ward and Smith

View Full Article

It is no secret that during the COVID-19 pandemic, technology, data, and the interconnectedness of our digitized world were a lifeline to North Carolina businesses.

Companies that were told they could not have customers in stores or employees in the office were able to pivot and sell their products and services online. Remote work allowed employees to shelter in place and keep their livelihoods going by being able to contribute to their teams without the fear of infection.

It truly was a miracle for so many, but without taking the proper steps to protect a business’s data in the long term, that miracle may wind up bringing serious harm to a company in the future.

There are five actions all North Carolina businesses should take today to maximize their data security position in an economy exiting the COVID-19 pandemic.

#1: Protect Personal Information

Protecting personal information is not just good business practice; it is the law. Having unreasonably lax data security protections can lead to devastating consequences for a business as they grapple first with the cost of getting a malicious actor out of their systems; second with the legal compliance costs of notifying individuals and vendors about the information that was stolen; and then possibly third with lawsuits and class actions that allege the business should have done more to protect the information.

“Personal information” is also a broader category of data than many might think, and can include your full name, email address, street address, and phone number, in addition to more sensitive information like an account number or a social security number.

Working with an expert to close gaps—both technological and human—in a data protection program is a vital step for protecting a business from these problems.

#2: Review Your Privacy Policy

The very websites that businesses rely upon to let consumers, prospective employees, and everyone else know about their products, services, culture, and values often collect personal information. This information can be incredibly helpful for businesses looking to improve their online presence and hone their direct marketing. However, the business could have legal exposure if their Privacy Notice and Terms of Use—the agreements that will govern the website user’s use of the page and the business’s use of any personal information—are not tailored to the business’s goals.

North Carolina businesses should review their Privacy Notice and make appropriate adjustments in light of how they are using information post-pandemic.

#3: Review Your Online Presence and Marketing Practices

A patchwork of federal and state laws across America can make it easy for marketing efforts to run afoul of legal requirements. New developments can impact who a business can call or text about their products and services, what content may be required in the body of a marketing email, and when a business has to get additional consents before using a person’s information at all.

For example, not getting proper consent before texting prospective customers can result in class action lawsuits. Not appropriately managing opt-out requests can result in regulatory investigations and enforcement actions. And operating a website that cannot accommodate consumers with disabilities—such as visual impairment—has resulted in lawsuits against North Carolina businesses.

Businesses should conduct a comprehensive review of their online marketing to ensure the accessibility, data privacy, and consent practices are in place for content, both new and old.

#4: Consider the Residence of Your Customers

There is no overriding federal data privacy law, so a business has to consider laws in all states or countries that could apply to them. Just because a business is headquartered in North Carolina does not mean only North Carolina privacy laws govern the customers of that business.

The myriad of laws governing privacy and data security is especially concerning for companies with customers or employees in multiple states because the laws that apply are determined by the residence of the people affected. And importers and exporters may also have to comply with foreign laws, which often contradict American industry standards. That means that it is easy for even a small company to have to navigate a maze of different rules and regulations.

Carefully examine what data privacy rules are applicable in each of the locations where you have customers, and develop a strategy to handle data that limits the liability in each state or country.

#5: Invest in Human Capital

While there are strong, practical tech solutions that can help an organization navigate online data security and protect personal information, the most important risk to address is the human element.

The lessons businesses learned from the pandemic about moving products and services online, having employees work remotely when needed, and perfecting their ability to adapt will serve them well. But as we bring the lessons learned in the last eighteen months back into a world that is more “normal,” it is important to have an expert on any business’s team to guide that human element to a solid foundation.

Make sure you have a team, or at least a team member, keeping abreast of the privacy and data security considerations that may impact your business or your customers. Educate your workforce on data security issues, and take the time to bring these issues into the regular conversation at work. Strengthen your internal policy and process so that data security is part of your company culture.

With these five priorities, North Carolina businesses will mitigate risk with a current post-pandemic data privacy and security posture.

THIS ARTICLE FIRST APPEARED IN THE AUGUST 2021 EDITION OF BUSINESS NORTH CAROLINA.

--
© 2021 Ward and Smith, P.A. For further information regarding the issues described above, please contact Peter N. McClelland, CIPP/US.