Small businesses have a lot on their plates, and protecting customer PII might not exactly be the first priority. While there may seem like more pressing matters that need to be addressed, safeguarding customer PII is critical and should be taken care of as soon as possible.
Businesses that neglect their PII responsibilities are in for a rude shock when they see just how expensive it can be to recover after the data is breached in an attack or through negligence.
Protecting personal identifiable information (PII) is challenging for any organization, but small businesses have a particularly hard time. Among other factors, they simply lack the resources and skills that their big enterprise brethren can leverage to guard their critical data.
Despite these limitations, it’s still possible for small businesses to manage the risks effectively. However, it requires a proactive approach, with organizations ensuring that they have reasonable policies and security measures in place ahead of time.
If they don’t, their customer PII could be leaked or stolen, which can result in the data being used to commit a range of cybercrimes, severe legal penalties for the small business, disruption to normal operations, and serious damage to the company’s reputation.
To help your small business understand the dangers associated with customer PII, as well as how you can protect it appropriately, Comparitech has created this detailed guide with everything you need to know.
What is personal identifiable information (PII)?
Personal identifiable information (PII) is exactly what you may have guessed from the name. PII is information that can identify or potentially be linked back to a person. Under some sets of regulations, the name may be tweaked slightly to personally instead of personal, or identifying instead of identifiable, but the definition remains more or less the same. Some of the more common types of PII can include a person’s:
- Name (this can also include aliases, maiden names and the maiden names of people’s mothers)
- Phone number
- Email address
- Date of birth
- Social Security number
- Passport number
- Drivers license number
- Credit card number
- Bank account details
- Employment information
There are also a bunch of less obvious records that can be considered PII in certain situations:
- Biometric data – Details like fingerprints, voiceprints and iris scans.
- Medical information – Including a person’s medical history, diagnoses, treatment details, as well as payment and insurance information.
- Education records
- Criminal records
- IP addresses and other online records
- Some sets of regulations even have a catch-all phrase to cover types of PII that they may not have explicitly mentioned. These often say something along the lines of “Any other information that could be linked to a specific person.”
These lists aren’t exhaustive, and different sets of regulations have their own approaches as to what they consider PII. Although they may vary in their breadth, strictness and how the data must be dealt with, the definitions of PII are largely similar.
Prominent laws governing personal identifying information (PII)
We will briefly cover some PII regulations from the US and Europe. There are many other regulations at the national or state level across the world, but listing all of them is beyond the scope of this article.
The US and European laws are a good place to start because they cover a significant number of people. Many other countries follow their leads when it comes to regulation.
A number of related regulations cover specific industries or types of data. For example, the US’ HIPAA sets out strict guidelines for how health-related PII, known as protected health information (PHI), should be processed.
Likewise, the Payment Card Industry Data Security Standard (PCI DSS) is an industry-standard that stipulates how organizations should protect payment card data. If your organization is involved in processing these or other specifically regulated types of data (either its own data, or data it processes on behalf of another organization), then it needs to inform itself of the standards or laws it is subject to, and any extra steps it may need to take to protect its data.
The US Privacy Act of 1974
One of the most prominent US laws concerning personal identifiable information is the Privacy Act of 1974. It established a code of fair information practices that stipulate how federal agencies are allowed to collect, maintain, use and disclose information regarding individuals.
It was introduced in the wake of the Watergate scandal in a bid to curb the illegal state surveillance against individuals and to help prevent government abuse. The Privacy Act of 1974 defines PII records as:
“…any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.”
The Act limits federal agencies by prohibiting them from disclosing individual records without the consent of the person. Although there are exemptions, such as for police investigations, the laws were an important milestone for preventing government overreach.
The Act only protects individuals from data collection by federal agencies. While state, local and non-government agencies are not covered by the Privacy Act of 1974, it was a critical step forward in terms of how we consider PII and the rights of individuals.
The National Institute of Standards and Technology (NIST) is a government body that focuses on leadership and developing technological standards. It aims to assist industries with innovation and cohesiveness.
NIST created the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) as a set of guidelines to help organizations manage their various needs and comply with regulations. The guidelines aren’t a set of regulations themselves, because NIST is a non-regulatory agency.
