Protecting Personal Information — Know Why

By Burke Kappler

Thousands of corporate executives have read the Federal Trade Commission’s new publication, Protecting Personal Information: A Guide for Business, available at ftc.gov/infosecurity. They’ve picked up practical tips on how their company can secure and protect the personal information it keeps. But some business owners may still be wondering why data security should be at the top of their agenda. Two reasons show why your company should strive to safeguard personal information.

First, good security is just plain good business. Aware of the risk of identity theft, today’s customers are concerned about their privacy. As any business that has experienced a breach has learned, customers prefer companies that demonstrate a commitment to security. For the same reasons, customers will think twice before doing business with a company that has experienced a privacy glitch. Given this choice, many businesses find it more cost-effective to secure the information they have rather than try to repair the damage and rebuild consumer confidence after a data loss or breach.

The second reason to take proactive steps to secure data is that federal and state laws may require companies to implement reasonable information security practices. Depending on your business and the type of information you keep, these laws may apply to you, including:

Fair Credit Reporting Act — Also known as the FCRA, this law is designed primarily to protect the privacy of what it calls “consumer report” information — the details in a consumer’s credit report — and to ensure that the information supplied by consumer reporting agencies is as accurate as possible. A consumer report contains information about an individual’s personal and credit characteristics, character, and general reputation. To be covered by the FCRA, a report must be prepared by a “consumer reporting agency,” a business that assembles such reports for other companies. You may have consumer reports in your files right now: reports on your employees if you’ve done background checks, perhaps as part of hiring, or reports on customers if you’ve needed to look into their credit histories. You have a legal obligation to keep this information secure while it’s in your possession. But what about when you no longer have a legitimate business need to keep it? Scaling back on what’s in your files is a great idea, as long as you take care in how you get rid of sensitive information like consumer reports. Under the FCRA, the FTC has issued a rule requiring companies to exercise care when discarding consumer reports or information derived from them. Called the Disposal Rule, it requires businesses that have information covered by the FCRA to take reasonable measures to protect against unauthorized access when they dispose of it. Businesses that collect consumer credit information, credit reports, or employee background histories should be familiar with this rule and make sure they’re in compliance. (By the way, the FCRA was amended in 2003 by another law called the Fair and Accurate Credit Transactions Act, or FACTA. You may hear about the FCRA or FACTA, but both names refer to the same law as amended.)

Gramm-Leach-Bliley Act — Also known as GLB, this law applies to “financial institutions.” Companies need to know that, as the law defines it, the term “financial institution” is broad and includes far more than banks. It covers businesses engaged in a wide range of financial activities, including, for example, car dealers, tax preparers, and even (in some cases) courier services. Financial institutions that are not regulated by another agency fall within the FTC’s Safeguards Rule. Among other things, this rule requires businesses to have reasonable policies and procedures to ensure the security and confidentiality of customer information.

Federal Trade Commission Act — The FTC Act prohibits deceptive or unfair trade practices. Under the FTC Act, businesses must handle consumer information in a way that is consistent with their promises to their customers (for example, what they say in their online privacy policy), and avoid data security practices that create an unreasonable risk of harm to consumer data.

Other federal laws — Other federal laws may affect a company’s data security requirements, including the Health Insurance Portability and Accountability Act (HIPAA), which applies to health data; the Family Educational Rights and Privacy Act (FERPA), which applies to student records; and the Driver’s Privacy Protection Act (DPPA), which applies to information maintained by state departments of motor vehicles.

State laws — As concerns over identity theft and data security have increased, many states have passed laws or regulations to protect their citizens. In addition to complying with federal laws, businesses should look to state laws to make sure they are in compliance.

If this seems complicated, don’t worry. Despite these different rules, the FTC has tried to develop a single basic standard for data security that strikes a balance between providing concrete guidance and allowing flexibility for different businesses’ needs. The standard is straightforward: Companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable will depend on the nature and size of your business, the types of information you have, the security tools available to you given your resources, and the risks you are likely to face.

If you have questions about how these laws affect your business, consider consulting with your attorney. Visit ftc.gov to learn more about the laws enforced by the FTC. Finally, be sure to get your copy of Protecting Personal Information: A Guide for Business at ftc.gov/infosecurity.

Burke Kappler is an attorney in the FTC’s Bureau of Consumer Protection who specializes in data security investigations and enforcement.

October 2007