Beauty Store Business

FEB 2013


Issue link: http://beautystorebusiness.epubxp.com/i/103399


Beauty & The Law

Keep Your Customer Information Safe & Secure
And keep your beauty business in compliance with state data-security laws at the same time.
by Jean Warshaw

page 58 | February 2013 | beautystorebusiness.com

BEAUTY STORE BUSINESS RAN AN IMPORTANT article in the January 2012 issue on the dangers computer hacking poses to your business. "Don't Get Punked!" by Joe Dysart is also available online at beautystorebusiness.com. The article suggests steps to improve the security of your computerized data. Data theft can be a problem for your business because your customer lists and pricing policies are critical information that you don't want leaked. But it's also a nightmare for consumers who have given you their credit-card numbers and other personal information that could be used by identity thieves. Identity theft is a growing problem that struck more than 600,000 people in 2011, according to the U.S. Department of the Treasury.

In response to the huge number of identity-theft cases, some states have passed laws requiring businesses to take security steps to minimize the risk of losing sensitive consumer data, and most have laws requiring businesses to notify customers if there has been a security breach. Many of these laws apply to your paper records as well as to your computer records. To help you figure out what to do, this column will describe the laws that require businesses to have a data-security plan even if they have not had any security leaks. Then it will describe the laws that kick in after you learn about a security leak and require you to notify customers and sometimes state agencies.

It's very difficult to comply with all of the state laws on this critical topic. Because there is no federal law that governs retailers' handling of personal information, the states have jumped in to protect their own citizens. The result is a patchwork of requirements. Each beauty business should review the laws in the states where it sells to consumers and come up with a security procedure that fits the business and meets the requirements of all those states.

"If your beauty business accepts customers' credit cards, you need to know state laws."

ADOPT A DATA-SECURITY PLAN NOW
California, Connecticut, Nevada and Massachusetts have laws requiring retailers that collect personal information to take steps to protect that information. "Personal information" means a person's first name or first initial and last name together with a credit- or debit-card number, Social Security number, driver's license number, state ID card number, bank or financial institution account number, or PINs or passwords for financial accounts. Most beauty businesses will have a credit-card number if they have any personal information at all.

Nevada requires anyone who does business in Nevada and accepts credit or debit cards to comply with the Payment Card Industry Data Security Standard (PCI DSS). It's a detailed, rigorous program for data security, and is available through pcisecuritystandards.org. It requires a laundry list of security measures, including using a computer firewall, setting unique passwords, taking steps to keep stored data secure, using encryption when sending personal information over the Internet, using anti-virus software and keeping it up-to-date, restricting access to personal information to people who need to know it, assigning a unique password to each employee or other person who needs to access personal information, keeping data in a secure place and restricting physical access, monitoring access, testing the security systems and implementing a company policy on data security.

Massachusetts has an even more detailed laundry list of requirements. It requires everyone who has personal information about a Massachusetts resident to have a written information-security plan. The security plan can be less sophisticated for small businesses. But if your beauty business is large, your plan will need to be more detailed and have greater protections for personal information. The plan has to name one employee who is in charge of security. Your business has to consider how your customers' personal information could fall into the wrong hands and evaluate how to prevent that. You need to consider how to train employees, whether employees will follow the procedures and how you can monitor whether employees are following the rules. Massachusetts requires security policies for storing and accessing personal information, disciplining employees who violate your rules and making sure that employees who leave can no longer access your records. If you give personal information to outside companies that provide services to you, you need to take steps to hire companies that comply with the law, and they have to agree in writing to comply. You need to restrict access to records and keep them in locked facilities or cabinets. You need to monitor compliance and review your procedures annually. And when you change business practices, you need to make sure the procedures are still protecting personal information. Finally, you have to review any security breach and fix any gaps in your procedure.

What if your beauty business isn't in one of those states? You still need to comply if you have collected personal information from any person who lives in those states, because you may be doing business in one or more of those states even if you don't have a traditional brick-and-mortar store there. For a more detailed discussion of when you can be sued in a distant state, see my column, "Beware of the Long Arm of the Law," March 2012, BSB, page 52.
