
Your Bismarck Small Business Probably Handles More Regulated Data Than You Realize

Offer Valid: 03/12/2026 - 03/12/2028

Data governance is the framework of policies, roles, and processes that determines how your business collects, stores, uses, and shares information. In Bismarck's mix of healthcare providers, financial services firms, energy companies, and government contractors, the odds are high that your business already touches data subject to federal or state rules — whether you know it or not.

The global average breach cost hit a record $4.88 million in 2024, with 40% of breaches involving data spread across multiple environments — a costly governance gap that made those incidents the hardest to detect and contain. Small businesses won't absorb a breach at that scale. But they face the same underlying vulnerability.

What Data Governance Actually Means

Data governance isn't a technology project — it's a business policy decision. It defines who can access which data, how long records are retained, who can share information externally, and what happens when something goes wrong.

A tax preparer in south Bismarck deciding who gets access to client returns is doing data governance. A healthcare clinic establishing retention schedules for patient files is doing data governance. The question isn't whether you have data practices — you do. The question is whether they're deliberate.

"We're Too Small for Governance Frameworks"

If your business is modest in size, tools like the NIST Cybersecurity Framework probably feel designed for corporate IT departments. That intuition makes sense. It's also wrong.

According to Snowflake's head of core data platform, small businesses face the same risks as large enterprises when data is mismanaged — the same security vulnerabilities, the same competitive exposure. NIST's Cybersecurity Framework 2.0 reinforces this: it added a dedicated 'Govern' function and published a quick-start guide for small businesses with little or no existing cybersecurity or data governance plans in place.

The practical shift: start with one written policy — even a single page — rather than waiting until governance feels manageable at your size. It never will if you keep waiting.

Bottom line: Governance complexity should match your business size, but the need for governance doesn't shrink with your headcount.

Federal Compliance Is Already Knocking

You might assume that data regulations apply to banks and hospital systems — not a local auto dealership or accounting firm. That assumption is worth testing before a breach tests it for you.

Under the FTC's updated Safeguards Rule, businesses including auto dealers, tax preparers, and collection agencies must report breaches within 30 days of discovering an incident involving 500 or more consumers. And that's just the federal floor: all 50 states, D.C., Puerto Rico, and the U.S. Virgin Islands have enacted breach notification laws requiring businesses to alert affected individuals when personal information is compromised — North Dakota included.

If you hold consumer data — and most businesses do — you likely have existing legal obligations. Governance is how you meet them before someone is asking why you didn't.

In practice: Map what data types your business holds before assuming which rules apply; the categories often surprise people.

Building Your Governance Framework

A governance framework doesn't need to be elaborate to be effective. A survey of data and analytics professionals found that only 19% of enterprises have a fully-implemented strategy, while 35% have no strategy at all — meaning most businesses that recognize the need haven't acted on it yet.

Start here. These five elements give you a working foundation:

  • [ ] Data inventory: Document what data you collect, where it lives, and who is responsible for it

  • [ ] Access controls: Limit data access to employees who need it for their specific role — not everyone on staff

  • [ ] Retention policy: Define how long different record types are kept and when they're deleted

  • [ ] Distribution policy: Specify when and how data can be shared with vendors, contractors, or third parties

  • [ ] Incident response plan: Establish a clear sequence of steps if unauthorized access or a breach occurs

Even a one-page document covering these five areas puts you ahead of most small businesses.

Protecting the Data You Hold on Employees and Customers

Your employees and customers trust you with sensitive information — payroll records, signed agreements, financial files, contact data. Protecting that information is the practical expression of that trust.

Saving sensitive documents as PDFs before sharing them preserves formatting and limits unintended editing. Adobe Acrobat is an online tool that lets you secure a PDF with a password directly in your browser, adding encryption before you send a sensitive document by email or shared drive. When a file contains personally identifiable information, a password restricts opening it to people who have that password, so give the password to the intended recipient through a different channel than the one carrying the file.

Making Governance Stick

Written policies are only as effective as the people following them. Three elements determine whether your framework holds up in practice:

Training: Employees need to understand not just the rules, but why they exist. A billing coordinator who knows that a forwarded email could trigger a state notification requirement will make better daily decisions than one mechanically following a checklist.

Measurable goals: "Improve data security" is unmeasurable. "Review access permissions for all shared folders every quarter" is not. Specific, trackable goals make governance reviewable — and improvable.

Communication: Governance breaks down when employees don't know who to contact when something looks wrong. Designate a point person and make sure everyone knows where to direct concerns, even if that person is you.

Bottom line: A policy that no one has been trained on offers roughly the same protection as no policy at all.

Connect With the Chamber — and Get It Done

The Bismarck Mandan Chamber EDC's 1,200+ member network includes the legal, financial, and IT professionals who can help you put practical governance in place. If you're starting from scratch, a peer conversation with a member who handles compliance or data management is worth more than a week of reading generic frameworks.

Data governance is a business continuity decision. The businesses that address it before a breach — before a regulatory inquiry — are the ones that keep their customers' trust when it matters most.

Frequently Asked Questions

Does North Dakota have its own data breach notification law?

Yes. North Dakota's data breach notification statute requires businesses to notify affected North Dakota residents when a breach of personal information occurs. The law applies regardless of where your business is headquartered, and it operates alongside — not instead of — any applicable federal rules like the FTC Safeguards Rule. Comply with both the state and federal requirements that apply to your data types.

What if I'm a sole proprietor with no employees — do I still need data governance?

Yes, if you hold data on clients, customers, or contractors. The legal obligations around data breach notification and regulatory compliance attach to the data you hold, not to your employee count. A sole-proprietor tax preparer or insurance agent is still covered by the FTC Safeguards Rule if they work with qualifying consumer financial data. The threshold question is what data you handle, not how many people work for you.

What counts as "personal information" under most breach notification laws?

Definitions vary by law, but most statutes cover name combined with a Social Security number, driver's license number, financial account number, or medical information. Email address and password combinations are increasingly included in newer state laws. When in doubt, treat any combination of name plus a sensitive identifier as protected.

How do I know if my current data practices create legal exposure?

Start by identifying every type of data you collect and cross-referencing it against the Safeguards Rule's covered categories and North Dakota's breach notification statute. If you work with financial, medical, or government-adjacent data — common in Bismarck — the exposure is almost certainly there. A single hour with a business attorney familiar with data privacy law is the most efficient way to find out where you stand.

This Deal & Discount is promoted by Bismarck Mandan Chamber EDC.
