Data Security Overview

 

Your Company’s Data Security and Your Customers’ Protection

Businesses of all sizes, including small businesses, are responsible for complying with the laws that govern customers’ data security and privacy. Businesses that don’t comply face fines and/or lawsuits.

 

Who should be concerned about security and privacy?

Customer data is a key currency of today’s information-based economy—so regardless of your industry, you probably collect, store, and share information about your customers. This data may include Social Security numbers, driver’s license numbers, mailing addresses, e-mail addresses, telephone numbers, credit card numbers, and bank account numbers. If you use any of this type of information, you need to keep reading.

 

Security breaches could damage your business

Your good reputation could be significantly compromised by data security breaches. Security breaches can erode consumer trust and, ultimately, hurt your bottom line.

 

Small businesses are MORE at risk than large businesses

Some may think that large businesses are most at risk for identity theft and fraud—but that’s not the case. Security applies to every business that collects and stores customer information. Small businesses are a particularly attractive target because they often don’t have the strong data security protections that large businesses have.

 

Compliance isn’t a choice

Regardless of whether you think you’re at risk for data theft, you’re legally required to take proactive steps to prevent it—no matter how small your company is.

For example, all small businesses must comply with the Fair Credit Reporting Act (FCRA) when seeking to obtain consumer reports, such as credit reports and employment reports, about potential customers and employees.

Other requirements vary by business type. Small financial businesses, for example, must comply with the federal Gramm-Leach-Bliley (GLB) Privacy Rules and Safeguard Rules—and companies that need to comply include those that might not necessarily think of themselves as financial, such as automobile dealers, tax planners, and some travel agents.

As a small business owner or manager, it’s your responsibility to stay current on privacy and security laws affecting your customers—so establish good security and privacy practices now.

 

Firewalls are not enough

You might think that the right combination of hardware and software will prevent data security and privacy exposures—but technology is just one piece of the security and privacy equation.

Consider this scenario from the Better Business Bureau: You’ve equipped your computer with the latest network security software. But one day a customer calls your business to ask what credit card you have on file for his account. He gives his name and address to an employee who then looks up the information on your computer. Your employee reads the credit card number to the caller. But the caller isn’t really a customer; he’s a criminal who found the name and address of one of your customers in the trash. Indeed, in small and medium businesses, the greatest data security risk might not be technology, but the uneducated end user.

The point is, it’s not just about good technology. Effective security and privacy policies and proper employee training are also essential.

 

Creating a security and privacy policy

A security and privacy policy tells your customers how you will treat their personal information. In essence, it explains how you will collect it, how you will use it, and how you will keep it secure.

Once you have a written policy that accurately describes your intended treatment of customer data, you’ll want to communicate it to your customers. For example, you could distribute it on paper by posting it on a sign in your office, giving customers a written copy when they complete a transaction with you, or mailing it as part of a promotional piece. Alternatively, you could distribute it online by posting it on your web site and, if your customers have agreed to receive e-mail notices from you, sending it to them via e-mail.

Communicating your privacy policy to your customers will increase the trust they have in your business—because when they know that you plan to use their information carefully, they will be more likely to share it with you.

 

Resources to help you write a privacy policy

Need help writing an online privacy policy? Consider these two sources of assistance: the Better Business Bureau’s Privacy Planner and the Direct Marketing Association privacy policy generator.

 

Employee education is paramount

Employees who handle customer information should play a significant role in protecting that information: In its 2009 data breach report, Verizon Business found that insider errors were a factor in two-thirds of all breaches it investigated on behalf of clients.

Think about all the different ways your business collects, stores, and uses customer information. Now list who handles or has access to the information. Anyone who appears on your list should play a significant role in protecting sensitive information.

Conducting background checks can help you assess the character of prospective employees (or current employees, if you didn’t do a background check before hiring them).

Next, employees should have access only to the information necessary to do their jobs. When you control employees’ access to information, you significantly reduce the risk of data exposure.

Finally, employees with access to information also need to be properly trained to follow your security and privacy policies and practices.

 

Act quickly when a breach occurs

If a data security or privacy breach occurs, you’ll want to alert appropriate law enforcement officials immediately so they can investigate the incident. This could include local police, state authorities, or even the FBI. Additionally, you’ll want to alert your credit card processor and your acquiring bank, as well as the three national consumer reporting agencies. You will also have to alert your customer(s).

 

Let Parachute help

You may shy away from security tools and practices because of the perceived cost, but you can prevent many threats easily. Data-loss protection (DLP) systems and e-mail monitoring programs are available at a low cost.

Because we invest in continuous training on the relevant technologies, as well as stay abreast of the business and policy issues, Parachute can help you review the available technology and come up with a comprehensive solution that fits your business. Contact us today for more information.