5. Communicating Your Data Security Program to Your Customers
  1. Information to share.
    • Obtain a third-party seal that verifies your small business uses an appropriate level of security to protect your website or your Internet transactions. This can be a visual tool to communicate to customers that you have qualified for a level of certification — which is something some customers may look for.
    • Make sure that whatever information you communicate to your customers about how you protect their data is accurate and is up-to-date. For example, if you tell consumers that you keep their information on computers that you own, and then you contract with another company to provide off-site computer storage space, make sure that you reflect your new practices in your public policies.
    • Tell customers what you will do in the event that you discover that their information has been lost or stolen. For more detail, see Chapter 7 – What to Do If Customer Data Is Lost or Stolen.
  2. Information NOT to share.
    • DO NOT share detailed information about your security systems. Remember, criminals see what your customers see, and they can use public information about your security systems to evade them (e.g., the encryption software you use, or where you store documents).
    • DO NOT tell customers that there is no risk of identity theft, or that their information is “100% safe.” No matter how hard you try to protect customer information, there is always a chance that someone may obtain and misuse it.
    • DO NOT guarantee or promise that customers’ information can never be lost or stolen unless you tell customers what you will do if that promise is broken.

Only 10% of US small businesses have a formal Internet security policy.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.