In 2020, there were 1,001 data breaches in the United States that exposed over 155 million people’s personal information. The past 10 years have seen a significant increase in the number of data breaches, jumping from 662 in 2010, to a peak of 1,632 in 2017.
But they don’t just affect the individuals whose records have been exposed—the average cost of a data breach to a company is $3.86 million, and can go as high as $8.64 million. For most small businesses, those are amounts they can ill afford.
According to Pew Research Center, 81% of Americans say that the potential risks they face because of companies collecting their data outweigh the benefits. However, with many people still working remotely due to the COVID-19 pandemic and the subsequent shift to the digital sphere, small businesses have had to follow suit in order to survive. Operating online comes with more risks for both businesses and customers, but there are a number of data privacy strategies that small businesses can implement to protect themselves and their customers.
According to Darren Guccione, CEO and cofounder of cybersecurity company Keeper Security, data privacy is the “proper fiduciary treatment and handling of customer or user data.” A customer’s data, or personally identifiable information (PII), can include anything from their first and last name, date of birth, Social Security number, home address and workplace, among other information. If a customer uses a piece of software, even if it’s just to complete an online transaction, that software will have a “profile” based on that person.
So, even though a small business may use a third-party vendor to handle their cybersecurity, Guccione emphasizes that “you are now a fiduciary and responsible party in terms of making sure that that information is confidential, secure and safeguarded.”
For businesses that transact with customers, using contactless payments terminals can be a great way to not only protect from COVID-19 transmission, but also to safeguard your customers’ data. Although there are always concerns over data breaches, fraud protection has advanced considerably. Contactless payments are actually more secure than the regular “swipe” method because each transaction is encrypted and tokenized when being sent to the payments terminal.
“The biggest thing that contactless payments does is make it easier and safer for both the merchant and the customer,” says Dustin Sullivan, vice president and national merchant sales manager at East West Bank.
With the rising adoption of contactless payments, Sullivan adds that it’s especially important for businesses to upgrade to the latest platforms, so that they can properly protect their customers’ data and themselves from fraud.
“Before the pandemic, we saw many clients making equipment upgrades,” says Sullivan. “But since the pandemic, more and more clients have taken things much more seriously and have really focused on making sure that they have what is safest and best with contactless payments.”
Guccione acknowledges that most small businesses don’t have the resources to build their own IT department or handle their own cybersecurity, but he encourages business owners to look into building relationships with third-party security firms.
“If there’s one thing that we can encourage you to do it’s to at least build a relationship with an outside security firm,” says Kristin Judge, CEO and founder of nonprofit group Cybercrime Support Network. “We don't expect smaller businesses to have a chief information security officer or a full-time IT person, but have a relationship with somebody, before you have a breach or a data privacy issue, because then you can have them come in, and they’ll already know your business.”
Prior to the pandemic and the onset of remote work, businesses may have had an easier time enforcing data privacy because the majority of people were working from a centralized office. However, with the onset of remote work, it’s become particularly important to enact endpoint protection.
“When you [have] distributed remote work, the number of endpoints essentially extrapolates in multitudes of where you were at previously,” says Guccione. “The fact that people are transacting on personal devices on home networks for business purposes, the amount of complexity that brings into an organization is astounding.”
Luckily, there are many options for endpoint security software that small businesses can take advantage of to mitigate the risks created by remote work. Guccione says that business owners should choose software based off of their business’s specific needs (find a list here) but to beware of “free” options.
Although many businesses might want to focus on outside threats to their customers’ data, Guccione says it’s equally important to be mindful of potential threats coming from within your company—that’s why a zero trust framework is so important.
“As your organization grows, you also need to be mindful of the people inside the organization that have access to data,” he says. “And zero trust is all about that…to apply ‘zero trust’ to anyone who could potentially access the system, or to someone who can access a system.”
Zero knowledge is slightly different. “What zero knowledge means is that we as a vendor…have no knowledge of, or access, to your master password or the encryption keys that could otherwise give us or a third party access to your information,” explains Guccione. “Only you hold those encryption keys, and only you have knowledge of your master password and your credentials.”
Unfortunately, there is no single nationwide guidance on data privacy laws. Instead, it’s made up of a patchwork of federal, state and local regulations, and businesses that transact in multiple locations need to understand and comply with those regional regulations. For example, the California Consumer Privacy Act gives consumers the right of restriction, whereas Virginia’s Consumer Data Protection Act does not.
Despite the discrepancies between state, federal and local laws, there are ways businesses can safeguard against violating those regulations. For data privacy best practices, Guccione provides these nine suggestions:
“It’s easy to say you don’t care about privacy until you’re a victim of the issue,” says Guccione. “There’s a saying, right? Ignorance can be bliss—it’s no longer bliss.”