Small firms are probably aware that there are laws regulating the handling of data, but they probably assume that these apply only to larger firms and that they are too small to have any data that is worthwhile or protected under state/provincial or federal laws. Think again. Data protection laws generally worry about the content of your data, not the volume of it. That is, you don’t need to have “tons” (not the technical term) of data to be to regulated by data privacy laws. If you maintain personally identifiable information (PII) you may be regulated by these laws which may include penalties and fines for non-conformance. PII means you store a person’s first name/initial, last name and then link it to another piece of personal information, such as, but not including:
Social Security Number
Driver’s license, or state ID
Some financial account number, e.g. credit/debit card, checking account, etc.
Health insurance ID
You are very likely required to observe regulations regarding protection of that data, and reporting of data breaches.
This isn’t an issue for the faint of heart. Contact a managed service provider with expertise in your specific industry or field of business to make sure you are in compliance. Failure to maintain compliance can lead to some very expensive fines and penalties.