Today, Amy B. Goldsmith joins us to discuss website privacy policies and privacy practices for small business.
Amy is a co-chair of the Intellectual Property Group at Tarter Krinsky & Drogin. She partners with clients to provide practical legal advice and connections to grow their businesses. A strategic advisor, she guides clients in all stages of their development from idea conception and protection, to funding, manufacturing and enforcement. She designs privacy policies, terms of use, end-user license agreements and software as service agreements that make sense for each business and helps clients navigate the complexities of privacy and cybersecurity. (You’ll find contact information for her below.)
What mistakes do you see small businesses making with their privacy or security policies?
Some small businesses may acquire their policies from dubious sources online. The policies that a business uses should be matched with the actions that the business has actually taken or will take. A policy may say “we have implemented this security protocol” but if the business hasn’t done so, this representation isn’t accurate. Plus, that policy may not be compliant with NY’s new SHIELD Act or any other laws to which the business is subject. SHIELD mandates certain security safeguards if a business holds the personal information of New Yorkers, whether or not the business is located in New York.
What are the documents that small businesses should have in place related to privacy and security?
At a minimum, a Privacy Policy and Terms of Use which are posted publicly on the business website, plus the documents that implement SHIELD: Written Information Security Program, Cyber and Information Security Policy, Incident Response Plan, and Business Continuity and Recovery Plan.
Are there different concerns for small businesses based on size? (Say, solopreneurs vs. $2m to $5m vs. $50m to $100m businesses.)
SHIELD defines a small business as fewer than 50 employees, less than $3 million dollars in gross annual revenues for the last three years or less than $5 million dollars in total assets. The law asks: does the small business’s security program contain reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers?
So from our perspective, whether the business is small or large, the question is whether the policies that are implemented are “right-sized” for the business and its operations.
How has the NYS Shield Act had an impact on small businesses?
SHIELD mandates that small businesses actually put security safeguards in place, prepare written policies, and train their employees regarding what to do if there is a security breach. The goal is to protect against breaches such as hacking and have an action plan that complies with SHIELD if a breach is suspected or occurs.
Is there any hope for some consistency across all of the competing regulations? NYS Shield Act, GDPR, CCPA, etc.
In my opinion, a federal law on privacy and security isn’t likely to be enacted, and even if it were enacted, it may not overrule separate state laws. Internationally, a business will be subject to separate national or even provincial laws depending on whether the business collects personal information from residents of a particular nation or province.
Beyond the policies, do you have recommendations for small businesses about their internal processes?
SHIELD requires the appointment of an Information Security Coordinator, who can be someone internal, such as an employee of the business, or a resource external to the business, such as an outsourced consultant. It’s important for a small business to designate one (or a group) of people who have the last word on cybersecurity for the business.
Who in the organization should be overseeing these efforts?
In some businesses, the Information Security Coordinator may be the CIO.
Are there any resources you would point a small business to if they’re interested in doing their homework / making their conversations with you more productive right from the start?
The Better Business Bureau has helpful links.
# # #
Thank you to Amy for answering some of the questions we hear frequently from our clients when we suggest the addition of privacy language to their website. Want to learn more? Here’s how to reach Amy:
For legal advice on privacy policies and practices – and more – contact Amy via LinkedIn or email. And you can learn more about Amy and her firm, Tarter Krinsky & Drogin.
You can reach us for more information on building a website that is a strong marketing tool and respectful of your audience’s privacy.
