Data Protection Principles for the Small Business Owner

Every business collects, generates, and stores data that is valuable to the operation of their company. According to the law, any personal information a company generates or uses must be protected by that company, and there are restrictions on how the information can be used.

As a small business owner, you may not realize that you possess information you are legally responsible to protect, and that you are just as responsible for handling it as a large business would be. Inappropriate use or loss of personal information could lead to legal action, fines, loss of reputation, and in extreme cases, bankruptcy.

Generating Data

The process of protecting digital data begins at the moment it is collected, whether a customer provides it verbally and a staff member enters it into a database, or whether an online or paper form is completed. Digital data may be more challenging to control than you think, because it can become vulnerable to theft at any point during collection, transfer, or access.

Some of the laws that enforce the protection of personal data for any size of business are:

  • The Gramm-Leach-Bliley Act (GLBA)
  • The Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of Personal Health Information (PHI)
  • Fair and Accurate Credit Transaction Act (FACTA)
  • Sarbanes-Oxley Act (SOX)

Protecting Digital Data

When personally identifiable information (PII) like names, addresses, Social Security numbers, health insurance information, and credit card data is collected from a customer or patient, it could end up being accessed by a variety of different employees—and ultimately in the hands of an information thief. Here are a few recommendations for protecting data that is “on the move”:

  • Using SSL Certificates and HTTPS protocol on sites that collect sensitive data is one way of encrypting data being transmitted to and from a website.
  • Another option is to add encryption using a Virtual Private Network (VPN).
  • Encrypting files before they are transferred from one computer to another is also an option. Encrypted files can be safely sent as an email attachment.

Stored data, including archival data, must also be protected. Private information can be exposed and stolen through the following means:

  • A phishing scam aimed at stealing usernames and passwords.
  • Theft of a computer or hard drive.
  • Discarding computers, hard drives, or other electronic media that may still contain data. Keep in mind that erasing or deleting the information on a hard drive does not actually destroy the information. In fact, i-SIGMA found that 40% of used devices sold on the secondhand market still had PII on them.

Preventative measures you can take include:

  • Encrypting data while it is being stored.
  • Using strong passwords containing a combination of letters, numbers, and symbols, and changing them frequently. Every user should have their own username and password to access company systems and software so that if a breach happens, the source can be identified.
  • Discarded computer media should be destroyed by a reputable shredding company.
  • Regularly back up all data on external storage devices and have them stored in an offsite media vault to ensure your stored media is protected against theft, temperature and humidity fluctuations, fire, and natural disasters.
  • Utilize an offsite media storage and rotation service that will rotate your backup media so you always have the most current data available for a swift data recovery.

Small Businesses Are Primary Targets

Forbes indicates that small businesses are targeted by cyberattacks more frequently than larger companies. An employee of a small business with less than 100 employees will experience 350 percent more phishing attempts than an employee of a larger company. Small business staff are often given more access to information and may not have been trained in information security tactics.

Storing and Disposing of Electronics

Devices that contain any private information should be protected during their useful life and while in storage, and they should be destroyed when they are disposed of. Never store old computers, laptops, electronics, or phones. When devices have been removed from service, have a hard drive and media destruction service physically destroy them so that no one can obtain access to any remaining information stored on them.

Don’t set your small business up for a data breach or a violation of a state or federal privacy law that will result in legal action, fines, and a ruined reputation. Work with a local, reputable shredding company that meets your data protection needs.

Docusafe provides a full suite of information management, data vaulting, and shredding services to businesses of all sizes in New Jersey, New York, and Pennsylvania. For more information or a quote, call us at 888-264-7367 or complete the form on this page. We’re standing by to help!
