Protecting Customer Data
By Susan Buckner, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed June 06, 2024
Editorial Note: We earn a commission from affiliate partner links on FindLaw. Commissions do not affect the editorial integrity of our legal content.
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.
These days, almost every business needs to have cybersecurity measures in place. The days when identity thieves rummaged through dumpsters for credit card slips are gone, replaced by exotic data scraping and packet sniffers that pull information from your servers.
Business owners are responsible for protecting customer data from theft or misuse. Credit card numbers, Social Security numbers, and other personal data are prime targets in a data breach. Data protection technology evolves faster than you realize, so security measures put in place last year could be obsolete this year.
Read on to learn ways to assess and update your data protection systems.
Review the Sensitive Information Your Business Keeps
Small businesses may not be as vulnerable to hackers as large corporations, but today, nobody is safe from cyberattacks. Reviewing your data can help locate what data you have and what vulnerabilities exist.
Personally identifiable information (PII) is any data that can distinguish a person's identity online. PII is trivial information, such as "What is your favorite pet?" Apps gather this information, and thieves use that data to answer security questions in another account.
Business owners should review their information base periodically. What information is stored? Is it compliant with data privacy storage laws?
If You Don't Need Data, Don't Keep It
When paper files were the norm, storage was at a premium. Paper files take up space. Once electronic files became common, the amount of sensitive data available to cybercriminals soared because it is easy to keep and overlook.
The best way to keep sensitive data safe is to eliminate it when you're done using it. Do not retain credit card information without permission from the customer and secure encryption. Encrypt employee tax information and store it in a secure server.
Securing Sensitive Data
Data theft has come a long way since the phishing scams of the 1990s. Phone scammers still exist, as do the "Nigerian princes" of the early email days. These old methods have given way to sophisticated virus injection methods, spyware and malware, packet sniffers, and data scraping. Some criminals no longer bother with stealing data. Ransomware attacks use viruses to freeze a system and then threaten to wipe or dump the data unless the business pays the ransom.
A good data security plan protects your entire plant: physical, electronic, personnel, and business practices. The best way to keep data out of the wrong hands is by ensuring all your people know what those are.
Physical Security
- Keep sensitive documents and data in a locked location. Limit access or require keycards or passwords to remove items from storage.
- Log out of computers at the end of the workday. Shut down all wireless peripherals like printers.
- Offsite storage facilities should have entry logs or keycard access.
- Your IT manager should check in-house computers for extraneous flash drives or Wi-Fi connections plugged into your system.
Electronic Security
- Use data encryption for all sensitive or high-risk information. Encryption uses a code of algorithms and ciphers to protect data. Without the encryption key, the data is unreadable. If your type of business keeps personal information, such as a medical office, consider encryption for data protection.
- Multifactor authentication. Unlike two-factor authentication, which requires customers to use a temporary password, multifactor authentication requires a password and a code sent to the user's phone or answering security questions.
- Password management should run in tandem with authentication systems. Strong passwords are encouraged, but frequent changes and random passwords may result in employees writing them on their desks. This defeats the purpose of passwords.
- Remote access means the in-house device must be left on, or the remote device can switch on the business computer. You should consider additional security in both cases.
- Maintain firewalls and antivirus software. Some automatic software updates, such as Microsoft, will disable firewalls to install certain updates. The firewall may not switch back on after the update. Run full antivirus scans regularly and clear any quarantined programs according to recommendations.
Employee Training
- Prevent security risks at the outset by conducting thorough background checks on employees who will handle sensitive data.
- Have a clear written policy for your company's data management policies.
- Have regular training on security standards and policies. Ensure all employees are current on security software use and reporting.
- Have a policy on social media posts. Although you cannot restrict what employees do on their own time, you can limit the release of company information.
Dispose of Unneeded Customer Data
Identity theft remains a major problem today. Consumer data is readily available in the trash, although old flash drives and hard drives have replaced credit card receipts. Use proper disposal methods to protect customer and business data after using it.
- Have a policy about faxes, community printers, and other documents. Do not let documents sit around a printer room unattended. If they are not delivered immediately, destroy them.
- Shredders should be accessible and dumped frequently. Use industrial-strength shredders that handle CDs and disks rather than cheap business models.
- Wipe or reformat hard drives, laptops, and other storage devices before disposal. Hard-drive data destruction services will ensure 100% data removal.
Have a Data Security Response Plan in Place
The Federal Trade Commission (FTC) recommends that all businesses have a data security breach response plan. Like any other disaster, planning helps ensure you aren't caught off guard. The FTC has several business guides for developing a security plan if you need assistance. Studies have shown it takes up to 277 days to locate and contain a data breach, so you need a plan to protect your bottom line.
- Secure your business operations. Lock down the compromised computers and change any access codes. Disconnect the computer from the internet and Wi-Fi immediately.
- Gather an investigation team. They should have the security tools necessary to investigate and seal the data breach.
- Contact law enforcement. This may include the FBI or other agencies.
- Notify customers and affected businesses. All states have laws that require you to tell your customers and clients if you have had a breach and damage to customer information.
Contact an Attorney if You Have Additional Questions
By following the above suggestions, your company can protect customers' data in most cases. But nothing is foolproof. If you need more information or want additional advice, contact a business and commercial law attorney in your area.
FindLaw will earn a commission if you purchase business formation products through these affiliate links.
Meet FindLaw's trusted partner LegalZoom, an industry leader in online business formations
Kickstart your LLC in minutes!
Join the millions who launched their businesses with LegalZoom.
LLC plans start at $0 + state fees.
Prefer to work with a lawyer?
Stay up-to-date with how the law affects your life

Learn more about FindLaw’s newsletters, including our terms of use and privacy policy.