With lots on their mind, startup owners tend to back-burner decisions that do not help the bottom line. More often than not that includes deciding how privacy and data security should be managed. Françoise Gilbert, a partner with the law firm Greenberg Traurig, LLP suggests that is a bad idea, “A single error can undermine the trust of investors and customers, attract unwanted regulatory attention or litigation, and ultimately, derail a startup’s success.”
“Most startups cannot survive on their own without the help of third-party investments or contracts,” continues Gilbert. “If they want to succeed and meet these third parties’ requirements, they have to implement from the start and continue to use, the appropriate privacy and security safeguards that are adapted to their specific business model.”
And Gilbert ought to know, in 30 years, she has seen plenty of mistakes; she outlines in her law firm’s Emerging Technology Views blog what to avoid. So, startup owners, to steer clear of additional angst, here’s Gilbert’s list of what not to do.
1: Assuming privacy or security is just for the geeks
Investors worried about their stake in companies are speaking their minds. Gilbert explains, “There is a rising number of shareholder derivative actions for breach of fiduciary duty stemming from failure to supervise the company’s activities related to privacy and security, such as lack of compliance or failure to meet commonly used practices.”
2: Ignoring relevant rules and laws
Startups may not be up to speed on applicable laws and regulations. Gilbert says startups, in that category, may be in for a shock when conducting business with large, established clients. “The startup will be expected to have in place the same levels of protection, awareness, or maturity as its larger client,” writes Gilbert. “If it cannot meet the client’s standards regarding the protection of personal information, the startup will not be able to sign a contract.”
3: Thinking you are flying under the radar
Experience has taught Gilbert that size and/or newness of a company is irrelevant when it comes to legal issues. “Litigants and judges are focused more on the effect the mistake, abuse, security incident, or legal violation may have on the public at large,” suggests Gilbert. “If they determine the effect is significant, the fact it was caused by a five-person company is likely to be irrelevant.”
4: Ignoring the benefits from policies
There are reasons why companies have policies and processes related to privacy and data security. You should define who is allowed to access what information needs to be addressed, or misuse of sensitive information will occur. Gilbert adds that policies more often than not increase efficiency rather than slow a company down.
SEE: Guidelines for building security policies (Tech Pro Research)
5: Believing you are not responsible
It is common for startups to assume that responsibility for sensitive information residing elsewhere will move to the party who controls it. “The entity that the customer knows — not the service provider — will be sued or investigated if data is illegally processed or inadequately protected,” mentions Gilbert.
6: Assuming that more is better
Simply put, the more data a company controls, the more vulnerable it is to legal violations and the likelihood of having a security breach. Gilbert explains, “Collecting a massive amount of data causes a significant security risk. The larger the volume of data, the higher the probability that it will be stolen.”
Copying privacy and security policies from the internet or borrowing language from other similar businesses is a false economy according to Gilbert. “From a legal standpoint, this may end up constituting misrepresentation, which can be prosecuted by a state Attorney General or the Federal Trade Commission, and in some states by competitors for unfair or deceptive practices,” explains Gilbert.
8: Making representations that they don’t understand
It’s not just consumers who do not read privacy statements; Gilbert contends that new business owners tend to miss the fine print of their policies as well, which could lead to false representations or making promises that they cannot keep.
9: Misunderstanding the effect of anonymization
In the security world, this is a hot item, right now. Skilled data scientists, when using existing software application and equipment can de-anonymize files and link them to the right individual. Business owners may be subject to privacy and data security regulations even though personal and sensitive data is thought to be anonymous.
In today’s digital world, all companies have sensitive, regulation-controlled information, even fledgling startups, to whom Gilbert offers one last piece of advice:
“When developing a new company, a new product or a new offering, too many startups focus on the ‘cool technology’ or the ‘cool idea’ they think will impress investors and bring in lucrative contracts, but pay too little attention — or perhaps no attention — to other critical elements such as privacy and security. Whereas investors and mature organizations understand these risks and do their best to manage them.”