It should also cover your security practices.
Why is a security clause so important? Because both governments and your customers expect one.
Keep reading to learn why you need one, how to build one, and see six examples of security clauses currently in use by well-known businesses.
In a word: yes. It's always a good idea to have a security clause.
The GDPR is one law that seemingly requires you to use the clause.
According to the GDPR, you must meet minimum privacy and security practice requirements. Article 32 of the law provides some leeway regarding what measures you take and leaves you free to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."
These measures might include:
- Regular testing and evaluation of security measures
- Resiliency measures
- Back-up and restoration measures
Adding Security Clauses for Public Trust
Although laws like the GDPR do require the clause in a roundabout way, security is also on the minds of the general public.
In a study published by the Pew Internet Center in 2017, 52 percent of people thought private businesses were "somewhat" prepared to prevent cyberattacks. That's better than the 12 percent who think American businesses aren't at all prepared, but it also reveals a certain level of skepticism that consumers have towards businesses that collect data.
People around the world are also more aware of major cyberattacks than you might think. For example, news of the 2011 Target credit card breach reached huge numbers of Americans. Forty-seven percent of those asked about it in 2016 said they had heard "a lot" about the credit card scandal.
Moreover, privacy and security are now more closely related than ever before, and both customers and companies consider them to be almost one and the same.
When Facebook revealed that it had shared huge amounts of private data with other companies through hidden agreements, the world heard both about the story and about the consequences for those whose data was involved. By the end of 2018, even Microsoft and Apple had decided enough was enough and called for more effective national privacy standards.
The bottom line: people are more aware than ever of the risks of giving out their data. They want you to protect it, and governments increasingly believe it is up to businesses to safeguard the data they use.
Adding a security clause is both good form and a real asset in a digital world that still acts too much like the Wild West at times.
Writing a Security Clause That Works
Here's the good news about a security clause: it doesn't have to be complex. You don't need to outline your entire cybersecurity operation within it. Most businesses retreat from providing any more information than the barebones industry-standard data protection mechanisms, and this is ok.
In fact, some big businesses go as far as to include a security clause and then note that company policy prevents them from disclosing any specific security practices.
Generally, you should recognize that the nature of your business changes the nature of your clause. You want a more reassuring security clause if you collect highly sensitive or protected personal information, like Social Security numbers, credit card details, or information about children.
If you only collect email addresses for a newsletter, the details of the clause become less vital. But you still should have one.
Here are a few helpful examples from some businesses.
Because HSBC is a bank and collects information like Social Security numbers, it adds an addendum that describes the protections it uses to keep them safe, such as limiting access to qualified team members to complement the technical protections:
US Bank uses a security clause similar to HSBC. However, it also adds a very helpful disclosure: no data storage can ever be 100 percent secure despite your best efforts. The statement is important for both transparency and managing expectations. You can use the best security available, but there are no guarantees.
US Bank also provides a contact resource for those with personal security concerns directly within the clause:
Finally, US Bank notes that it uses security mechanisms that customers may directly experience during a transaction. For example, your bank card may be declined automatically if US Bank's software believes the transaction is unauthorized.
US Bank directs customers to additional agreements and security documents. These are unnecessary if you don't work with the kind of information used by banks and other financial institutions.
It is the first of our examples to disclose that it uses encryption, security controls against external attacks, and internal security policies to prevent accidental disclosures from internal sources. Again, these descriptions give a potential attacker nothing useful, but they do provide reassurance to customers.
Adding a self-help section within the security clause is rare but helpful and gives customers an excellent security resource in the face of phishing or other attacks. It provides basic safety hygiene (like using secure passwords and logging out). It also confirms that TGI Friday's will never ask for payment details via email.
Betterment is a robo-investor that deals with the same information as a traditional bank like HSBC.
Unlike the first two banks, it goes further in describing its privacy and security protection practices:
According to Betterment's security clause it:
- Uses the strongest available browser encryption
- Implements systematic processes
- Stores all data in secure facilities
- Limits access to information on a need-to-know basis
- Requires third parties to comply
- Continues to protect data even when customers close accounts
However, Betterment also notes that it's up to customers to protect their physical computer as well as their account details to prevent any breaches that come from their computer or account.
Betterment provides more detail than the other two banks, but it doesn't give any data practices away. In fact, it covers all the bases the other banks left out, like limiting access and specifically requiring third parties to protect data.
As a result, Asana says it uses technical and organizational measures to protect information but acknowledges that there's no such thing as an absolute in cybersecurity:
Macy's provides a very short security clause that similarly states that it does its best to prevent data breaches and uses appropriate safeguards:
Choosing not to disclose security details is Macy's right. Attackers won't learn much about what Macy's specifically does, which is good. Customers, on the other hand, would prefer to know that Macy's cares for its data, particularly in the wake of the Target and Home Depot card scandals, which revealed thousands of credit card numbers.
It leaves out the note that no security system is ever 100 percent secure, but the language of the clause implies that on its own. Rather than making guarantees, Google says "we work hard," which leaves room for error or security breaches without necessarily making Google liable.
You don't need to give away your security practices in their entirety. Indeed, simply stating that you comply with regulatory standards and do your best to protect all data works just fine.