What is Personal Information and Why is it Important to Your Business?

Chances are, your business collects personal information about customers, employees and/or partners. This means you have an obligation to protect that information. Failure to do so could lead to legal issues or even bankruptcy. Unfortunately, many businesses have found themselves in these situations over the past several years.

Jane Hils Shea, technology and data privacy attorney for Frost Brown Todd said in an email interview with Small Business Trends, “The frequency and extent of data breaches is at an all-time high in terms of both number of breaches and number of individual records compromised, and the expenses associated with data breach response is increasing.”

Here’s what your small business needs to know about personal information and how to protect it.

What Is Personal Information?

Personally identifiable information or sensitive personal data can be anything that is used to identify an individual’s personal identity. For instance:

Social Security Number
Contact Information
Payment Information
IP Address

There’s a good chance that your business collects some of this information about your customers already. Any time someone pays with a credit card or signs up for your email list using their name and contact info, you gain access to personal information.

This means you need to have policies in place to protect this information and let customers know exactly how you intend on using this data. Here’s what you need to know.

Why Is Personal Information Important to Your Small Business?

There are laws and regulations that require businesses to meet certain standards when it comes to storing and protecting personal information. In most cases, you’re bound by the actual language that you use in your own privacy policies. So it’s important that you outline exactly how you plan on using any personal information you collect and have customers agree to that policy when they do business with you. However, there are other standards that apply to specific industries as well.

Shea says, “An online business that collects personal data about persons located in the U.S. is primarily bound by the promises made in its website privacy policy. IF a business is a part of the financial services or healthcare industries, it could be subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) or the Health Information Protection and Portability Act (HIPAA). If it collects data about children under 13 it could be liable under the Children’s Online Privacy and Protection Act (COPPA).”

Payments are another major area where businesses need to focus their security efforts. Shea explains, “Businesses that accept credit cards should be certain they comply with the Payment Card Industry Data Security Standards (PCI-DSS). All businesses that take payment by credit card are required by their card processing agreement to have implemented and to maintain the PCI-DSS.”

Online businesses also need to be aware of international laws or those that focus on personal information from customers outside the U.S., like the GDPR laws that went into effect for the EU earlier this year.

When it comes to protecting personal information, the Fair Credit Reporting Act’s Identity Theft Rules require certain businesses to have written identity theft protection programs. And many vendor service agreements also require businesses to implement industry standard security procedures as part of their contract agreements.

How Can Your Business Protect Personal Information?

There are many steps you can and should take to protect the sensitive data and personally identifiable information you collect about customers, employees, and vendors. Your exact plan will depend on what data you actually collect. But there’s one essential principle that applies to basically every business.

Shea says, “The cardinal rule and the first step for a business to take to protect against data breaches is to “know thy data”. A strong information security program begins with a data inventory and a data map. This exercise tells a business what personal data it collects and processes about its customers and its employees, and identifies where in its system it is located so it can best protect that data. Further, it should understand how the personal data is processed and transmitted, how long it is retained, and what its data destruction obligations are.”

She also offered a handful of concrete steps you can employ. For example:

Delete all data from your system that you don’t use or need to keep for legal or compliance reasons.
Develop a Data Breach Response Plan.
Develop a business resilience plan and back up essential data in a reliable cloud server.
Add encryption for the transmission and storage of sensitive personal information.
Train employees on security awareness.
Require employees to use strong passwords, two-factor authentication and other preventive security practices.
Check with your vendors about their security measures and practices.
Use EMV chip card technology to reduce the risk of card fraud.

Protection StepsDescription

Know Thy DataStart with a data inventory and map to identify what personal data you collect and process. Understand how it’s used, where it’s located, and your data destruction obligations.

Delete Unnecessary DataRemove data from your systems that you no longer use or need, especially if not required for legal or compliance reasons.

Develop a Data Breach Response PlanCreate a plan outlining how your organization will respond to a data breach, assigning responsibilities and communication procedures.

Establish a Business Resilience PlanBack up essential data in a reliable cloud server to ensure data recovery in case of loss or breach.

Implement EncryptionEncrypt sensitive personal information during transmission and storage to protect it from unauthorized access.

Security Awareness TrainingTrain employees on security best practices, including recognizing threats like phishing and practicing strong security habits.

Enforce Strong Passwords and 2FARequire employees to use strong, unique passwords and consider implementing two-factor authentication (2FA) for added security.

Vendor Security AssessmentAssess your vendors’ security measures and practices, ensuring they meet your data protection standards.

EMV Chip Card TechnologyImplement EMV chip card technology for transactions to reduce the risk of card fraud, especially in payment processing.

Cybersecurity Best Practices for Small Businesses

In today’s digital landscape, the importance of cybersecurity cannot be overstated. Small businesses, just like large corporations, are prime targets for cyberattacks. The consequences of a data breach can be devastating, leading to financial losses, reputational damage, and legal troubles. Therefore, it’s crucial for small businesses to implement robust cybersecurity measures to protect their operations and customer data. In this section, we will explore some cybersecurity best practices tailored to the unique needs and constraints of small businesses.

Regularly Update Software and Systems

Outdated software and operating systems are vulnerable to known security flaws that cybercriminals can exploit. Small businesses should establish a routine for updating all software and systems promptly. This includes operating systems, antivirus programs, firewalls, and applications. Consider enabling automatic updates whenever possible to ensure your systems are always equipped with the latest security patches.

