5 Protecting Customer Information–NCSAM

Many, if not most, small businesses keep customer information on their computers or servers.  When you collect and store customer information there is an expectation that the information will remain secure.  In some cases there are legal liabilities to the small business if client information is released.  Credit card information is regulated under PCI-DSS, and releasing this information is a $25,000 fine PER CARD NUMBER.  This can be double in the case of willful negligence.  There are other regulatory requirements for health care providers under HIPAA-HITECH, and public corporations under SOX.  If you run a web site, customer user ID and password information needs to be secured as well.

What can you do?

  • Privacy Policy – create a privacy policy, post it on your website, and teach it to your staff, and follow it.
  • Client Information – know what information you collect, what you have, and where it is stored.
  • Information Retention – keep only essential information and delete the rest.  While it is tempting to retain information indefinitely, the less you have stored the less you have to lose in a breach.
  • Secure the Information – make sure that what you do keep is securely protected and that access is restricted to those employees who have legitimate access requirements.

Lax or non-existent security policies and practices are behind the majority of customer information breaches.  When your company is featured in news headlines after a breach, “we didn’t know” is not going to be an acceptable excuse.

More information is on the StaySafeOnline.org website.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
