Samantha Bradshaw
Your customer list is gold; How to guard it like it is
Updated: Feb 1, 2022
Every small business knows that its customer lists are pure gold. It doesn't matter if you run a photography studio, are a business coach, make dragon scale jewelry on Etsy or luxury service provider.
Your email list, your sales call notes, your customer preferences, your VIP clients...all of them took 10s and 100s (even thousands) of hours to put together and literally make you money.
But what would you do if your customer list was stolen? You might need to start over. Or worse, ask each customer for that information again and explain what happened to it.
Let's talk about how you can guard your customer list against all potential foes, past and present.
First things first, who are you protecting your customer list from?
You might think no one is interested in your CRM data, your email list, or your curated collection of VIP clients. But there are more folks out there than you know that would LOVE to take a peek.
Hackers love easy targets

You might think your business isn't big enough for thieves (aka hackers), but you are. And even if you weren't, you still have to protect your customer list. Protecting the information isn't just for big companies. It’s also needed if you are a small business owner. Plus small businesses make for easy targets because they typically don't invest the resources to protect their digital data.
Disgruntled employees (or contractors) can make for nasty farewells
Hackers aren't the only ones that may want to steal your customer lists. Employees can download copies of your customer on their way out the door. Particularly after a bad parting or if they think they have some right to that information. It can also be outsiders who are contractors or service providers you share the information with, thinking they are acting in your best interest, but without any protection to ensure they are.
You are probably legally required to
Virginia recently passed a law called the Virginia Consumer Data Protection Act. If you meet certain criteria, this law requires that you protect personally identifiable information. Surprise surprise, your customer list has personally identifiable information about your people.
In California, there is a data privacy law that may apply to you if you collect data from Californian residents or do business in California.
There are more of these laws popping up each year. At some point as your business grows, it will become legally required for you to make sure you protect that information or risk pretty steep fines that you don't want to deal with.
Its the right thing to do
72% of consumers, according to a PWC survey in 2020, believe companies are the best option to protect their data, not the government.
Make of that what you will. But it means your customers, including the ones currently on your list expect you to protect their information, not only for your own financial benefit but also for their data protection.
But how do you actually protect that customer list gold?

Limit access to the data
Not everyone in your business should have access to all of the information you collect. Your staff, for example, may not require the same level of access to tools they use.
Consider this: do your copywriters need access to the same data as your product marketing team?
Probably not.
So use the team member permissions in each piece of software you use to set up that level of access.
Fewer folks accessing your customer list means fewer people you have to supervise doing shady shit with sensitive info. It means fewer access points for someone to get hacked.
It means less risk.
Use a password manager (with 2FA or MFA)
Speaking of getting hacked, lazy passwords are almost guaranteed to get hacked. If someone wanted your client list and your password is yourdogsname2021, they are gonna get your customer list.
It doesn't take a genius to guess through a few combinations of that until they get it right.
Changing 1 master password or revoking general access to a set of passwords is Infinitely easier than changing or revoking access to 100 individual passwords.
The most important thing about password management is that it's a security measure with legitimate benefits beyond just protecting your customer lists: using a strong, unique password on every site helps prevent higher-level hacking. I personally use BitWarden. It's cheap, effective, and trustworthy.
Have employees sign contracts that protect your customer lists
You'll want to make you have a few VERY specific clauses or agreements that anyone that has access to your customer lists signs on day 1! Those are:
Non-solicitation clauses just say employees can't solicit your customers or other employees.
Non-disclosure or confidentiality agreement that stops employees from using or disclosing confidential client information which they got or had access to while they were working for you.
Have written policies on confidentiality and have employees acknowledge the policies in writing. This can be in an employment or services contract, or an employee manual, you just ask everyone to sign.
You can get into trouble pretty quickly with these parts of the contract that restrict your team member's ability to work outside of your company. Be sure to talk to a lawyer familiar with laws in your state (cuz it REALLY matters for this) to make sure you aren't setting yourself up for any multi thousand dollar fines from the department of labor.
Make your customer list a trade secret

Customer lists can be a trade secret under the federal Defend Trade Secrets Act (DTSA). Since federal laws apply in every state, including Virginia, these are great places to start. Under the DTSA, the employer can file a trade secrets claim in federal court. The court can enter a preliminary injunction barring the salesperson from contacting anyone on the customer list. Legalese translation: A judge can say your sales person can’t contact their customers. This in a way acts like a reasonable non-compete, without risking the trickiness of most states not really allowing most non-competes anymore.
To prove the customer list is a trade secret, you have to show three things:
the customer list has “independent economic value”
it is not “readily ascertainable” by competitors
the employer took “reasonable measures” to keep it secret
If you followed the steps above, you probably already took reasonable measures. Did you avoid sharing the information publicly, require employees to sign confidentiality agreements, and have good passwords on all software and hardware? Those things are typically enough.
What about element no. 1, “independent economic value”? That’s a harder one. But it’s usually going to follow from element no. 2. If the customer list is not readily ascertainable by a competitor, that’s a good sign it has independent economic value. If it was readily ascertainable, it wouldn’t have much value.
Ultimately, you have to just take steps to increase the chances of being able to protect a customer list as a trade secret. Those steps can include the following:
Have employees sign non-disclosure agreements;
Have written policies on confidentiality and have employees acknowledge them in writing;
Get it on paper. Under the GTSA, a company cannot claim the information in an employee’s head as a trade secret;
Add non-public customer info to the list—past purchases, to future plans, to personal information (birthdays, family information, personal preferences, etc.);
Include non-public contact information;
Mark the customer list as confidential;
Restrict access to the customer list to those who need to use it;
Keep separate lists for customers and for potential customers; and
Be able to estimate how long the customer list took to create.
Summary: the more you make it SUPER clear, “this information is confidential and privileged,” the more likely a court would protect the information as a trade secret.
What NOT to do
Some information out there may say that you can simply put up a non-compete clause in the contracts for your employees.
In Virginia, you CANNOT do that unless the employee makes more than $60K a year or so in 2021. That number increases a bit every year, so be careful here. If you even have a non-compete clause in your contracts that Virginia has banned, you are subject to pretty nasty fines in the range of 10K and up from the Virginia department of labor.
So make sure you spend some time with a lawyer to see if you can or should use non-competes. Even still, non-competes have to be reasonable. Meaning they can't last forever. They can't say someone can't work anywhere in the state. They have to make sense.
You're better off going with ANYthing else I talked about above.
Your customer list is gold.
You know that, and so do the bad guys (and the angry folks). So be smart about how you protect it against all potential foes - hackers, disgruntled employees (or contractors), or even an overly eager competitor.
Don't wait until there's a problem to start thinking about how to protect it.
If you follow the blog's advice on these matters, your list will be safe and sound - like a dragon guarding its gold!
**Disclaimer: This is only general information, not legal advice specific to your situation, and does not create a client-attorney relationship. If you need legal advice, please contact a lawyer in your area.