Like larger enterprises, small and medium businesses (SMBs) collect personal information about their customers, employees, vendors and other stakeholders; it is just part of doing business. Establishing an SMB privacy program would be very beneficial for these businesses, but for the majority of SMBs the thought of protecting personal information is not a priority. At least one recent survey found that over 70% of the SMBs questioned did not realize they had regulatory obligations to protect personal information.
While legislative bodies, the Payment Card Industry (PCI) Security Council, and other regulators recognize that SMBs have limited resources and “cut them some slack”, SMBs do not have a free pass on protecting information. For example,
- legislation, such as Massachusetts 201 CMR 17.00, requires that security safeguards be put in place that are appropriate for the size and scope of the business;
- businesses with a small number of credit card transactions may still be required by their banks to maintain some level of PCI compliance; and
- fines levied for data breaches are generally not scaled based on company revenues.
SMB privacy challenges and risks
Stemming from limited financial and labor resources, an SMB cannot afford to dedicate staff to a privacy function. In fact, the informal research I have done has shown that it is not unusual for the responsibility for privacy in an SMB to be unassigned. As technology, regulations, and your business evolve, the practices you have established need to evolve as well. Without responsibility assigned, an SMB’s privacy practices cannot respond to changes and improve, if they even existed in the first place.
Also, SMBs are often operated with a limited number of formal policies and procedures. Without direction on privacy matters, employees must make their own judgments. Frequently a staff member will think they are doing the right thing, but it may put the business at risk.
For example, I often see the practice of an employee keeping a list of credit card numbers for frequent customers. Placing a credit card on the list makes it easier for that customer to place an order. If the paper with that list, or the computer on which the list is stored, is stolen, you have a data breach.
Clearly, risks to an SMB’s bottom line exist due to fines from regulators or attorneys general. There is also a top-line risk due to the brand damage done by the news of a data breach. A large enterprise may be able to sustain this downturn in business, but an SMB may not.
Even without a data breach, there is a risk that an SMB will lose business to a competitor due to the lack of a privacy program. Larger businesses are asking for information about their vendor SMBs’ privacy programs with increasing frequency. If an SMB privacy program is not in place, the customer may look for another vendor.
A new discussion group…
I invite you to join a recently started discussion group on LinkedIn called Privacy for SMBs. This group has been set up to share conversations, ideas, and concerns to help SMBs protect their stakeholders’ personal information. Sharing ideas, concerns, and news will help us all improve the protection of stakeholders’ personal information across SMBs.
…and a webinar
Also, a highlight of Privacy Ref’s Data Privacy Day Champion activities is a webinar the firm will provide on “Kick-starting a Data Privacy Program.” The webinar will take place on January 28, 2013 from 1:00 PM to 2:00 PM EST. Those with strong interest are urged to register early as limited seats are available. For more information, or to register for the webinar, please visit https://www1.gotomeeting.com/register/426265136.