In Blog, Privacy and Internet Law

Privacy is not just for big corporations.  Every business, from the neighborhood restaurant to the local bank to the family store, must be thinking about privacy.  Small businesses must be thinking about privacy for a variety of reasons, including reputation issues, data breach concerns and the possibility of cyber theft.

First, consumers are increasingly relying on peer review websites for making decisions about where they shop, dine and take their business.  According to one report, for every change in star rating on Yelp, businesses see approximately a 5 to 7 percent change in revenue.   Therefore, positive and negative reviews can have a significant impact on a business’s bottom line.  Businesses should encourage consumers to rate their services.   In the event of a bad review, businesses should respond and address the concerns of the consumer.  However, businesses should not follow the lead of the Union Street Guest House, in Hudson, N.Y., and fine guests for leaving bad reviews.  Such policies are counterproductive and cause more harm than good.  In addition, businesses should not attempt to write fake reviews on their own site.  Such actions could get businesses sanctioned by review sites like Yelp and can lead to government investigations and fines.  If a business does believe that a review is posted on the Internet falsely and maliciously, the business can file a libel or defamation complaint and seek to have the review removed.

It is easy for a small business to think that they are immune to data breaches or that a data breach would not impact their bottom line.  In reality, data breaches can occur at a small business just as they can occur at Target or Home Depot or any other Fortune 500 company. In fact, Visa has reported that 85% of data breaches occur at the small business level.  Small business breaches are often not the result of hacking or criminal acts but are caused by simple human error.  For example, a data breach can occur when a company mistakenly throws into the garbage documents containing names and corresponding social security numbers.  If a data breach occurs, small businesses under New Jersey’s Data Breach Notification Law are responsible for notifying the affected parties.  The costs of notification are significant and can financially damage or ruin a small business.  To mitigate the risk, small businesses should be implementing data security policies and considering cyber-liability or data breach insurance.  Data security policies must cover issues such as the use of passwords, the disposal of sensitive documents and computer equipment and employee training.  Cyber-insurance or data breach insurance policies cover the costs of notification and provide further protections, including liability protection and the costs of attorneys.

Small businesses must also be vigilant to protect their bank accounts.  If small businesses bank online, they must be careful to have secure passwords that cannot be obtained by criminals.  Individual consumer accounts are protected by the Electronic Funds Transfer Act.  Under the EFT, individuals who have money stolen from their personal bank accounts are responsible for only fifty dollars if the theft is reported to the bank within sixty days.  Businesses are not subject to the EFT Act and are not similarly protected.  Instead, business accounts are protected by the Uniform Commercial Code (UCC).  If banks can establish that the bank was not responsible for the breach (i.e. criminal stole business password), the bank may not liable to reimburse the business.  Accordingly, businesses should be vigilant about their accounts and ensure all passwords are secure and changed regularly.

Privacy law has implications for big business and small business alike because small businesses are not immune to reputational issues, data breaches and corporate thefts.  Instead of waiting to be breached, small businesses should be proactively addressing privacy and security concerns.

About the author: Andrew P. Bolson, Esq. is an attorney with Meyerson, Fox, Mancinelli & Conte, P.A. in Montvale, New Jersey. Andrew’s practice focuses on commercial and estate litigation, business law, real estate law, estate planning and privacy and Internet law.