5. Communicating Your Data Security Program to Your Customers
Information to share.
Obtain a third-party seal that verifies your small business uses an
appropriate level of security to protect your website or your Internet
transactions. This can be a visual tool to communicate to customers
that you have qualified for a level of certification, which is something
some customers may look for.
Make sure that whatever information you communicate to your customers
about how you protect their data is accurate and up to date. For example,
if you tell consumers that you keep their information on computers that
you own, and then you contract with another company to provide off-site
computer storage space, make sure that you reflect your new practices in
your public policies.
DO NOT share detailed information about your security systems (e.g., the
encryption software you use, or where you store documents). Remember,
criminals see what your customers see, and they can use public information
about your security systems to evade them.
DO NOT tell customers that there is no risk of ID Theft, or that their information
is “100% safe.” No matter how hard you try to protect customer information,
there is always a chance that someone may obtain and misuse it.
DO NOT guarantee or promise that customers’ information can never be lost
or stolen unless you tell customers what you will do if that promise is broken.