Between breaches and privacy gaffes at global mega-corporations, more people are on edge about protecting digital data. Consumers want to be able to control what companies collect and store, and many businesses want to be able to recoup costs for online services they’re expected to provide free of charge. So far, smaller businesses in the US have been excluded from this excitement. But that exception may be ending sooner rather than later.

Coming soon to a city near you

The General Data Protection Regulation (GDPR) in the European Union has already impacted many larger, international businesses based in the US. The California Consumer Privacy Act (CCPA) will impact many businesses that were too small or local to be affected by GDPR. But the CCPA exempts businesses below a US$25 million revenue threshold; many of these organizations may choose to kick the can down the road rather than to implement security standards such as those laid out in the NIST Cybersecurity Framework.

This may currently seem like a reasonable and cost-effective way of doing business, as many people erroneously consider smaller businesses a less tempting target for criminals. Smaller businesses are, in fact, squarely in the crosshairs of criminals, and are often less able to weather the financial costs associated with a breach. And it may not be long before smaller businesses are legally compelled to comply with security and privacy standards, just like bigger businesses.

Legislation has been proposed in the New York State Senate that goes much further in its proposed protections for consumer privacy. Like the CCPA, the New York Consumer Privacy Act would allow people to find out what information companies are collecting about them, see how they’re sharing that data, request corrections or deletions, or opt out of having their data shared with other organizations. Unlike the CCPA, this privacy legislation would apply to businesses of any size.

It still remains to be seen whether this will become law in New York as currently written. Whether or not the New York legislation specifically impacts your business, this wave of privacy legislation is only just beginning. It’s likely that privacy legislation will soon be coming to your locale. It could be at the city or state level, or it could even become a federal law of the land.

Smaller businesses cannot afford to ignore how they gather, store and protect data. They may soon be called upon to adhere to the same standards as larger organizations. And smaller business may have less access to funding that would allow them to move quickly should they need to rush to address privacy and security issues.

In order to prevent costly compliance issues later, smaller businesses should start preparing now.

Start with risk assessment and security training

To protect your business adequately, it’s important to know what you have to protect. Knowing what assets you have – in terms of both data and devices – will help keep your expenses lower. As a smaller business, you have an advantage in that assessing risks to your organization will likely be a much less complex process than for a larger business.

If you’re not sure where to start, you may wish to check out the NIST Small Business Cybersecurity Corner. If you feel you don’t have the bandwidth or expertise to handle the recommended actions, there are a growing number of security service providers out there that you can hire to help you manage this process.

Even if you don’t have the experience to implement security controls, it’s still important for everyone in your organization to be well versed in good cyber-hygiene practices. It’s the responsibility of everyone in the company to protect your data and devices. This is especially important if your business isn’t large enough to have a full-fledged security department, or if any of the data in your care has been made available to you by your customers. And finally, the good news is that to help bring the people in your company up to speed, training is available that’s both high quality and free or inexpensive.