Updated: Jan 27
By John Alec Stouras
Our dependence on the Internet in this day and age is enormous. The pandemic has highlighted how vital data is to everyone in the world, especially small businesses. Monetizing your customer's information is by and all, okay. But, there are a lot of laws to keep your eye on and some best practices to keep in mind as well.
Privacy Laws: A Snapshot
There are so many privacy laws circulating the world that it will get your head spinning in every direction possible. If you are mainly doing business in the US and Europe, there is a small list you should keep in mind: COPPA (Children's Online Privacy Protection Act), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), CCPA (California Consumer Privacy Act), and the GDPR (General Data Protection Regulation, an EU law on data protection). Though I will not go into the nooks and crannies of each of those laws, and the list is by far non-exhaustive, the purpose was to show you how many rules circulate privacy. Stumbling into a privacy issue can happen instantly. To give an example, you could have a server where you allow people to store their credit card information for future purchases. Someone could launch an attack against your site, and now, not only have you lost customers, but they may seek legal action through various routes. To prevent this, here are some best practices you might want to keep in mind.
The Short List of Best Practices:
Password Protection and Creation
I wanted to start with a step that you could implement right now: passwords. It may be a surprise to you, but lots of people use similar passwords all the time, such as "password," "Superman," and "123456.” Click here for a CNN article on common passwords. For any passwords you use for your site or another place where you hold yours or a customer's data, generate a complex password to ensure the privacy of both you and others. The reason for having a strong password is that it is your first line of defense, right next to front-end and back-end systems like firewalls. Making a strong password puts you in the minority of people. SplashData suggests a couple of steps to be safer from hackers: use eight characters or more with mixed characters (always err on the side of more, mix words with numbers and uniquely special characters), and avoid using the same username/password combination for multiple sites. A bonus step would be not to keep your passwords saved on your computer. I know many people use a document or a note page on their computer to keep password lists. However, if your computer is hacked, you've permanently forfeited all of your keys to every website imagined. If you need to store your passwords, use a piece of paper and place it in a secure place in your house.
This section pertains the most to your computer and hard drives, and less so much third-party websites (though you should keep those safe as well), because they will contain all the pertinent, vital, and sensitive information of your whole operation. Your computer is likely the brain of your business, and making sure its secure will take money and diligence. Most business owners are hesitant to invest in cybersecurity strategies that are discussed below because you will not make any revenue out of security, and it mostly just sucks in cash. Nevertheless, though you may not be making revenue, it is vital to your business. Do not make the mistake of not investing anything at all into security, just because it simply doesn’t turn a profit. You need it, and you won’t know you need it till something happens.
If you aggregate consumer data for your business, this topic is for you. Differential privacy more so pertains to if your company engages in the social sciences or is otherwise research-focused. It is a difficult topic to explain because of the math involved. If you'd like to dive deep into differential privacy, Harvard University created a Privacy Tools Project that sets the topic up nicely and creates practice guides for various fields. Click here. Simply, differential privacy's main objective is to make it so if you look at an output, you can't tell what individuals' information was used. The method can complete the objective by adding statistical noise; that's the key to the entire thing. How does it do this? Well, let's use an example.
Selena's website, called Selena's Book, is a website that uses customer data to plot out reviews on cars. The site uses customer's personal information to submit reviews; however, due to privacy concerns, she implements methods of data anonymization such as by changing someone's name like "Keiffer" to something incoherent and unrelated to him like "L72DFE." Data anonymization in privacy isn't enough anymore due to linkage attacks, which are attacks that are done by connecting the dots of multiple data sources. Click here to learn more about linkage attacks. So, to add an extra level of protection, she uses a differential privacy system, that also adds statistical noise to Keiffer's response. It does so by, in layman's terms, taking a picked number of her customer responses, and changing them. Thus, if Keiffer gave a three-star to a red sedan and the algorithm picked this, it would switch the actual result to something random (e.g., five stars). Though it may sound like it's not giving Keiffer's response justice and might introduce too much statistical noise, if done correctly, it shouldn't change the outcome of the customer responses all that much. The random noise introduced by the privacy algorithms keeps all of the participant's data in a safer state as you may have noticed (and if so, very astute statistics observation!), you need generally larger sizes of groups to make the model work well. If the size for the group is too small, it may introduce too much noise and skew results in a more substantial fashion.
