Welcome to a special two-part blog series for jewelry businesses, aimed at helping you understand data use, cybersecurity and privacy in broad terms.
Part 1
Cybersecurity basics
The questions you should be considering with your teams and lawyers
One of our industry’s greatest assets is data. When used strategically, data can provide retailers with insights on which areas of stores customers spend the most time in, provide suppliers with insights on which products are in highest demand by region, and allow all businesses with websites and social media pages to measure which posts and products garner the most engagement. The list goes on. But with the power of data gathered from your individual businesses and purchased from third parties comes the responsibility to use it properly and protect it from falling into the wrong hands. These responsibilities are both ethically and legally required. With the recent proliferation of privacy, data and cybersecurity laws across the world and a rapidly evolving legal landscape, gone are the days of operating your business obliviously. The Jewelers Vigilance Committee (JVC) is here to help!
In this two-part series, we are first going to cover some of the basic questions you should be asking your lawyer, service providers and business partners about data, cybersecurity and privacy. Second, we will dive into some of the cybersecurity, data and privacy policies you should consider implementing in your businesses to promote the highest levels of legal compliance and ethics. By asking the below questions, educating yourself and your teams on the relevant legal landscape, and implementing compliant business practices, not only will you minimize your legal liability, but you will differentiate your business as one that customers can trust. Shall we begin?
How do I protect my business from cybercriminals?
Cyber-attacks are malicious, deliberate attempts to access, steal, alter, disable or delete information of a person or organization through unwelcomed or unauthorized access to this information. As we all know, these attacks are clever and ever-present, and criminals have recently set their sights on the jewelry industry. Thus, to minimize your business’s vulnerability to cybercriminals, you should be actively engaging with cybersecurity professionals. With the help of professionals, you can assess and minimize your vulnerabilities, train your employees on phishing, spoofing and other common cyber scams, and proactively prepare your business for any potential cyber-attacks.
With the rise of cybersecurity and privacy laws worldwide, how do I know if I am subject to these laws?
This is a question for your lawyer and/or another service provider that specializes in this practice area. By now, we have all heard about the European Union’s General Data Protection Regulation (GDPR) in many of our industry’s news outlets and on the cookie banners and privacy policies that pop up on most websites, but did you know that the GDPR may apply to your business even if you have no physical presence in the EU? The same goes for California’s Consumer Privacy Protection Act and other US state laws passed or awaiting legislative approval. Check out the International Association of Privacy Professionals’ US State Privacy Legislation Tracker at iapp.org/resources/article/us-state-privacy-legislation-tracker for more information on US laws.
Once you ask a professional the above question, you will learn that your business must thoroughly document and analyze where it has physical locations, ships goods, provides services, receives web traffic, and more. Your business will also have to survey how it collects data, where this data is stored, and how this data is used and shared internally and externally. Additionally, you will have to consider whether the data you collect and store is necessary to perform the functions of your business. One requirement common to cybersecurity and privacy laws worldwide is the need to incorporate data protection principles in all aspects of your business, so the answer to the above question is intertwined with that of question one.
While all this may appear daunting, with the help of qualified professionals, developing a cybersecurity legal compliance framework and plan now will save you hours of headaches and thousands in legal fees and fines later, as well as sparing you bad press.
Are there any immediate steps I can take on my own now to move my business closer to ethical and compliant data use and in line with cybersecurity and privacy laws?
In thinking holistically about the health of your business, there are a few easy steps you can take on your own to position yourself for success.
First, join the JVC at jvclegal.org and enjoy the many perks of membership in this prestigious trade organization. JVC members enjoy access to the jewelry industry’s legal experts for guidance on a variety of topics, networking opportunities, and abundant resources to improve the health and ethics of the jewelry industry.
Second, inform your staff members of the need to regularly update their hardware and software, even on personal devices, because security patches that fix known vulnerabilities are often contained in updates.
Third, start noting where you keep data, particularly sensitive data such as employee data, customer information and financial documents. Also, note who in your organization or vendors has access to your data and assess whether those with access actually need it.
Fourth, read the articles on jvclegal.org. One of my recent articles, “Covid-19 Cyber Attacks on the Rise: Protect Yourself and Your Business,” contains additional easy steps you can take to protect yourself and your business from cybercriminals, and you can read it for free!
Miya Owens is associate counsel and director of mediation at the Jewelers Vigilance Committee (JVC). Nothing written in this article or series should be interpreted as legal or professional advice.
Image: Jewelers Vigilance Committee (JVC) Article from the Rapaport Magazine - January 2022. To subscribe click here.