WHAT STARTUPS NEED TO KNOW ABOUT SECURITY & DIGITAL PRIVACY LAWS

Most small business owners wrongly assume that their businesses are not a target for a data breach.

Most small business owners are wrong.

While hacks at major corporations like Adobe, Marriott International, and Equifax get all the media attention, more than 63% of small and medium-sized businesses experienced data breaches in 2019, and nearly 74% of those hacks involved external threat actors.

Small businesses don’t have the multi-million dollar assets of big enterprise companies, so why do they experience the majority of cyberattacks?

It’s because only 14% of them are adequately prepared for an attack. It is also because they are connected to large companies as a vendor and provide an easier way into those larger companies.

Small business owners are typically acting as CFO, CMO, and COO in addition to CEO. Setting up data privacy programs doesn’t obviously make money the way managing and selling the product does, so data security typically takes a back burner to other business needs.

This is especially true at a startup, where processes are still being developed and resources are stretched incredibly thin.

But when a data breach costs businesses of all sizes an average of $200,000 (even before fines from the enforcement of privacy laws), and when 60% of SMBs go out of business within six months of a data breach, putting it on the back burner might just burn your house down.

 

Privacy law requires data privacy protection

Not protecting your data isn’t just financially risky. It’s also legally risky.

After the European Union (EU) gave consumers unprecedented control over how their sensitive personal information is collected and used online with the passing of its General Data Protection Regulation (GDPR) in 2016, other governments quickly followed suit.

The California Consumer Privacy Act (CCPA) is the first comprehensive data privacy bill in the United States. Companies that operate in or collect personal data from residents of California and has global revenue of over $25M, collect data from more than 50,000 people, households, or devices, or earn more than 50% of revenue from the sale of data, are required under CCPA to:

  • Clearly explain to consumers what data is being collected, why it is being collected, and what is being done with that data
  • Notify users if their data is being shared or sold with third parties
  • Give consumers the ability to correct their collected information if it is inaccurate, to delete their information from the database, and to stop their data from being shared or sold
  • Let users limit how and how often they are contacted by a business

CCPA compliance is also important for businesses that don’t meet this threshold, as their customers might not do business with them if they don’t comply. This is particularly important for B2B companies, where CCPA compliance is often required to make a sale. In other words, failure to secure data can jeopardize sales, while establishing data security can generate a competitive advantage.

The CCPA also creates a framework for sanctioning and fining companies that do not take reasonable security measures to protect consumer data should a data breach occur, and limited private right of action also means that individual customers may be entitled to damages after such a breach.

The CCPA was the first comprehensive data privacy law in the US, but it’s not the last. California has already passed the CCPA’s successor (Consumer Privacy Rights Act, or CPRA), which ups the ante by including criminal and civil liabilities if a consumer’s sensitive personal information (name, email, or password) is exposed in a data breach.

Virginia, New York, and Massachusetts also require security programs, and in 2020, 30 states had bills being studied by a task force, in committee, or in legislative chambers. Initial privacy laws like the CCPA have thresholds that exempt small businesses, but current trends indicate that may not continue.

When you combine the legislative landscape with an increased consumer expectation of privacy rights, it’s clearly in your best interest to be proactive about privacy.

 

Your privacy roadmap

When you have a startup, you have plenty of maps: product maps, go-to-market maps, marketing maps, and maps for your maps. You should also have a privacy map. Here are the major landmarks you need to plot around.

Build it in

Establishing a data privacy program may be complicated, but it is exponentially easier and more affordable to do it at the beginning of an infrastructure build than it is to try and retroactively cram it into an existing system.

This is where startups have a tremendous advantage. There are affordable, scalable privacy solutions you can implement right now to help you comply with current regulations and industry best practices while making sure your system quickly responds to future laws.

To be sure of compliance, it’s also a good idea to consult a lawyer. A business and cybersecurity attorney can make sure that your contracts put you in a strong position and also help you develop and practice your incident response procedures.

You can also hire a fractional privacy officer, a privacy expert who can give you top-notch advice at a fraction of the price.

Know what you’re working with

You can’t protect your data if you don’t know what or where it is. It can be highly beneficial to do a data mapping exercise where you follow a data record on its entire journey through your system.

Doing this will show you if you are collecting data you don’t need, if people who shouldn’t have access permissions do, where you’re at risk for a breach, and if the vendors with whom you share data engage in risky practices.

As we’ve mentioned, it’s much easier to do this with small amounts of data and build a scalable program than it is to go back and try to unite disparate systems that started as “temporary fixes” and ended up as the status quo.

Knowing how you interact with your data will give you the keys you need to build an effective, efficient privacy program that works for your company’s unique needs.

You also need to know which laws apply to your business, especially since there may be more than one (a fractional privacy officer is a great resource for this step too).

 

Set yourself up for success

After you know what privacy laws apply to you and how you interact with your customers’ information, there are some simple steps you can take today to dramatically increase the safety of your data.

  • Institute a least privilege model

A least privilege model means employees have access only to the minimum amount of data they need to complete a task. Using this principle reduces the risk of intentional and unintentional human error exposing your data. 

  • Password policies

Requiring your employees to have strong passwords that are regularly changed goes a long way in preventing external bad actors from accessing your system through low-level employees.

It’s also worthwhile to consider instituting two-factor authentication for employee log-in processes. This extra layer of security may be annoying, but it’s one of the most cost-effective ways to keep hackers out of your databases.

  • Device and network policies

Make sure everyone in your organization understands that work devices shouldn’t be used for personal business and vice versa. Having all the security in the world won’t help if a hacker gains access to an employee’s device after an Amazon shopping spree.

It’s also important to enforce a strict policy against the use of company devices on vulnerable public Wi-Fi networks.

  • Encrypt sensitive information

Payment details and personally identifiable data are much safer when encrypted.

  • Stay current on your software patches and upgrades

Patches exist solely because of identified vulnerabilities in a software platform. In today’s digital world, there is no excuse for a data breach resulting from outdated software.

  • Plan to succeed, but plan to fail too

Even companies with great privacy programs can be hacked. Having a detailed breach response plan that clearly delegates responsibilities across your teams to quickly contain damage and notify customers is critical to maintaining goodwill and avoiding debilitating sanctions.

  • Train your employees, and do it more than once

Think about how often you talk about customer service or productivity. You need to be talking about privacy just as much.

 

It only takes one employee clicking on a bad link in a phishing email to take your whole network down. Privacy training can be a full-day training or five minutes in a staff meeting, but it needs to be happening all the time to be effective.

Sell it!

A privacy program may not be as sexy as launching a new product, but it’s one of the few operational necessities that can get you major bonus points with consumers. Because data privacy is still an emerging business practice, early adopters who do it right can (and should) sell their privacy programs as a value-added service from a consumer-focused company.

Currency of digital trust

Digital trust, or the amount of trust a consumer places in a company or website to protect their identity, is the most valuable commodity of the future digital economy. Startups that build great privacy programs can start off building digital trust from day one, giving them a vault full of banked goodwill.

 

About the authors: 

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy, helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance.  Jodi as a Certified Informational Privacy Professional and serves as the outsourced privacy office for companies.    Justin Daniels is a Shareholder with Baker Donelson providing corporate advice to growth-oriented and middle market domestic and international technology businesses. He is passionate about cybersecurity and considers it a strategic business enterprise risk.