NIST’s primary aim is to assist government agencies in understanding the appropriate protective measures for PII. However, it’s also free for non-government organizations to use, and it’s a great starting place for small businesses.
The document defines PII as:
“―any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Europe’s General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a set of European laws adopted in 2016, but only became enforceable in 2018. Instead of PII, the GDPR uses the term personal data. While the terms are similar, personal data is broader than most US definitions of PII, and the regulations surrounding it are much more stringent.
The GDPR states that personal data is “any information relating to an identified or identifiable natural person”, including the things we would normally consider identifiers such as names, online identifiers, or “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
It’s a legal mouthful, but the definition basically covers any type of information that can be linked back to a person. The GDPR sets out how personal data should be processed, which refers to just about anything that you could do to data, either manually or by automated means. Things like:
The GDPR has seven major principles surrounding personal data:
- Lawfulness, fairness and transparency.
- Explicit limitations on what purposes data can be used for.
- Data minimization – Collecting the minimal amount of data necessary to achieve a stated purpose.
- Accuracy – Ensuring information is accurate and kept up-to-date.
- Limiting data storage time-frames – Data should be stored for no longer than necessary.
- Security – The appropriate technical and organizational measures should be taken to protect data.
- Accountability – Entities that process personal data must be responsible for it and demonstrate compliance.
The GDPR is one of the most extensive sets of legislation for protecting PII that the world has seen. In our age of ever-increasing data collection and monitoring, it was a positive step forward for protecting the privacy of individuals. However, its broad reach also came with compliance burdens, particularly for small businesses.
Small businesses are not exempt from the regulations, but there are some provisions that make compliance less difficult. For example, businesses with under 250 employees do not need a designated data protection officer.
Due to the scope of the laws, European-based small businesses that process personal data need to tread carefully, as do international businesses that process European data.
Why do we need to protect customer PII?
If you’re a small business owner, you might find all of these varying sets of regulations a needless hassle. While it is true that they are burdensome, these laws are necessary evils, because they protect every one of us from something far worse.
Imagine a dystopia where we have no rules regarding PII. Businesses and the government could collect whatever information they want, then do with it as they please. The more optimistic among us may believe that human goodness would emerge without any pesky government regulation, resulting in a world where only organizations that deal with data respectfully survive.
The skeptics probably have a far more sinister view of what would happen. Mega-corporations acting so unhinged that they make Facebook’s data collection look like child’s play, with national governments surveilling every single move we make. Obviously, no one would want such extensive privacy invasions.
You may argue that this already pretty much happens, and you would certainly have a reasonable point. Tech giants and other organizations already collect a terrifying amount of information on us and use it in ways that go against our interests. China’s surveillance system is already incredibly invasive.
However, we also have pretty clear evidence that the right laws make a big difference. As the GDPR rolled out, Facebook released a host of measures that made it much easier for users to control if and how their data was shared. Google did the same, as did many other invasive companies.
While China’s laws don’t protect its citizens from the extreme surveillance of its government, people from the US have regulations like the Privacy Act of 1974 that give them a greater degree of privacy. If anything, the world needs more legislation to keep our PII safe, rather than less.
PII laws protect us from crime
It’s not just companies and the government that PII regulations protect us against. They also help keep us safe from cybercrime. Just like businesses, cybercriminals love PII because it’s valuable. Unfortunately for them, people don’t tend to willingly hand over their information to hackers in the same way they do for businesses.
But cybercriminals aren’t overly concerned about what’s legal and what isn’t, so they resort to other means to steal PII. They hack into company systems and databases and take whatever they can.
Why should you care? Because sometimes it’s your data.
Once hackers have completed a successful attack and siphoned off a mountain of data, they then try to make money from it. Often, they will just sell it on to other criminals who use it in various schemes, but sometimes they do the dirty work themselves.
The particular crime will depend on what kind of data the hackers have managed to get a hold of. If it’s usernames and passwords, they could be selling things like the credentials for stolen Netflix, Spotify or other accounts.
