Understanding the Importance of Data Asset Protection: Why Wineries Need to Pay Attention to Policies and Procedures

Farella Braun + Martel LLP

Data asset protection is traditionally associated with industries and entities that develop or store particularly sensitive information, like tech companies, hospitals, law firms, and government entities. However, data asset protection should be a priority for all businesses, including those in the wine industry.

Many businesses in the wine industry, including wineries and wine shops, store various consumer data, such as addresses, birthdays, email addresses, and phone numbers. Wine club memberships, for example, are a cornerstone of many wine businesses. Unlike many retailers in other industries that may be able to delete consumer information after one-off transactions, the recurring nature of wine club shipments and club communications means wine businesses must store the addresses they collect from their customers, along with sensitive data, like credit card information, long after initial collection.

Along with sensitive financial information, much of the data collected is less sensitive—such as customer emails—but nonetheless governed by legal privacy requirements in most of the United States and in many international jurisdictions as well. Beyond consumer information, wine industry businesses also store their own sensitive data, such as proprietary intellectual property, as well as personal employee information.

As such, it is crucial for wine industry businesses to understand data privacy laws and cybersecurity issues, and to implement policies that protect the business from inadvertently violating consumer privacy laws or falling prey to myriad cybersecurity threats. It is also important to have a policy in place for what should happen if a breach does occur.

Below, we have compiled some of the most frequently asked questions we have received from companies in the wine industry regarding data privacy and cybersecurity, along with answers to help guide your consideration of your company's data asset policies and procedures.

What is "Data Privacy" and Why Should I Take Steps to Protect It?

The rise of digital marketing has made customer data an integral part of winery operations. However, collecting and managing personal data carries legal obligations. California's Consumer Privacy Act (CCPA), for example, applies to for-profit businesses with annual revenues of greater than $25 million or personal information of greater than 100,000 California data subjects. Numerous other states have similar legislation that may be relevant to a given business, depending on where it is located/has assets and/or where it does business. While they each have unique aspects that require specific attention, state privacy laws share some basic principles to keep in mind.

Key privacy practices include:

  • Establishing a Clear Privacy Policy: Companies must generally disclose what types of data they collect, the purposes for which each category of data is used and with whom they share the data, as well as disclosing certain rights consumers have with respect to their data. These disclosures are generally contained in an online privacy policy, and wineries with an online presence should create a privacy policy outlining these details. They must ensure it is easily accessible on their website, usually by posting a link to the policy on the homepage or in a persistent footer throughout the site.
  • Obtaining Consent for Data Collection: Most privacy legislation in the U.S. requires companies to honor consumers' opt-out requests. That is, so long as the privacy policy contains the necessary disclosures, a company may collect users' personal information without express permission to do so. But while it is generally not legally required, obtaining express consent, when collecting email addresses or other personal information, builds customer trust. This can be done through opt-in forms on websites and during event registrations.
  • Implementing Data Security Measures: Data breaches can harm a winery's reputation and result in legal consequences. To protect customer data, wineries should use encryption and secure servers and conduct regular security audits. Implementing multi-factor authentication for internal systems adds an additional layer of security.
  • Respecting Customer Data Rights: Customers generally have rights to access, transfer, or restrict the use of their personal data under various privacy laws. Moreover, consumers often have a "right to be forgotten." That is, consumers may request that the business delete their information. Wineries should ensure they have systems in place to comply with data access or deletion requests promptly.

Note, however, that if the business has a valid basis for holding such information (e.g., tax law or warranty requirements), the business is permitted to keep such information even after a deletion request. But that information must not be used for any purpose other than the specific purpose that excepted it from an otherwise valid deletion request.

What About Cybersecurity: What Steps Can I Take to Prevent a Breach?

With the increasing reliance on digital records, wineries face cybersecurity threats, like data breaches and ransomware attacks. Here are steps they can take to safeguard their systems:

  • Use Secure Payment Systems: Secure payment platforms with encryption ensure that customer transactions are safe. For online sales, wineries should partner with reputable payment processors that comply with Payment Card Industry Data Security Standards (PCI-DSS).
  • Secure Wi-Fi Networks and Use VPNs for Remote Access: Secure network access prevents unauthorized access to winery systems. Employees who access systems remotely should use Virtual Private Networks (VPNs) to protect sensitive data from potential interceptors.
  • Provide Regular Software Updates and Patch Management: Outdated software is a common entry point for hackers. Wineries should prioritize regular software updates, including patches for all systems and applications.
  • Require Employee Training on Cyber Threats: Human error is often the weakest link in cybersecurity. Regular training can help employees recognize phishing emails, avoid suspicious links and practice safe password management.

What Systems Should I Have in Place to Address a Breach After It Occurs?

In the event of a data breach, a well-prepared response plan is critical. This plan should include:

  • Immediate Incident Response Steps: The winery should designate an internal response team, set procedures to contain the breach, and assess the scope of the compromise.
  • Notifying Affected Individuals: Depending on legal requirements, wineries may need to notify customers of data breaches, especially if sensitive personal information is involved.
  • Reviewing and Improving Security Measures: After addressing a data breach, wineries should evaluate their security protocols and strengthen any weak points to prevent future incidents.

Taking the time to think about data privacy and cybersecurity issues now, before a problem arises, could help prevent a problem from occurring in the first place. Even if an issue does arise, having a policy in place to address it will enable a business to comply with any applicable legal requirements and potentially even mitigate the extent of the breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Farella Braun + Martel LLP
