Yesterday, Erin Andrews won $55 million in a lawsuit dealing with a few different hotel chains and a stalker. I’ll get more into the details of that shortly. However, in the meantime, I want to start by telling you what this has to do with you.
When you are running a business, you are likely to gain access to sensitive customer information. This might be their social security number, their financial information, or even just the fact that they are using your product or service.
When you gain this information, you need to take some steps to properly protect it. Because if you do not, and it gets out, you risk angering and losing a customer, gaining a bad reputation, and, as in this case, losing a lawsuit and being out a whole lot of money in the process.
The Erin Andrews Story
Erin Andrews is an ESPN correspondent that you have probably seen on the sidelines of many an NFL game. In 2008, she was staying in a Marriott hotel in Nashville, Tennessee. A man, Michael Barrett, was staying in the room beside her.
Knowing the celebrity was in the room next to him, the man filmed her in her hotel room, creating a naked video of her, which he then posted on the Internet. In circa 2009, Andrews became aware of the video.
Barrett was arrested, and, as it turned out, the Nashville hotel was not the only one in which he had been staying at the same time as her, nor was the posted video the only one he had made. In fact, because he went from state to state with her, he actually ended up getting charged for interstate stalking.
He was later sentenced. But that was not the end of the story. Andrews filed a civil case against Barrett, the Marriott, and a couple of other hotel chains where the stalking took place. Yesterday, a jury came back with a ruling in her favor.
Why the Hotels Were Found Liable
As far as I know – and nobody I have heard has alleged otherwise so I have reason to believe it is true – none of the hotels knew Barrett was stalking Andrews. None of them were acting in cahoots with the man or knowingly help him perform his inappropriate goals. So how were they found liable?
It is not a coincidence that Barrett was staying in the room next door to the correspondent on several occasions. No, it was very intentional. Before booking his travels, Barrett would call ahead to the hotels and double check to make sure Andrews would be staying there. On learning that she would be, he would request a room right next to hers. And they complied!
As you can imagine, this is not the best way to protect a customer’s personal information.
Why Should You Care?
There are many reasons for you to take the proper steps to protect your customers and clients.
- Customer satisfaction should be one of your top goals, and that satisfaction is derived from more than just having a great product or service. Your customers need to be able to trust you to treat them right, and that means keeping any personal information they give you safe.
- Apart from any opinion about an individual customer, your reputation as a whole should be considered. Online reviews, such as through Yelp, make it easy for anybody to see how you are doing before they ever even think of using your company. So, having marks against you for not knowing when to keep quiet can really hurt your business.
- The safety and security of your company can depend on it. When you do not properly protect personal information, employees and customers can be hurt because of it. In the Erin Andrews case, think of what else could have happened. With the information her stalker received, he already violated her in a sexual manner. But he could have also hurt her physically. But even apart from personal attacks, not safeguarding information can lead to other types of security breaches. For example, if you do not take the steps to protect information, it may be easier for a hacker to take.
- You may end up with legal liability for your failure. Just like the Marriott in this situation, if you fail to take the steps you need to take to protect personal information, then you might find yourself on the wrong side of the law in an expensive lawsuit.
10 Ways to Protect Personal Information
Now that we have established why it is important for you to protect the personal information that your customers and clients trust you enough to provide, we need to look at just how you can do that.
There are many things you can do to protect and safeguard this information. However, for starters, here are ten places to begin.
1: Have set policies.
One of the best places to start is by coming up with a policy on the matter. This way, employees can clearly see what is expected of them from the day they start. It also allows customers to see what they can expect from your service. So if you do not have one already, think about creating a policy that states what information is going to be protected and how you and your staff will work to protect that information.
2: Enforce your policies.
A policy is only a bunch of words. They mean next to nothing without you actually following through with them. Once you have a policy, make sure you enforce it. If you see someone violating it (e.g., an employee giving out a customer’s room number without permission), then take the right steps to discipline them for their lack of discretion.
3: Give away as little information as needed.
Sometimes it might be necessary to give some personal information up. For example, a request from the government might require you to give out phone records. However, make it a habit to give out information only when needed.
And, if you are going to give out information, make sure you are upfront about it before it is ever given to you. Studies have shown that, when it comes to using a customer’s information, transparency is important. This means, not only telling people, but not trying to hide it. A few years ago, Google drew heat because they were giving out information to app developers. Their policy actually did state they would do this, but it was buried so that people would not notice. Google’s reputation is strong enough to withstand the criticism, but do you want to risk that for yourself?
4: Hire the right people.
Erin Andrews was not the only star to have troubles with a company giving out their information. Last year, singer Iggy Azalea (she’s so Fancy) claimed that a Papa John’s driver gave out her home phone number. As you might guess, she was not amused. Both of these stories show you why hiring the right people is so important – and not just if you have celebrity clientele.
There are limitations to what you can do when you hire someone. For example, depending on the state you are in, how you can conduct and use a background check might be restricted. Similarly, whether or not you can make a hiring decision based off of a criminal charge might be limited. However, while staying within the confines of the law, make sure you are doing the steps that need to be done to hire trustworthy employees who will not leak information.
5: Train, train, train.
Now that you have a policy that you are planning to enforce and you have hired people that are going to be trustworthy, make sure you do some training. This should be done when an employee starts, as well as periodically thereafter and whenever something in the policy changes. Make sure employees know what is expected of them and how they should be handling the personal information given to them.
6: Get rid of unneeded information.
This one is pretty simple. Sometimes, you need to store information. There are records you have to keep and records it is just smart to keep. However, if the time comes that you do not need the personal information anymore and there are no laws telling you you have to keep, then don’t. Get rid of personal information when it is no longer necessary to keep it. This way, if you are hacked, there is a lot less information to get.
7: Get rid of data in the correct manner.
Don’t just throw a list of social security numbers in the trash. When you do get rid of information, make sure you do it in the correct manner. Data breach laws, of which almost every state has one, sometimes tell you just how you need to get rid of personal information when you destroy it. This often requires you to redact the information or somehow make it unreadable to anyone who might stumble across it.
8: Keep private information as private as possible.
As is the case of Azalea’s Papa John’s driver, sometimes – in order to run your business – you will have to share a customer’s personal information with your employees. That is why it is so important to hire trustworthy people. However, even with a reliable staff, try to keep personal information on as much of a need to know basis as possible. After all, the fewer people who know, the fewer people there are to spill the beans.
9: Store information in a safe manner.
When you have personal information that you just cannot get rid of, make sure you take the right steps to secure it safely. This might mean to keep the information in an encrypted or redacted form. Make it where the information is hard to read unless you have the key, and that way it is less likely to be taken and used in an incorrect manner.
10: Have a good security system.
As I have discussed a few times above, your duty to protect personal information is more than just not giving out a hotel room number or phone number. Personal information can be stolen through someone hacking your system. So, make sure your system is fully secure. If someone is trying to hack you, you should be able to figure this out as soon as possible to stop them and curtail damages.
What You Need to Do
It might be too late for the hotels in this situation, but it does not have to be too late for you. Make sure you are taking the right steps to protect your customer’s information, and avoid finding yourself liable for your negligence.