If it’s credit card data, they may try and run up as many purchases as possible. If the information they steal is more thorough, such as that contained in medical records, cybercriminals can mount even more devastating crimes. They can commit identity theft, take out loans using false information, or commit insurance fraud.
Sometimes these crimes will only cause slight disruptions. At the highest levels, they can ruin people’s lives. And you can be a victim.
If we didn’t have laws that stipulate how PII can be collected, stored transmitted, or processed in other ways, then organizations could deal with it in a haphazard manner. They wouldn’t have to put a bunch of burdensome security and privacy measures in place to keep people safe.
What would happen?
Cybercriminals would celebrate. They could steal data without even having to try, allowing them to commit the above-mentioned crimes on a much grander scale. The online world would be in absolute chaos.
Why do PII laws have to apply to small businesses?
Small businesses have much more limited access to the skills and resources needed to keep customer PII safe, so they often find PII regulations unfair. This is hard to dispute, but it doesn’t change the need for tight legislation to keep personal data secure.
If various PII laws only applied to larger organizations, it would lead to a predictable outcome. The regulations would make larger organizations much more difficult to attack, so hackers would simply switch their targets and hone in on small businesses, taking the path of least resistance to get their valuable data.
There seems to be a misconception that small businesses aren’t vulnerable to having their data stolen. While it’s true that enterprises have much larger databases, and that’s where the big money is made, there also tend to be much stronger security measures in place that need to be combated.
The reality is that 43 percent of cyberattacks affect small businesses. You just don’t hear about them as much, because they aren’t as newsworthy as the big attacks.
As you can see, it’s important for PII laws to cover small businesses as well. However, due to the increased difficulties that smaller organizations have with compliance, governments should make extra provisions that help small businesses meet regulatory standards, rather than bend the rules to accommodate them.
The main challenges that small businesses face
Small businesses face a lot of the same threats as their larger rivals, but often lack the skills and resources to handle them appropriately. From sole traders to those with dozens of employees, it’s not possible to have experts in every aspect of a company’s operations within such small teams.
Smaller companies may have an IT worker, but is the worker an expert in penetration testing? How about network architecture or threat analysis? Organizations with their own small IT departments may be able to handle the basics, but they aren’t well-positioned to combat many of the more advanced threats.
Other small businesses may have no one with IT knowledge on board and may be using cobbled-together systems that are full of security holes and weaknesses. Others may outsource their security to consultants or specialist organizations.
While this is generally the best approach for small businesses to handle their cyber risks, they still have to put trust in their partners to set up appropriate systems. If a small business has no information security knowledge, it probably won’t be able to evaluate vendors appropriately and may end up with systems that are completely inappropriate for the threats that it faces.
Dodgy IT vendors may only implement security mechanisms in a haphazard way, and may not address all of the various organizational and policy matters that are critical for both cyber defense and compliance with the applicable regulations.
In addition to the lack of skills and knowledge, small businesses often don’t have the funds available to adequately address the risks that they face. They may be aware of the security threats, as well as the need to have systems in place, but various financial pressures may always see the budget eaten up before the small business has a chance to implement the right defenses.
Limited knowledge and resources make it tremendously difficult for small businesses to defend themselves in the current threat landscape, because it’s simply too complex. While it is difficult for smaller organizations to overcome these issues, they still need to make cybersecurity a priority so that they can appropriately protect their PII and other critical assets.
Whether it’s through outsourcing, partnerships or bringing some cyber skills into the team, smaller companies must do everything that they can to prevent their businesses from being devastated by cyber-attacks or regulatory breaches.
If you want to learn more about protecting your small business check out our guides below:
What happens if the right measures aren’t in place to keep PII safe?
If small businesses don’t have the right safeguards in place to keep their PII safe, the risks of suffering a data breach increase. They can be caused in several different ways, such as:
- Employee negligence – Employees may accidentally expose PII. For example, a receptionist may accidentally email unencrypted medical records to the wrong recipient.
- Insider threats – Sometimes employees become disgruntled with the company or are paid by outsiders to steal data.
- External attackers – These are your run-of-the-mill hackers and cybercriminals who could be in Ukraine or in the next suburb. They probe networks for weaknesses, looking for easy ways to steal data.
