Privacy, Security and Compliance for SMBs: Part 1

Here is a troubling statistic from the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization: Since February 2005, the data records of more than 93 million U.S. residents have been exposed due to security breaches. While many of these breaches occurred at financial institutions and universities and were the result of hacking, many were also due to stolen computers and occurred at smaller businesses and organizations.

Companies of all sizes need to take precautions to keep customer data safe and secure, but how much security is enough? Does the size of your business matter, and what are an organization’s responsibilities regarding its customers’ privacy? We spoke to several experts to learn what steps you can take to ensure that you’re in compliance with the latest privacy laws and how you can protect your business — and your customers — in the event of a security breach.

Who Needs Protection?
The short answer is everyone. “What we’ve seen from the security breaches at the largest companies in the country [think ChoicePoint and Bank of America] is that high-profile breaches make for headlines — and for unhappy customers,” explains Nina Kaufman, a small-business attorney, e-commerce entrepreneur and founder of

But it’s not just large companies that need to be concerned with security and privacy. No matter what size business you run, “If you use a computer or wireless device that connects you to the Internet or an intranet, you are vulnerable to a breach and subject to compliance with state and federal privacy regulations,” says Kaufman.

Luckily, there are several simple, relatively inexpensive measures you can take to help protect sensitive data and ensure that your business is in compliance with privacy legislation.

Know the Law
As of June 2006, 31 states have laws or statutes on the books that protect consumers in the event of a security breach — and more bills are making their way through state legislatures and Congress.

The first state to enact such legislation was California, back in July 2003. Known as Civil Code Sec. 1798.80-1798.82 (or California SB 1386), it requires businesses, agencies and individuals to notify consumers of any breach “in the security, confidentiality or integrity of unencrypted computerized personal information held by a business or a government agency.”

While you might think the law affects only California businesses, think again. The law applies to any business or person doing business with a California resident. It pays to be informed since most other states now have similar laws. Good sources of online security and privacy information are industry-specific trade associations, your local Chamber of Commerce, your IT solution provider (if you have one) or a small-business attorney.

“Most industry associations recognize that one of the values they bring to their members is keeping them up to speed with what’s going on from a technology or legislative standpoint, and how it might impact their business,” explains Russell Morgan, the president of the Information Technology Solution Provider Alliance (ITSPA), a national, nonprofit organization of technology consultants.

Online Security Tips from the Privacy Rights Clearinghouse
• The best way to protect the personal information your business collects is to store it on computers that are not connected to the Internet.
• If you own an e-commerce business, it is essential that you provide a secure environment. Use Secure Sockets Layer (SSL) technology to encrypt and protect information customers send to your Web site.
• Make sure you have a proper firewall in place.
• Make sure you have the latest anti-virus and anti-spyware software installed across the network.
• If you send e-mail to customers regularly, hide the address list by placing it in the BCC line or by investing in a broadcast e-mail program or service. This protects your customers’ privacy and prevents people from using the list to send spam.

That’s why Morgan highly recommends that small and medium-sized business owners join an industry association in their particular area of expertise. “While there might be a fee involved,” he says, “the information you receive can be priceless.”

Indeed, as Sara Radicati, the president and CEO of the Radicati Group, an independent market-research firm, explains, “Compliance is going to vary tremendously from industry to industry. If you own a small business in the financial sector, then you probably have to worry more about legislation compliance than, say, a business in the retail sector.”

The Gramm-Leach-Bliley Act, a.k.a. the Financial Modernization Act of 1999, is an example of legislation specific to financial companies.

Similarly, if you are in the health care sector, you need to be aware of the privacy provisions set forth in the Health Insurance Portability and Accountability Act, known as HIPAA. “Compliance really depends more on your industry than your company’s size,” states Radicati.

Another way to stay current on the latest security software and privacy legislation is by establishing a good relationship with an IT solution provider who is well-versed in security issues. “A lot of information floats around in the IT industry, so having a good relationship with a solution provider can help you stay on top of what’s going on,” explains Morgan. An experienced IT solution provider can also perform a security audit, to make sure you are properly protecting sensitive data.

How do you find someone to perform a security audit? We’ll cover that subject tomorrow in Part 2, along with tips on what to do if your company experiences a security breach.

Jennifer Lonoff Schiff writes about business and technology and contributes regularly to
