To judge solely by headlines, it would be easy to think only enterprise-level businesses need to worry about consumer data privacy laws.
The truth, however, is that the laws are getting stricter and the penalties stiffer – small businesses could lose everything if they fail to protect their customers’ personal information.
Read on to discover how data security laws affect your business and how you can keep your data safe without sacrificing (more) sleep.
You may be a small business, but your user data privacy obligations are often the same as those the big players face.
In the United States, multiple data privacy laws govern areas such as:
· How you get consent from your customers to use and sell their data and sensitive information.
· How you notify them when your privacy policies change.
· The rights your customers have to access and request deletion of their data.
The key thing to know about data protection laws is that they generally apply based on where your customers are located, not on where you are located.
For example, if you are headquartered in the United States but you offer goods or services to customers located in the European Union, then the European Union's General Data Protection Regulation (GDPR) applies to your small business – along with its potential fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
As of this writing, the United States does not have a single federal law governing personal data privacy across the country. Instead, what the United States does have is a power vested in the Federal Trade Commission (FTC) under Section 5 of the FTC Act to bring enforcement actions against businesses to protect consumers from what the statute calls "unfair or deceptive acts or practices."
The FTC has a roughly 20-year history of using this federal clout to bring enforcement actions against businesses that fail to comply with their own published privacy policies or that otherwise engage in "conduct injurious to consumers." The FTC has also used this power over the years to penalize companies that fail to take reasonable precautions to prevent data theft.
To stay on the right side of the FTC, you'll need to do two things:
1. Fulfill all data privacy obligations and promises that you make to your customers in your published privacy policies detailing how you collect, use and protect their information.
2. Maintain reasonable data protection procedures to protect consumer information from data breach or loss. (More on this further down.)
Your small business may be subject to data privacy laws that apply to all businesses in your state, and to any states where you operate.
This legislative landscape is like the country itself, a patchwork quilt from shore to shore. For example, Georgia’s only privacy laws relate to medical privacy. On the other end of the spectrum, California has very robust data privacy laws – but some only apply to bigger businesses.
Source: IAPP.org
Your small business may also be subject to privacy legislation that applies only to your specific industry. These laws govern both the types of data that you are allowed to collect and the types of individuals from whom you may collect data.
The most common legislation of this kind is the Health Insurance Portability and Accountability Act (HIPAA), the federal law that governs how healthcare providers, health plans, and the business associates that handle data on their behalf must protect patient data from being disclosed without patient knowledge or consent. Another, the Children's Online Privacy Protection Act (COPPA), addresses the collection of personal data from children under the age of 13.
Data privacy affects multiple groups of people in your small business, from management to legal to marketing and more.
There’s one other job with a huge role in your data privacy efforts, though: IT. Here’s what your IT folks (or IT individual, or you) must do to ensure your small business is protecting customer data:
· Keep your technology assets updated
· Install anti-virus software
· Guard your physical devices and records
· Require multi-factor authentication
· Minimize administrator privileges
· Enable email encryption
· Screen potential employees and contractors
· Set automatic backups and encryption of data
· Get cybersecurity insurance
If that list seems overwhelming, that’s because staying up to date on the latest technology and best practices for protecting customer data is a full-time job all by itself – and probably not one most small businesses can accommodate.
Unfortunately, many of these same small businesses never consider outsourcing this vital function to a managed security services provider (MSSP), thinking that it’s solely for enterprise-level companies.
The right firm will provide a wide range of cybersecurity consulting and fully managed cybersecurity services that protect your business and your customer data around the clock from today’s unrelenting attacks.
An outsourced MSSP provides the hardware, software, services, policies, procedures, audits and more to get you compliant and keep you compliant with the federal, state and industry sensitive data privacy laws that affect your small business. You have the time and bandwidth to grow your business, and your managed security provider keeps your customer data safe and your business on the right side of the law.
A managed security services company like Ntiva provides end-to-end protection for your customer data with cybersecurity risk assessments, intrusion detection and response, phishing prevention training, vulnerability scanning and remediation, IT governance, risk and compliance, and many other services.
If you need to stay on top of data privacy and protection for your small business, sign up for our free, biweekly Cybersecurity Livestream!