This article is a reprint of Wise Bread's contribution to OPEN Forum from American Express -- where small business owners can get advice from experts and share tips with each other.
Every time you do business with a customer or a client, you wind up with access to some very sensitive information, such as payment accounts. Due to the nature of that information, it's a must to protect it as if it were your own. After all, without appropriate protections in place, your clients may find themselves asking why they should trust you. It's becoming a bigger issue, as well: if you handle any part of your business online, the chances of someone gaining access to that information immediately go up. Despite that concern, there are steps you can take to keep your customers' information safe.
Your plan should include where the information is located and how you plan to protect it. In some states, you may even have a legal requirement to have a written plan. Paula deWitte is both a lawyer and an engineer. She spends a lot of time thinking about both the legal and technical requirements to protect information and has even prepared courses for small business owners needing more information on the topic. She says:
A business must have a written information security program in place. A business cannot defend that they are using reasonable procedures to safeguard SPI if they do not have the procedures written down. How else do employees know what to do? If I ask a business owner if they use reasonable procedures, they must have a written program and they must institute this program as a continuous process...Further, this is a good business practice. If a data breach occurs and a business is required to notify affected individuals, it's better to have a thought out plan that can be put into action instead of attempting to react to a crisis.
While it may be more convenient to leave filing cabinets unlocked and give access to everyone in the office, the truth of the matter is that there are always some records that don't need to be available to everyone. Whether it's the details of how your clients pay or their account details, controlling access to your records is important. Even something as simple as locking a filing cabinet can give you a measure of control. There can be reasons beyond your customers' comfort for securing this information, of course: just think of what a competitor might do with something as simple as a list of your clients.
Olive Juice, a children's apparel company that sells its products online, has taken steps to protect its customers' credit card numbers, addresses, and other sensitive details on its website. Rather than just rely on an out-of-the-box ecommerce package, the company developed its own security package, relying on one-way hashes and secure encryption. The custom system allowed Olive Juice to balance customers' experience of using the site with rigorous security.
Simply backing up your computer to a hard drive is not necessarily a secure process, although you can improve on it if you take steps like keeping that hard drive offsite and limiting access to it. The number of backup solutions that incorporate some level of encryption and security has grown, allowing you to automate the process of backing up data. When choosing a backup solution, especially one that uses cloud storage online, your first step should be to check the level of security. Reliable companies tend to highlight their security measures on their websites. Those companies that don't even mention security are less likely to be able to keep your information safe.
Breaches do happen, no matter the size of your business. However, it's what you do after a breach that determines how your customers will respond. It's important to develop a template for how you will handle such situations, because, in the moment of a crisis, it's easy to miss an important step or two. A good plan will include how you plan to notify your clients (including a form email or call script if necessary), what you might do in response to certain situations (like a breach caused by an employee deliberately mishandling information) and perhaps some consideration for how you may create an incentive to keep your customers with you through the crisis (such as a coupon or a discount).
One important consideration as you're thinking about how to adequately protect client information is just what should be considered sensitive. DeWitte says:
Over forty states have passed laws that make business owners liable for protecting sensitive personal information (SPI). SPI is the name and either the social security number, driver's license number, or financial account number of an individual. At a minimum, all businesses maintain the social security numbers of their employees so this law applies to them. The law has three duties for businesses: (1) to use reasonable procedures to protect SPI; (2) to properly destroy or arrange for the destruction of SPI; and (3) to notify affected individuals if the business discovers or is notified that a data breach has occurred.
You may find it necessary to protect more than just what is required by law for your customers. If, for instance, you have a login system for clients to access their accounts on your website (not uncommon if you run an ecommerce site), you may need to also take steps to protect usernames and passwords for the site — especially if you save credit card information for your clients. It's also crucial to be aware of the legal requirements in your state, as well as any other states you routinely do business in. Certain federal laws may also affect your decisions, such as the CAN-SPAM law, which holds businesses responsible if their servers send out spam and mandates how businesses handle customers' email addresses. The FTC maintains compliance guides for such laws in order to help businesses protect their customers' information, including an in-depth guide and tutorial for businesses on how to handle sensitive information.