As many lawyers with business clients are aware, laws applicable to the protection of personally identifiable information (PII) seem like large, gray clouds hanging over customer and business transactions – both ominous and yet undefined.
Given the changes associated with the protection of PII, the question becomes how best to comply.
But an even more preliminary question each firm should ask – in actuality, should deeply assess – is what information does it need to keep in its systems on its customers?
Why over What
The bare fact of the matter is that the less data a firm has in its servers, the less likely it is to be a target of data thieves.
Eric A. Johnson, Mitchell Hamline 1994, is the in-house counsel for a group of family-owned companies in River Falls, where he specializes in herding cats.
In this age of privacy laws, it may be helpful for a company to look at customer data initially from the perspective of a breach, instead of from the needs of marketing. Asking “why do we need this data?” instead of “what data do we need?” may be the better question.
The justification for this, is that the penalties are so draconian, especially given the fact that the penalties generally apply per person per violation.1
The obvious target of data thieves are entities storing lots of personal data, especially financial data. Studies have shown that financial data is the primary target data thieves are looking to steal, followed by passwords and credentialing data.2
Mitigating Chance of Loss
One area where companies should look to reduce their data footprint is payment transactions. If a company collects all of the data from a credit card, and then keeps it, it can then be stolen. If your business client uses a payment platform, like PayPal®, Venmo®, or Square®, then all of the credit card data is collected and processed by a third party, and the only thing your client sees is the money.
If there is a concern about credentialing data or authentication information, determine if your client’s business needs to have accounts where customers sign in. Many business are trying to monetize their web presence or to otherwise encourage customers to come back repeatedly and buy online. Online accounts are becoming ubiquitous. If your client is in this situation, assess exactly what information the business needs to readily identify customers.
But remember, if just an email address and a password are all that is required, your client may still have authentication data and may still have PII.
For instance, if I worked for the State Bar of Wisconsin with an email address of email@example.com, that email address constitutes private data under many laws.3 The combination of first and last name along with the name of the employer gives significant information to someone with bad intent. Combine such an email address with the password customers created for their online accounts, and it becomes evident why even collecting simple information can set a company up for a violation of data privacy laws.
Which Customer Data Should You Keep?
Once customers establish a relationship and order from a business, each business stores that customer history. Businesses often think that a customer’s history of orders is the best way to establish that long-term, close business relationship that keeps the customer coming back for more. Depending on the type of business, however, order history could also prove problematic.4
Customer sales history also raises the issue of data retention. How often should data on a customer’s prior purchases be deleted? How should a company treat an ongoing customer’s data versus a one-and-done?
Business should also look closely at data retention obligations and determine just how long is long enough to keep data. Remember, the theft of stored data from long-ago transactions can exacerbate claims resulting from a data breach.
Have a Conversation
As part of any effort to protect customer data, a business should talk to experts in data retention and protection. Issues such as encryption at rest, encryption in transit, and cloud encryption are all issues a business will want to learn more about, in order to assess what is best for each business and its customers.
Such a conversation should also include the benefits/detriments of the sale of customer data. Many businesses earn significant sums from third parties on the sale of the data they learn from and keep on their customers. But, in order to earn such sums, the data sold must be of value – which likely means it is detailed and includes PII, making it all the more attractive for data thieves.
Thus, in order to have data to sell, companies must spend significantly on the tools to keep such data protected. An open and honest conversation with your business clients about the return on such sales, given the overhead costs associated with keeping it safe, could prove helpful.
Conclusion: Critical for Clients, Good for Business
Many clients may balk at spending time and money securing customer data, especially in the business-to-business world. Those clients should be reminded that efforts made to secure customer data will result in overall system security.
And they should also be reminded that it was an outside contractor, in a business-to-business setting, that led to one of the largest thefts of PII, when an HVAC contractor opened the door to Target Inc.’s, vast customer database, including payment data.5
Most businesses recognize that proving up system security is now required in order to bid on large commercial projects and virtually any government request for proposal. This means that, in order for a client’s business to grow, it is critical to pay attention to customer data and to protect it as best as is commercially reasonable.
Even in this modern age it remains true that what’s good for the customer is good for business.
Reserve your spot for the upcoming CLE session, Navigating Diversity and Inclusion: Perspectives on Accountability from Companies and Employees, available to section members for the discounted tuition of $20. This presentation is April 20, 11:45 a.m. - 1 p.m., and features panelists Derek Hawkins of Amazon; Larry Leverett of Johnson Controls; William Sulton of Gingras, Thomsen & Wachs; and moderator Nadelle Grossman of Marquette University Law School.
This article was originally published on the State Bar of Wisconsin’s Business Law Blog. Visit the State Bar sections or the Business Law Section webpages to learn more about the benefits of section membership.
1 See, for instance, Illinois statute 740 ILCS 14/20 (negligent violation $1,000 per instance; reckless violation $5,000 per instance under Illinois Biometric Privacy Act).
2 See Touch Support, Industry Insights: Most Commonly Stolen Types of Data, March 4, 2015.
3 See GDPR.EU, How does the GDPR affect email?
4 See CSO, The 15 Biggest Data Breaches of the 21st Century, Jan. 8, 2021.
5 See KrebsonSecurity, Target Hackers Broke in Via HVAC Company, Feb. 5, 2014.