Start-up companies know that, when potential investors kick the tires, they will look carefully at the company's business model and IP portfolio. These days, investors are also likely to look at whether the company is in compliance with privacy and data security laws. Cybersecurity has become increasingly important for business of all sizes. While identity thieves may focus on the target rich environments of large-scale enterprises, any company that stores personal data or sensitive business information is vulnerable. Moreover, even in the absence of a data breach or other adverse event, companies that fail to adequately protect sensitive data can find themselves subject to liability.
For start-up companies, it is important to protect personal data and sensitive information right out of the gate. Putting appropriate systems in place at the outset will be much more cost-effective than having to change everything a couple of years later, and, more importantly, will better protect your company from loss and third-party liabilities.
Every company that collects personal information – including information about its own employees and customers – needs to have a plan for keeping that information secure. Such a plan must have proactive and reactive elements. Proactively, the company must understand what kinds of sensitive information it has and take reasonable precautions to safeguard it. Reactively, the company must have a plan for handling a data breach or other unauthorized disclosure of sensitive information, and must be able to implement that plan extremely quickly; this is not just good business, but a legal requirement in all 50 states.
While we cannot cover all aspects of data security and privacy here, we offer these 10 tips that may be particularly relevant to start-ups.
- Inventory and lock up your sensitive information. Make an inventory of the information that your company has related to individuals, including its employees, contractors, customers, partners, and vendors. Such information includes Social Security numbers, financial account passwords, driver's license numbers, health information, and credit card numbers. In some jurisdictions, any information relating to a living individual who can be identified (such as name plus contact information) could trigger privacy laws and must be treated as sensitive. Sensitive information, whether electronically or on paper, should be secured. Any duplicates or electronic backups must be similarly secured. It is prudent to avoid making more copies than are needed to run the business, making sure to preserve the ability to restore deleted files if needed.
- Limit access on a "need to know" basis. Think about who really needs access to your company's sensitive information, and limit access to those individuals. This sounds obvious, but such formalities are often overlooked in the start-up context. Identifying the specific individuals with access to sensitive data on the written inventory is an important part of building a cybersecurity plan, and will help your company create and follow appropriate protocols.
- Use antivirus programs. Make sure that each electronic device used in your company's business is equipped with antivirus software, and keep that software up to date.
- Update your software. Make sure that your company installs every software update as soon as it is available. It was widely reported that the massive Equifax data breach occurred as a result of Equifax's failure to install a patch to its web-facing Apache software which had been available for two months. Do not let this happen to you!
- Use encryption. When sending highly sensitive information outside the company, use encryption.
- Deal carefully with vendors. If your company uses vendors, consider whether they need to have access to your company's sensitive information. If not, don't provide access. If access is required, limit it to what is really needed. In any event, you need to make sure that the vendor has appropriate safeguards in place. As we noted in a recent blog post, you are known by the company you keep, and a vendor's carelessness may well be attributed to your company.
- Don't forget the paper. When we think of privacy and data security, we usually think of what resides on computers and other electronic devices. But the unauthorized disclosure of paper copies of sensitive information can be just as devastating. Make sure that such papers are locked up, provide keys only to employees with a need to access the information, and dispose of any hard copies by shredding rather than by throwing them away in a trash can or recycling bin.
- Be aware of the reporting laws. In order to prepare a plan of action in the event of a data breach, you need to know what laws apply and what the reporting requirements are. Some jurisdictions have extremely short reporting deadlines, such as 72 hours in the European Union (which can apply to US-based companies if data about Europeans is disclosed).
- Know what country your data is in, so as to avoid inadvertently triggering the laws of other jurisdictions. If your business is based in the United States, and does not utilize sensitive data from people in other countries, it is best to keep your data within the United States. This means that it may not be appropriate to use off-the-shelf cloud services such as Amazon Web Services or Microsoft Azure, at least without taking steps when setting up your account to specify that your company's data must be kept onshore. If your company stores data in the European Union, it may be unable to freely move that data anywhere else, and the legal requirements of the GDPR can be onerous.
- Repeat. Revisit your privacy and data security plan at least once per year, as well as every time the company experiences a significant change such as an acquisition or taking on a new line of business.
Although time and funds are often scarce at the start-up stage, if your company is highly regulated (e.g., health care or financial services), or deals with data from people outside of the United States, getting legal advice early on can prevent costly problems from occurring later. You will also want to contact an attorney immediately if your company experiences a data security incident or an unauthorized disclosure. In such situations, time is of the essence.
To view Foley Hoag's Security, Privacy and The Law Blog please click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.