Data privacy should be a concern for all organizations — especially small to midsized businesses. As trusted advisors, MSPs are well-positioned to help their customers practice good data privacy hygiene.
Often, SMBs aren’t aware of just how much customer data they have on hand. That’s according to Theresa Payton, CEO of cybersecurity services firm Fortalice Solutions. Some of that information includes website visits, payment details, and even birthday information that is used for loyalty programs.
“This data isn’t just personally identifiable information; it’s a detailed pattern of life that if mishandled could lead to fraud,” Payton said. She urged MSPs to think about what the consequences could be — for their SMB clients and their customers — if this data is stolen.
ChannelPro spoke with Payton and Rebecca Herold, a longtime privacy expert and CEO and co-founder of consulting firm Privacy & Security Brainiacs. Together, they compiled a list of data privacy best practices for MSPs. Read on for more.
1. Be Conscious of Your Digital Inventory
This means taking stock of all the computing products that the company uses, including:
- Employees’ personal phones
- Laptops
- IoT (internet of things) devices — whether they reside in the office or at home
Employees working from home may have smart devices that are constantly listening and recording, such as security cameras, Herold noted. If these devices pick up information that’s being relayed during a videoconference, for example, data privacy is compromised.
“If you have employees using their own personal devices, chances are those are vulnerable points,” Herold said.
2. Don’t Keep Data You Don’t Need
Many companies hold onto data that is no longer relevant. Herold recalled one organization that retained decades' worth of job applications on its network, including sensitive information such as drug test results. If that network is breached, the attacker obtains all of it, and the company may face legal trouble.
Data retention requirements vary by industry. For example, healthcare organizations must comply with HIPAA (the Health Insurance Portability and Accountability Act), which requires them to keep certain records for a specified period, Herold explained. Companies that process debit card transactions may need to destroy that information shortly after the transaction goes through.
These rules are industry dependent, but they also depend on the state in which the data "owner" (the customer, not the SMB) is based. This is why SMBs need to know which laws apply to their specific situation.
“The rule of thumb is: Never keep data any longer than necessary for the purpose for which it was collected,” Herold suggested. This applies to backup media as well, she added. “Oftentimes, people have backups with dust all over them on weird types of media stored somewhere. That’s a big privacy breach waiting to happen.”
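The rule above, retention tied to the purpose for which data was collected and applied to backup copies as well, can be turned into a repeatable sweep. The following is an added example, not code from the article or from either firm quoted in it; the retention windows, purpose names, record fields and sample records are all assumptions constructed for illustration and are not legal guidance. The one design choice worth noting: a record whose purpose has no policy is reported for review rather than silently kept, since "we didn't have a rule for it" is exactly how decades-old job applications end up on a network.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention policy (assumed values for illustration only):
# maximum days to keep a record, keyed by the PURPOSE it was collected for,
# not by the system it happens to live on.
RETENTION_DAYS = {
    "job_application": 365,     # assumed: one year after collection
    "card_transaction": 90,     # assumed: short window after the transaction clears
    "loyalty_program": 730,     # assumed: two years of member activity
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_on: date
    location: str  # e.g. "file_server", "crm", "backup_tape" - backups get no exemption


def review_retention(records, policy=RETENTION_DAYS, today=None):
    """Apply the purpose-based policy to every record, wherever it is stored.

    Returns (to_delete, needs_review):
      to_delete    - ids older than the retention window for their purpose
      needs_review - ids whose purpose has no policy entry; these are flagged
                     instead of being kept by default
    """
    today = today or date.today()
    to_delete, needs_review = [], []
    for r in records:
        days = policy.get(r.purpose)
        if days is None:
            needs_review.append(r.record_id)
            continue
        if today - r.collected_on > timedelta(days=days):
            to_delete.append(r.record_id)
    return to_delete, needs_review


# Constructed sample inventory (not real data). Note the old application and
# the card transaction sitting on backup media: the policy treats them the
# same as live copies.
SAMPLE_RECORDS = [
    Record("app-1990-001", "job_application", date(1990, 3, 15), "file_server"),
    Record("app-2024-017", "job_application", date(2024, 4, 2), "file_server"),
    Record("txn-0442", "card_transaction", date(2023, 12, 20), "backup_tape"),
    Record("loy-88", "loyalty_program", date(2023, 1, 10), "crm"),
    Record("misc-7", "drug_test_result", date(2001, 5, 1), "backup_tape"),
]


def run_sample():
    # Fixed "today" so the result is reproducible.
    return review_retention(SAMPLE_RECORDS, today=date(2024, 6, 1))


if __name__ == "__main__":
    to_delete, needs_review = run_sample()
    print("delete:", to_delete)
    print("review:", needs_review)
```

Run as-is and the 1990 application and the card transaction on tape are due for deletion, the 2024 application and the loyalty record are kept, and the drug test result with no matching purpose is raised for review. In practice the record list would come from whatever inventory the MSP maintains for the client, and deletion should be a separate, logged step rather than something this function performs.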
3. Data Privacy for MSPs: Use GenAI Cautiously
AI tools such as chatbots and ChatGPT expose SMBs to new risks — especially if they’re set up incorrectly, Payton said. Without meaning to, employees may compromise or expose sensitive data to the public.
“Always ensure you understand and configure your AI tools correctly, and choose vendors who prioritize robust security practices,” Payton advised.
4. Don’t Use Cookie-cutter Privacy Statements
It’s tempting for an SMB to use a generic privacy statement on a company website. However, Herold cautioned against this. Even if it’s a cookie-cutter statement, this is a legally binding document. There is a significant chance that the SMB isn’t fulfilling everything the statement promises.
“SMBs have to make sure that what is being said there is accurate,” Herold insisted. AI-generated privacy statements are making the problem worse, she said, because they tend to be overly optimistic.
For example, an AI-generated statement may promise that personally identifiable information (PII) is encrypted everywhere it is stored, while an employee's personal laptop holds a copy unencrypted. “[Companies] are opening themselves to complaints from their clients that find out about it and submit a complaint, or after a breach occurs,” Herold said.
5. Privacy Laws Apply to SMBs, Too
One of the biggest issues with privacy compliance is that SMBs believe they are too small for the laws to apply to them. This, Herold stressed, is a myth.
“You’re never too small,” she said. Drawing from her experience working with organizations that must comply with HIPAA guidelines, Herold emphasized that regulatory authorities have penalized even the smallest companies for noncompliance. “A one-person business is still responsible for [complying].”
How MSPs Can Empower SMBs to Protect Privacy
Safeguarding data privacy is a critical business responsibility, even for SMBs.
As trusted advisors, MSPs have a unique opportunity to guide their clients to better privacy practices. MSPs can help their clients avoid breaches, legal trouble, and reputational harm. Ultimately, empowering SMBs to prioritize privacy strengthens not only their resilience but also the trusted relationships MSPs strive to build.