Because many laws require businesses that use consumer's privacy to take reasonable steps, differential privacy is a great way of showing that your business is taking leaps to protect its customers.
Sensitive data, whether it's regarding business or consumer, needs excellent encryption. Further, to keep your and your client's privacy, encryption is one of the foundational tools any business needs to complete that objective. In essence, encryption takes data and anonymizes it by making it unreadable unless you have the key to decode. Email services, such as ProtonMail, have encryption embedded in their program. I use Mailvelope to encrypt email communications, and my friends will share our various keys to decode our information. Email encryption is just one type of encryption category; using a third-party encrypting service can help with computer encryption. Computer encryption, such as a disk or file encryption, can help keep all of your business documents safe. Anti-malware services, such as Kaspersky, usually packages encryption with their anti-malware programs so you can take down two birds with one stone. Antivirus software, though assistive, does not keep you fully protected. Not even encryption can, but encryption can be one of your best lines of defense against hackers. PC Magazine has a list of encryption services that they have ranked using a pros and cons list format. For more information, click here.
Sometimes, privacy topics are difficult to discuss because of the complexity that tech topics bring. Luckily, data separation is one of those relatively easy topics to discuss. Some call it more of a privacy design because it is not an extremely technical topic from a bird's eye view. Data separation is the process of keeping certain personalized identification information (the information of consumers), and other data, separate from each other. This not only can help prevent an issue if a breach happens in one area, but it also does not necessarily mean all the information is stolen. Another step is to categorize information and who has control over it. eBay uses a four-category ladder that classifies data into least sensitive to most sensitive. The higher up the ladder, the fewer people have access to it. Click here for more information. Either way, make sure you store data in different places: keeping accounts in one place, credit card information of customers in another, and other personal information in a different one, helps make sure that all of your customer's data do not fall into the wrong hands all at once.
This is a broad topic and not entirely straightforward. You may likely be using a "cloud" service through a business, which is good! However, you need also to be aware that those services still can be breached. They take reasonable measures at keeping their services safe. The extensive cloud services generally have large cybersecurity teams to make sure breaches do not often occur. The best practice here is that if you are using a third-party cloud service, think about what data you are placing on the cloud. The more information on a third-party cloud system, the less ability you have to use your protective measures. Even so, their cybersecurity teams do have a higher capacity to defend your data. These are all points you have to weigh when choosing a cloud-based service. There is a lot of them out there, so take time to evaluate each cloud service's cybersecurity efforts.
Cybersecurity Experts and Lawyers
Sometimes, knowing you need help and are willing to ask for it is a crucial step for your business. There are many experts in the field of cybersecurity and plenty of legal counsel who can also assist you in clarifying privacy regulations as well. Contact local lawyers and cybersecurity experts to help you with all things privacy! Cybersecurity experts, such as Cyber Security Experts, help small businesses through risk assessment issues and help develop security frameworks. One of the primary methods is by running engagements that test the strength of your current cybersecurity system. Call one if you feel the need to give your company an extra push.
There are even cybersecurity lawyers that deal with that specific topic. If you have fallen victim to a cybercrime, you can contact offices such as, The Law Offices of Seth P. Chazin, in the Bay Area, to help you prosecute a computer crime or fraud crime. Make sure you seek representation for any crime that happens. Self-representation in the court system is not easy and can lead to lots of problems, such as losing a lawsuit.
Further, if you ever find yourself not having the answer to something, then always ask a professional, whether that be in legal or in another field. Choosing to take things without assistance can lead to some nasty problems down the line. Never hesitate to ask questions and seek help for your business.
Are you interested in launching or sustaining a pandemic proof small business? Spot issues, take action, stay safe, and thrive in a post Covid-19 world with Legalucy.
Your interaction with Legalucy and mypandemicproofbusiness.com does not create an attorney client relationship. We provide information for your reference only. Such information should not and cannot be construed as legal advice. For more information, please contact firstname.lastname@example.org.