By Julie Sartain

Several weeks ago, boxes of confidential records that contained client names, Social Security numbers, dates of birth and invoices were discovered in a public recycling bin behind a supermarket in Spartanburg, SC. Peggy Garland-Coleman, a tax return consultant who closed her CPA firm three years ago, said she discarded the records after several days of shuffling papers to determine exposure risks.

Three months ago, two individuals were arrested for identity theft after stealing over $16,000 from victims in the Santa Clarita Valley area. By salvaging and reassembling shredded checks from the trash dumpsters of a self-storage facility, this couple collected enough information to open and operate a check counterfeiting racket.

And, last October, sensitive documents with client names, addresses, bank statements, credit card account numbers and Social Security numbers from a law firm were found scattered across the sidewalks, through the streets and along the interstate in Baton Rouge, LA. According to the firm's owner, a cleaning company was paid to dispose of the documents, but they were not shredded. When asked why, he said a lot of it was public record anyway.

Security breaches such as these happen every day, but when they happen to mom-and-pop businesses, the public rarely hears about it. According to New York City Housing Authority (NYCHA) Chief Privacy Officer Sheetal Sood, CIPP/US, who has multiple security certifications, the smaller businesses have a long way to go before they come close to properly handling data securely.

"Speaking as a privacy professional, which does not reflect the opinions of NYCHA, I believe the smaller businesses have very lax controls around data security," says Sood. "They usually have very little or no technology to work with, which leads them to perform most of their transactions manually. The SMBs (small to medium businesses) that do have the appropriate technology are prone to hacking attacks, especially if they employ wireless network access."

According to Avivah Litan, Gartner Research's lead consumer privacy analyst, many SMBs—unless they are in professional services such as tax accounting or law—are unaware of the laws that govern privacy, such as The Gramm-Leach-Bliley Act (GLBA), the American Recovery and Reinvestment Act and the Payment Card Industry Data Security Standard (PCI DSS). "The typical nonprofessional service business has no training or education on laws governing the collection of personally identifiable information (PII) or other sensitive customer data," says Litan, "and they are too busy running their businesses to even think about these subjects."

Sood adds, "As far as the laws are concerned, they have probably heard about the more popular ones such as the Health Insurance Portability and Accountability Act (HIPAA), especially if the SMB is a dentist or a doctor's office, but general awareness of the law and rules regarding data collection is severely lacking. Large enterprises face fines, reputation loss and brand-tarnishing when PII is poorly managed...The government regulates corporations, especially publicly owned businesses, but small businesses have more gray areas and less direction."

For example, according to Sood, most SMBs accept credit cards from their customers but do not follow the PCI standards. The PCI standards are very clear and freely available on the Internet. Due to the lack of general awareness regarding the privacy laws and the rules surrounding data security, however, policies and procedures are often missing. Some businesses have policies about data management, but more often than not, there are no procedures. "It's just a matter of implementing some controls," she says, "versus having none."

"The promises you make to customers should include how you are going to protect their personal information and reduce the risk of identity theft," says Karen Barney, program director at the Identity Theft Resource Center. Policies, procedures and protocols must be developed and in place to protect customer data. Introductions to the privacy laws are widely available on a number of business websites, and every SMB should review them and put the resulting controls in place immediately.

According to Barney, some of the procedures and protocols that need to be in place include:

  • Clearly define standard operating procedures.
  • Restrict information access to “need-to-know” basis only.
  • Secure all sensitive information.
  • Truncate or encrypt Social Security numbers and financial account numbers whenever possible.
  • Clearly define document-handling procedures, including proper paper and electronic records disposal.
  • Control and vet document delivery practices.
  • Minimize how much is out of your control; i.e., third parties, subcontractors, disposal companies.
  • Conduct ongoing training and education about identity theft awareness and prevention.

“Many small businesses fail to recognize the impact of losing customer information until it happens," says Rex Davis, director of operations at the Identity Theft Resource Center. "The result can be a devastating surprise for both the business and the customers involved. A data breach, even if not publicized widely, is something that customers do not forget or easily forgive. At the minimum, each small business owner should review the available guidelines regarding the protection of information, make its own checklist of items that apply to that business and then take appropriate measures to restrict and safeguard customer information. A key question should be this: Do we need to keep this information in the first place?”

Katherine Hutt, a spokesperson for the Council of Better Business Bureaus, adds, “Safeguarding privacy is one of the eight BBB Standards of Trust. Every business, large or small, must make the privacy and protection of its customers’ data a foundational principle of its business practices. You cannot build a relationship of trust with your customers if you fail to do everything in your power to protect their data and their privacy.”

Editor’s Note: Find out how one SMB—the Ontario Telemedicine Network (OTN)—earned the 2011 IAPP Privacy Innovation Award. Then get tips from OTN’s chief privacy officer on how to develop a “privacy awareness culture.”

Julie Sartain, author of Data Networks 101 (Aegis, 2002), has been a freelance journalist for 13 years. She writes for several magazines including Network World, Computerworld, PC World, CIO, The Privacy Advisor and Inside 1 to 1: Privacy.
