Privacy, Security and Compliance for SMBs: Part 2

By Jennifer Schiff | Posted September 26, 2006

In Part 1 of our two-part series, we discussed the responsibilities small businesses face in keeping their customers' personal data safe, and experts offered advice on how to stay compliant with various state and federal security regulations. Today, we'll look at how security audits and privacy assessments can help ensure that you're protecting sensitive data, and we'll discuss what you can do if your company ever experiences a security breach.

Security Audits
How do you find someone to perform a security audit? If you already have a relationship with an IT solution provider, start by talking with them. If you need help finding an IT provider in your geographic area, you can contact the Information Technology Solution Provider Alliance (ITSPA) by e-mailing findapartner@itspa.net. You can also visit ITSPA's Web site, as well as that of the Computing Technology Industry Association (CompTIA), a global IT trade association with more than 20,000 members in 102 countries. Security software vendors are another option: ask whether they have a certified partner in your area who can perform a security audit.

"The thing you want to make sure of, whether you choose a security software vendor, a solution provider or a hardware vendor, is that they cover all of the components of a security audit," says Russell Morgan, president of ITSPA. "That means that they're going to look at your network, the way you secure your applications and how you protect your hardware. And it should be a physical audit as well as a networking type audit."

A physical audit is important, as security breaches often occur when someone steals a piece of unprotected equipment — such as a laptop, a desktop or even a server.

"Everybody's pretty good now about knowing that they need to stay on top of anti-virus software and spyware and things like that," says Morgan. "But the most simple security breaches are physical ones: you've got a person with a laptop who doesn't have it password protected. If that laptop's lost or stolen, somebody now has the potential to access all of your customer information. If you have a small server with sensitive data in an area that's not secure, someone can walk in, pick it up and walk out with it."

So in addition to performing a security check of your network and software, it's also critical to password-protect laptops, to encrypt the data stored on them (a login password alone does not protect a drive that is removed and read on another machine), and to keep servers containing sensitive data in a locked, access-controlled location.

The person performing the security audit should also provide you with a prioritized list of recommendations, so that you know which issues you need to tackle right away and which ones you can address when your budget allows. Morgan also recommends budgeting for an annual security audit as new security and privacy threats constantly emerge and evolve.

How much does a security audit cost? It really depends on the size of your business. Morgan says no more than $2,000 — and he considers that the high end of the scale. "I've seen assessments in the $500 - $1,000 range," he says. "But you ought to be able to know exactly where you stand for less than two grand."

Perform a Privacy Assessment
The other key step to protecting your business in the event of a security breach is performing a privacy assessment. According to Nina Kaufman, a small-business attorney, e-commerce entrepreneur and founder of Wisecounselpress.com, a privacy assessment "involves looking at exactly what kind of information you are collecting and how you are storing it."

The assessment parallels the security audit. It should be performed by an attorney familiar with the legislation governing your industry as well as with state and federal privacy laws, and, as with the security audit, it should produce a thorough review of your privacy measures and a list of recommendations.

The cost, says Kaufman, could range anywhere from $750 to $3,000 — depending on where your business is located, the industry, the size of your business and the amount of information you are collecting. But that's small change compared to incurring a fine — which could cost your business more than $100,000 — or losing the trust of your customers.
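A practitioner supporting the privacy assessment described above usually starts with a data inventory: finding out which stored fields actually contain personal data, and whether it sits somewhere it was never meant to be. The following Python script is an added example and is not part of the original article or the work of anyone quoted in it. It scans a constructed set of customer records (the rows, the field names and the `SAMPLE_RECORDS`, `scan_records` and `summarize` names are all assumptions for illustration) for e-mail addresses, Luhn-valid payment card numbers and US Social Security numbers, and reports which record and which field each one was found in.

```python
import re
from collections import Counter

# Constructed sample rows standing in for an export of a hypothetical customer
# table (assumption for illustration; nothing here is real data). The card number
# is the standard Luhn-valid test number and the SSN is the well-known number the
# SSA retired after it was printed on sample cards.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "email": "a.customer@example.com",
     "notes": "paid by card 4111 1111 1111 1111"},
    {"id": 2, "name": "B. Customer", "email": "b@example.org",
     "notes": "SSN on file: 078-05-1120"},
    {"id": 3, "name": "C. Customer", "email": "not-an-email",
     "notes": "order ref 1234567890123456"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by spaces or hyphens; each candidate is
# then confirmed with the Luhn checksum so that arbitrary digit runs are ignored
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return the kinds of PII found in one text value, in a stable order."""
    kinds = []
    if EMAIL_RE.search(text):
        kinds.append("email")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            kinds.append("payment_card")
            break
    if SSN_RE.search(text):
        kinds.append("ssn")
    return kinds


def scan_records(records):
    """Inventory every string field of every record; one finding per (record, field, kind)."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for kind in find_pii(value):
                findings.append({"record": rec["id"], "field": field, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per kind of personal data, for the assessment report."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print("record %s, field %r: %s" % (f["record"], f["field"], f["kind"]))
    print(summarize(results))
```

The Luhn check is what keeps the 16-digit order reference in the third row from being reported as a card number. The hits on the free-text `notes` field are the kind of storage finding an assessment is meant to surface: a card number or SSN typed into a plaintext notes column is rarely covered by whatever controls apply to the fields that were designed to hold such data.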

Establish a Privacy Policy
An attorney can also help you create a privacy policy, which should be posted on your home page, with links to it on other pages. A clear, well-thought-out privacy policy addresses customers' concerns and can protect you in the event of a security breach. According to the Privacy Rights Clearinghouse, "Having a privacy policy on your site indicates that your organization has taken a proactive approach by establishing guidelines for protecting privacy and sticking to them."

The Privacy Rights Clearinghouse recommends that your privacy policy include the following:

  • The type of information you collect and who has access to that information, e.g., if you share data with third parties and, if so, how and why
  • How you collect information, e.g., if you plan to use cookies or other information-gathering techniques, you should explain this in your privacy policy
  • Who you collect information from and why
  • How you use the information, how long you retain it, how consumers can update or remove it, and how you protect it from illegitimate access
  • Who visitors can contact regarding privacy concerns and how long it usually takes your business to comply with a request for information removal

In addition to an external privacy policy, every company that conducts business online or uses e-mail should also have an internal privacy policy, clearly posted or otherwise accessible to employees.

"Many small businesses tend to overlook educating their employees," says Sara Radicati, the president and CEO of the Radicati Group, an independent market-research firm. "Larger companies are typically more thorough about educating employees and defining the difference between good and bad Internet and e-mail behavior. One of the best ways a small business can protect itself is to issue clear policy guidelines to employees about searching the Web, properly handling e-mail and so on."

Online Security and Privacy Resources