Handling Customer Data Safely in SMB Apps

Your Shopify store and Mailchimp account have customer data right now. Here's how to not lose it.

Last updated: March 20, 2026

Your customer list is in Mailchimp. Your payment processor has credit card numbers. Your email tool has contact histories. Your CRM has notes your sales team took during calls.

Every one of those tools is a target. Every one of them is your responsibility.

Most data breaches don't come from sophisticated hackers—they come from misconfigured databases, weak passwords, and employees clicking on phishing links. These are solvable problems.

What this solves (in real business terms)

Customer data protection is about:

  • Not losing data you need to run your business
  • Not being liable when data is exposed
  • Not losing customer trust (which is worth more than any fine)
  • Not being the story that makes the local news

What can go wrong

The SFMTA breach. San Francisco's transit agency paid $150,000 to ransomware criminals after an employee's credentials were compromised via a phishing email. The credentials were sold on the dark web within hours.

The dental office scenario. A two-person dental practice in Texas got phished. Attackers accessed their patient management software and stole 10,000 patient records including insurance information and SSNs. The practice paid $50,000 in notification costs, credit monitoring for patients, and HIPAA fines. They also lost their EHR certification and had to switch systems mid-pandemic.

Your vendor's breach is your problem. The GoDaddy breach in 2021 exposed 1.2 million customer email addresses. Those customers then received phishing emails that appeared to come from their service providers. Attribution became nearly impossible, and many victims didn't know where the original leak occurred.

CCPA non-compliance costs. If you have a California customer whose data was exposed due to your negligence, they can sue for $100–$750 per incident. A breach affecting 1,000 California residents = $100,000 minimum, not counting the cost of notifying them.

What it costs (honest ranges)

| What | What you'll pay |
|------|----------------|
| Password manager (1Password, Bitwarden) | $5–$10/user/month |
| Multi-factor authentication (most SaaS: free) | $0 |
| Email security / phishing training (KnowBe4) | $5–$10/user/month |
| Security audit of your SaaS tools | $1,500–$5,000 |
| Cloud backup with versioning | $500–$2,000/year |
| Incident response retainer | $2,000–$10,000/year |

Minimum viable implementation

  1. Turn on multi-factor authentication everywhere. Every SaaS tool. Every user account. This alone prevents 99% of credential-based attacks. Use an authenticator app rather than SMS wherever you can.

  2. Use unique passwords everywhere. Get a password manager (Bitwarden has a free tier). The password for your email should not be the same as your Shopify admin.

  3. Audit who has access. Quarterly: who's in your Mailchimp? Your CRM? Your Google Workspace? Remove people who left 6 months ago. Remove integrations you stopped using.

  4. Encrypt sensitive data at rest. Most enterprise SaaS tools (Shopify, Stripe, QuickBooks Online) do this automatically. If you're storing customer data in a spreadsheet, encrypt it with a tool like Boxcryptor or just move it to a platform that handles it.

  5. Back up your data. Cloud platforms have backups, but do you? Export your customer list monthly and store it somewhere separate. Test a restore once a year.

  6. Train your team. Send a fake phishing email to your staff quarterly. KnowBe4 has free training resources. One successful phishing attack can bypass everything else you've done.
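
One way to run the quarterly access review from step 3 together with the MFA check from step 1, as an added example that is not part of the original article. The CSV column names, the staff roster, the sample rows, and the 180-day idle threshold are all assumptions; map your own tools' user exports onto these columns.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are hypothetical, not a vendor format.
ROSTER = {"ana@example.com", "ben@example.com"}  # people who work here today
EXPORT_CSV = """tool,email,role,mfa_enabled,last_login
Mailchimp,ana@example.com,owner,yes,2026-03-01
Mailchimp,carl@example.com,admin,no,2025-08-14
CRM,ben@example.com,user,no,2026-03-10
CRM,old-zap@integrations.example.com,integration,n/a,2025-06-02
Google Workspace,ana@example.com,admin,yes,2026-03-18
Google Workspace,dana@example.com,user,yes,
"""


def audit_access(export_text, roster, today, stale_days=180):
    """Return (tool, email, reasons) for every account that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        is_integration = row["role"].strip().lower() == "integration"
        reasons = []
        # Human accounts must belong to current staff and have MFA on.
        if not is_integration:
            if email not in roster:
                reasons.append("not on current staff roster")
            if row["mfa_enabled"].strip().lower() != "yes":
                reasons.append("MFA off")
        # People and integrations alike: flag anything idle or never used.
        last_login = row["last_login"].strip()
        if not last_login:
            reasons.append("never logged in")
        else:
            idle = (today - date.fromisoformat(last_login)).days
            if idle > stale_days:
                reasons.append(f"no login for {idle} days")
        if reasons:
            findings.append((row["tool"], email, reasons))
    return findings


if __name__ == "__main__":
    for tool, email, reasons in audit_access(EXPORT_CSV, ROSTER, date(2026, 3, 20)):
        print(f"{tool:17} {email:35} {'; '.join(reasons)}")
```

Every flagged row is a prompt for a decision (remove, keep, or turn on MFA), not an automatic deletion.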

Vendor questions (copy/paste)

When evaluating a new SaaS tool that will handle customer data:

  1. "Where is our data stored, and what jurisdiction does that fall under?"

  2. "Do you support SSO (single sign-on)? What authentication standards?"

  3. "What's your breach notification process? How quickly will we know if our data is involved?"

  4. "Do you have a SOC 2 report or third-party security audit we can review?"

  5. "What happens to our data if you have a security incident or your company fails?"

  6. "Can you provide a list of your sub-processors who will have access to our data?"

When to hire help

Hire a security consultant if:

  • You store payment card data directly (PCI DSS compliance requires specific expertise)
  • You process health information (HIPAA requires a security risk analysis by a qualified professional)
  • You've had a breach or suspicious activity
  • You're handling data for government contracts (FAR compliance requirements)
  • You have more than 20 employees and no dedicated IT staff

For most Gulf Coast SMBs: start with MFA everywhere, unique passwords, and quarterly phishing tests. That's 80% of the benefit for 10% of the cost.
