Last week, Priori Legal’s monthly Meetup, which was co-hosted by Nomad Financial and Founder Shield, focused on the topic: What To Do If You’re Hacked & Other Data Privacy Best Practices for Startups. Priori data privacy lawyer, Maia Spilman, and startup expert, Peter Crysdale, discussed best practices and common missteps around data privacy and security for startups.
In case you missed it, here is a summary of the top ten takeaways from the event so your company can implement proactive measures to protect your customers’ data and your reputation.
10 Key Takeaways on Data Privacy
1. What is a breach?
Many businesses operate under the mistaken assumption that a breach only occurs when you get hacked. In reality, a breach occurs whenever an unauthorized individual gains access to information. This includes hackers infiltrating your systems, but it also happens when a device is misplaced, stolen or lost, when you or your employees accidentally leak data, and any other time information is passed to someone who is not authorized to have it.
2. Are big corporations the only targets for being hacked?
No, security breaches of startup companies are becoming increasingly commonplace. Notably, two technology startups, Twitch and Slack, have reported breaches by hackers. This is one potential downside of early traction: hackers looking to monetize the data you’ve collected.
It’s important for startups to adopt best practices that prevent breaches, and protect their data, before a breach occurs.
3. Is there a law in the United States that governs data privacy?
In the United States, there is no single privacy law, but rather a patchwork of federal and state laws. Two types of information are specifically regulated at the federal level: health information and financial information. The Health Insurance Portability and Accountability Act creates a duty for health services providers to protect health information, and likewise the Gramm-Leach-Bliley Act creates a duty for financial institutions to protect financial information.
But health and financial information are not the only two types of information that can create liability in the event of a breach. The Federal Trade Commission requires companies to maintain reasonable practices that protect consumers from fraud, identity theft, deception and unfair business practices. In addition to these federal regulations, states have also enacted varying laws governing privacy issues. As a result, it’s important to consult a lawyer to help you navigate the fragmented state and federal regulations that may apply to your company.
4. What if my business collects data from individuals in other countries?
Unlike the United States, which views big data as a commodity, the European Union treats private information as a human right that belongs to the individual. As a result, European Union law recognizes the “right to be forgotten,” which means that an individual may request that a company delete the personal information it has collected about them.
In the United States, only California recognizes a comparable right, and only for minors, who may ask a site to remove content they themselves posted before turning 18. If your business has users in other countries, you’ll likely want to speak with a lawyer about including a disclaimer under which those users affirmatively agree to have their information processed and secured under the laws of your jurisdiction.
5. Are there any steps or best practices your company can take to protect it from a breach?
8. How do you know if you are breached?
If you aren’t a technology-savvy company, it may be difficult to know when you have been breached. In fact, on average it takes a company over 200 days to discover that a breach has occurred. To shorten that gap, you should establish practices that require employees to immediately report any lost or misplaced devices or documents.
9. What should you do if you are breached?
If you are breached and haven’t established best practices or bought cybersecurity insurance, it may be too late to avoid serious liability. Nonetheless, it is important to consult a lawyer to ensure you don’t make a bad matter worse by failing to properly notify the affected individuals, governmental authorities and, in some cases, even media outlets. The notification rules for a privacy breach vary dramatically by state: 47 states have their own rules on when, whom, what and how you must notify.
10. Can a director be held liable for a data breach?
It is possible for the director, owner or manager of a business to be held personally liable for a data breach, depending on their behavior. For example, if there was intentional malfeasance or fraud in the collection and storage of information, a complicit individual can be held personally liable. Even where personal liability does not attach, a large data breach can harm not only a company’s reputation but also the careers of those in charge: both Target’s CEO and its CIO left the company in the months after its breach.
Read more on data privacy best practices: Protecting Private Data: 5 Best Practices For Your Company
Be on the lookout for next month’s Meetup event on our Facebook!