Privacy. While it has always been an issue for both individuals and companies, privacy has taken on a whole new level of meaning and importance in today’s world. Companies of all shapes and sizes, not just tech-centric ones, can no longer view their customers’ privacy as an esoteric side issue. All companies must be prepared.
This is why I was so excited to bring in Lily Li, founder of Metaverse Law, experts in the data privacy and cybersecurity laws that you need to be aware of and in how they can impact your business. And believe me, they can impact your business in a big way.
First of all, what exactly is cybersecurity in terms of your business? Cybersecurity at its most basic is the privacy statement you put on your website and your critical customer communications. In the past, many smaller to mid-sized companies, along with their customers, that weren’t specifically in data or data-related products didn’t attach much importance to these privacy statements (we’ve all clicked through a hundred!).
Those times are over.
Due to major customer data breaches and scandals like Cambridge Analytica, customers are now much more aware of how their privacy and personal data are being used or misused. Echoing this, many states have now passed new laws geared towards consumer-data protection that place more responsibility on businesses. Consumers will now have the right to know how you are using their data, and this is a big compliance burden for businesses because you now have to categorize how you are using their data.
One of these major laws that will probably affect you is the California Consumer Privacy Act. This new law, coming into effect this January, has a minimum threshold to apply to you: a business needs to be collecting at least 50,000 customer records per year. The reality is that many businesses will easily hit that number with their website visits and social marketing campaigns alone.
So how might this new law affect you and your business?
One of the big aspects of California’s new law is that it has a private right of action for data breaches, so if there is a data breach of information that is unredacted or unencrypted, someone could sue for $100 to $750 per consumer per incident.
So let's say you have 100,000 customer records. In the case of a data breach, that hundred thousand can become a million-dollar payout on the low end and $7,500,000 on the high end. “And that doesn't even include the legal fees in terms of defending yourself against a class action. So that's the potential universe of damages, just from statutory damages,” says Li.
For small to mid-sized companies (though really for all companies), this can be a devastating, if not fatal, blow to your business.
It’s important to note that these data collection laws apply internationally as well. So even if you are a California-based company, if you do a lot of data collection (for example, website views) coming from Europe or Canada, you are still affected by the consumer protection laws in those countries.
So how to be prepared?
2. Instill a level of suspicion in all your employees about suspicious emails.
“80% of hacks are caused by people just clicking on emails that they shouldn’t be,” says Lily. “So if you do training on how to protect against these phishing emails, you are already doing something major.”
It sounds simple, even obvious, but the consequences of clicking on the wrong email can be disastrous. That wrong email could lead to your website being down for several days or even weeks, meaning you won’t be able to sell anything and will have difficulty communicating with your customers. You might need to hire tech people to come bail you out and build new systems, potentially with new design and branding, and face a whole host of major problems and costs, all from just one email.
3. Prepare by training your employees, having manuals, and keeping relevant records.
“Under the CCPA, there is a specific requirement that you have individuals at your organization who are trained in how to respond to consumer requests for information. It’s important to keep records of this training, so that later on if you have an investigation from a regulatory agency or if you’re in a lawsuit, you can show the proactive steps you have taken.”
4. Crisis plan: have a game plan for the worst-case scenario in your business.
Be prepared, but don’t just think about the fear of lawsuits. Recognize that customer information is one of the most valuable assets in your business and it would be wise to know and use it well.
“Just take a few simple steps and you can save yourself a lot of hassle later on,” says Lily, and I agree wholeheartedly.