Each of these types of data breach can have disastrous outcomes for the affected business. They include:
- Legal penalties – If your business suffers a data breach, it may face very serious legal consequences. This depends on which laws are violated, but certain offenses can lead to millions in fines or even imprisonment.
- Business disruptions – If your company suffers a data breach, it may cause significant interruptions to normal business practices. The business may have to shut down certain operations while the source of the breach is investigated and until new security measures can be implemented. If services are interrupted, it may not be able to conduct it’s usual tasks, which can decrease revenue.
- Brand damage – Data breaches don’t exactly make your company look good. If you were a prospective customer looking into two hypothetical companies that were equal in all other ways, which would you choose – the one that had had a major breach or the one that seems to be secure? Not only can a data breach put off future customers and clients, but it may also cause existing business to switch to a competitor. As an example of how devastating a breach can be, Equifax’s share price dropped over 18 percent after it was breached.
Examples of small business PII hacks
The following are several examples of small business PII hacks, which detail the significant consequences the victims suffered:
80sTees data breach
In 2013 the clothing company 80sTees notified several of the state attorneys general across the US of a data breach that affected its customers. In January, the company’s owner, Kevin Stecko had been alerted by Discover that some of the site’s customers had noticed suspicious transactions on their accounts.
The company stopped storing credit card information, removed existing credit card data from its systems, hired a forensic examiner and contacted the Secret Service. However, the ensuing investigation found no evidence of an intrusion into the company’s systems. It wasn’t until several months later when MasterCard and Visa also reported fraudulent charges that the breach was confirmed.
By March, the forensic investigator discovered that malware had been slipped onto 80sTees’ systems in June 2012 and had evaded the company’s antivirus solutions. In April, 80sTees notified over 3,500 customers who were affected by the breach, while American Express also sent letters out to its affected customers.
Despite the measures, more customers noticed ongoing fraudulent transactions at the end of April. In response, further notification letters were put on hold so that they wouldn’t interfere with the investigation.
It wasn’t until January 2014 that the Secret Service wrapped up its case, finding that the card data was exfiltrated to an external email address. The Secret Service was not able to conclusively determine who the perpetrator was. However, it presumed that a former executive who had since died was responsible.
80sTees responded by notifying all customers who made orders between June 2012 and April 2013 that their data may have been breached. Stecko stated that the breach of customer PII ended up costing the company $200,000 to resolve, however this figure does not include the sales that the company missed out on during the breach, or any damage to the brand’s reputation.
Rosenthal Wine Bar & Patio
At the start of 2014, a Californian wine vendor notified its customers that it had been breached. The Rosenthal Wine Bar and Patio, a wine tasting room in Malibu, learned that hackers had installed malware on its systems that may have compromised the names, card numbers, expiration dates, security codes and addresses of its customers.
Although the company was unsure whether the data would be abused, it notified its customers of the breach and warned them to monitor their credit card statements for any suspicious transactions that may have been caused by fraud. The Rosenthal Wine Bar and Patio also offered one year of identity theft protection services to those affected, in order to help defend against potential scams.
The company also responded by upgrading its security systems. In addition to the costs of upgrading its security infrastructure, the Rosenthal Wine Bar and Patio also had to shoulder the costs of investigating the breach, notifying those affected, and providing identity theft protection.
In addition to this, the breach also led to numerous bad reviews on Yelp, which can have a disastrous effect on future business. According to the operations manager Katherine Dimas, all of the business disruption and associated costs was the result of just a few customers being affected.
Silversage Advisors may have thought it was doing everything right. The California-based financial advice company kept backup hard drives of important business data at a house away from its office, just in case a disaster struck and they lost all of their data in a fire, ransomware attack or other calamity.
The hard drives were even placed in a safe that was bolted to the floor. In general, this is a great practice, because having data safely stored at a second location makes it much easier to recover from worst-case scenarios.
However, the home was hit by professional burglars, who managed to crack open the safe and make off with the valuable hard drives. While the company didn’t end up losing all copies of its records, the thieves now had access to the names, addresses, Social Security numbers, drivers license numbers, account details and other sensitive information from hundreds of clients.
