Event Recap: What To Do If You’re Hacked & Other Data Privacy Best Practices for Startups

________________
By Vincent DiForte

Last week, Priori Legal’s monthly Meetup, which was co-hosted by Nomad Financial and Founder Shield, focused on the topic: What To Do If You’re Hacked & Other Data Privacy Best Practices for Startups. Priori data privacy lawyer, Maia Spilman, and startup expert, Peter Crysdale, discussed best practices and common missteps around data privacy and security for startups.

In case you missed it, here is a summary of the top ten takeaways from the event so your company can implement proactive measures to protect your customers’ data and your reputation.


10 Key Takeaways on Data Privacy

1. What is a breach?

Many businesses operate under the mistaken assumption that a breach only occurs when you get hacked. In reality, a breach occurs whenever an unauthorized individual gains access to information. While this includes hackers infiltrating your systems, it also happens when a device is misplaced, stolen or lost, when you or your employees accidentally leak data, and any other time information is passed to someone who is not authorized to receive it.

2. Are big corporations the only targets for being hacked?

No, security breaches of startup companies are becoming increasingly commonplace. Notably, two technology startups reported breaches by hackers: Twitch and Slack. This is one potential downside of early traction: hackers looking to monetize the data you’ve collected.

It’s important for startups to adopt best practices to protect and prevent breaches before they occur.

3. Is there a law in the United States that governs data privacy?

In the United States, there is no single privacy law, but rather a patchwork of federal and state laws. Two types of information are specifically regulated: health information and financial information. The Health Insurance Portability and Accountability Act creates a duty for health services providers to protect health information, and likewise the Gramm-Leach-Bliley Act creates a duty for banks to protect financial information.

But health and financial information are not the only two types of information that can create liability in the event of a breach. The Federal Trade Commission requires companies to maintain best practices to protect consumers from fraud, identity theft, deception and unfair business practices. In addition to these federal regulations, states have also enacted varying laws governing privacy issues. As a result, it’s important to consult a lawyer to help you navigate the fragmented state and federal regulations that may apply to your company.


4. What if my business collects data from individuals in other countries?

Unlike the United States, which views big data as a commodity, the European Union treats private information as a human right that belongs to the individual. As a result, European Union law recognizes the “right to be forgotten,” which means that an individual may request that a company delete the personal information it has collected about them.

In the United States, only California recognizes this right, and only for individuals who, upon turning 18, may have information from previous years eliminated. If your business entails having users from other countries, you’ll likely want to speak with a lawyer about including a disclaimer under which these users affirmatively agree to have their information processed and secured under the laws of your jurisdiction.

5. Are there any steps or best practices your company can take to protect it from a breach?

Despite having limited resources, startups can take advantage of some relatively inexpensive practices to protect your company and customer information. One of the most important steps your company can take is implementing a Privacy Policy that details how your company collects, uses and stores personally identifiable information. You’ve likely seen, and ignored, a Privacy Policy on a website or app that you visit on a regular basis. Privacy Policies, however, combat one of the largest issues with collection of private information: the lack of consent or knowledge of the data subject.

Although there is no federal requirement (California does have a state requirement), a Privacy Policy not only creates legal protection for your company, but also creates transparency and security for your users. Moreover, adopting a Privacy Policy early gives your company an opportunity to think about what information is necessary for the functionality of your product or service, how it will be stored and who will have access to it. By establishing these best practices for your business, you can eliminate undue risk.


6. Can you copy a similar business’s Privacy Policy to save money?

No! Inaccuracies in your Privacy Policy can cause even more problems and expense than not having a policy at all. Borrowing language creates a strong likelihood that your policy describes practices that are not actually being used by your company. A Privacy Policy only provides protection if it accurately reflects the practices of your business. Therefore, it’s important not only to consult a lawyer to tailor a Privacy Policy to your business’s practices, but also to ensure that you and your employees stick to those practices. Privacy Policy rule of thumb: “Say what you do, and do what you say.”

7. Why should you care about having an accurate Privacy Policy?

If you are not following the policies you broadcast to the public, you can run into serious problems, such as FTC action against you for “deception.” Because technology changes rapidly, your Privacy Policy may require updating or revision. In this case, you should clearly inform users of when and what the changes are, unless it is a “material change,” which may require you to seek permission.

8. How do you know if you are breached?

If you aren’t a savvy technology company, it may be difficult to know when you have been breached. In fact, on average it takes a company over 200 days to know that there has been a breach. To shorten that gap, you should establish practices for employees to immediately report any lost or misplaced devices or documents.

9. What should you do if you are breached?

If you are breached and haven’t established best practices or bought cybersecurity insurance, it may be too late to avoid serious liability. Nonetheless, it is important to consult a lawyer to ensure you don’t make a bad matter worse by failing to properly notify the affected individuals, governmental authorities and, in some cases, even media outlets. The notification rules regarding a privacy breach vary dramatically by state: 47 states have different rules on when, who, what and how you must notify.

10. Can a director be held liable for a data breach?

It is possible for the director, owner or manager of a business to be held personally liable for data breaches, depending on their behavior. For example, if there was intentional malfeasance or fraud with regard to the collection and storing of information, a complicit individual can be held personally liable. Although this may often not be the case, a large data breach can harm not only a company’s reputation but also those in charge. Both Target’s CEO and CIO were fired after the company was hacked.

If you need help with drafting, editing, or updating your Privacy Policy, you can request an experienced data privacy lawyer through Priori Legal’s trusted attorney network!

Read more on data privacy best practices: Protecting Private Data: 5 Best Practices For Your Company

Be on the lookout for next month’s Meetup event on our Facebook!
