An update on New Consumer Protection Requirements for 2023

We all enjoy invisible benefits from consumer protection laws every day. Consumer protection laws have been created to address a range of problems, from annoying telemarketing calls to predatory mortgage lenders and identity theft. For business owners, consumer protection laws can be a double-edged sword. Sure, they may protect your business from scammers and identity thieves, but they also create obligations that your business can’t afford to ignore. Consumer protection laws have undergone a lot of updating in the last few years, in response to changes in technology. It can be hard to keep up with everything, but it’s important to review your legal obligations and data protection procedures at least once a year. Read on for an overview of what’s new that might affect your business.

Federal Consumer Protection Laws: New for 2023

FTC Safeguards Rule Is Now Effective 

At the federal level, the expansion of the FTC Safeguards Rule is probably the biggest thing to happen to consumer protection laws in the last few years. I told you earlier this year about the updated FTC Safeguards Rule and that the compliance deadline was set for June 2023. Now that the expanded rule is in place, countless businesses are covered by it that weren’t covered by the rule when it was originally enacted in 2003.

To summarize the expanded FTC Safeguards Rule, it creates data security protection standards for businesses that the FTC considers “financial institutions.” That category now includes a broad range of businesses including mortgage lenders, collection agencies, car dealers, credit counselors, tax preparers and other financial advisors. Any business that the FTC considers part of this category is required to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information,” per the rule. The FTC says that a reasonable information security program should include nine essential components, which include a risk assessment and a written incident response plan. 

If your business is newly subject to the Safeguards Rule, you’re probably wondering: how is this thing going to be enforced? The FTC has shared a lot of detail about the rule itself but so far nothing specific about enforcement or penalties for non-compliance. With the compliance deadline having just passed, it’s possible the FTC plans to crack down on enforcement in the near future. The bottom line is that we just don’t know how seriously they plan to take enforcement on the expanded rule. (It’s worth noting that FTC penalties can be tens of thousands of dollars per violation.)

The INFORM Consumers Act 

This piece of legislation took effect in June. It’s unlikely to affect the way your business operates, but could help protect you from getting scammed when you buy things from online marketplaces like Amazon and eBay. For retail businesses, the bill could also potentially deter theft. The INFORM Consumers Act was created because there’s been a rise in thieves stealing merchandise from retailers and reselling it on third-party marketplaces. Now, those marketplaces are required to verify and share information about high-volume sellers. This transparency should make it harder for thieves to get away with these crimes, and protect consumers from buying stolen, defective or counterfeit goods. 

State Consumer Protection Laws: New for 2023

As evidence of the growing attention on data protection and consumer privacy, several states including Virginia and Colorado have enacted new consumer protection laws this year. These laws are modeled after the General Data Protection Regulation (GDPR), Europe’s data protection law. They give residents the right to access their own private data that businesses store about them, and request that their data be deleted. Each state’s new consumer protection laws work a little differently, but they also give residents the right to opt out of having their data processed or sold by businesses. 

Massachusetts isn’t among the states with new laws on the books this year. We already have some data protection laws in place, creating storage and data destruction standards for businesses that have access to private data about Massachusetts residents. Earlier this year, a bill was introduced to the Massachusetts State Legislature that would create a new Massachusetts Data Privacy Protection Act and expand protections for consumers. We’ll keep you updated on any legislative changes that affect Massachusetts businesses specifically. 

Is Your Business in Compliance with Data Protection Requirements?  

Concerns about FTC enforcement aside, every business should maintain strict standards for data protection and data destruction. As you know, allowing a breach of customer data or your business’s own private data could be disastrous for your business. Having to disclose a data breach to all the affected individuals can be a time-consuming and expensive process that hurts your reputation. 

If your business is covered by the Safeguards Rule, it’s important to review the FTC’s full requirements for creating a reasonable information security program. Even if you’re not affected by any new consumer protection laws, here’s a quick overview of data security best practices for your business:

  • Maintain a written data security policy that addresses both digital and physical data, as well as password policies, record retention policies and data destruction policies. 
  • Train all new employees on your data security procedures and refresh training for existing employees yearly. 
  • Review your shredding procedures to ensure that all obsolete sensitive data is stored in locked collection containers until it’s picked up by your shredding service.  
  • Maintain comprehensive records of document shredding and destruction of other sensitive materials. 
  • Use strong internal controls to prevent errors and internal fraud (for example, make sure that sensitive client data is only accessible to the employees who absolutely need access to it). 
  • Maintain a data breach policy that lays out next steps so you can act quickly if a breach ever does occur. 

Contact Us for Help Ensuring Compliance with Consumer Protection Laws

Northeast Data Destruction helps businesses protect themselves and their customers from expensive data security mistakes. While we’re not experts on consumer protection laws, we know how to help your business protect its data. From documents to hard drives, ID badges and off-spec products, we can securely destroy anything your business can’t afford to expose. Contact me with any questions about our data destruction services.