What is data security, and why should small businesses have policies for it?
Small business owners have a lot on their plates. Many are busy with business development and client relations, while also working to stay compliant and protect against cyber threats.
In 2020, almost a third of data breaches — or 28% — impacted small businesses, according to the 2020 Verizon Data Breach Investigations report.
The United States Small Business Association reports 88% of SBOs feel vulnerable to cyberattacks.
SMBs are particularly susceptible to online attacks because they face the same threat landscape as big companies — but without the same resources. In short, small businesses are easy targets in several ways:
- They don’t have the funds for big, specialized IT departments
- They may feel like they don’t have data worth stealing, thus less focus on the security of their data
- Busy SBOs may be more often concerned with growing revenue and securing investments than data security
SBOs need data security policies in place to prevent breaches, but also for other significant reasons — like avoiding noncompliance penalties, protecting their company’s reputation, and fulfilling their commitments to their customers.
What is data security?
Data security involves the protective measures you take to keep data safe from unauthorized access and corruption or loss. This includes both external and internal company information.
“Data” is everything from competitor information to client email addresses and employee files.
- Multi-factor authentication: Requires users to provide 2 or more pieces of information to access data
- Encryption: Coding a message in a way where only authorized recipients can decode it
- Backups: Making copies of essential business information on additional drives or storing it in the cloud
- Firewalls and antivirus: Firewalls protect your devices and systems from malicious traffic. Antivirus prevents harmful files from executing and accessing the system to steal or damage you data
What does data security have to do with compliance?
Beyond your business’s measures to protect your client list, bank accounts, and product designs — laws like the Health Insurance Portability and Accountability Act, General Data Protection Regulation, and California’s Consumer Protection Act mandate that companies have appropriate data security measures in place.
Congress passed HIPAA in 1996 to protect patient health information. HIPAA sets regulations and requirements for the collection, processing, and storage of health records and insurance information.
GDPR was the European Union’s answer to consumer privacy concerns and the first major regulation to put power back in the hands of consumers. Regardless of your physical location, businesses must comply with GDPR if any of the data they are handling — employee or consumer — belongs to an EU data subject.
CCPA went into effect on January 1, 2020. Among other requirements, it says businesses must explicitly disclose what information they collect and that consumers have a right to data deletion. Like GDPR, businesses must comply with CCPA if any of the data they’ve collected belongs to California residents.
Businesses must remain compliant with the various data security and protection regulations of these laws or risk hefty fines. HIPAA violations max out at $1.5 million per year. GDPR penalties can reach €20 million or 4% of worldwide revenue, while CCPA fees range from $2,500 to $7,500. These fines don’t include compensation for victims (which can be very impactful to a business that holds thousands of customer records).
How can I make sure my small business is compliant?
- Create a culture of compliance: Make sure to bake compliance into the culture with a top-down approach. When owners and managers set a strong example, the result is contagious.
- Know the rules: Make sure you understand what you’re required to do under HIPAA, GDPR, CCPA, and other applicable data protection laws. Sometimes this is easier said than done. Seek outside, expert help when you’re unsure how to protect your business.
- Educate employees: Train employees on data security and compliance measures, then document it. Your documented policies, expectations, and escalation steps.
- Invest in the right technology: Use HR tech that manages data security and protection of employee data. It’s also helpful to find technology that offers compliance assistance to help you learn about requirements.