Privacy Ref Blog

SMB privacy: no free pass

Like larger enterprises, small and medium businesses (SMBs) collect personal information about their customers, employees, vendors and other stakeholders; it is just part of doing business. Establishing an SMB privacy program would be very beneficial for these businesses, but for the majority of SMBs the thought of protecting personal information is not a priority. At least one recent survey found that over 70% of the SMBs questioned did not realize they had regulatory obligations to protect personal information.

While legislative bodies, the Payment Card Industry (PCI) Security Council, and other regulators recognize that SMBs have limited resources and “cut them some slack”, SMBs do not have a free pass on protecting information. For example,

SMB privacy challenges and risks

Stemming from limited financial and labor resources, an SMB cannot afford to dedicate staff to a privacy function. In fact, the informal research I have done has shown that it is not unusual for the responsibility for privacy in an SMB to be unassigned. As technology, regulations, and your business evolve, the practices you have established need to evolve as well. Without responsibility assigned, an SMB’s privacy practices cannot respond to changes and improve, if they even existed in the first place.

Also, SMBs are often operated with a limited number of formal policies and procedures. Without direction on privacy matters, employees must make their own judgments. Frequently a staff member will think they are doing the right thing, but it may put the business at risk.

For example, I often see the practice of an employee keeping a list of credit card numbers for frequent customers. Placing a credit card on the list makes it easier for that customer to place an order. If the paper with that list or the computer on which the list is stored is stolen, you have a data breach.

Clearly, risks to an SMB’s bottom line exist due to fines from regulators or attorneys general. There is also a top-line risk due to the brand damage done by news of a data breach. A large enterprise may be able to sustain this downturn in business, but an SMB may not.

Even without a data breach, there is a risk that an SMB will lose business to a competitor due to the lack of a privacy program. Larger businesses are asking for information about their vendor SMBs’ privacy programs with increasing frequency. If an SMB privacy program is not in place, the customer may look for another vendor.

A new discussion group…

I invite you to join a recently started discussion group on LinkedIn called Privacy for SMBs. This group has been set up to share conversations, ideas, and concerns to help SMBs protect their stakeholders’ personal information. Sharing ideas, concerns, and news will help us all to improve the protection of personal stakeholder information across SMBs.

…and a webinar

Also, a highlight of Privacy Ref’s Data Privacy Day Champion activities is a webinar the firm will provide on “Kick-starting a Data Privacy Program.” The webinar will take place on January 28, 2013 from 1:00 PM to 2:00 PM EST. Those with strong interest are urged to register early as limited seats are available. For more information, or to register for the webinar, please visit https://www1.gotomeeting.com/register/426265136.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on January 12, 2013 by Bob Siegel