By Julie Sartain

Several weeks ago, boxes of confidential records that contained client names, Social Security numbers, dates of birth and invoices were discovered in a public recycling bin behind a supermarket in Spartanburg, SC. Peggy Garland-Coleman, a tax return consultant who closed her CPA firm three years ago, said she discarded the records after several days of shuffling papers to determine exposure risks.

Three months ago, two individuals were arrested for identity theft after stealing over $16,000 from victims in the Santa Clarita Valley area. By salvaging and reassembling shredded checks from the trash dumpsters of a self-storage facility, this couple collected enough information to open and operate a check counterfeiting racket.

And, last October, sensitive documents with client names, addresses, bank statements, credit card account numbers and Social Security numbers from a law firm were found scattered across the sidewalks, through the streets and along the interstate in Baton Rouge, LA. According to the firm's owner, a cleaning company was paid to dispose of the documents, but they were not shredded. When asked why, he said a lot of it was public record anyway.

Security breaches such as these happen every day, but when they happen to mom-and-pop businesses, the public rarely hears about them. According to New York City Housing Authority (NYCHA) Chief Privacy Officer Sheetal Sood, CIPP/US, who holds multiple security certifications, smaller businesses have a long way to go before they come close to handling data securely.

"Speaking as a privacy professional, which does not reflect the opinions of NYCHA, I believe the smaller businesses have very lax controls around data security," says Sood. "They usually have very little or no technology to work with, which leads them to perform most of their transactions manually. The SMBs (small to medium businesses) that do have the appropriate technology are prone to hacking attacks, especially if they employ wireless network access."

According to Avivah Litan, Gartner Research's lead consumer privacy analyst, many SMBs, unless they are in professional services such as tax accounting or law, are unaware of the laws and industry standards that govern privacy and sensitive data, such as the Gramm-Leach-Bliley Act (GLBA), the American Recovery and Reinvestment Act and the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual requirement imposed by the card brands rather than a statute. "The typical nonprofessional service business has no training or education on laws governing the collection of personally identifiable information (PII) or other sensitive customer data," says Litan, "and they are too busy running their businesses to even think about these subjects."

Sood adds, "As far as the laws are concerned, they have probably heard about the more popular ones such as the Health Insurance Portability and Accountability Act (HIPAA), especially if the SMB is a dentist or a doctor's office, but general awareness of the law and rules regarding data collection is severely lacking. Large enterprises face fines, reputation loss and brand-tarnishing when PII is poorly managed...The government regulates corporations, especially publicly owned businesses, but small businesses have more gray areas and less direction."

For example, according to Sood, most SMBs accept credit cards from their customers but do not follow the PCI DSS requirements, even though the standard is clear and freely available on the Internet. Because general awareness of the privacy laws and the rules surrounding data security is lacking, policies and procedures are often missing altogether. Some businesses have policies about data management, but more often than not there are no procedures to carry them out. "It's just a matter of implementing some controls," she says, "versus having none."

"The promises you make to customers should include how you are going to protect their personal information and reduce the risk of identity theft," says Karen Barney, program director at the Identity Theft Resource Center. Policies, procedures and protocols must be developed and in place to protect customer data. Introductions to the relevant privacy laws are widely available on a number of business websites, and every SMB should put such policies in place without delay.

According to Barney, some of the procedures and protocols that need to be in place include:

  • Clearly define standard operating procedures.
  • Restrict information access to “need-to-know” basis only.
  • Secure all sensitive information.
  • Truncate or encrypt Social Security numbers and financial account numbers whenever possible.
  • Clearly define document-handling procedures, including proper paper and electronic records disposal.
  • Control and vet document delivery practices.
  • Minimize how much is out of your control; i.e., third parties, subcontractors, disposal companies.
  • Conduct ongoing training and education about identity theft awareness and prevention.
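The truncation item in the list above is the one control a small business can apply mechanically. As an added illustration (example code written for this page, not from the article or the Identity Theft Resource Center), the following Python reduces Social Security numbers and payment card numbers in free-text records to their last four digits before the record is stored or handed to a third party. It checks the SSN assignment rules and the Luhn checksum first so that phone numbers and invoice numbers are not mangled; the sample records are constructed for the example.

```python
import re

# Added example: truncate SSNs and card primary account numbers (PANs) found in
# free-text records. Sample data below is constructed, not taken from the article.

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA assignment rules: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _truncate_ssn(m) -> str:
    area, group, serial = m.groups()
    if not is_valid_ssn(area, group, serial):
        return m.group(0)       # shaped like an SSN but cannot be one; leave it
    return f"***-**-{serial}"


def _truncate_pan(m) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # invoice or order number, not a card number
    keep = len(digits) - 4      # number of leading digits to mask
    out, seen = [], 0
    for ch in raw:              # preserve the original separators
        if ch.isdigit():
            out.append("*" if seen < keep else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def truncate_identifiers(text: str) -> str:
    """Return text with valid SSNs and card PANs reduced to their last four digits."""
    text = SSN_RE.sub(_truncate_ssn, text)
    return PAN_RE.sub(_truncate_pan, text)


# Constructed sample records: a client line with a phone number that must survive,
# and an invoice line whose 16-digit number fails Luhn and whose "000" SSN is invalid.
SAMPLE_RECORDS = [
    "Client: J. Doe  SSN 123-45-6789  Visa 4111 1111 1111 1111  Tel 555-123-4567",
    "Invoice 1234567890123456 for 2009 return; ref 000-12-3456 (not an SSN)",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(truncate_identifiers(rec))
```

Run on the two sample records, the first line comes back with the SSN and card number masked and the phone number intact, while the second line is returned unchanged because neither candidate passes its validity check. Truncation is a one-way control; where the business genuinely needs the full number later, encrypt it under a key kept separate from the records instead of storing it in the clear.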

“Many small businesses fail to recognize the impact of losing customer information until it happens," says Rex Davis, director of operations at the Identity Theft Resource Center. "The result can be a devastating surprise for both the business and the customers involved. A data breach, even if not publicized widely, is something that customers do not forget or easily forgive. At the minimum, each small business owner should review the available guidelines regarding the protection of information, make its own checklist of items that apply to that business and then take appropriate measures to restrict and safeguard customer information. A key question should be this: Do we need to keep this information in the first place?”   

Katherine Hutt, a spokesperson for the Council of Better Business Bureaus, adds, “Safeguarding privacy is one of the eight BBB Standards of Trust. Every business, large or small, must make the privacy and protection of its customers’ data a foundational principle of its business practices. You cannot build a relationship of trust with your customers if you fail to do everything in your power to protect their data and their privacy.”

Editor’s Note: Find out how one SMB—the Ontario Telemedicine Network (OTN)—earned the 2011 IAPP Privacy Innovation Award. Then get tips from OTN’s chief privacy officer on how to develop a “privacy awareness culture.”

Julie Sartain, author of Data Networks 101 (Aegis, 2002), has been a freelance journalist for 13 years. She writes for several magazines including Network World, Computerworld, PC World, CIO, The Privacy Advisor and Inside 1 to 1: Privacy.

