Keeping it Legal – Privacy Policy & PCI Compliance

One of the most overlooked aspects of a website is its legal disclaimers, such as the Privacy Policy and Terms of Use. This article is designed to help you put together these important web documents to keep you in compliance with federal law as well as the best practices of Google and other search engines.

Privacy Policy

The Privacy Policy is extremely important. It details in writing how you collect, treat and use the information you receive from customers and from those who visit your website. Not having a Privacy Policy affects your SEO rankings, and more importantly, the Federal Trade Commission (FTC) requires one for all online businesses located in the United States. Your privacy policy needs to include the following elements:

* How you collect information from the visitors of your website and from customers
* A description of what information you collect from your visitors and customers
* An explanation of what you do with all that information, how it is stored and where it is stored
* Instructions for how visitors or customers can change or remove their information
* Disclosure of any other parties with whom you would share that information

The Better Business Bureau has a sample policy which can be found here:

PCI Standards

If your website is an E-Commerce website, or you allow your clients or customers to pay by credit card, you must also comply with the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with the standard can result in fines of up to $500,000 per incident or possible cancellation of your merchant credit card processing account. While all businesses must follow these standards, if you make fewer than 20,000 transactions per year, validating (i.e. proving) your compliance is optional.

The PCI standards require your business to do the following:

* Protect the cardholder data that is stored with you.
* Implement security systems and applications such as firewalls and antivirus software.
* Have a firewall in place at all times to protect data.
* Use anti-virus software and keep it updated regularly.
* Use your own unique system and security passwords rather than vendor-supplied defaults.
* Encrypt transmission of cardholder data and other sensitive data across all public networks.
* Restrict employee access to data based on the needs and job description of each employee.
* Track and monitor all access to network resources and cardholder data.
* Maintain an information security policy.

Hot Legal Issue Of The Day – Right To Privacy

While a number of topics are currently being discussed in the United States, one of the most controversial is the right to privacy. This hot-button issue is made more complex in a post-9/11 environment, as we struggle to find and maintain a balance between personal rights and public safety.

Most people would vigorously defend the right to privacy, feeling that the accessibility of too much personal information is not only an invasion, but morally wrong and unconstitutional. After all, prior to September 11th, the United States had not been subjected to the overt terrorism that had plagued other countries.

The events of September 11th shattered our false sense of security and caused us to truly question whether the enemy was in a far-off country or next door. In our post-9/11 world, the government’s responsibility to protect Americans has taken on new meaning. In an aggressive effort to protect us from the threat within, the government has adopted a “by any means necessary” approach, even if that means listening in to phone calls, reading emails, reviewing library records or scouring websites. The recently foiled plot to bomb airliners in Britain is an example of how invasion of privacy can in fact keep us safe. The individuals stopped for this heinous crime were discovered first through a tip and second through police monitoring of private activity, including phone calls.

Where a terrorism plot is averted because of an invasion of privacy, there can be little argument against the validity of the practice. Yet we also know that innocent people have had their privacy invaded when they posed no threat to national security.

The national debate over privacy has repercussions on a smaller level as well. Corporations and employees struggle with privacy issues in the workplace. Companies are also seeking to protect themselves from a different kind of threat: the legal and financial exposure caused by the actions of their employees, whether innocent or intentionally malicious.

Privacy is legally protected by the Constitution of the United States, and at the very core of America’s existence. As politicians, voters and special interest groups debate these constitutional issues, employees and employers seek to understand the rules of engagement within business.

Does an employee have privacy rights at work? How far can employers go in monitoring the activities of employees to ensure that they are protected from liability?

Employers have not only a right to monitor the activities of employees but a responsibility. Computer activity, including e-mails and phone calls, can be monitored by the employer; in fact, some degree of monitoring is recommended. Emails are discoverable in legal action, exposing employers to a great degree of risk. Even if the employer has a policy that expressly allows personal emails, the company still has a right to monitor individual emails.

Phone calls, except those placed on designated “for personal use” phones, can also be monitored. Call center and customer service employees are routinely monitored for quality assurance and training. There are, however, federal and state regulations which must be adhered to, and in many locations these include notifying the parties that the call is being monitored. Most employees will need to place or receive a personal call from work at some point. As a best practice, however, employees should use pay phones or cell phones when they must conduct personal business during the work day.

As we seek to balance privacy and protection on a national stage, we will undoubtedly make adjustments on a more personal level. We have already become accustomed to much of our lives being monitored through security cameras, electronic tracking and internet use, so it is possible that what is now viewed as an invasion will simply become normal. In the interim, it is wise to assume that what happens in Vegas may not stay in Vegas!