5. Communicating Your Data Security Program to Your Customers

U.S. Legal Requirements

Generally, small businesses are not required under federal or state law to make public how they protect information.

If a small business chooses to publish information concerning how it protects the sensitive personal information that it keeps, how it spots identity theft, how it responds when data is lost or stolen, or how it disposes of data, the Federal Trade Commission Act and consumer protection statutes in almost every state and territory prohibit the business from making false or deceptive statements.

Only 10% of U.S. small businesses have a formal Internet security policy.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.