The recession has pummeled small businesses' IT budgets, but that's no excuse to slack off on electronic privacy and data protection safeguards.
In fact, hard times make keeping an electronic eye on privacy and IT security critical as economic factors are contributing to more frequent data breaches from outsiders and information theft from just laid-off employees and other company insiders, according to attorney Charles Kennedy, a privacy and data protection expert.
In 2008, reports of data breaches at U.S. companies jumped 47 percent to 656, according to the Identity Theft Resource Center, a San Diego nonprofit.
Reports of laid-off employees taking company information with them are also on the rise says Kennedy, with the Washington D.C. office of Morrison Foerster. Over half of 945 laid-off workers responding to a recent poll by Ponemon Institute, a Traverse City, Mich., privacy researcher, admitted taking company data when they quit because they felt entitled to it, thought it would help in their new job or didn't realize it was stealing.
With breaches on the rise, small businesses simply can't use the bad economy to rationalize trimming their electronic data protection program budgets, Kennedy says.
Another reason companies can't let down their guard: state and federal regulators continue to pass stringent electronic data protection rules. One of the latest is the Federal Trade Commission's Red Flags Rule, which takes effect Aug. 1 and requires financial institutions, health care providers and loan processors to create identity theft prevention programs. The Obama Administration's economic stimulus bill included a stepped up health-care records security breach notification requirement that takes effect in February 2010. In addition, states such as Massachusetts and Nevada have passed laws requiring companies to use encryption and put in other controls over consumers' personal information.
Regulations aside, following stringent privacy and security protocols is good for business. "If you have good privacy practices you can make it a feature of your advertising," if you don't exaggerate claims, Kennedy says. "When the other guy has a breach and you don't, that's good for you. Security is an edge you can't afford to ignore."
Doing the same or more with less
Still, no one expects small businesses to spend half their revenue on the latest firewalls and other data protections. Companies have to maximize whatever manpower and financial resources they've got. Kennedy and Alex Puertas, a program development manager at Iron Mountain, the data storage and protection vendor, recommend the following:
If you've already purchased encryption, intrusion protection and other security technologies, make sure you're using everything you've paid for. "Some data breaches occur because companies didn't do things they should, like update passwords and firewalls. They'd already paid for them, they just didn't use them," Kennedy says.
Cut costs by eliminating some of the overlapping functions in the security technologies you use. Likewise, reallocate funds from less critical IT and compliance programs to privacy and security, Kennedy says.
Written policies can stop problems from happening in the first place and the more trouble you avoid, the less money you have to spend mopping up after the fact. Policies should cover electronic records management - what data is saved, who saves it, how often, and by what method. Policies should also cover employees' use of portable electronics, updates on new regulations and what to do to limit employees' access to sensitive data if there's a layoff.
Small businesses might not have the financial resources to maintain an in-house chief privacy officer or compliance department. If that's the case, make sure you're working with lawyers, CPAs, or other consultants who can provide you with reliable guidance and technology on privacy and security matters. "I deal with small, medium and big companies and I don't know of any that can handle all phases of this alone," Kennedy says.
Even if you use a third party to run privacy programs, choose a company insider as a liaison to ensure policies are being followed. That person should also head up formal audits every year or two so programs can be altered to adhere to new laws or industry regulations.
Trade associations are great resources for timely information on privacy regulations. In some cases, you don't even need to be a member to take advantage of reference material that's available for free on a group's Website, Kennedy says.
SIDEBAR: Electronic Privacy and Security Policies Resources
Here are additional resources for creating and electronic privacy and IT security practices:
Fighting Fraud with the Red Flags Rule: A How-To Guide for Business -- A 17-page guide from the FTC on its new identity theft prevention requirements that includes step-by-step instructions businesses can use to create their own programs.
The Identity Theft Resource Center -- Theft prevention information for businesses and consumers, plus updates and statistics on data breaches at U.S. companies.
HIPAA health-care records data breach notification -- Health and Human Services Department document spelling out details of health-care privacy protections included in the economic stimulus bill that take effect in 2010.
Iron Mountain Knowledge Center -- Free white papers, webcasts, and other materials on electronic privacy protection and security issues.