Russell Mickler

The Role of Employee Training in Preventing PII Breaches

Your employees handle PII daily—are they protecting it? Learn how employee training can prevent costly data breaches and strengthen your security.

You’re a small business.

You handle Personally Identifiable Information (PII) all the time.

You can invest in the best firewalls, encryption tools, and cybersecurity software, but if your employees don’t know how to safeguard PII correctly, your business is still at risk.

In fact, human error is one of the leading causes of data breaches. That’s why employee training isn’t just an IT concern — it’s a business survival strategy.

Why Employee Training Matters

Your employees interact with PII daily: customer names, addresses, payment details, account numbers. If they don’t know how to protect this information, cybercriminals can exploit their mistakes. Phishing emails, weak passwords, misplaced documents, and accidental data sharing are all common pitfalls.

What Should PII Training Cover?

  1. Recognizing Phishing Attacks. Employees should be able to spot suspicious emails, links, and attachments designed to steal sensitive data.

  2. Strong Password Practices. Require passphrases, multi-factor authentication (MFA), and a vetted password manager to reduce the risk of credential theft and reuse.

  3. Handling Data Securely. Teach employees where and how to store, access, and dispose of PII. Locking down USB drives, shredding documents, and using secure cloud storage are key.

  4. Social Engineering Awareness. Scammers often impersonate coworkers, IT support, or even customers to gain access to PII. Employees should verify requests before sharing data.

  5. Incident Reporting. If a breach happens, immediate action is critical. Employees must know who to report to and how to contain the damage.

Behavioral Training: The Human Firewall for Protecting PII

Technical controls alone can’t keep Personally Identifiable Information (PII) safe. Your employees and their behaviors are the first line of defense against breaches. That’s why behavioral training is just as important as security tools. Small mistakes, like clicking a phishing link or writing down passwords, can expose sensitive data. Teaching employees to think before they act is key to protecting customer and business information.

Key Behavioral Training Areas

  1. Phishing and Social Engineering Awareness. Employees need to recognize suspicious emails, fake login pages, and fraudulent phone calls. They should be trained to verify requests, never click unknown links, and report anything suspicious.

  2. Secure Password Habits. Weak passwords are an open invitation to hackers. Employees should be required to use passphrases instead of simple passwords, enable multi-factor authentication (MFA), and avoid writing down or sharing login credentials.

  3. The Principle of Least Privilege. Employees should only access the data necessary for their role. Training should emphasize that curiosity isn’t an excuse for looking at sensitive data, and that accessing unauthorized information can have serious consequences. Management should craft job descriptions that put least privilege into practice: each role should see only the information that role needs to do its work.

  4. Safe Data Handling. Employees must understand the risks of leaving documents unattended, storing PII on personal devices, or discussing sensitive information in public places. Shredding physical documents and locking screens when away from a workstation should become second nature.

  5. Incident Response and Reporting. Employees should not fear repercussions for reporting a security mistake. Encouraging quick reporting of lost devices, phishing attempts, or suspicious activity can prevent bigger breaches. Incident response is critical: most states set a deadline for notifying affected consumers of a data breach or loss, and internal reporting delays eat into that window. Further, without reporting, there can be no corrective action to improve the information system.

The Importance of People

Security isn’t just an IT responsibility; it’s about fostering a company-wide culture that values PII and treats it with kid gloves. Behavioral training transforms employees from potential risks into active defenders of your business’s data.

Training isn’t a one-time event. Cyber threats evolve, and your employees need ongoing education to stay ahead. A well-trained team isn’t just your first line of defense. It’s your strongest.

R

Russell Mickler

Understanding Personally Identifiable Information (PII): What It Is and Why It Matters for Your Business

Protecting Personally Identifiable Information (PII) is essential for small businesses. Learn what it is and how to keep your customer data secure.

Small businesses collect customer data every day: names, email addresses, payment details, and maybe even Social Security numbers. But do you really know what qualifies as Personally Identifiable Information (PII) and, more importantly, how to protect it?

PII is any information that can be used to identify an individual. That includes obvious details like full names, home addresses, and phone numbers, but also less obvious data, like IP addresses, biometric data, and login credentials. If your business stores, processes, or transmits PII, you’re responsible for keeping it secure.

So why does this matter? Because cybercriminals want PII. Stolen personal data can be sold on the dark web, used for identity theft, or exploited in phishing scams. And if your business is the source of a breach, that could mean legal trouble, fines, and — worst of all — a loss of consumer trust.

PII Laws Vary by State—What That Means for Your Small Business

When it comes to PII in the United States, there’s no single national standard for how businesses must protect it. Instead, each U.S. state has its own regulations, creating a patchwork of laws that small businesses need to navigate. If you collect, store, or process PII from customers across multiple states, compliance can get tricky.

Why Do PII Laws Vary by State?

Some states take data privacy very seriously (I’m looking at you, California), while others have looser regulations. The reason? Data privacy isn’t just about security, it’s also a political and economic issue. States balance consumer protection with the business community’s needs, which is why some enforce strict mandates while others rely on general consumer protection laws.

For example:

  • California (CCPA/CPRA) has one of the strictest PII regulatory frameworks, requiring businesses to disclose data collection practices and allowing consumers to opt out of data sales.

  • New York (SHIELD Act) mandates "reasonable" security measures, even for businesses outside New York that handle New Yorkers’ data.

  • Texas and Florida have evolving data breach notification laws but fewer proactive consumer rights than California or New York.

  • Other States have minimal PII-specific laws, mainly requiring breach notifications.

What This Means for Your Small Business

  1. Where Your Customers Live Matters. If you do business across state lines, you must comply with the laws of the states where your customers reside. Being aware of their data breach and consumer protection laws is important.

  2. You May Need a Privacy Policy. Most states require businesses to publish how they collect, store, and share consumer data.

  3. Data Breach Reporting is Not Universal. Depending on the state, you might have to report a breach immediately or within a set time frame, and in some states only once a threshold number of affected consumers is reached. Understanding those requirements and thresholds is central to crafting good policy.

  4. Non-Compliance Can Get Expensive. Some laws give consumers the right to sue businesses that mishandle PII, on top of regulatory fines and reputational damage.

How to Stay Ahead

  • Take an Inventory. What PII do you hold? Where is it stored? Who can access it, and how is it maintained? Build awareness with your team about its importance.

  • Know Your Customers. If you serve Californians, comply with the CCPA. If you have New York clients, follow SHIELD Act rules.

  • Implement Strong Security. Even if your state has weak PII laws, data breaches hurt your business. Encrypt data, train employees, and enforce access controls.

  • Stay Updated. PII laws change constantly. Partner with a legal or IT consultant to stay compliant.

While federal data privacy laws might eventually unify regulations, small businesses can’t wait—staying informed and proactive is the best defense. Protecting PII isn’t just about compliance — it’s about maintaining trust with your customers. A single breach can undo years of hard work, so take the right steps to keep your customers’ data safe.

R

Russell Mickler

How Should a Cradlepoint Be Set Up with a Comcast Gateway

Directions on how to set up a Cradlepoint backup against a Comcast Gateway, and how to set it up right.

Comcast resells an Internet connectivity solution offered by Cradlepoint. The Cradlepoint router uses a cellular radio (4G and 5G) to provide a backup route for Internet traffic as a failover.

When it has been unboxed at all, I often find the Cradlepoint installed by the Comcast technician in the following way.

In this scenario, the Cradlepoint receives an Ethernet hand-off from the Comcast Gateway. But that hand-off isn’t a WAN port on the Gateway; it’s a standard local Ethernet (LAN) port. So, at first glance, you might presume that the Comcast Gateway is dual-homed (that it has two WAN ports: one for the coax and one for the Ethernet hand-off to the Cradlepoint) and that there’s load-balancing logic in the Comcast Gateway so that, when the Internet goes down, the WAN path switches to the Cradlepoint.

However, this isn’t true. It’s a regular LAN hand-off; the Comcast Gateway isn’t dual-homed.

Therefore, if the Comcast ISP connection drops, then even though the Cradlepoint is on, connected, and receiving a signal, it’s not offering anything to your network. The Comcast Gateway loses its upstream, and the clients connected behind your Ethernet switch can’t route. I’ve found plenty of folks paying for this service for years and yet it adds no value.

The correct topology looks like this.

The Comcast Gateway hands off one Ethernet cable to the WAN port of the Cradlepoint; your Ethernet switch and/or PCs sit behind the Cradlepoint.

In this configuration, the Cradlepoint is testing for connectivity through its WAN port. If the Comcast Gateway goes down, the Cradlepoint’s failover logic starts routing the LAN’s traffic over the cellular radio instead. All’s good, and the users don’t even notice the difference.

Now, this configuration creates some LAN addressing challenges.

Typically, the network would have obtained addresses from the Comcast Gateway’s local DHCP service, which hands out addresses like 10.1.10.x, and any statics you might have (say, for a multifunction copier) are configured in that address scheme.

Moving the LAN behind the Cradlepoint disrupts those configurations. LAN PCs now get DHCP leases from the Cradlepoint, which hands out a different scheme, like 192.168.165.x. Machines with standard IP stacks and no static settings receive the new DHCP assignment and begin routing; devices configured statically need to be changed to the new scheme.

But what if you wanted to modify the LAN settings on the Cradlepoint, say to set up a new DHCP scope or add static reservations? Sorry: the Cradlepoint can’t be administered by a local administrator nor by Comcast; Comcast tier 1 business support will actually tell you to contact Cradlepoint. So your options in this configuration are limited. Ideally, then, we’d insert a dual-homed router of our own so we can better control the LAN.

In this configuration, we’ve inserted a consumer dual-homed router: it has two WAN ports. WAN 1 is cross-connected by an Ethernet cable to the Comcast Gateway; WAN 2 is cross-connected by an Ethernet cable to the Cradlepoint’s Ethernet port.

Load-balancing logic in the Consumer Router allows us to say, if WAN 1 fails, fail-over to WAN 2. WAN 2 is the Cradlepoint, connected by cellular, and it routes the LAN packets to the Internet across the Cradlepoint.

You’ll notice that I didn’t connect the WAN port of the Cradlepoint to the Comcast Gateway. It’s unnecessary: the load-balancing feature of the consumer router is pinging out through both WAN 1 and WAN 2 to decide when to fail over.

In this configuration, you can control the LAN’s settings (DHCP scopes, reservations, IP schema, or any other typical LAN features you want to implement) from the Consumer Router. The Cradlepoint is just a WAN2 transit point used for fail-over.

Ideally, this is the configuration we’d like to see, where we gain the Cradlepoint’s advantages but are not subject to its administrative limitations. It also keeps your own router as the LAN edge on both paths, so the firewall and NAT rules you configure there apply whether traffic leaves via Comcast or via the Cradlepoint; in the previous topology the Cradlepoint was the edge, and you could neither inspect nor change its rules.
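The failover decision the consumer router makes in this last topology is simple, but the detail that matters is hysteresis: a single lost ping should not flip the LAN onto cellular, and one successful ping should not flip it back. The simulation below is an added illustration and not Cradlepoint, Comcast or router-vendor code; the probe results, thresholds (three consecutive failures to declare a link down, five consecutive successes to trust it again) and link names are constructed for the example.

```python
"""Dual-WAN failover decision logic, modelled in Python.

Added illustration, not vendor code. It mimics what the consumer router in
the last topology does: probe both WAN links, mark a link down only after
several consecutive failed probes, and trust it again only after several
consecutive good ones, so a single dropped ping does not flap traffic onto
the cellular path. Probe results are constructed inline, not sent over a
network, so this runs offline.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class WanLink:
    """Health state of one WAN uplink, driven by periodic probe results."""
    name: str
    fail_threshold: int = 3      # consecutive failed probes before the link is declared down
    recover_threshold: int = 5   # consecutive good probes before a down link is trusted again
    up: bool = True
    consecutive_fails: int = 0
    consecutive_ok: int = 0

    def observe(self, probe_ok: bool) -> bool:
        """Fold one probe result into the link state and return whether it is up."""
        if probe_ok:
            self.consecutive_fails = 0
            self.consecutive_ok += 1
            if not self.up and self.consecutive_ok >= self.recover_threshold:
                self.up = True
        else:
            self.consecutive_ok = 0
            self.consecutive_fails += 1
            if self.up and self.consecutive_fails >= self.fail_threshold:
                self.up = False
        return self.up


class DualWanRouter:
    """Chooses the egress link: primary when healthy, otherwise the backup."""

    def __init__(self, primary: WanLink, backup: WanLink) -> None:
        self.primary = primary
        self.backup = backup
        self.active = primary.name

    def tick(self, primary_ok: bool, backup_ok: bool) -> str:
        """Apply one probe round to both links and return the active link name."""
        self.primary.observe(primary_ok)
        self.backup.observe(backup_ok)
        if self.primary.up:
            self.active = self.primary.name   # fail back as soon as primary is trusted again
        elif self.backup.up:
            self.active = self.backup.name
        # If both are down, keep the current choice; there is nothing better to switch to.
        return self.active


# Constructed probe history: (primary reachable, backup reachable) per round.
# Round 1 is a single blip on the primary; rounds 3-6 are a real outage.
PROBES: List[Tuple[bool, bool]] = [
    (True, True),    # round 0: all good
    (False, True),   # round 1: one lost ping, below threshold, stay on primary
    (True, True),    # round 2
    (False, True),   # round 3: outage begins (1 fail)
    (False, True),   # round 4: 2 fails
    (False, True),   # round 5: 3 fails, primary declared down, switch to backup
    (False, True),   # round 6: still down
    (True, True),    # round 7: primary answering again (1 ok), not yet trusted
    (True, True),    # round 8: 2 ok
    (True, True),    # round 9: 3 ok
    (True, True),    # round 10: 4 ok
    (True, True),    # round 11: 5 ok, primary trusted, fail back
]


def simulate(probes: Sequence[Tuple[bool, bool]],
             primary_name: str = "WAN1 (Comcast)",
             backup_name: str = "WAN2 (Cradlepoint)") -> List[str]:
    """Return the active link chosen after each probe round."""
    router = DualWanRouter(WanLink(primary_name), WanLink(backup_name))
    return [router.tick(p, b) for p, b in probes]


if __name__ == "__main__":
    for rnd, link in enumerate(simulate(PROBES)):
        print(f"round {rnd:2d}: routing via {link}")
```

Running it shows the LAN staying on WAN1 through the single blip in round 1, moving to WAN2 in round 5 once three probes in a row have failed, and returning to WAN1 in round 11 after five clean probes. One practical consequence worth planning for: while failed over, outbound traffic leaves from the carrier’s address space rather than your Comcast public IP, so any remote service that allow-lists that IP will stop working until failback.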

R
