Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesLogical SecurityCybersecurity News

Applying FIPPs to startup B2B organizations

By Keavy Murphy
data-privacy-freepik-1170x658.jpg
December 21, 2022

 

Startup owners and small business leaders often only associate Fair Information Practice Principles (FIPPs) with government organizations, international trade or federal agencies. However, these guidelines provide a straightforward data privacy baseline for small companies operating under a business-to-business (B2B) model. Though this framework was initially developed on a foundation of sectoral laws, actionable strategies have developed out of the five FIPPs documented by the US Federal Trade Commission (FTC), that can be applied with ease to startup companies. Enforcing FIPPs best practices such as consent collection, transparency and security within B2B organizations provides a robust framework for ensuring that personal data, a customer’s most critical asset, is protected.

FIPPs are not legal frameworks or meant to be a stranglehold put in place by a government agency - they are recommendations for data protection. These best practices were enacted in the 1990s by the FTC to guide privacy as a function in electronic and online marketplaces. The principles for privacy are: 

1 - Notice

2 - Consent 

3 - Access

4 - Security

5 - Enforcement 

The primary value of the five FIPPs components? They’re simple. A startup, scale up or small B2B organization can put these practices into action, with little lift. They do not require the hiring of a team of privacy consultants, nor the purchase of expensive and unwieldy cybersecurity tools. 

 

Notice

Making a customer aware of the information you collect on them can be covered with ease in your online privacy policy. It is a data privacy best practice to explicitly disclose the information you have access to regarding a customer or business partner and to provide specifics on how that information will be used. 

Disclosing this detail is not an onerous task: a small organization, aligned with the regulatory frameworks they are held to (including but not limited to GDPR, CPRA, etc.), can write this into their website’s privacy policy. 

 

Consent

Obtaining consent from your customers to use, process or store their data is considered table stakes for any business that collects external information from business partners. Regardless of whether your small business is held to a regulatory framework or an international privacy law, it is expected that B2Bs will obtain consent for data access from the businesses that purchase their products or utilize their services. 

Fortunately, as consent gathering is now a standard practice for businesses collecting data, it is easier than ever to obtain a “yes to processing my information” check from customers. Two popular and seamless methods are the use of Opt In/Opt Out collection features and the use of contract language.

Opt In and Opt Out checkboxes are available as a standard feature on most website building platforms and content management systems. Enabling them on the homepage of your small business is often done via a website building template, with the click of a button. A second method is to include consent collection provisions within the contract between you and your B2B customer. This path can be done by leveraging your legal counsel to include specific terms relative to data collection and consent for processing within the master services agreement.

 

Access

Data privacy is paramount in 2022, as the focus for B2B companies has shifted to be less on security and more on the protection of data collected from customers. As such, allowing a customer to have access to the data you have on them or to be informed on what those specific data sets are, is now a business fundamental. Regardless of the type of data your small business gathers, a bedrock of information processing is allowing data access for those purchasing your product. 

Like the previous principles mentioned, explicit disclosure of the data you are collecting, as well as granting free access to it for your B2B customers can be a stress-free process, permitting your startup has defined standard operating procedures (SOPs) in place. 

Written standard operating procedures for how to respond to data access requests from your customers will provide the framework for what information can be disclosed and how the data sets can be sent electronically to customers. These simple SOPs should be written in clear language, free of privacy engineering jargon and incorporated into your organizations information security policy. SOPs detailing the steps to manage access requests from your business partners ensures that simple, repeatable procedures for disclosure and transmission of information are followed in each case. Making sure that your processes are followed exactly as written in the policy each time an access request is sent by a customer is a data privacy best practice.

 

Security

The fourth principle calls for guaranteeing that the data gathered by your startup is maintained with integrity and stored in a secure manner. This is perhaps the most difficult principle to follow due to the shifting risk landscape and the ever present threat of security vulnerabilities and breaches. 

However, security best practices to protect customer data oftentimes do not require the purchase of unwieldy security tools or platforms. This principle, though laborious, does not have to translate to “costly”.

Enabling encryption on the customer data you store in the cloud, enforcing multi-factor authentication for your employees that may touch that data and conducting quarterly access reviews on customer data, are three simple, but effective security controls that can be put in place by any company, no matter how small. 

 

Enforcement 

Enforcement of the above principles is technically out of the hands of a startup and scaleup organizations, as it is handled by the FTC. Keep in mind these are considered recommendations by the agency, though they are what federal and state laws are often built upon.

FIPPs enforcement is an effective measure to ensure that your small business employees are following the above fair practice principles. Referencing that an agency exists to uphold these principles and monitor that they are operating effectively, even in small companies, means that there is backing to these data privacy best practices. It guarantees that they are not empty promises for the customers you serve. 

An enforcement arm does not have to be interpreted as a terrifying, overarching agency to be feared by your small company. Instead, it can be viewed as a function that ensures your business is following the privacy best practices that customers expect as the cost of entry.

Oftentimes, small companies, start ups or scale up businesses can see data privacy as an onerous project that seems too big to tackle when the organization is still young or green. Businesses that are willing to disregard privacy practices and controls will lose out on customers who see data protection as a minimum offering. Fortunately the five FIPPs offer a simple framework for data privacy control implementation that can be done by a business, even if they are new, small or consider themselves in the startup arena.

All that is required to start building your data privacy foundation on these principles is transparency with your customers, simple security control implementation on your website, and consent collection via a written form or checkbox. No longer will data protection be an impediment for your small business, when FIPPs guide your B2B’s path. 

KEYWORDS: cyber security data privacy risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Murphy headshot

Keavy Murphy is a Boston-based security professional currently serving as the Vice President of Security at Net Health. Passionate about cybersecurity, especially for new and emerging companies, she prioritizes using soft skills to manage compliance and risk management effectively in parallel with business objectives.

Previously, she served in information security roles at Starburst Data, Cambridge Mobile Telematics, Alegeus and State Street.

She enjoys writing about and researching the benefits of effective communication within the security space. Her work has been published in reputable outlets, including Dark Reading and Info Security Magazine. In addition to her current role in the EHR software industry, she is an active volunteer with Boston Cares, has served in the ISACA Engage Mentor program, and holds both CIPP and CIPM certifications.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Security Leadership and Management
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Education & Training
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Broken wet floor sign

Why Response Time Is Becoming the Missing Metric in Workplace Safety and Security

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Cyber Tactics

AIBOMs: Bringing AI Security Out of the Shadows, A Practical Guide for Security Professionals

Medical professional

Nearly 85% of Nurses Experienced Workplace Violence in the Last Year

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • cyber alert

    False positives: Mitigating concerns from cybersecurity-minded users

    See More
  • cyber security network

    Best practices in applying MITRE ATT&CK to your organizational security

    See More
  • Red rotary phone

    A CISO’s Guide to Robocall Mitigation: Applying MITRE ATT&CK to Voice-Based Threats

    See More

Related Products

See More Products
  • Optimizing Social Media from a B2B Perspective

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • into to sec.jpg

    Introduction to Security, 10th Edition

See More Products

Events

View AllSubmit An Event
  • June 10, 2026

    Applying Agentic AI in Security Operations for Faster Decisions & Better Outcomes

    ON DEMAND: Security teams have never had more visibility. We’ll explore how a new decision layer is helping security teams move from detection to decision. Turn alerts into decision-ready context, reducing reliance on manual triage and enabling faster action.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing