K&L Gates' Rob Pulham and Allison Wallace discuss the importance of data security.
With the popularity of online shopping growing daily, and new laws coming into effect in early 2018, now is the time for those operating in retail to ask themselves – am I keeping my customers' information safe?
What is personal information?
Under Australian privacy laws, personal information includes information or an opinion about an "identified" or "reasonably identifiable" person – for example, a customer's name, their address (both physical and email), phone number, gender, date of birth, employment details, and their credit card information.
This is the kind of information that is very useful to retailers, and the kind of information that is often collected when signing customers up for mailing lists, or when they place an order in store or online.
Why should I keep it safe?
A recent case involving a former employee of Showpo provides a timely example of why it's commercially important to keep customers' information safe.
One of Showpo's former graphic designers was accused of taking and passing on Showpo's customer database to her new employer, the rival online retailer Black Swallow, which then began sending promotional emails to the 306,000 customers on the list.
A New South Wales court ordered Black Swallow to pay Showpo $60,000.
Arguably no amount of money could win back a customer disgruntled by the fact the information they trusted you with was leaked to another company.
If losing customers' trust isn't reason enough to keep their information safe, it's also worth considering whether your legal obligations require you to do so.
These can arise under legislation, contract or the law of negligence. Under Australian privacy laws, organisations doing business in Australia with an annual turnover of more than $3 million are required to comply with the Australian Privacy Principles (APPs).
The APPs require (with limited exceptions) that personal information is only used for the purpose for which it was collected (for example, to ship an order) and is kept securely (and not taken by departing employees!).
If your business breaches the APPs it could face significant fines, and it could even be required by the Office of the Australian Information Commissioner (OAIC) to take specific steps to correct its privacy practices.
From February 2018, it will become compulsory for businesses bound by the APPs to notify the OAIC and affected customers if they become aware of an "eligible data breach".
This means that the OAIC and your customers must be notified if there has been unauthorised access to, unauthorised disclosure of, or loss of their personal information that would be likely to result in serious harm to the affected individuals. This won't be a pleasant experience for any affected business.
How can I keep it safe?
Analysts, including Deloitte, have found that employees are one of the leading causes of data security issues in workplaces. While it's impossible to completely safeguard your business from rogue employees, there are measures you can take to ensure you are in the best position to protect customer information, prevent leaks, and respond adequately if they do occur, including:
- educating yourself and staff about what information your business collects and holds about your customers, why it needs to be protected, and the risks associated with it being leaked;
- putting in place privacy and confidentiality policies for staff to follow as part of their employment contracts;
- ensuring your agreements with third parties who handle customer information on your behalf place appropriate obligations on those third parties to protect it, and to notify you of any issues;
- ensuring customer information is stored on secure servers that can only be accessed by authorised individuals on a 'need to know' basis; and
- preparing and implementing a response plan to guide your actions in the event of a breach.
At the end of the day, your business may not have a legal obligation to keep customers' personal information safe – but if your customers expect you to do so, you could find your business in more trouble commercially than legally, if you break their trust.
For more information about issues relating to privacy and data protection please contact Rob Pulham, Senior Associate at K&L Gates (rob.pulham@klgates.com). This article is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.