As indicated by the audience of the What To Do If You’re Hacked & Other Data Privacy Best Practices for Startups event last week, startups are taking notice of privacy issues and are interested in protecting their businesses. Emerging businesses should recognize that big companies, such as Target and Uber, are not the only ones facing security breaches and data privacy issues.
Read more on the event: Event Recap: What To Do If You’re Hacked & Other Data Privacy Best Practices for Startups
Another key point of awareness is that breaches are not limited to outside hackers getting into a company’s environment. A breach is any unauthorized access to another’s information, and that can happen when an employee leaves and still has access to the network, when a device (whether a phone, laptop or jump drive) is lost, or when an employee’s household member accesses your company network from a shared computer.
Three Steps to Cost-Effective Best Practices for Data Privacy
Despite having limited resources, startups can take advantage of some relatively inexpensive best practices related to data by following these three steps:
1. Understand the Data You Collect
First and foremost, understand what type of data is in your environment (customer data, employee data, your intellectual property) and whether that information requires a certain level of protection. Not all information is created equal, so not every category needs the same level of privacy and security safeguards. The types of personal information that companies want to handle with care include social security numbers, dates of birth, credit card numbers, bank account numbers, and medical and health information.
2. Determine Your Protection Needs
Once you know what type of data you have and have determined what level of protection is required, it is important to have policies and procedures in place that show you have trained and educated your workforce on how the data may be used, shared and accessed. A Bring Your Own Device (“BYOD”) policy is important so employees know what can and cannot be done on the device, what you as the employer are able to see on the device if there is a “containerized” solution, and what will happen if that device is lost or when you and the employee part ways.
3. Do What You Say and Say What You Do
The most common mistake I see early-stage companies make is posting a privacy statement on their website that has nothing to do with their actual internal practices. These are merely copied and pasted from other websites and, in actuality, leave these companies susceptible to a regulator’s wrath. Why? Because these statements say the company does XYZ when in fact the company has no idea what XYZ is and it has no relation to what goes on in the company. The Federal Trade Commission (“FTC”) considers this an unfair and deceptive practice. Therefore, it’s important to do what you say and say what you do.
Why Does Your Business Need a Privacy Statement?
Create a privacy statement that reflects how YOUR company collects, stores, uses, shares and, if appropriate, protects customer/visitor data. There is no federal law requiring privacy statements on websites. The State of California, however, does require that its citizens be advised of certain practices when they visit websites, so it has created a de facto requirement. You can filter out California residents from visiting your website, wait for the California Attorney General’s office to contact you about your failures and remedy them within 30 days, or you can create a statement.
Again, do not say something in that statement that you don’t actually do. If you say you “take visitors’ privacy seriously and use the best level of protection” you’d better be prepared to prove that to the FTC, a federal regulator. Transparency will not only help with the FTC but probably with those who visit your website as well.
What Should You Consider When Creating a Privacy Statement?
Here is a list of questions I ask all companies to answer before I create a Privacy Statement. You may want to consider these when working with an attorney to create your Privacy Statement:
Privacy Statement Questionnaire:
- What is the purpose of the website; e-commerce, informational, marketing, etc.? (If e-commerce, see additional questions below).
- Who is your target audience?
- What do you know about your users/visitors? How do you know that?
- With whom do you share information about your users/visitors?
- Do users/visitors to the site create accounts? If so, what information is collected in order to create and maintain an account?
- Do users/visitors have the ability to post comments, photos/content on the site?
- Do you market to people who come to the site? If so, how?
- What type of cookies do you use?
- Do you accept users’ “Do Not Track” preferences?
- Is the web developer available for a 20-30 minute conversation regarding the site architecture, cookies and analytics information/uses?
E-commerce Websites Additional Questions:
- Who is the third-party credit card processor?
- Have you reviewed the terms of service/agreement to know how the processor stores, transmits & keeps credit card information?
- Do you know if the processor has the right to contact your customers? If so, under what circumstances?
- Does the processor use your customer information for any purposes?
- If the processor is breached & your customers’ information is jeopardized, when does the processor contact you? Does it contact your clients or do you?
- Do you have a copy of the agreement?
Drafting and implementing a Privacy Statement specific to your company is not enough. Once written and posted, it must accurately reflect what you do. Since technology changes rapidly and emerging companies change their business models quickly, your privacy statement may need updating, or at least review, on a regular basis.
If you'd like to work with Maia T. Spilman or a lawyer from our vetted network, submit a free request today!