Implement Strong Password Policies

Weak passwords are a common entry point for cyberattacks. Encourage your employees to create strong, complex passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. Passwords should be unique for each account and changed regularly. Consider implementing two-factor authentication (2FA) to add an extra layer of security to your accounts.

Educate Your Team on Cybersecurity

Human error is a significant contributor to cybersecurity breaches. Ensure that your employees are well-informed about cybersecurity best practices. Conduct training sessions or workshops to educate them on recognizing phishing attempts, social engineering tactics, and other common threats. Encourage a culture of vigilance and responsible online behavior within your organization.

Secure Your Wi-Fi Network

Your Wi-Fi network is a potential entry point for cybercriminals. Secure it with a strong password, and consider using Wi-Fi encryption protocols like WPA3 for enhanced protection. Regularly update your router’s firmware to patch security vulnerabilities. Create a separate guest network for visitors and customers to prevent them from accessing your internal network.

Backup Your Data Regularly

Data loss can occur due to cyberattacks, hardware failures, or other unforeseen events. Implement regular data backup procedures to ensure that critical business information is safe and recoverable. Store backups in secure, off-site locations or use cloud-based backup solutions. Test your backup and recovery processes to verify their effectiveness.

Install and Maintain Antivirus Software

Antivirus and anti-malware software are essential components of your cybersecurity strategy. Install reputable antivirus software on all devices connected to your network. Keep it updated to detect and mitigate the latest threats. Configure your antivirus software to perform regular scans of your systems.

Establish a Cybersecurity Incident Response Plan

Despite your best efforts, security incidents can still occur. Having a well-defined incident response plan is crucial. Outline the steps your organization should take in the event of a cybersecurity breach. Assign responsibilities to specific team members, and establish clear communication channels. The goal is to minimize damage and downtime while swiftly addressing the issue.

Limit Access to Sensitive Data

Not all employees require access to all data and systems. Implement the principle of least privilege (PoLP) by restricting access to sensitive information only to employees who need it for their roles. Regularly review and update access permissions to align with organizational changes.

Regularly Monitor Network Activity

Continuous monitoring of your network’s activity can help detect anomalies and potential security threats. Consider using intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify and respond to suspicious activities. Monitor access logs and network traffic for signs of unauthorized access or unusual patterns.

Secure Mobile Devices

In today’s mobile-driven world, mobile devices are often used for work-related tasks. Ensure that all mobile devices used for business purposes are equipped with security measures such as remote wipe capabilities and encryption. Educate employees on mobile security best practices and the risks of downloading unverified apps.

Collaborate with Cybersecurity Experts

Cybersecurity is a complex field that requires expertise. Consider partnering with cybersecurity consultants or managed security service providers (MSSPs) to assess your security posture, identify vulnerabilities, and develop a tailored cybersecurity strategy. Their insights and guidance can be invaluable in protecting your business.

Stay Informed About Emerging Threats

Cybersecurity threats evolve continuously. Stay informed about the latest cybersecurity trends, vulnerabilities, and attack techniques. Subscribe to cybersecurity news sources, attend industry conferences, and engage with online communities to gain insights into emerging threats. This knowledge will help you proactively adapt your cybersecurity measures.

Best PracticeDescription

Regularly Update Software and SystemsKeep all software and systems up to date with the latest security patches and enable automatic updates when possible.

Implement Strong Password PoliciesEncourage employees to use strong, unique passwords and consider implementing two-factor authentication (2FA).

Educate Your Team on CybersecurityConduct training sessions to educate employees on recognizing common threats and promote a culture of vigilance.

Secure Your Wi-Fi NetworkUse strong Wi-Fi passwords, encryption protocols, and regularly update router firmware. Create a guest network.

Backup Your Data RegularlyImplement data backup procedures, store backups securely, and regularly test backup and recovery processes.

Install and Maintain Antivirus SoftwareInstall reputable antivirus software on all devices and keep it updated to detect and mitigate threats.

Establish a Cybersecurity Incident Response PlanCreate a plan outlining steps to take in case of a breach, assign responsibilities, and establish communication channels.

Limit Access to Sensitive DataFollow the principle of least privilege (PoLP) to restrict access to sensitive data based on job roles.

Regularly Monitor Network ActivityUse intrusion detection and prevention systems to identify and respond to suspicious network activity.

Secure Mobile DevicesEnsure mobile devices have security measures like remote wipe and encryption, and educate employees on mobile security.

Collaborate with Cybersecurity ExpertsPartner with cybersecurity consultants or MSSPs to assess your security, identify vulnerabilities, and develop a strategy.

Stay Informed About Emerging ThreatsKeep up with the latest cybersecurity trends and threats by subscribing to news sources, attending conferences, etc.


Small businesses may have limited resources, but they are not immune to cybersecurity threats. Implementing robust cybersecurity practices is not only a necessity but also a strategic investment in the long-term success of your business. By prioritizing cybersecurity, staying vigilant, and fostering a culture of security awareness, you can protect your operations, customer data, and reputation. Remember that cybersecurity is an ongoing process, and adapting to new threats is key to maintaining a secure business environment.

Photo via Shutterstock

This article, “What is Personal Information and Why is it Important to Your Business?” was first published on Small Business Trends