Ask the Expert
Privacy and data security practices for small businesses
April 2011
Q: I’m a small business owner. How can I protect sensitive or customer data without breaking the bank? I don’t have the same resources as a large corporation, but I want to follow the highest security standards.
A: You don’t have to be a Fortune 500 company to follow an approach to data security called Privacy by Design (PbD).
Simply put, PbD is an intelligent and logical way to assess your operation and build a program around the fundamentals of privacy and data security. It doesn’t have to be complicated. It starts by taking a hard look at the data life cycle in your company—how that data is:
The key is to overlay each process with the best possible privacy and security practices. Privacy must be built in or designed into your company’s data stream. At each step of the data life cycle, you need to ask, “How can I best protect this data?” Do you use SSL to protect the data a customer sends when signing into your website? Does it enter your system encrypted? Do you keep it encrypted in storage?
Most businesses don’t take advantage of available tools that would help them protect data. For example, Microsoft Office Suite offers file encryption. There are built-in options in Microsoft and Apple’s operating systems. Excellent third-party encryption software such as PGP is also out there.
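The “keep it encrypted in storage” question above is the one most small businesses can answer with a few lines of code and no third-party product. The following is an added example, not code from the column or from Identity Theft 911: it stores a customer record encrypted with AES-256-GCM (authenticated encryption, so a tampered or corrupted copy is rejected on read rather than silently decrypted into garbage) using only the Go standard library. The record fields, the sample values and the `NewStorageKey` helper are assumptions made for the example; in a real deployment the key would be kept in the operating system keychain or a secrets manager, never beside the data it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is a constructed sample of the kind of sensitive data a
// small business collects; the field names are assumptions for this example.
type CustomerRecord struct {
	Name      string `json:"name"`
	Email     string `json:"email"`
	CardLast4 string `json:"card_last4"`
}

// NewStorageKey generates a random 256-bit AES key. Hypothetical helper: in
// practice the key comes from a keychain or secrets manager, not from the
// program that stores the data.
func NewStorageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal serialises the record and encrypts it with AES-256-GCM. The result is
// nonce || ciphertext || tag, which is what gets written to disk or a database.
func Seal(key []byte, rec CustomerRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing one with the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open decrypts a stored blob and verifies its integrity. Any change to the
// stored bytes, or use of the wrong key, returns an error.
func Open(key []byte, blob []byte) (CustomerRecord, error) {
	var rec CustomerRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

func main() {
	key, err := NewStorageKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record.
	rec := CustomerRecord{Name: "Ada Example", Email: "ada@example.com", CardLast4: "4242"}
	blob, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext; plaintext never touches disk\n", len(blob))
	got, err := Open(key, blob)
	fmt.Println("reloaded:", got, err)
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering of the stored copy
	_, err = Open(key, blob)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Because GCM authenticates the ciphertext, a read failure is a detection event worth logging: it means the stored copy was altered, corrupted, or decrypted with the wrong key. Encrypting at rest this way complements, rather than replaces, SSL/TLS on the web side, which covers only the data in transit.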
Whatever platform you use, be deliberate when dealing with data. PbD is a mind-set beyond the nuts-and-bolts lockdown of your data stream. It doesn’t matter how big or small your business is. If you handle sensitive or customer data, you need to be aware of all the risks and their corresponding security options. You need to make sure that the folks who work with you also understand the risks and are deliberate in their approach. As a company leader, you have to model strong privacy-focused behavior.
My experience is that most business leaders want to do the right thing. But unless they’re shown what the right thing is, and unless they see it clearly, they just don’t know better. You can never assume they’ve bought into a security-focused, privacy-focused mind-set unless you tell them about it and reinforce it. Privacy by Design is no different, whether you’re a Fortune 500 company or a fresh startup.
Brian McGinley, Identity Theft 911’s senior vice president of data risk management, has nearly 30 years of experience in risk management, security, loss management and compliance within financial institutions.
©2003-2012 Identity Theft 911, LLC. All rights reserved.