9. If Third-Parties Request Personal Data — How to Respond

Checklists

Requests from Individuals Authorized by Your Customers

  • If your customer indicates that he/she wants someone else to see the information that you keep about the customer, consider that third party as now "authorized."
  • However, if you receive a request from a third party (e.g., a family member, attorney, or health care provider) for information about your customer:
    • Require written authorization (e.g., a consent form or a power of attorney) that has been signed and notarized by your customer.
    • Carefully read the written authorization. Make sure that the written authorization encompasses the type of information that you maintain about the individual.

Requests from the Government

Consider the following:

  • Don't assume that a government request is “authorized.” Just because a request comes from the government does not mean that the government is “authorized” to obtain personal information.
  • Try to comply with the request without providing personal information. Sometimes government agencies request documents that include personal information without realizing it.
  • If you and your attorney decide to comply with a government request, consider asking the government if you can delete the personal information that may be in the document.

Requests from Other People

  • Other people, companies, or organizations that request personal information about your customers generally are not considered "authorized." For such requests, consider:
    • Requiring a formal request — in writing.
    • Consulting with your attorney.
    • After consulting with your attorney, and/or the customer, respond to the request in writing and keep a copy of your response.
  • If you receive a subpoena from an attorney, do not assume that the request is "authorized."
    • The mere fact that someone issues a subpoena does not mean that you must provide the information that they request.
    • Immediately consult your attorney, who can help you decide how to respond to the subpoena.

Only 28% of small businesses provide training to employees about Internet safety and security.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.