One of the top concerns consumers have when visiting and using websites is security: how their personal information is stored, used, and protected.
As a business, including a security clause in your Privacy Policy not only builds credibility for your company, but also helps protect you from future liability.
However, how important is a security clause in an overall Privacy Policy and how can you create one?
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the questions from our wizard:
Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
Is a Security Clause Legally Required by any Laws?
One of the most important parts of your Privacy Policy that may not be obvious is a security clause.
In the United States, state laws govern whether you should include a security clause. For example, the CCPA ("California Consumer Privacy Act"), as amended by the CPRA ("California Privacy Rights Act"), requires businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information they hold, and the resulting disclosures belong in your Privacy Policy.
Another U.S. law, COPPA (the "Children's Online Privacy Protection Act"), which protects the rights of children online, includes a section requiring a company to protect the confidentiality and security of the information it collects from children through reasonable efforts:
The European Union's GDPR ("General Data Protection Regulation"), which protects the personal data of people in the EU, states in Article 32 that companies must implement appropriate technical and organisational measures to protect users' personal data against loss, alteration, unauthorised disclosure or access, and similar risks:
Many of the laws that companies must comply with aim to protect the personal information of consumers. These laws may not explicitly state that you need a security clause in your Privacy Policy, but including one is highly recommended. The security clause is another disclosure to your clients about your protection practices, and it gives you another layer of protection if any issues arise.
User Trust and Transparency
Inclusion of a security clause in your Privacy Policy creates trust and adds to transparency with your users. The goals of laws like the GDPR and CalOPPA are not only to protect the private information of online users, but also to create a transparent relationship between consumers and companies.
Including a security clause clearly lays out the level of care and practices your company takes to protect your users' data.
Amazon includes a specific section in its Privacy Policy about the security steps, software, and encryption methods it uses to protect users' information, creating a trust between both of the parties:
However, as we all know, the transfer of information over the internet is never 100% safe. Attackers may still gain access to the information, or data may simply be lost, regardless of the security measures that have been put into place.
Including a statement to your users about this possibility is a transparent disclosure by the company and shows honesty.
The TV and movie streaming website Hulu includes a paragraph in its clause that clearly states it can't guarantee that nothing will happen to the data, but that the company takes reasonable methods to prevent illegal access to information and suggests users also take additional steps to protect themselves:
By referring readers to the FTC's website and its page of resources on privacy, identity, and online security, Hulu is helping its own customers stay safer online in general, which makes the company look more trustworthy.
How Your Type of Business Affects Your Security Clause
Not every business is the same or is run the same way. This also applies to the disclosure of security practices and of what information is collected.
For example, a gaming app might only collect email addresses and a name, whereas a loan operator may collect your Social Security Number and financial information. With such diverse data types, the type of security and disclosures in a security clause may also be different.
The online gaming company King Games collects information that requires less stringent security measures, such as data based on the use of its games and additional information collected from surveys and social media.
In its Privacy Policy, it states that most of the data it collects includes device information, location and game play information:
In contrast, the bank Wells Fargo collects more sensitive information such as credit information and Social Security Information:
While both businesses would benefit from a security clause, you can see how Wells Fargo's would be more necessary and also likely far more robust.
A company that collects more sensitive information will require a higher standard of protection than a company that collects only email addresses.
The GDPR even states that the level of security should be "appropriate" to the risk, which depends on the nature of the information that is collected and processed. Additionally, the standard of care typically used is the reasonable and accepted standard of care in your business' industry (seen here in Article 32):
An example of an online company that collects both simple and sensitive information, such as email addresses and credit card information, is the travel reviews website TripAdvisor. Its security clause lays out its extensive internal practices in place to protect the information:
Take stock of your individual business practices and the types of information you collect. Keep in mind that you should always collect the minimum, and only what's necessary. If you collect more sensitive data, your security clause will surely be more detailed, more in depth, and more appreciated by your customers.
Examples of Security Clauses
As mentioned above, every security clause is unique to your own company. No one clause fits all. Tailoring the clause to your company's business helps create trust with your users and forms a clear relationship while maintaining accuracy.
These clauses don't have to spell out every security measure and procedure that is taken. In fact, most businesses include only a general security clause stating that they protect your information through reasonable practices.
An example of a simple and short security clause comes from the online gaming company Big Fish. The clause hits the main points of protecting users' information from theft and fraud through "reasonable measures," while also reminding the user that the protections are not foolproof.
Even if you collect more sensitive information such as Social Security Numbers, your security clause does not have to be extremely long or very specific.
The student loan company Navient collects very sensitive information, such as bank details for processing repayments. However, its security clause is quite short. It informs users that the company applies the standard of care used in its industry and does all it can to protect the information:
At the other end of the spectrum, USA Today, a news outlet that collects only emails, names, birthdays, and what you post on its blogs, includes an equally simple but effective security clause. It doesn't go into great detail about specific security practices, but says just enough to create trust with the user:
Apple provides a longer than usual security clause. What makes this clause stand out is its use of clear and simple language to explain the security practices, which creates less confusion and lets the user understand it better:
An example of a security clause that gives general statements but also puts some of the responsibility of the protection of information on the user can be seen from The Guardian. The clause lays out the company's commitment to protect its users' data, but also reminds the user to create secure passwords and that using an online company does have its own risks:
Capital One offers a good example of a security clause for companies that collect financial information and Social Security Numbers. This clause is more specific and includes disclosures of "authentication procedures" to further protect the more sensitive information. It even includes a link to a dedicated Fraud and Identity Theft Prevention page. The inclusion of additional procedures adds to the company's credibility:
Lastly, one of the longest security clauses can be seen from Google. Google goes more in depth into the programs and software it uses to protect its users' information. Since so many people use Google and there is a constant flow of data, describing these various practices can give consumers peace of mind when using the site and services:
Summary
Security clauses help protect your company against future claims for the mishandling of personal data. They also help you create a transparent relationship with your users. Let's recap some of the main points you should remember when drafting your security clause for your Privacy Policy.
- Is a Security Clause Legally Required?
- While a specific clause may not be legally required, it is highly recommended
- Laws such as the GDPR and CalOPPA require companies to take reasonable care when handling personal information
- Create Trust and a Transparent Agreement
- The inclusion of a security clause in your Privacy Policy is a clear disclosure of your practices and gives your company credibility
- Your Business May Affect Your Clause
- If you gather highly sensitive data (e.g., Social Security Numbers), your security clause should be more detailed
- If you collect only email addresses, your clause may be more general
- The level of protection is determined by the data you keep
- Examples of Security Clauses
- Not every clause is the same
- The information included doesn't have to be specific
- Include a reminder that no security system is foolproof and encourage users to take steps to keep their own information secure as well