I follow quite a few small to midsize business (SMB) accounts on Twitter, and noticed that many this week had joined a chat about data privacy for small business (#chatDPD). The topics ranged from the Internet of Things (IoT) to what SMBs know about data privacy.
One tweet in particular caught my eye. It was from AT&T Small Business (@ATTSmallBiz) and it said “Security & privacy must work together, but privacy includes how data is used by your biz and vendors.” It struck a chord with me because I recall a recent event where AT&T found that a breach in its data systems was caused by a vendor whose employee accessed accounts “without authorization.” Of course, I’m sure the person Tweeting was aware of the instance, but their tips and views on the privacy chat definitely hold true for both large enterprises and SMBs.
One other thing @ATTSmallBiz pointed out was how SMBs may have policies to guard against cybersecurity issues, but they may not be as detailed or strong as they should be. Also, small businesses may not have IT staff to reinforce such policies. @ATTSmallBiz said:
“Fewer resources dedicated to security + implicit trust between management & staff may create false sense of security.”
So true. Even at the smallest businesses with the most tightly knit staff, concerns over data privacy should still be present. One wrong move (inadvertent or on purpose) by an employee with access to sensitive data and the business’ reputation could be on the line. Just look at the damage caused by the Target data breach to see how catastrophic such an instance could be for a brand’s or company’s reputation. That thought was reiterated by Rebecca Herold (@PrivacyProf):
“It takes only one #privacy breach to completely lose trust and lose your business.”
Herold identifies one other issue that SMBs may have with data privacy: not understanding what should be private. She Tweeted “I have 200+ clients that are small to midsize & I’ve spoken 2 100s more; most care about #privacy but don’t know WHAT 2 care about.” This could be a huge issue for even the smallest business. If employees aren’t sure which data should be kept private and which data can be shared or used for other purposes, all data is at risk of being shared improperly.
Educating employees on the types of data and how each can or cannot be shared is key. IAPP (@PrivacyPros), a global information privacy community, suggests a good privacy primer for SMBs: “#SmallBiz with privacy questions should read this from @omertene and @marcGroman before anything else.” The post gives good insight into information management and even recommends privacy training for new businesses. It provides six “down-and-dirty tips to help safeguard your data.”
- Appoint someone to be responsible for data privacy and security.
- Learn what data your organization collects and why it is being collected.
- Ensure that all employees are sensitive to data privacy and know whom they should come to with questions or issues.
- Find out whether any laws govern the sensitive data that you may be collecting and be sure you are complying with such laws.
- Check out self-regulatory associations and, even if it’s not financially feasible to join, try to “benchmark your practices against the requirements of the self-regulatory framework.”
- Don’t just copy another business’ privacy policies. Make sure your privacy policy covers your business needs and spells out specifics on data retention, data sources, and website data collection.
Another great source for privacy information, as cited in this post, is the FTC’s Business Resources page. It provides a section on privacy and security, broken down into categories including data security, consumer privacy, children’s privacy and credit reporting.