Small businesses must address security and privacy

By Rebecca Herold, CEO, Privacy Professor®

I’ve been working with hundreds of businesses over the past fifteen years, and I’ve found many common challenges that they are always trying to address, as well as some common, dangerously incorrect beliefs about security and privacy. Some of these misconceptions are unique to one-person and small businesses.

Here are four recurring incorrect beliefs about information security and privacy held by small businesses, and the facts that these businesses need to know.

1. We’re too small to have to comply with regulations and laws.

I’ve heard this statement a lot over the years. While it is true that some regulations do not apply to businesses that have fewer employees than a specified number (for example, the U.S. Family and Medical Leave Act (FMLA) of 1993 applies to all businesses with fifty or more employees; those with fewer than fifty are not legally obligated to follow the law), this is generally not the case for information security and privacy legal requirements. And this makes sense, when you think about it. Many small businesses — even those consisting of just one person — possess an enormous amount of personal information as a result of the work they do for their clients.

For example, three years ago I performed a security and privacy program audit of a vendor of one of my clients, a U.S.-based multinational healthcare and financial organization with well over one million customers within ten lines of business. This particular vendor provided all the website hosting services for one of the businesses, a very specialized healthcare service managed separately from all the other businesses. This healthcare business had over 200,000 insureds/customers. The vendor was a small four-person family business: a couple and their son and his wife. They had no information security documentation, and no security controls in place except for anti-virus, an outdated firewall, and IDs with passwords (that had never been changed, and were three characters long).

When I asked them if they realized that they not only were putting their client’s data at risk, but were also not complying with most of the HIPAA requirements, they responded, “We only have four people in our business; we do not have to follow regulations…We’re too small!” I’ve heard similar sentiments from many other one-person and slightly larger businesses throughout the past fifteen years. Organizations of all sizes need to understand they all need to implement security and privacy protections. The absence of security controls within a tiny business could impact hundreds of thousands of individuals if a breach occurred, and the penalties for regulatory noncompliance could put those tiny businesses out of business. 

Lesson: When it comes to addressing information security and privacy, organizational size does not matter. Every size of business must implement effective information security and privacy practices.

2. We use outsourced managed systems services providers, so we don’t have anything to comply with.

Over three hundred one-person and small clinics are currently using my new HIPAA compliance service. As they go through the process of setting up their information security and privacy policies and procedures, many have sent me messages basically stating that they don’t need a technology-specific policy (e.g., to address HIPAA Security Rule Technical requirements) because they use a managed systems services provider, and so they don’t need to comply with those requirements — they contracted another business to take care of all that! Oh, really? Do they not use laptops? Smartphones? Tablets? Wireless networks? USB drives? And a wide range of other technologies themselves when performing their work? Oh, well, yes, they do. If an organization is using technology (few are not in today’s society), then they need technology policies and procedures. They also need policies indicating what they require of their contracted service providers for such safeguards. And they also need policies covering many, and possibly most, of the other administrative and physical security topics. Even when major systems activities are outsourced, every business will still be collecting, accessing and using its own information in some way and form.

Lesson: If you have a business of any size, you need to have administrative, physical and technical security controls and policies. Even if you use a managed systems provider, you still have to ensure safeguards for all the information you interact with during the course of daily work, in all forms. They will be simpler forms of controls and policies than those of large organizations, but they are still necessary.

3. We don’t have any personal information; all the information we have can be found online.

If I had a dollar for each time I got some form of the following question and comment over the past few years I could use it to go on a nice vacation. Here are the two general statements heard most often.

A) “If someone’s name and/or address, or any other personal information item, is posted online for the world to see, then why do we need to put safeguards and controls around that information? Since anyone can get it, there is no need to worry about securing it or how it is used; right?”

No! It is still personal information that must be protected within your business.

B) “If information is on the Internet then it is no longer protected health information (PHI) because it is public information! Names are public information, not PHI!”

Also, no. Wrong! You must still protect personal information that may be found publicly elsewhere.

Why are the answers to these questions “no”? Because context must be considered to effectively protect privacy. Protecting privacy isn’t just about protecting access to specific information items; it goes far beyond that and requires understanding how information can impact privacy based upon the contexts in which it is used, the other information items involved, how other information items from elsewhere (e.g., big data files, metadata, etc.) are combined with it, and the actions and decisions made based upon analysis of all the information items.

Consider different scenarios for a piece of paper that involve the same personal information item: a full name.

A) A full name found on a piece of white paper, with nothing else printed on it, in the street. This doesn’t reveal much, if anything at all, depending upon the geographic location and how many others have the same name. So, the full name would have little privacy impact within this context.

B) A full name found on a piece of paper with a letterhead for a mental health clinic, that also contains a full address and phone number, in the street. This provides more information, more context, and more privacy impacts; again, the extent depends upon the geographic location, how well known the person may be, and any malicious or criminal tendencies of the person(s) finding the paper.

Lesson: Just because a personal information item/identifier is found online or elsewhere in public does not mean that it no longer needs protecting in all the many other contexts within which it is used. Context has significant impacts upon privacy whenever individual personal identifiers are involved. If your small or one-person business collects, processes, creates or otherwise uses personal information, you must apply effective safeguards to protect it…regardless of whether or not the personal information items may be found somewhere online.

4. Our client takes care of security stuff; that is their responsibility. They hired us to do work for them.

Oh, I’ve heard this statement from a lot of online start-ups, cloud vendors, and small businesses. If a small or one-person business has clients that are other businesses, keep in mind that your clients have their own security and privacy compliance activities for their own business, which are separate from yours. What you need to do are activities appropriate for your business activities and to mitigate your risks. Some of the common activities that all types of contracted businesses need to do include such things as:

  • Having administrative safeguards, such as information security and privacy policies/procedures appropriate for your business activities, providing training and ongoing awareness communications, doing risk assessments, implementing workforce information security activities oversight, assigning responsibilities for information security and privacy, and knowing where risks are within your own business.
  • Having technical safeguards, such as anti-malware on your laptops and other mobile computing devices, using firewalls, using strong passwords, not sharing accounts, using encryption as appropriate based upon risk, securing wireless connections, and limiting access to data to only those who need it to perform business activities.
  • Having physical safeguards, such as ensuring you do not use your laptop in areas where others who are not authorized to see your clients’ data can view it, keeping control of your computing and storage devices, and keeping backups stored in secure locations.

Lesson: Every organization, of every size, and in every industry, needs to establish information security and privacy safeguards and controls to appropriately mitigate the risks within their own organization. You cannot expect that the actions that your clients are taking will also be mitigating your own risks…because they won’t; even if you are a small business!


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
