In the digital age, businesses collect and share personal information from their customers more than ever in the course of their daily activities. Businesses of all sizes should have a vested interest in adopting privacy policies that promote the responsible handling of personal information. But small businesses, in particular, need to be aware that they are often an easier target for attackers because they typically invest fewer resources in cybersecurity.
Case in point: the 2013 Target data breach. The hackers who obtained credit and debit card information from 40 million Target customers during the busy holiday shopping season reportedly gained access to Target’s systems through a small business that supplied refrigerating, heating and air conditioning systems for the massive retailer.
This is a prime example of why it is so important for small to mid-sized businesses to know what data they collect and retain, how they use it, how they will respond to a breach, and, because a supplier can become the entry point into a larger customer's network, how they secure their own access to partners' systems.
Beyond data breaches, there are several other reasons to adopt robust data privacy practices. Such practices are legally required in some states, and they build consumer trust and reduce the risk of lawsuits and regulatory fines. Good data privacy practices also make a business more valuable by limiting the risk borne by its owners and potential investors; weak practices uncovered during due diligence can even reduce the sale price of a business.
What does personal information include?
Personal information typically includes anything that can be used to identify an individual, either on its own or combined with other data, including a person's:
Social Security Number
Credit card information
Financial records and credit information
Date of birth
Biometric data (e.g. fingerprints, retinal scans)
Data Privacy Best Practices
Businesses should adhere to the following consumer data privacy practices to protect both themselves and their customers.
Only collect the minimum personal information required
Collecting more personal information than needed creates additional exposure if that information is compromised: data you never collected cannot be stolen. Do not collect information that is not needed to perform the business function, and do not retain it longer than that function requires.
Protect the data that you collect
Follow reasonable security measures to ensure that customers' and employees' personal information is protected from inappropriate and unauthorized access. If the information is stored electronically, this may include encrypting it at rest and in transit and keeping the systems that hold it patched. If the information is stored on paper, this may include locking file cabinets and file rooms.
Limit access to this information to only those employees who need it to perform their job duties. Require individual logins with strong passwords so that every access can be attributed to a specific person and attackers cannot easily impersonate users. Two-factor authentication adds a further barrier and is a useful tool in limiting access to personal information.
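To make the two preceding practices concrete, here is an added example (not code from the original article) of a small customer-record store that keeps only the fields an order needs, discards the rest, issues pseudonymous record ids with a keyed hash so the raw e-mail is not the index, and masks fields for any role that does not need them, logging every read. It uses only the Python standard library; the field names, roles, the sample form submission and the per-run key are constructed assumptions for illustration.

```python
"""Added example (not from the article): data minimization, field-level access
control and pseudonymous lookup for a small customer-record store, using only
the Python standard library. Field names, roles and records are constructed."""
import hashlib
import hmac
import secrets

# Fields the business needs to ship an order. Anything else a web form submits
# (date of birth, a full card number, ...) is dropped before it is stored.
ALLOWED_FIELDS = frozenset({"name", "email", "shipping_address"})

# Roles that may read each field in the clear. Everyone else sees a masked value.
FIELD_ACCESS = {
    "name": {"support", "fulfilment", "marketing"},
    "email": {"support"},
    "shipping_address": {"fulfilment"},
}


def minimize(submitted: dict) -> tuple[dict, set]:
    """Keep only ALLOWED_FIELDS; report what was discarded so it can be logged."""
    kept = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}
    missing = ALLOWED_FIELDS - kept.keys()
    if missing:
        raise ValueError(f"required fields missing: {sorted(missing)}")
    dropped = set(submitted) - ALLOWED_FIELDS
    return kept, dropped


def mask(value: str) -> str:
    """Show the first character only, e.g. 'Ada@Example.com' -> 'A**************'."""
    return value[:1] + "*" * (len(value) - 1)


class CustomerStore:
    def __init__(self, lookup_key: bytes):
        # Secret key for pseudonymous record ids. Generated per run here (assumed);
        # in production it would live in a secrets manager, never in code.
        self._lookup_key = lookup_key
        self._records = {}      # pseudonymous id -> minimized record
        self.audit_log = []     # (role, customer id, fields returned in the clear)

    def customer_id(self, email: str) -> str:
        """HMAC of the normalised e-mail: stable for lookups, but the id alone does
        not reveal the e-mail and cannot be computed without the key."""
        normalised = email.strip().lower().encode()
        digest = hmac.new(self._lookup_key, normalised, hashlib.sha256).hexdigest()
        return digest[:16]

    def add(self, submitted: dict) -> tuple[str, set]:
        kept, dropped = minimize(submitted)
        cid = self.customer_id(kept["email"])
        self._records[cid] = kept
        return cid, dropped

    def read(self, cid: str, role: str) -> dict:
        """Return the record with every field the role is not entitled to masked."""
        if not any(role in allowed for allowed in FIELD_ACCESS.values()):
            raise PermissionError(f"unknown role: {role}")
        record = self._records[cid]
        visible = {f: (v if role in FIELD_ACCESS[f] else mask(v)) for f, v in record.items()}
        in_clear = sorted(f for f in record if role in FIELD_ACCESS[f])
        self.audit_log.append((role, cid, in_clear))
        return visible


def demo() -> dict:
    """Walk through one order: the form over-collects, the store keeps the minimum."""
    store = CustomerStore(secrets.token_bytes(32))
    form = {  # constructed submission, deliberately over-collecting
        "name": "Ada Lovelace",
        "email": "Ada@Example.com",
        "shipping_address": "1 Analytical Engine Way",
        "date_of_birth": "1815-12-10",
        "card_number": "4111111111111111",
    }
    cid, dropped = store.add(form)
    return {
        "dropped": dropped,
        "same_id_for_case_variant": store.customer_id("ada@example.com ") == cid,
        "marketing_view": store.read(cid, "marketing"),
        "fulfilment_view": store.read(cid, "fulfilment"),
        "audit_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it directly to see the dropped fields and the two role-specific views. The point of the keyed hash rather than a plain SHA-256 is that an attacker who obtains the records alone cannot enumerate e-mail addresses by hashing guesses; the point of masking in `read` rather than at the user interface is that the restriction holds for every caller, including internal tools and exports.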
Post a privacy policy on your website
Publish a privacy policy on your website that states, at a minimum:
Legal business name
Types of information collected from website visitors
How visitor information is collected
How visitor information is used
How visitor information is protected
How a user can opt-out of collecting and sharing information
Whether or not the business sells or shares information with any third party and, if so, who receives it and how it will be used (e.g. email newsletter services, affiliate websites, or advertising networks)
Use multiple layers of security and keep security hardware and software updated
Keeping security software, web browsers and operating systems up to date is one of the best defenses against viruses, malware and other online threats. Most software can update itself automatically; enable this so that known vulnerabilities are patched promptly. Spam filters make email safer by weeding out malware and the phishing scams that frequently target businesses directly. Use firewalls to block unsolicited inbound connections and, where possible, unexpected outbound connections, so that attackers cannot reach internal systems and personal information cannot leave the network unnoticed.
Train employees on privacy practices
Employees are often responsible for the handling of personal information. Train employees on the proper handling, protection, and disposal of customer data. Educate employees on both company data privacy policies and all pertinent privacy laws and regulations. The goal is for employees to be able to apply basic privacy principles regarding data consent, access, choice, handling, and use in their daily work. Discuss privacy and cybersecurity risks and ways to avoid them.
Consider consulting with an attorney
There is no single federal privacy law in the United States. The result is a patchwork of federal, state and local laws on how to appropriately handle and dispose of customers' sensitive information. These laws vary by location, industry, and even by the type and size of a business. It is prudent for a small or mid-sized business to consult legal counsel regarding the sharing and disposal of consumer information to determine which laws apply and whether its practices comply.
Adopting data protection best practices is an important way for businesses and their consumers to avoid becoming victims of a breach, facing financial and legal consequences, and losing the trust of their customers.