While none of Silversage Advisors clients had reported any fraud on their accounts, the company responded by reporting the breach to law enforcement and alerting those who had been affected in accordance with California law.
Silversage Advisors offered one year of free identity theft protection and credit monitoring services to those who were affected. It also advised them to place alerts for fraud on their credit files.
Not only did the breach of PII result in expenses for the company in regards to the investigation and fraud protection services, but it also may have violated the trust that many of its clients had in the company.
This is particularly detrimental to the survival of a financial advice business, because clients need to be able to trust it with their investments and their futures.
What can we learn from these small business examples of PII breaches?
It’s easy to assume that the small businesses from above were just unlucky. It’s partially true – there are many other small businesses with similar security setups who have managed to skate by unscathed so far.
The reason that 80sTees and Silversage Advisors were attacked over others may not be that these businesses had the absolute worst security – instead, it’s more likely that these were simply vulnerable businesses that the attackers stumbled upon by chance.
If you’re a small business owner, your strategy may simply be to hope that you’re one of the lucky ones. If this is the case, luck might keep you safe for a little while, but sooner or later your company will fall victim, and it will end up costing you far more than a few proactive protective measures would have.
Cybercriminals scan the internet looking for weaknesses, and these attacks aren’t going away anytime soon. In fact, they are becoming more prominent, so it’s only a matter of time before poorly protected businesses show up on the radars of cybercriminals.
While each of the above-mentioned businesses may have been unlucky to a certain degree, there were also simple things that they could have done to prevent the attacks. Silversage Advisors could have simply encrypted the hard drives, which would have made the data completely unreadable unless the thieves also had the password.
80sTees and the Rosenthal Bar and Patio could have done the same, and encrypted the data wherever it was stored. Or they could have set up their systems in a way that they weren’t storing credit card data at all.
With access control systems, logging and monitoring, they also could have been alerted every time someone tried to access certain data, which would enable them to put a stop to the attacks before they succeeded.
A range of different security measures alongside the appropriate policies could have easily prevented each of these attacks, saving the businesses the huge costs and reputational damage that the breaches caused.
How small businesses can keep their PII safe
Hopefully by now, all small business owners have realized just how important it is to keep their customer PII safe from cyber attacks and other breaches. Once business owners are aware of the problem, the next step is to work toward the appropriate solutions.
Every business is different. They collect different data, need to access it for differing purposes, have varying amounts of resources, and the list goes on. Because of this, we can’t simply offer a cookie-cutter approach that will suit all organizations.
Instead, it’s best for small businesses to engage well-established and respected consultants or security providers who can conduct a risk analysis of your individual organization, and then build up a defense plan based on its unique circumstances.
While our article may not be able to give you the tailor-made plan your organization really needs, we can help to point you in the right direction.
Analyzing the current situation
The first step of protecting PII involves taking stock of where your small business currently stands. List out the following:
- What PII does your organization collect, store, transmit or process?
- How is the PII collected, stored or transmitted?
- What about other types of sensitive and valuable data? How is it processed?
- Are there protection measures in place for your PII and other data? If so, what are they?
- What are the critical systems, infrastructure and other assets that your organization uses?
- What protection measures are in place?
- Are there any policy or organizational measures that focus on protecting PII?
- What are the company’s security weak points?
- What are the main threats that it faces?
- For how long is PII retained?
- With what third parties is PII shared?
Once you have completed this analysis, you should have a better idea of what your organization currently has, and what needs to be protected. It should highlight the current weaknesses and give you insight into what needs to change, so you can come up with a comprehensive security plan.
Building a security plan
With your analysis in hand, you can construct a tailor-made security plan that covers your small business and its PII against its biggest threats. While no security plan can be one hundred percent bulletproof, a well-constructed plan makes it much harder to infiltrate your organization. This generally means that most threat actors will simply move onto businesses that are easier to exploit, which significantly decreases the risks that your organization faces.
It’s easy to confuse what a cohesive security plan involves. Some may think that you just slap on a bunch of technical measures like encryption, and then a business is good to go. In reality, there is much more to it.
