The Internet began revealing its dangerous side more than a decade ago. As one veteran business analyst remarked, "Personal information on the Internet started turning into asbestos, becoming highly toxic. People started discovering a lot of it around."
Identity theft emerged, of course, and began ruining lives. Now, the analyst notes, "There are more obligations than ever to report an 'asbestos spill' and more consequences if you don't."
So today, we know better than to put our customers, employees, and others at risk because of sloppy practices with personally identifiable information (PII) and other sensitive data.
Or do we?
A sizable number of U.S. small businesses still do not have privacy policies, or have ones too vague to be of any value. Meanwhile, companies of all sizes continue to scrimp on data security, or allow poorly trained employees easy access to sensitive information. Data breaches such as these compiled by the nonprofit Privacy Rights Clearinghouse are now legendary.
'Do unto others how you'd want them to do unto you'
If you run a small business, you likely handle some PII, even if it is simply the e-mail addresses you collect for newsletter distribution.
You owe it to your customers and employees to protect them from ID theft, scams, spam, fraud, and other toxic by-products of the Internet. And you owe it to your company and business partners to follow best practices, and the law, when it comes to collecting and storing sensitive business information.
"It doesn't have to be that complicated. If you think about the data that businesses collect about you, and you do unto others how you would want them to do unto you, you will have [privacy] top of mind," says Carolyn Hodge, vice president of communications for online privacy specialist TRUSTe.
Here are six tips to help you be smart and responsible when it comes to privacy.
1. Take inventory of the personal information you collect and store. Privacy analysts recommend compiling a written inventory of the PII you collect. PII generally includes names and contact information, physical addresses, e-mail addresses, credit card numbers, Social Security numbers, and the like. For example, does your Web site use cookies to capture info about who visits your site?
Know that any contracts and agreements you have with other businesses, and any trade secrets of other businesses that you may possess, also constitute sensitive information. Failure to protect such information could violate insider trading laws, among other statutes.
For more help, see this guide and tutorial from the Federal Trade Commission.
2. Analyze how safely you use and store this data. Believe it or not, many small businesses are known to store private information on their customer-facing Web sites, which could easily be hacked. Many others allow employees unfettered access to such data. Still others are nonchalant about sending spreadsheets containing PII unencrypted over the Internet via e-mail.
Store private information on password-protected internal sites, and limit employee access to only those with a legitimate need to know, experts recommend. If you must send PII or other sensitive information via the Internet, encrypt it through password-protected ZIP files, encrypted e-mail, or S/MIME, PGP, and similar applications. Don't make it easy for hackers by scrimping on data security.
3. Make sure you're complying with industry or federal laws. Strong privacy policies and practices may be mandatory if your business is governed by certain government or industry regulations. Here is a look at some of the statutes governing the privacy of information:
-
-
-
-
With its Security Standards Council, the
Payment Card Industry self-regulates retailers and other businesses that collect credit card numbers and related personal financial information.
-
-
If necessary, companies such as WeComply, a Mt. Kisco, N.Y., concern, develop training programs for businesses on how to comply with federal laws regulating privacy.
4. Post a privacy policy that is clear and comprehensive. A handful of states have their own privacy laws that are stronger than the federal laws, including California. Its Online Privacy Protection Act of 2003 requires all online businesses that collect personal information from California residents to post a privacy policy on their Web site(s) and to comply with their policies.
Yes, you need a policy, even if it is not required by law. Today's more discerning Internet consumer demands it, experts agree. "Simply having a privacy policy link on your site builds trust and confidence," writes Jeff Finkelstein of Boulder, Colo., in his Customer Paradigm newsletter. Conversely, consumers may be suspicious of businesses that don’t clearly display their policy.
What should you include in your policy? Essentially, what PII you collect, use, and share in your business. Here are some key elements to disclose:
-
Whether you buy or sell e-mail lists or mailing lists
-
Any sharing of PII in co-marketing agreements with partners
-
Use of cookies
-
Information for customers to contact your business to be removed from a list
-
If you sell online, how you comply with the Payment Card Industry's Security Standards
Your policy need not be lengthy — large conglomerates may have privacy policies of 10 pages or longer, but a small business doesn't need that. Conversely, some small businesses offer vague statements amounting to a single paragraph or two, says TRUSTe's Hodge. Shoot for a page or less of clearly written text, and make the link visible on your site. (For more tips on how to write a privacy policy, download this PDF from TRUSTe.)
5. Have your policy reviewed by an attorney or by a privacy seal program. It's wise to get an outside opinion on your privacy policy, either from an attorney or privacy expert. Another option is using an online privacy service such as TRUSTe or BBBOnline.
The advantage of using a service such as TRUSTe or BBBOnline is that if you meet their privacy policy requirements, you are awarded a seal to display on your site — which may boost the confidence and trust of your customers.
"The Web privacy seal is one of [TRUSTe's] most popular products," says Hodge. A privacy seal may be most beneficial to small e-tailers with little or no name recognition outside their hometown or region.
TRUSTe has partnered with buySAFE to bond purchase transactions and to supply privacy policies to small online retailers with monthly sales of $1 million or less. The buySAFE program runs $240 a year.
6. If you have employees, make sure their personal information is protected too. It's easy to overlook employee data, as most privacy policies deal strictly with the interests of customers and clients. But with today's increasing use of laptops, mobile devices, and social-networking applications as marketing tools, employee privacy is also in danger.
The nonprofit Privacy Rights Clearinghouse offers this guide to preventing ID theft through responsible information-handling practices in the workplace.
One disturbing trend: An increasing number of ID theft cases have been traced back to dishonest employees obtaining sensitive information about fellow employees and customers and providing it to identity thieves. Take note of two best practices in the Privacy Rights Clearinghouse guide: (1) Do background checks on anyone you hire and (2) restrict data access to employees with a legitimate need to know.
(from Monte Enbysk: http://smallbusiness.officelive.com/ResourceCenter/expertadvice/startingabusiness/Get_serious_about_privacy)
Posts
