BBB Business Tip: Data privacy for small businesses

Protect Your Data from a Cyberattack 

The possibility of a cyberattack by a foreign country has gone from being the stuff of science fiction to a common threat that we hear about in the news media almost daily. While it may seem like there is nothing a small business can do to thwart a cyberattack, there are some best practices that can help you be better prepared for the possibility.

To reduce the risk of cyber threats, review your data security practices and be sure to follow these security must-dos:

• Use SSL encryption to transmit financial or other sensitive data.
• Avoid using Social Security Numbers for identification—if you must handle this data, store and transfer it securely.
• If you process credit cards, ensure that you are PCI compliant, or outsource this process to a reputable PCI service provider. 
• Never send sensitive personal data by email unless it’s encrypted.
• Implement strong password policies and do not permit shared passwords.
• Don’t forget physical security—implement a clean desk policy, and lock file drawers and doors.
• Dispose of data responsibly. Keep data only as long as you need it
  
  

Take Stock of What Data Your Business Collects

If you collect data that can be linked to a specific customer, computer, or device, consider it personal data. Pay particular attention to how you store and share sensitive data such as social security numbers, credit card or other financial information, and location data. Review the following for your business: 

• How data is collected (e.g., via email, regular mail, online collection).
• Where it’s stored (e.g., PCs, networks, mobile devices, USB sticks, cloud service providers, file cabinets).
• Who has access to it (e.g., all employees or only employees who need it, vendors, contractors).
• Who it’s shared with (e.g., advertisers and marketers, business partners).

Reduce your risk of exposing sensitive data in a cyberattack by collecting less data in the first place. Be sure to gather and store only the data you need to run your business and meet legal requirements. You may be able to eliminate data you don’t need simply by changing default settings in your online forms or database software. 

Pay attention to Special Data Categories

Certain kinds of data collection and use are subject to specific legal requirements. Be aware that you will have additional compliance obligations if your business engages in certain common practices:

• Collects personal data from children under age 13 (see the Children’s Online Privacy Protection Act)
• Extends credit to its customers, participates in credit decisions, or operate as a financial institution (see the Red Flags Rule and the Gramm-Leach-Bliley Act)
• Uses customer data for email marketing (see the CAN-SPAM Act)
• Uses consumer reports (e.g., credit reports) for background checks and credit decisions or furnishes information to consumer reporting agencies (see the Fair Credit Reporting Act)
                    

Know Your Advertising Responsibilities

Like many small businesses, you may be looking to online advertising to generate revenue. Be aware that if your website allows ad networks to serve interest-based ads, sometimes called targeted ads or online behavioral ads, or to collect data for use in this type of advertising, it is subject to the Digital Advertising Alliance's Self-Regulatory Principles. The Principles require that consumers receive notice and choice when served ads based on their web browsing activity. Ad networks usually provide this notice by placing a distinctive icon inside or near an interest based ad.

By clicking on the icon, consumers are taken to a site with information on online behavioral advertising and are given the option to opt out of receiving targeted ads. If the ad network does not use the icon, the website owner must link to the opt-out page (separate from the main website privacy policy link) on the pages of the website where the ads are served or the advertising data collection occurs.

Selling Internationally

If your website collects personal data from overseas consumers or business partners, be aware that multiple privacy laws may apply to the processing of that data. Pay particular attention to the data requirements of the European Union (EU) and Switzerland, which prohibit the transfer of their citizens’ personal data to countries, including the United States, that do not meet EU and Swiss “adequacy” standards for privacy protection.

To assist US businesses in bridging this privacy divide, the US Department of Commerce, the European Commission and the Swiss Data Privacy Commissioner created the US-EU and US-Swiss Safe Harbor Frameworks. The Safe Harbor program enables U.S. businesses to receive EU and Swiss consumer data after self-certifying to the Commerce Department their compliance with seven Safe Harbor Privacy Principles. Most US businesses regulated by the Federal Trade Commission are eligible for this program. To get the benefits of Safe Harbor membership, you must:

• Review your business’s privacy practices and verify their compliance with the Safe Harbor Privacy Principles. Verification can be done as a self-assessment or performed by a third party.
• Develop a Safe Harbor-compliant privacy policy to display on your website after self-certification.
• Identify an independent dispute resolution mechanism that offers low-cost and accessible privacy complaint handling for European citizens whose data you collect. BBB EU Safe Harbor, a program operated by the CBBB, offers this service and can help you with self-certification. Other providers are listed on the Department of Commerce website.
• Complete the online self-certification form on the Commerce Department website.
  
  

Create a Privacy Culture

Last but not least is creating a culture of privacy at your business. Promote privacy as a core value in your business by ensuring privacy policies and procedures are clear and consistently enforced. Identify employees who must have access to customer data to do their jobs and make sure they’re trained and accountable. In your business, this could include receptionists, sales representatives, repair technicians or delivery staff, as well as account managers and bookkeepers. Employees who don’t need access to personal data should never see it. Train your employees using examples related directly to the tasks they perform. Post simple written guidelines and reminders. Require new employees to sign an agreement to follow your company’s privacy and security standards. Finally, designate a privacy contact your employees can go to with questions and concerns.

Make sure your internal practices and procedures align with and tie back to your public privacy policy—if they don’t, you may risk federal or state liability. Review one against the other at least annually, or whenever you make a change in your use of personal data, and update as needed. 

For more Information 

Check out the National Cyber Security Alliance’s tips for businesses. You can find more data security tips from the BBB at “Data Security – Made Simpler.” (bbb.org/data-security)

Hear BBB’s privacy and security professionals discuss data privacy issues on our “Better Business > Better Series” podcast series. Make sure to subscribe to the series on your mobile device or listen to it on the web.

Businesses should check out BBB’s Five Steps to Better Business Cybersecurity (BBB.org/cybersecurity). Ask the BBB in your area about programs for business leaders and employees (BBB.org/bbb-locator).