If you only rely on technical measures without operational measures, it’s a lot like putting heavy locks and deadbolts on the doors to a house, but then leaving the keys on a hook outside. Sure, security mechanisms are in place, but you haven’t made the house secure at all.
To remove similar flaws from our cybersecurity plans, each of the following aspects needs to be addressed:
- Organization and administration – The security plan needs overall organizational and administrative measures in place that shore up the weak points and protect against the potential threats that were identified in the analysis. The plan needs to be holistic, which includes having individuals responsible for various aspects of the plan, and coordination between each separate component to ensure a solid defense.
- Policies and procedures – At a slightly lower level, your small business’ security plan also needs policies and procedures that prescribe how things must be done to maintain adequate security. These need to be carefully considered, because there’s not much of a security benefit in enacting a policy for strong passwords if all of your employees have them on Post-It notes on their computer monitors.
- Training and awareness – Of course, your employees need to be trained appropriately on their responsibilities for helping to keep the organization secure. They should be aware of the major dangers that their roles can introduce, and also have regular updates that make them aware of the latest security threats.
- Technical measures – Finally, a security plan also needs the technical mechanisms that work to protect systems, accounts and data. These run the gamut from encryption to firewalls.
Practical tips for protecting small business PII
While the section above was important for demonstrating all of the important aspects of a comprehensive security plan, it didn’t really include much actionable advice. The following tips don’t constitute a complete security plan that will keep your organization safe by themselves, but if you take them as a starting place and integrate them into a plan that covers all of the above-mentioned components, your company should be in a much more secure position.
- Get rid of unnecessary data – Analyze the data that your organization processes and eliminate any that is not really needed. Securely erase any old data that you no longer require and look for ways that you can avoid collecting data in the first place. If you can avoid storing or processing credit card data and other PII, you should do it. Processing unnecessary data that you don’t use is simply a liability.
- Classify your small business PII according to its sensitivity – Each level of data should have the appropriate controls around it to mitigate risks.
- Encrypt all PII – Make sure it is encrypted with secure algorithms both at rest and in transit.
- Anonymize PII where possible – If PII can’t be traced back to the identity of the individual, anonymization can help reduce some of the risks to the business.
- Implement access control systems – follow the principle of least privilege and restrict access as soon as it is no longer needed. This includes removing access when employees leave or change roles.
- Enforce strong and unique passwords for each account – Don’t allow shared logins between employees.
- Implement two-factor authentication – Security tokens, authentication apps and even SMS authentication can make it much more difficult for hackers to break into accounts.
- Set up logging systems that monitor access and send alerts – This can help you keep track of who accesses what data and when enabling you to put a stop to any suspicious activity.
- Configure your firewall – Set it up to restrict outside threats.
- Run a respected antivirus solution – This will help you scan for threats.
- Always update your software as soon as possible – New versions of software often include security patches that address prior vulnerabilities. If you don’t install the latest updates, hackers can take advantage of these to penetrate into your systems.
- Train your employees about security threats – Make sure they are aware of the latest phishing attacks and other forms of social engineering, as well as how devastating these attacks can be.
- Issue company laptops and smartphones where necessary – These are easier to control than employee-owned devices. Make sure that the data is encrypted and that the devices have lock screens.
- Address any physical security issues – Make sure that access to company servers and computers is restricted, so that threat actors can’t tamper with them.
Keeping customer PII secure at a small business
As we’ve already discussed, small businesses face significant challenges when it comes to safeguarding their PII. While it’s difficult and can be seen as burdensome, it’s still critical. The costs of a data breach or regulatory violation can be far more significant than the cost of implementing the necessary precautions.
If your small business lacks security expertise, it’s best to engage a trusted consultant or security provider who can help your organization build up the measures that it needs for its security. Outsourcing can often be one of the most cost-effective ways of keeping a business safe.
The rough plan and individual tips that we have listed above are a good way to get started, and they will certainly add layers to your security that make it harder to attack your business, however they don’t guarantee that you won’t have overlooked a key aspect of your organization’s defense.
While the costs of security may seem excessive, when they are considered against the potential losses, the smart business move is to be proactive and make sure your business is as safe as possible.