Privacy, Security and Compliance for SMBs: Part 1

By Jennifer Schiff | Posted September 25, 2006

Here is a troubling statistic from the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization: Since February 2005, the data records of more than 93 million U.S. residents have been exposed due to security breaches. While many of these breaches occurred at financial institutions and universities and were the result of hacking, many were also due to stolen computers and occurred at smaller businesses and organizations.

Companies of all sizes need to take precautions to keep customer data safe and secure, but how much security is enough? Does the size of your business matter, and what are an organization's responsibilities regarding its customers' privacy? We spoke to several experts to learn what steps you can take to ensure that you're in compliance with the latest privacy laws and how you can protect your business — and your customers — in the event of a security breach.

Who Needs Protection?
The short answer is everyone. "What we've seen from the security breaches at the largest companies in the country [think ChoicePoint and Bank of America] is that high-profile breaches make for headlines — and for unhappy customers," explains Nina Kaufman, a small-business attorney, e-commerce entrepreneur and founder of Wisecounselpress.com.

But it's not just large companies that need to be concerned with security and privacy. No matter what size business you run, "If you use a computer or wireless device that connects you to the Internet or an intranet, you are vulnerable to a breach and subject to compliance with state and federal privacy regulations," says Kaufman.

Luckily, there are several simple, relatively inexpensive measures you can take to help protect sensitive data and ensure that your business is in compliance with privacy legislation.

Know the Law
As of June 2006, 31 states have laws or statutes on the books that protect consumers in the event of a security breach — and more bills are making their way through state legislatures and Congress.

The first state to enact such legislation was California, back in July 2003. Known as Civil Code Sec. 1798.80-1798.82 (or California SB 1386), it requires businesses, agencies and individuals to notify consumers of any breach "in the security, confidentiality or integrity of unencrypted computerized personal information held by a business or a government agency."

While you might think the law affects only California businesses, think again. The law applies to any business or person doing business with a California resident. It pays to be informed since most other states now have similar laws. Good sources of online security and privacy information are industry-specific trade associations, your local Chamber of Commerce, your IT solution provider (if you have one) or a small-business attorney.

"Most industry associations recognize that one of the values they bring to their members is keeping them up to speed with what's going on from a technology or legislative standpoint, and how it might impact their business," explains Russell Morgan, the president of the Information Technology Solution Provider Alliance (ITSPA), a national, nonprofit organization of technology consultants.

Online Security Tips from the Privacy Rights Clearinghouse