Tackling Digital Policies One Step at a Time
Running a small business can be a lot like parenting kids with ages ranging from toddler to teenager — with a couple of dogs and cats thrown in for good measure. You’re always multitasking, there’s never time to give anything your full attention, and some things linger at the bottom of the to-do list until they become emergencies. But just as it’s better to handle a cold before it turns into pneumonia, there are some aspects of running a small business that are much easier — and much less expensive — to address before they turn into emergencies.
The problem is that there’s a big difference between realizing that and actually doing something about it. Awareness doesn’t magically lead to additional funds and more free time. Sometimes, though, you just have to shove your “urgent” issues aside so that you can take care of the “important” issues.
One of those important issues is your digital integrity. If you have an online presence, you have online risk, and it extends well beyond publishing a blog post with an embarrassing spelling error. Lapses in digital integrity can spell the end of the road for a business: one widely cited estimate holds that over 60% of small businesses that suffer a data breach close their doors within six months.
In other words: This is something you need to move to the top of your list. Today.
From the high level…
From a high-level perspective, your digital integrity needs to be part and parcel of your overall business strategy. That means making some tough decisions about things like how much customer data you really need to collect to accomplish your business goals — as well as how long you need to keep that data. And a lot of that needs to be hammered out in-house, although it can be helpful to involve a digital security expert to make sure you’re asking all the right questions and haven’t forgotten something important.
…To the details
But then there’s the legal and regulatory side, with all of its nitty-gritty details. As cyber threats become more widespread, governments are responding with laws designed to limit the risks. Unfortunately, those laws vary from state to state and, if you operate internationally, from country to country. That’s too much for any small business to keep up with on its own. Outside legal counsel is helpful. Another option is to engage a digital policy expert (often less expensive than a lawyer) who can help you identify the areas where legal advice is most relevant; sort of like a home designer who gives you an array of suggestions and lets you choose the ones that best fit your needs and budget.
Here are some of the issues where expert policy advice or legal counsel can help you manage:
Website and app accessibility
Most businesses today are well aware of the need to comply with the Americans with Disabilities Act of 1990 when it comes to physical spaces; stores and offices must be wheelchair-accessible, for instance. But many don’t realize that the ADA has also been applied to digital spaces, with courts and regulators taking the position that web sites, apps, and similar properties must be accessible to people with disabilities. H&R Block found that out the hard way when it was sued by parties claiming that the company’s digital properties limited access for people with vision, hearing, or physical disabilities. Legal counsel can help you determine whether your digital properties meet ADA requirements and, if not, what steps you need to take to fix them.
Protection of customers’ personally identifiable information
Businesses have an obligation to protect customers’ personal information, especially payment data. The PCI Security Standards Council, founded by the major card brands, maintains the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements covering every aspect of how businesses store, process, and transmit cardholder data. Suffering a data breach is never fun, but if it is determined that you failed to provide adequate protection, the price tag can be overwhelming. In the Target data breach of 2013, for example, network credentials stolen from a third-party HVAC vendor were used to get into Target’s network and, from there, reach the point-of-sale systems, which should have been segmented from systems held to lower security standards. In other words, the vendor held those credentials legitimately, but they should never have provided a path to the systems that stored and processed payment information.
The breach carried a heavy price tag. On top of far-reaching negative publicity, right in the middle of the holiday shopping season, Target ended up paying almost $40 million in settlements and almost $20 million more in legal fees.
Even if you have top-notch IT talent that is well equipped to handle your data security, being secure and being legally compliant are not the same thing: a well-defended system can still fall short on the documentation, record-keeping, and breach-notification deadlines that the law requires. That’s why it’s so important to get legal advice, even if you’re confident in your data security protocols.
Data transfer and storage protections
If you are a small business that operates only in the U.S., consider yourself lucky. For everyone else, it is important to note that some countries require their citizens’ personal data to be stored on servers within national borders, regardless of where the company is headquartered. In November 2016, LinkedIn was blocked in Russia for failing to comply with that country’s data localization law. Other countries, including China, have similar laws. It is almost impossible for small businesses, especially those operating internationally, to keep up with all of these requirements without legal advice.
We’re also seeing an increasing number of countries pass laws governing the collection and use of their citizens’ personal data. The EU, for example, requires businesses to obtain user consent before setting most types of cookies. More recently, the EU adopted the General Data Protection Regulation (GDPR), which applies from 25 May 2018; it not only governs how personal data must be protected but also restricts transfers of that data to countries outside the EU that lack adequate protections. The U.S. has taken a more piecemeal approach, with sector-specific federal laws rather than a single comprehensive statute, and many states add their own unique requirements.
Other areas of concern
The extent of legislation regarding digital integrity is seemingly endless. Other basic considerations include things like:
- Children’s online protection
- Shareholder notification
- Language and content localization
- Anti-spam laws, including those for email marketing
- Appropriate and prohibited content
- Digital rights management
- Domain names, email addresses, and social media accounts
- Online advertising and promotion
- Social media (personal and corporate)
Small businesses that operate entirely within the U.S. have it a bit easier, although there are still the various state requirements to juggle. And since ignorance of the law is not a defense (you have still broken the law even if you didn’t know you were doing it), getting digital policy and legal advice on your online integrity has never been more important.
Have questions or need a hand developing your digital integrity roadmap? Get in touch to discuss practical solutions for small businesses operating in the digital arena.