
Protect Customer Personal Information: A Guide for Businesses

This guide covers the fundamental steps businesses should take to protect customer personal information, focusing on requirements and best practices in New York, California, Massachusetts, and the US Virgin Islands:

I. Determining if Your Business is Required to Protect Customer Personal Information

Before implementing cybersecurity measures, it’s crucial to understand if your business is legally obligated to protect customer personal information (PI). Requirements vary by state and territory:

New York

Under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act):

  • Applies to any person or business that owns or licenses computerized data including private information of a New York resident
  • No minimum threshold for number of customers or revenue

California

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to businesses that:

  • Have annual gross revenue exceeding $25 million
  • Buy, sell, or share personal information of 100,000 or more California residents or households
  • Derive 50% or more of annual revenue from selling or sharing California residents’ personal information

Massachusetts

Massachusetts 201 CMR 17.00 applies to all persons that own or license personal information about a Massachusetts resident.

US Virgin Islands

The Virgin Islands Data Breach Notification Law applies to persons and businesses that:

  • Conduct business in the territory
  • Own, license, or maintain covered information of Virgin Islands residents

II. Understanding What Constitutes Personal Information

Before one can protect customer personal information, one must understand that the definition of personal information varies slightly by jurisdiction:

New York

Private information includes:

  • Social Security number
  • Driver’s license number or non-driver ID number
  • Account, credit or debit card number (if usable to access an individual’s financial account)
  • Biometric information
  • Username/email address in combination with a password or security question answer

California

Personal information includes:

  • Identifiers (e.g., name, address, SSN, driver’s license number)
  • Characteristics of protected classifications (e.g., race, gender)
  • Commercial information
  • Biometric information
  • Internet or network activity information
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences drawn from other personal information

Massachusetts

Personal information includes:

  • First name and last name, or first initial and last name
  • In combination with any of:
      • Social Security number
      • Driver’s license number or state-issued ID number
      • Financial account number, or credit or debit card number

US Virgin Islands

Covered information includes:

  • First name or first initial and last name
  • In combination with any of:
      • Social Security number
      • Driver’s license number
      • Account number, credit or debit card number (with any required security code, access code, or password)

III. Step-by-Step Guide to Protect Customer Personal Information

Step 1: Conduct a Data Inventory and Risk Assessment

  1. Identify all personal information your business collects, processes, and stores.
  2. Determine where this data is located (e.g., on-premises servers, cloud storage, employee devices).
  3. Assess potential risks and vulnerabilities to this data.
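The definitions in Section II and the inventory in Step 1 can be turned into a repeatable check rather than a manual review. The following Go program is an added example (not code from the guide) that classifies each record of a customer export against the three definitions summarized above: the Massachusetts and Virgin Islands "name plus a listed element" rule, and the New York rule where a listed element or a username/email-with-password pair counts on its own. The column names, the SSN pattern, and the sample records are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Column names are assumptions for this example; map them to your own export.
const (
	fieldID        = "id"
	fieldFirstName = "first_name" // a first initial in this column also counts under MA/VI
	fieldLastName  = "last_name"
	fieldSSN       = "ssn"
	fieldDL        = "drivers_license"
	fieldAccount   = "account_number"
	fieldEmail     = "email"
	fieldPassword  = "password"
)

// ssnPattern accepts nine digits with optional hyphens. Values in any other
// layout are NOT matched and would be missed: confirm your export's format.
var ssnPattern = regexp.MustCompile(`^\d{3}-?\d{2}-?\d{4}$`)

// Classification records which Section II definitions one record meets.
type Classification struct {
	HasName       bool
	Identifiers   []string // listed identifier fields present and non-empty
	Credentials   bool     // email stored together with a password
	NewYork       bool     // a listed element, or a credential pair (SHIELD Act summary)
	Massachusetts bool     // name plus a listed element (201 CMR 17.00 summary)
	VirginIslands bool     // name plus a listed element (VI breach law summary)
}

func present(rec map[string]string, key string) bool {
	return strings.TrimSpace(rec[key]) != ""
}

// Classify applies the Section II definitions to a single record.
func Classify(rec map[string]string) Classification {
	var c Classification
	c.HasName = present(rec, fieldFirstName) && present(rec, fieldLastName)
	if ssnPattern.MatchString(strings.TrimSpace(rec[fieldSSN])) {
		c.Identifiers = append(c.Identifiers, fieldSSN)
	}
	for _, k := range []string{fieldDL, fieldAccount} {
		if present(rec, k) {
			c.Identifiers = append(c.Identifiers, k)
		}
	}
	c.Credentials = present(rec, fieldEmail) && present(rec, fieldPassword)
	hasElement := len(c.Identifiers) > 0
	c.NewYork = hasElement || c.Credentials
	c.Massachusetts = c.HasName && hasElement
	c.VirginIslands = c.HasName && hasElement
	return c
}

// Inventory returns the IDs of records covered in at least one of the three
// jurisdictions, in input order, so they can be tagged in the data inventory.
func Inventory(records []map[string]string) []string {
	var covered []string
	for _, rec := range records {
		c := Classify(rec)
		if c.NewYork || c.Massachusetts || c.VirginIslands {
			covered = append(covered, rec[fieldID])
		}
	}
	return covered
}

// SampleRecords is a constructed export, not real customer data.
var SampleRecords = []map[string]string{
	{fieldID: "r1", fieldFirstName: "Ana", fieldLastName: "Ruiz", fieldSSN: "123-45-6789"},
	{fieldID: "r2", fieldFirstName: "Ben", fieldLastName: "Ortiz", fieldEmail: "ben@example.com"},
	{fieldID: "r3", fieldEmail: "cara@example.com", fieldPassword: "hunter2"},
	{fieldID: "r4", fieldLastName: "Dube", fieldAccount: "4000123412341234"},
}

func main() {
	for _, rec := range SampleRecords {
		fmt.Printf("%s: %+v\n", rec[fieldID], Classify(rec))
	}
	fmt.Println("covered records:", Inventory(SampleRecords))
}
```

Record r4 shows why the jurisdiction matters: an account number without a first name is covered under the New York summary but not under the Massachusetts or Virgin Islands name-plus-element rule, so a single "is this PI?" flag would misclassify it in one direction or the other.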

Step 2: Develop and Implement a Written Information Security Program (WISP)

  1. Create a comprehensive policy document outlining your data protection measures.
  2. Include procedures for:
      • Collecting, storing, and using personal information
      • Employee training on data security
      • Incident response in case of a breach
      • Regular security audits and updates

Step 3: Implement Strong Access Controls

  1. Use role-based access control to limit data access to employees who need it.
  2. Implement strong password policies, including:
      • Complex passwords with a mix of characters
      • Regular password changes
      • Two-factor authentication (2FA)

Step 4: Encrypt Sensitive Data

  1. Use industry-standard encryption for data at rest and in transit.
  2. Implement 256-bit encryption for emails containing sensitive information.
  3. Use file-level encryption for data stored on computer hard drives.
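As an added example of the file-level, 256-bit encryption called for in Step 4 (not code from the guide), the Go program below encrypts a file's contents with AES-256-GCM, an industry-standard authenticated cipher. It stores the random nonce in front of the ciphertext, binds the file name as associated data, and refuses to return any plaintext when the blob has been altered or renamed. The key source, the file name and the sample record are assumptions for the example; where the key is kept (KMS, OS keystore, HSM) is a deployment decision the example does not make.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const KeySize = 32 // 32 bytes = 256-bit key, i.e. AES-256

// NewKey draws a fresh 256-bit key from the OS CSPRNG. The key must be
// stored separately from the files it protects (deployment assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM rejects anything but a 256-bit key so a shorter key cannot
// silently downgrade the cipher to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. The file name is bound as
// associated data, so a blob copied under a different name will not decrypt.
func Encrypt(key, plaintext []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Decrypt verifies the GCM tag before returning any plaintext; a flipped
// byte anywhere in the blob, or the wrong file name, yields an error.
func Decrypt(key, blob []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(filename))
	if err != nil {
		return nil, fmt.Errorf("%s: authentication failed: %w", filename, err)
	}
	return pt, nil
}

// RoundTrip is a self-check: encrypt, confirm the original is recovered,
// and confirm that a tampered copy is rejected rather than decrypted.
func RoundTrip(key, plaintext []byte, filename string) (bool, error) {
	blob, err := Encrypt(key, plaintext, filename)
	if err != nil {
		return false, err
	}
	pt, err := Decrypt(key, blob, filename)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(pt, plaintext) {
		return false, errors.New("decrypted text does not match original")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Decrypt(key, tampered, filename); err == nil {
		return false, errors.New("tampered blob was accepted")
	}
	return true, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	ok, err := RoundTrip(key, []byte("id=r1,name=Ana Ruiz,ssn=123-45-6789"), "customers.csv")
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

The design point is that GCM gives integrity as well as confidentiality: an attacker who can modify the stored file cannot alter it undetected, and the program fails closed on any verification error instead of handing back partially decrypted data.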

Step 5: Secure Your Network

  1. Install and maintain firewalls to protect against unauthorized access.
  2. Use a Virtual Private Network (VPN) for remote access to company systems.
  3. Regularly update all software, including operating systems and applications, to patch security vulnerabilities.

Step 6: Train Employees on Data Security

  1. Conduct regular cybersecurity awareness training for all employees.
  2. Cover topics such as:
      • Recognizing phishing attempts
      • Safe browsing practices
      • Proper handling of sensitive data
      • Reporting potential security incidents

Step 7: Implement Data Minimization Practices

  1. Only collect personal information that is necessary for your business operations.
  2. Regularly review and delete unnecessary data.
  3. Implement data retention policies that comply with legal requirements.
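The review-and-delete cycle in Step 7 is easy to get wrong in two directions: deleting data that is under a legal hold, or quietly keeping data whose category nobody assigned a retention period. The Go program below is an added example (not the guide's own code) of a retention sweep that fails closed on both: it deletes only records of a known category whose retention period has elapsed, and routes held or uncategorized records to a human reviewer. The categories, durations, dates and records are placeholders constructed for the example; real retention periods come from your legal requirements.

```go
package main

import (
	"fmt"
	"time"
)

// StoredRecord is one item from the Step 1 data inventory.
type StoredRecord struct {
	ID        string
	Category  string    // e.g. "support_ticket", "payment_card"
	LastUsed  time.Time // last legitimate business use
	LegalHold bool      // litigation or regulator hold blocks deletion
}

// Policy maps a data category to how long it may be kept after last use.
type Policy map[string]time.Duration

// Decision is the outcome of the sweep for one record.
type Decision int

const (
	Keep   Decision = iota // still inside the retention window
	Delete                 // past retention and not on hold
	Review                 // cannot decide automatically: on hold, or category not in policy
)

func (d Decision) String() string { return [...]string{"keep", "delete", "review"}[d] }

// Evaluate fails closed: anything the policy does not cover, and anything on
// legal hold, goes to a reviewer rather than being deleted or silently kept.
func Evaluate(rec StoredRecord, policy Policy, now time.Time) Decision {
	keepFor, known := policy[rec.Category]
	if !known || rec.LegalHold {
		return Review
	}
	if now.Sub(rec.LastUsed) > keepFor {
		return Delete
	}
	return Keep
}

// Sweep groups record IDs by decision so the delete list can feed a deletion
// job and the review list can go to the program owner named in the WISP.
func Sweep(records []StoredRecord, policy Policy, now time.Time) map[Decision][]string {
	out := map[Decision][]string{}
	for _, r := range records {
		d := Evaluate(r, policy, now)
		out[d] = append(out[d], r.ID)
	}
	return out
}

const day = 24 * time.Hour

// ExamplePolicy durations are placeholders, not legal advice.
var ExamplePolicy = Policy{
	"support_ticket": 365 * day,
	"payment_card":   90 * day,
}

// Now is fixed so the example is reproducible.
var Now = time.Date(2024, time.June, 1, 0, 0, 0, 0, time.UTC)

// RetentionSamples is a constructed inventory, not real data.
var RetentionSamples = []StoredRecord{
	{ID: "t-1", Category: "support_ticket", LastUsed: Now.AddDate(-2, 0, 0)},
	{ID: "t-2", Category: "support_ticket", LastUsed: Now.AddDate(0, -1, 0)},
	{ID: "c-1", Category: "payment_card", LastUsed: Now.AddDate(0, -6, 0), LegalHold: true},
	{ID: "c-2", Category: "payment_card", LastUsed: Now.AddDate(0, -4, 0)},
	{ID: "x-1", Category: "marketing_export", LastUsed: Now.AddDate(-3, 0, 0)},
}

func main() {
	for _, d := range []Decision{Delete, Keep, Review} {
		fmt.Printf("%-6s %v\n", d, Sweep(RetentionSamples, ExamplePolicy, Now)[d])
	}
}
```

On the sample inventory the sweep deletes t-1 and c-2, keeps t-2, and sends c-1 (legal hold) and x-1 (no policy entry) to review. The uncategorized record is the one to watch: it is three years old and would be deleted by a naive "older than N days" job, or kept forever by a job that skips unknown categories, and either outcome is a policy gap rather than a decision.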

Step 8: Secure Physical Access to Data

  1. Implement physical security measures to protect servers and devices containing personal information.
  2. Use locked cabinets for paper documents containing sensitive data.
  3. Implement a clean desk policy to ensure sensitive information is not left unattended.

Step 9: Manage Third-Party Risks

  1. Conduct due diligence on vendors who have access to your customer data.
  2. Include data protection clauses in contracts with third-party service providers.
  3. Regularly audit third-party compliance with your data security requirements.

Step 10: Develop and Test an Incident Response Plan

  1. Create a detailed plan for responding to potential data breaches.
  2. Include steps for:
      • Containing the breach
      • Assessing its scope and impact
      • Notifying affected individuals and relevant authorities
      • Conducting a post-incident review
  3. Regularly test and update your incident response plan.

IV. Compliance with Specific State Requirements

While following the steps above will provide a strong foundation for data protection, be aware of these specific state requirements:

New York (SHIELD Act)

  • Implement reasonable administrative, technical, and physical safeguards.
  • Conduct regular risk assessments.
  • Train employees in security practices and procedures.

California (CCPA/CPRA)

  • Provide notice to consumers about data collection practices.
  • Implement processes to respond to consumer requests regarding their personal information.
  • Obtain opt-in consent for processing sensitive personal information.

Massachusetts (201 CMR 17.00)

  • Designate one or more employees to maintain the information security program.
  • Identify and assess reasonably foreseeable internal and external risks to security.
  • Develop security policies for employees relating to the storage, access, and transportation of records containing personal information.

US Virgin Islands

  • While specific cybersecurity requirements are not currently detailed in the breach notification law, following best practices outlined in this guide will help ensure compliance.

By following these steps and staying informed about evolving regulations, businesses can significantly enhance their protection of customer personal information and reduce the risk of data breaches and regulatory non-compliance.