Chances are, your business collects personal information about customers, employees and/or partners. This means you have an obligation to protect that information. Failure to do so could lead to legal issues or even bankruptcy. Unfortunately, many businesses have found themselves in these situations over the past several years.
Jane Hils Shea, technology and data privacy attorney for Frost Brown Todd, said in an email interview with Small Business Trends, “The frequency and extent of data breaches are at an all-time high in terms of both number of breaches and number of individual records compromised, and the expenses associated with data breach response are increasing.”
Here’s what your small business needs to know about personal information and how to protect it.
What Is Personal Information?
Personally identifiable information or sensitive personal data can be anything that is used to identify an individual’s personal identity. For instance:
- Name
- Social Security Number
- Contact Information
- Payment Information
- IP Address
There’s a good chance that your business collects some of this information about your customers already. Any time someone pays with a credit card or signs up for your email list using their name and contact info, you gain access to personal information.
This means you need to have policies in place to protect this information and let customers know exactly how you intend to use this data. Here’s what you need to know.
Why Is Personal Information Important to Your Small Business?
There are laws and regulations that require businesses to meet certain standards when it comes to storing and protecting personal information. In most cases, you’re bound by the actual language that you use in your own privacy policies. So it’s important that you outline exactly how you plan on using any personal information you collect and have customers agree to that policy when they do business with you. However, there are other standards that apply to specific industries as well.
Shea says, “An online business that collects personal data about persons located in the U.S. is primarily bound by the promises made in its website privacy policy. If a business is a part of the financial services or healthcare industries, it could be subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) or the Health Information Protection and Portability Act (HIPAA). If it collects data about children under 13 it could be liable under the Children’s Online Privacy and Protection Act (COPPA).”
Payments are another major area where businesses need to focus their security efforts. Shea explains, “Businesses that accept credit cards should be certain they comply with the Payment Card Industry Data Security Standards (PCI-DSS). All businesses that take payment by credit card are required by their card processing agreement to have implemented and to maintain the PCI-DSS.”
Online businesses also need to be aware of international laws, or those that focus on personal information from customers outside the U.S., such as the EU’s General Data Protection Regulation (GDPR), which went into effect earlier this year.
When it comes to protecting personal information, the Fair Credit Reporting Act’s Identity Theft Rules require certain businesses to have written identity theft protection programs. And many vendor service agreements also require businesses to implement industry standard security procedures as part of their contract agreements.
How Can Your Business Protect Personal Information?
There are many steps you can and should take to protect the sensitive data and personally identifiable information you collect about customers, employees, and vendors. Your exact plan will depend on what data you actually collect. But there’s one essential principle that applies to basically every business.
Shea says, “The cardinal rule and the first step for a business to take to protect against data breaches is to ‘know thy data’. A strong information security program begins with a data inventory and a data map. This exercise tells a business what personal data it collects and processes about its customers and its employees, and identifies where in its system it is located so it can best protect that data. Further, it should understand how the personal data is processed and transmitted, how long it is retained, and what its data destruction obligations are.”
She also offered a handful of concrete steps you can employ. For example:
- Delete all data from your system that you don’t use or need to keep for legal or compliance reasons.
- Develop a Data Breach Response Plan.
- Develop a business resilience plan and back up essential data to a reliable cloud server.
- Add encryption for the transmission and storage of sensitive personal information.
- Train employees on security awareness.
- Require employees to use strong passwords, two-factor authentication and other preventive security practices.
- Check with your vendors about their security measures and practices.
- Use EMV chip card technology to reduce the risk of card fraud.
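The “know thy data” step above (a data inventory and a data map) and the follow-on steps of deleting what you do not need and encrypting what you keep all depend on first finding out which fields in which systems actually hold personal information. The script below is an added example, not code from the article or from Frost Brown Todd: it scans exported records from two hypothetical data stores (the store names and the records are constructed for this example), classifies each field by the kind of personal information it contains, and lists the fields holding Social Security or card numbers so they can be prioritized for deletion, encryption, or tighter access control. Pattern matching only finds structured identifiers; names, phone numbers and addresses are flagged from field names, which is a heuristic and still needs a manual schema review.

```python
"""Minimal PII inventory: scan exported records from several data stores,
classify the personal data found in each field, and build a data map of
where it lives. All sample records below are constructed for this example."""
import re
from collections import defaultdict

# Constructed sample exports from two hypothetical stores (not real data).
SAMPLE_STORES = {
    "crm.customers": [
        {"name": "Alice Example", "email": "alice@example.com",
         "phone": "555-0100", "notes": "prefers email"},
        {"name": "Bob Example", "email": "bob@example.org",
         "phone": "555-0199", "notes": "invoice ref 1234 5678 9012 3456"},
    ],
    "billing.transactions": [
        {"card": "4111 1111 1111 1111", "ssn": "123-45-6789",
         "client_ip": "203.0.113.7", "memo": "annual plan"},
    ],
}

# Structured identifiers that can be recognised from the value itself.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
# Categories that cannot be recognised from the value; inferred from the
# field name instead (heuristic, to be confirmed by a schema review).
FIELD_NAME_HINTS = {"name": "name", "phone": "phone", "address": "address"}
HIGH_RISK = {"ssn", "card"}


def luhn_ok(digits):
    """Luhn checksum; weeds out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return the sorted list of PII categories detected in one string."""
    found = set()
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # e.g. an invoice reference, not a card number
            if category == "ipv4" and any(int(o) > 255 for o in value.split(".")):
                continue  # dotted numbers that are not an address
            found.add(category)
    return sorted(found)


def build_data_map(stores):
    """Map every (store, field) to the PII categories seen in its values."""
    data_map = defaultdict(lambda: defaultdict(set))
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                for hint, category in FIELD_NAME_HINTS.items():
                    if hint in field.lower():
                        data_map[store][field].add(category)
                if isinstance(value, str):
                    data_map[store][field].update(find_pii(value))
    # Drop fields where nothing was found so the map shows only PII locations.
    return {store: {field: sorted(cats) for field, cats in fields.items() if cats}
            for store, fields in data_map.items()}


def high_risk_locations(data_map):
    """Fields holding SSN or card data: first candidates for deletion,
    encryption at rest, or tighter access control."""
    return sorted((store, field)
                  for store, fields in data_map.items()
                  for field, cats in fields.items()
                  if HIGH_RISK & set(cats))


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_STORES)
    for store, fields in data_map.items():
        for field, cats in fields.items():
            print(f"{store}.{field}: {', '.join(cats)}")
    print("high risk:", high_risk_locations(data_map))
```

Running the script prints one line per field that holds personal data and then the high-risk fields; Bob's "invoice ref" is not reported as a card number because it fails the Luhn check. In practice the constructed SAMPLE_STORES would be replaced by exports or sampled rows from each real system, and the resulting map becomes the starting point for the retention, encryption and vendor questions listed above.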