FAQs from Small Businesses on This Topic
Q: How can incorporating data security and privacy into my business operations help my business grow?
A: Surveys show there is a direct relationship between customer trust and business patronage. Also, customers are more willing to give businesses information about themselves if they know the business will handle the information the right way and keep it secure. That information may help you tailor your marketing campaigns as well as your products and services so they are attractive to your clientele.
Q: Does my small business have to comply with the same laws and regulations that affect "big business"?
A: In most cases, yes. Businesses of all sizes - not just the big corporations - are held responsible for complying with federal and state customer data security and privacy laws. If your small business does not comply with the laws that you are required to follow, you may face fines or lawsuits. For more information on which laws may affect your business, see Chapter 1 of "Security and Privacy - Made Simpler".
Q: I already have a firewall installed on my business PC. Isn't that enough to protect the data on the computer?
A: Technology, such as a firewall, is just one piece of the security and privacy equation. Effective policies, along with proper employee security training and business-wide implementation, are additional areas of security that require your attention.
"Security and Privacy - Made Simpler" offers information and tips on many kinds of high-tech and low-tech security options available to small businesses.
Q: What are security and privacy policies and why do I need them?
Q: Do identity thieves steal customer information from small businesses?
A: Yes. In fact small businesses are an attractive target for ID thieves because they frequently do not have the strong data security protections that big businesses have in place. This is all the more reason to develop a strong data security and privacy plan. See Chapter 3 of "Security and Privacy - Made Simpler" for more information on how to develop a security and privacy plan, and Chapter 6 for specific information on how to fight ID theft as a small business owner.
Q: What role do employees play in customer data security and privacy?
A: Employees who handle customers' personal information should also play a significant role in protecting that information. Each of your employees should have access only to the sensitive information necessary to do their specific jobs. When you control employees' access to information, you significantly reduce the risk of data exposure.
Your employees need training on how to protect the privacy, confidentiality and security of personal information. For tips on employee security training, see Chapter 7 of "Security and Privacy - Made Simpler".
Q: Do I need to perform a background check on prospective or current employees?
A: A large number of identity thefts originate in the workplace. Exercising care to hire honest employees is one of the best ways to help secure your business and reduce the risk of identity theft or fraud to you or your customers. Conducting background spot-checks can assist you in learning and assessing the character pattern of prospective employees (or of your current employees - if you did not use a background spot-check before hiring them).
Q: I don't store customer data electronically. Is data security an issue for my small business?
A: ID thieves and other fraudsters operate using both high-tech and low-tech methods, so data security applies to every business that collects and stores customer information. Criminals are after credit card numbers, Social Security numbers, driver's license information and numbers, mailing addresses, e-mail addresses, and telephone numbers. If this information is kept on paper in your business, it must be kept securely in a locked area.
Q: If customer data is lost or stolen from my small business, who should I tell?
A: If a breach occurs, alert appropriate law enforcement officials immediately so they can investigate the incident. Talk to a lawyer to get advice on which law enforcement authorities you should contact. This could include local police, state authorities, or even the FBI. The major credit card companies also advise that you immediately contact your credit card processor and your acquiring bank.
It is also recommended that you alert the three national consumer reporting agencies and the bank or company that you hire to process your payment cards.
Q: If customer data is lost or stolen from my small business, do I have to tell my customers?
A: Twenty-three states have laws that require customer notification in the event personal data is lost, stolen, or inadvertently disclosed, and these laws may expand to a national level soon. Many states require you to notify your customers of any data breach. Other states require notification when harm to potential victims is likely.
Q: My small business does some business internationally. Am I required to follow international data and security laws?
A: Over 50 nations have personal data protection laws that regulate the handling of consumer information by businesses. Most data protection laws apply to all businesses that handle customer information, regardless of size. Even a company with no physical presence in another country - but which engages in international business-to-consumer e-commerce - is often required to comply with these laws. See Chapter 14 of "Security and Privacy - Made Simpler" for more information on global transactions.
Q: I've heard of the National "Do Not Call" list. Do small businesses have to comply?
A: If you make telemarketing calls or use the services of outside telemarketers to make calls on your behalf, federal and state "Do-Not-Call" list laws apply to small businesses.
Companies that do not comply can be fined for each violation. State attorneys general also can sue violators, and individuals can file personal actions in state courts. See Chapter 15 of "Security and Privacy - Made Simpler" to find out what you need to do to be in compliance.