Security Clauses for Your Privacy Policy

Your Privacy Policy covers every aspect of your data use from obtaining consent to the collection of the data and right up to erasure of it.

It should also cover your security practices.

A security clause in a Privacy Policy tells users and regulators that security is a priority for your organization. Like the rest of your Privacy Policy, the clause should match your actual security practices rather than being too minimalist or too aspirational.

Why is a security clause so important? Because both governments and your customers expect one.

Keep reading to learn why you need one, how to build one, and see six examples of security clauses currently in use by well-known businesses.

Do You Need a Security Clause in Your Privacy Policy?

In a word - yes. It's always a good idea to have a security clause.

What is more, if a law requires you to have a Privacy Policy in the first place, then you are also likely legally obligated to have a security clause.

The GDPR is one law that seemingly requires you to use the clause.

According to the GDPR, you must meet minimum privacy and security practice requirements. Article 32 of the law provides some leeway regarding what measures you take and leaves you free to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

These measures might include:

• Encryption
• Pseudonymization
• Regular testing and evaluation of security measures
• Resiliency measures
• Back-up and restoration measures

While the legislation doesn't specifically state that you should include your security practices in your Privacy Policy, it is a good idea. Not adding a security clause is a red flag to European countries (and their citizens). By noting that you take the appropriate measures, you tell regulators that privacy is a concern and you take the right steps to address it.

Adding Security Clauses for Public Trust

Although laws like the GDPR do require the clause in a roundabout way, security is also on the minds of the general public.

In a study published by the Pew Internet Center in 2017, 52 percent of people thought private businesses were "somewhat" prepared to prevent cyberattacks. That's better than the 12 percent who think American businesses aren't at all prepared, but it also gives away a certain level of skepticism that consumers have towards businesses that collect data.

People around the world are also more aware of the major cyberattacks than you think. For example, the 2011 Target credit card breach reached huge numbers of Americans. Forty-seven percent of those asked about it in 2016 said they heard "a lot" about credit card scandal.

Moreover, privacy and security are now more closely related than ever before. And both customers and companies consider them to be almost one in the same.

When Facebook revealed that it shared huge amounts of private data with other companies through hidden agreements, the world heard both about the story and the consequences for those who data was involved. By the end of 2018, even Microsoft and Apple knew enough was enough and called for more effective national privacy standards.

The bottom line: people are more aware than ever of the risks of giving out their data. They want you to protect it, and governments increasingly believe it is up to businesses to safeguard the data they use.

Adding a security clause is both good form and a real asset in a digital world that still acts too much like the Wild West at times.

Writing a Security Clause That Works

Here's the good news about a security clause: it doesn't have to be complex. You don't need to outline your entire cybersecurity operation within it. Most businesses retreat from providing any more information than the barebones industry-standard data protection mechanisms, and this is ok.

In fact, some big businesses go as far as to include a security clause and then note that it violates company practice to reveal any potential security practices.

Generally, you should recognize that the nature of your business changes the nature of your clause. You want a more reassuring security clause if you collect highly-sensitive or protected personal information, like Social Security numbers, credit card details, or information about children.

If you only collect email addresses for a newsletter, the details of the clause become less vital. But you still should have one.

Examples of Security Clauses in a Privacy Policy

What does a security clause look like? Like all other clauses in your Privacy Policy, it depends on the nature of your business. When you collect vast amounts of data, you need a more comprehensive clause.

Here are a few helpful examples from some businesses.

HSBC's Privacy Policy security clause is rather brief, but it makes a point. Its reassuring in that HSBC takes information "very seriously" and says it complies with applicable legal standards.

Because HSBC is a bank and collects information like Social Security numbers, it adds an addendum that describes the protections it uses to keep them safe, such as limiting access to qualified team members to complement the technical protections:

US Bank uses a security clause similar to HSBC. However, it also adds a very helpful disclosure: no data storage can ever be 100 percent secure despite your best efforts. The statement is important for both transparency and managing expectations. You can use the best security available, but there are no guarantees.

US Bank also provides a contact resource for those with personal security concerns directly within the clause:

Finally, US Bank notes that it uses security mechanisms that customers may directly experience during a transaction. For example, your bank card may be declined automatically if US Bank's software believes the transaction is unauthorized.

US Bank directs customers to additional agreements and security documents. These are unnecessary if you don't work with the kind of information used by banks and other financial institutions.

TGI Fridays, a restaurant group, has a strikingly clear section on security in its Privacy Policy:

It is the first of our examples to disclose to using encryption, security controls for external attack, and internal security policies to prevent accidental disclosures from internal sources. Again, these descriptions are not informative for any potential attacks, but they do provide reassurance to customers.

Adding a self-help section within the security clause is rare but helpful and gives customers an excellent security resource in the face of phishing or other attacks. It provides basic safety hygiene (like using secure passwords and logging out). It also confirms that TGI Friday's will never ask for payment details via email.

Betterment is a robo-investor that deals with the same information as a traditional bank like HSBC.

Unlike the first two banks, it goes further in describing its privacy and security protection practices:

According to Betterment's security clause it:

• Uses the strongest available browser encryption
• Implements systematic processes
• Stores all data in secure facilities
• Limits access to information on a need-to-know basis
• Requires third-parties to comply
• Continues to protect data even when customers close accounts

However, Betterment also notes that it's up to customers to protect their physical computer as well as their account details to prevent any breaches that come from their computer or account.

Betterment provides more detail than the other two banks, but it doesn't give any data practices away. In fact, it covered all the bases the other banks left out like limiting access and specifically requiring third-parties to protect data.

Asana's Privacy Policy is a return to the basics. Because Asana collects information like names and email addresses, it doesn't need to worry about financial threats. Its biggest concern would be the loss of intellectual property or proprietary content uploaded or described by users.

As a result, Asana says it uses technical and organization measures to protect information but acknowledges that there's no such thing as an absolute in cybersecurity:

Macy's provides a very short security clause that similarly states that it does its best to prevent data breaches and uses appropriate safeguards:

Choosing not to disclose security details is Macy's right. Attackers won't learn much about what Macy's specifically does, which is good. Customers, on the other hand, would prefer to know that Macy's cares for its data, particularly in the wake of scandals like the Target card or Home Depot scandals, which revealed thousands of credit card numbers.

The final example comes from Google's Privacy Policy. Google embraces the spirit of the GDPR and provides the most transparency out of all the security clauses noted here. The clause specifically names ways that Google protects user data and describes what happens if a risk to a user's account is detected.

It leaves out the note that no security system is ever 100 percent secure. But the language of the clause promotes that on its own. Rather than making guarantees, Google says "we work hard," which allows room for error or security breaches without necessarily making Google liable.

Summary

Both regulators and your customers expect you to include details about your security practices in your Privacy Policy. It ensures both that you have security and privacy on your mind, and it is particularly important when you collect personally identifiable information, like Social Security numbers.

You don't need to give away your security practices in their entirety. Indeed, simply stating that you comply with regulatory standards and do your best to protect all data works just fine.