By Julie Sartain
Several weeks ago, boxes of confidential records that contained client names, Social Security numbers, dates of birth and invoices were discovered in a public recycling bin behind a supermarket in Spartanburg, SC. Peggy Garland-Coleman, a tax return consultant who closed her CPA firm three years ago, said she discarded the records after several days of shuffling papers to determine exposure risks.
Three months ago, two individuals were arrested for identity theft after stealing over $16,000 from victims in the Santa Clarita Valley area. By salvaging and reassembling shredded checks from the trash dumpsters of a self-storage facility, this couple collected enough information to open and operate a check counterfeiting racket.
And, last October, sensitive documents with client names, addresses, bank statements, credit card account numbers and Social Security numbers from a law firm were found scattered across the sidewalks, through the streets and along the interstate in Baton Rouge, LA. According to the firm's owner, a cleaning company was paid to dispose of the documents, but they were not shredded. When asked why, he said a lot of it was public record anyway.
Security breaches such as these happen every day, but when they happen to mom-and-pop businesses, the public rarely hears about it. According to New York City Housing Authority (NYCHA) Chief Privacy Officer Sheetal Sood, CIPP/US, who has multiple security certifications, the smaller businesses have a long way to go before they come close to properly handling data securely.
"Speaking as a privacy professional, which does not reflect the opinions of NYCHA, I believe the smaller businesses have very lax controls around data security," says Sood. "They usually have very little or no technology to work with, which leads them to perform most of their transactions manually. The SMBs (small to medium businesses) that do have the appropriate technology are prone to hacking attacks, especially if they employ wireless network access."
According to Avivah Litan, Gartner Research's lead consumer privacy analyst, many SMBs—unless they are in professional services such as tax accounting or law—are unaware of the laws that govern privacy, such as The Gramm-Leach-Bliley Act (GLBA), the American Recovery and Reinvestment Act and the Payment Card Industry Data Security Standard (PCI DSS). "The typical nonprofessional service business has no training or education on laws governing the collection of personally identifiable information (PII) or other sensitive customer data," says Litan, "and they are too busy running their businesses to even think about these subjects."
Sood adds, "As far as the laws are concerned, they have probably heard about the more popular ones such as the Health Insurance Portability and Accountability Act (HIPAA), especially if the SMB is a dentist or a doctor's office, but general awareness of the law and rules regarding data collection are severely lacking. Large enterprises face fines, reputation loss and brand-tarnishing when PII is poorly managed...The government regulates corporations, especially publicly owned businesses, but small businesses have more gray areas and less direction."
For example, according to Sood, most SMBs accept credit cards from their customers but do not follow the PCI standards. The PCI standards are very clear and freely available on the Internet. Due to the lack of general awareness regarding the privacy laws and the rules surrounding data security, however, policies and procedures are often missing. Some businesses have policies about data management, but more often than not, there are no procedures. "It's just a matter of implementing some controls," she says, "versus having none."
"The promises you make to customers should include how you are going to protect their personal information and reduce the risk of identity theft," says Karen Barney, program director at the Identity Theft Resource Center. Policies, procedures and protocols must be developed and in place to protect customer data. An introduction to privacy laws, which all SMBs should implement immediately, is widely available on a number of business websites.
According to Barney, some of the procedures and protocols that need to be in place include:
- Clearly define standard operating procedures.
- Restrict information access to “need-to-know” basis only.
- Secure all sensitive information.
- Truncate or encrypt Social Security numbers and financial account numbers whenever possible.
- Clearly define document-handling procedures, including proper paper and electronic records disposal.
- Control and vet document delivery practices.
- Minimize how much is out of your control; i.e., third parties, subcontractors, disposal companies.
- Conduct ongoing training and education about identity theft awareness and prevention.
“Many small businesses fail to recognize the impact of losing customer information until it happens," says Rex Davis, director of operations at the Identity Theft Resource Center. "The result can be a devastating surprise for both the business and the customers involved. A data breach, even if not publicized widely, is something that customers do not forget or easily forgive. At the minimum, each small business owner should review the available guidelines regarding the protection of information, make its own checklist of items that apply to that business and then take appropriate measures to restrict and safeguard customer information. A key question should be this: Do we need to keep this information in the first place?”
Katherine Hutt, a spokesperson for the Council of Better Business Bureaus, adds, “Safeguarding privacy is one of the eight BBB Standards of Trust. Every business, large or small, must make the privacy and protection of its customers’ data a foundational principle of its business practices. You cannot build a relationship of trust with your customers if you fail to do everything in your power to protect their data and their privacy.”
Editor’s Note: Find out how one SMB—the Ontario Telemedicine Network (OTN)—earned the 2011 IAPP Privacy Innovation Award. Then get tips from OTN’s chief privacy officer on how to develop a “privacy awareness culture.”
Julie Sartain, author of Data Networks 101 (Aegis, 2002), has been a freelance journalist for 13 years. She writes for several magazines including Network World, Computerworld, PC World, CIO, The Privacy Advisor and Inside 1 to 1: Privacy.