Privacy, Security and Compliance for SMBs: Part 2

In Part 1 of our two-part series, we discussed the responsibilities small businesses face in keeping their customers’ personal data safe, and experts offered advice on how to stay compliant with various state and federal security regulations. Today, we’ll look at how security audits and privacy assessments can help ensure that you’re protecting sensitive data, and we’ll discuss what you can do if your company ever experiences a security breach.

Security Audits
How do you find someone to perform a security audit? If you already have a relationship with an IT solution provider, start by talking with them. If you are looking for an IT provider in your geographic area and need a little help, you can contact the Information Technology Solution Provider Alliance (ITSPA) by e-mailing findapartner@itspa.net. You can also visit ITSPA’s Web site as well as the Computing Technology Industry Association (CompTIA), a global IT trade association with more than 20,000 members in 102 countries. You can also contact security software vendors to find out if they have a certified partner in your area who can perform a security audit.

“The thing you want to make sure of, whether you choose a security software vendor, a solution provider or a hardware vendor, is that they cover all of the components of a security audit,” says Russell Morgan, president of ITSPA. “That means that they’re going to look at your network, the way you secure your applications and how you protect your hardware. And it should be a physical audit as well as a networking type audit.”

A physical audit is important, as security breaches often occur when someone steals a piece of unprotected equipment — such as a laptop, a desktop or even a server.

“Everybody’s pretty good now about knowing that they need to stay on top of anti-virus software and spyware and things like that,” says Morgan. “But the most simple security breaches are physical ones: you’ve got a person with a laptop who doesn’t have it password protected. If that laptop’s lost or stolen, somebody now has the potential to access all of your customer information. If you have a small server with sensitive data in an area that’s not secure, someone can walk in, pick it up and walk out with it.”

So in addition to performing a security check of your network and software, it’s also critical to password-protect laptops and keep servers containing sensitive data in a secure location.

The person performing the security audit should also provide you with a prioritized list of recommendations, so that you know which issues you need to tackle right away and which ones you can address when your budget allows. Morgan also recommends budgeting for an annual security audit as new security and privacy threats constantly emerge and evolve.

How much does a security audit cost? It really depends on the size of your business. Morgan says no more than $2,000 — and he considers that the high end of the scale. “I’ve seen assessments in the $500 – $1,000 range,” he says. “But you ought to be able to know exactly where you stand for less than two grand.”

Perform a Privacy Assessment
The other key step to protecting your business in the event of a security breach is performing a privacy assessment. According to Nina Kaufman, a small-business attorney, e-commerce entrepreneur and founder of Wisecounselpress.com, a privacy assessment “involves looking at exactly what kind of information you are collecting and how you are storing it.”

An attorney familiar with legislation pertaining to your industry as well as state and federal privacy laws should perform the assessment, which is similar to the security audit. As with the security audit, the attorney should make a thorough assessment of your privacy measures and provide a list of recommendations.

The cost, says Kaufman, could range anywhere from $750 to $3,000 — depending on where your business is located, the industry, the size of your business and the amount of information you are collecting. But that’s small change compared to incurring a fine — which could cost your business more than $100,000 — or losing the trust of your customers.

Establish a Privacy Policy
An attorney can also help you create a privacy policy, which should be posted on your home page, with links to it on other pages. A clear, well-thought-out privacy policy addresses customers’ concerns and can protect you in the event of a security breach. According to the Privacy Rights Clearinghouse, “Having a privacy policy on your site indicates that your organization has taken a proactive approach by establishing guidelines for protecting privacy and sticking to them.”

The Privacy Rights Clearinghouse recommends that your privacy policy include the following:

• The type of information you collect and who has access to that information, e.g., if you share data with third parties and, if so, how and why
  
• How you collect information, e.g., if you plan to use cookies or other information-gathering techniques, you should explain this in your privacy policy
  
• Who you collect information from and why
  
• How you use the information, how long you retain it, how consumers can update or remove it, and how you protect it from illegitimate access
  
• Who visitors can contact regarding privacy concerns and how long it usually takes your business to comply with a request for information removal

In addition to an external privacy policy, it is also essential that all companies that conduct business online or use e-mail have an internal privacy policy as well, which is clearly posted or accessible.

“Many small businesses tend to overlook educating their employees,” says Sara Radicati, the president and CEO of the Radicati Group, an independent market-research firm. “Larger companies are typically more thorough about educating employees and defining the difference between good and bad Internet and e-mail behavior. One of the best ways a small business can protect itself is to issue clear policy guidelines to employees about searching the Web, properly handling e-mail and so on.”

Probably the best way to inform employees of your company’s internal privacy and technology-use policies is to clearly lay out all policies in an employee handbook.

You’ve Been Breached. Now What?
In the unfortunate event you do get hacked the good news, if there is good news, is that if you have a clearly posted privacy policy and you notify your customers in a reasonable time frame of any actual or suspected security breaches — including what steps they should take to protect themselves from fraud or identify theft — you are pretty much covered from a legal point of view.

The bad news: If you are found not to be in compliance with whatever privacy legislation applies to you, you could be fined tens or hundreds of thousands of dollars — and lose customers.

Outsourcing Anyone?
To avoid any missteps when it comes to security and privacy, many small and medium-sized businesses are turning to outsourcing. “That’s the direction in which all of this is moving,” says Morgan. “I think you’re going to see a trend to managed services, where small- and medium-sized business owners ultimately say, ‘I just don’t want to deal with this. I want to focus on my core business. I’m going to move to that managed service.'”

Radicati also sees benefits to outsourcing data-related services. “Outsourcing has certain advantages,” she says, “because you don’t have to purchase or maintain your own equipment or software. And, more importantly, you don’t have to worry about upgrading that equipment or software every year as new technologies and new regulations come along.”

However, as Kaufman cautions, just because you outsource applications and/or data storage to a secure data center or third-party provider does not mean you are not liable in the event of a security breach. If you do outsource to a managed services provider, she says, “It behooves you to speak to those service companies and ask what they do in the event of a breach. What privacy policies do they have? What protective measures do they take to ensure privacy?”

“I think most people understand that virtually nothing can ever be absolutely hacker-proof,” she adds. “But there are plenty of steps you can take to protect your customers’ privacy to the best of your abilities and to ensure that your business is in compliance with privacy legislation.”

Jennifer Lonoff Schiff writes about business and technology and contributes to SmallBusinessComputing.com.