8. Doing Business Abroad — Data Security Issues to Consider

U.S. Legal Requirements for Overseas Transactions

Different countries take different approaches to data protection and information security.

For example, the European Union considers any information relating to an identified or identifiable person to be protected "personal information."

Among other things, privacy laws in the European Union restrict companies from transferring personal information from member states of the European Union to countries, like the United States, that the European Union considers to have inadequate data protection laws.

As a result, a small business may have to take special steps to transfer personal information from the European Union to the United States — even if that information is being transferred within the small business.  It will have to consider how to maintain the security of that information in accordance with applicable laws of the EU and its member states, as well as the United States.

One simple method for a U.S. company to receive multiple data transfers from all member states of the European Union, plus Switzerland, is to join the U.S.-EU and U.S.-Swiss Safe Harbor programs operated by the U.S. Department of Commerce.  Participating businesses must self-certify their compliance with seven Safe Harbor Privacy Principles, including a security principle that requires "organizations creating, maintaining, using or disseminating personal information" to take "reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction."

Only 28% of small businesses provide training to employees about Internet safety and security.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.