Cybersecurity and Privacy Primer for Businesses and Startups

Internet LawStartup and Business Law
Written By Matt Chambers
sab security blog.jpg

Cybersecurity may sound like an IT issue but businesses are finding out this is a major issue for top management. Large corporations, small businesses, and even startups maintain a range of sensitive data, ranging from personally identifiable information to confidential financial and client information. Computers produce a lot of information on clients. Look at Yahoo's 2017 breach which impacted 3 billion accounts. If you are curious if your email address has been part of a breach, plug it into the safe breach checker (no password or credit card required) Have I Been Pwned. It will tell you when and where account information using that email address has been stolen and sold. If you use the same password for every account then a hacker could gain access to everything.

We collect data on clients and potential clients in a lot of ways CEOs may not even think of. For instance, you may have a breach when the website plugin you use to add a new newsletter subscriber is hacked. The user data gets stored on the cloud by the app developer. One hack can release names, email addresses, phone numbers, birth dates, and countless additional information to the dark web and it was not even your website that was hacked. Does your cloud computing provider have proper data protections? Does your credit card processing company use encryption?

There are a lot of potential soft spots in any company. Businesses need to ensure compliance and coverage over privacy and cybersecurity issues.

What laws protect information privacy?

Every few weeks the news reports on another information breach with millions at greater risk of having their identity stolen. Obviously there are some important federal laws protecting Americans across the nation, right?

Wrong.

Privacy is covered by a patchwork of contract law and regulations that may or not apply, like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLB Act or GLBA), and the EU General Data Protection Regulation (GDPR). The FTC has some powers over privacy practices as seen on one of Facebook's more recent breaches.

I remember Fred H. Cate, Indiana University law professor and Center for Applied Cybersecurity Research senior fellow sounding the alarm on privacy and cybersecurity issues in his Information Privacy seminar back in 2012. Professor Cate was ahead of his time and is still a national resource on information privacy. Asked about consumer protections, he told the Los Angeles Times to not expect new legislation any time soon.

“I think it is very unlikely we will see meaningful federal privacy legislation this year, despite all of the talk about it and the clearly demonstrated need for such legislation. For the past decade, we have started almost every year saying that this would be the year we would finally see privacy legislation. So far those predictions have been wrong.”

Preventative measures

Privacy breaches can be more than some malicious hacker stealing financial information. Even stolen laptops, lost thumb drives, mishandled paper records, or an employee or vendor can divulge private information. We previously focused on noncompetition and trade secret issues former employees can cause businesses but the same rules apply to privacy. Limiting physical and remote access to potentially private information is the first step in preventing a breach. The use of encryption, firewalls, and other security measures can stop the more advanced hackers. Simple things like keeping website software and plugins up to date are important as they may include important security updates.

Written Information Security Programs

Businesses need what's referred to as a Written Information Security Program (WISP) developed to limit data security risks. WISPs are required in Massachusetts, the financial industry, or under an FTC Act, but should be in place even when not required. There is simply no way to prevent all and every breach but basic guidelines can limit high tech and low tech risks and prepare for a breach. The WISP is based on a risk assessment of company data. A proper WISP will limit both physical and digital access to client information ranging from locked file cabinets to firewalls and everything in between. Similar to trade secrets, employees, vendors, and third parties must follow certain protocols with customer information. Marketing and SEO vendors can come in contact with client information and can be a prime target for hacks if they do not follow basic security protocols. Additionally, a WISP must include a plan for what to do in a breach.

Privacy Policies

Businesses typically first encounter a privacy policy because their website template may include a section for terms of service and a privacy policy. We have discussed privacy policy failures before but generally these must be highly tailored to the business and the type of data it collects. It is much more involved than simply downloading an online template. The policy needs to outline what and how information is collected, how the data will be protected, how it may be sent to third parties, describe the use, provide opt-out methods, include age restrictions, and provide a privacy contact for the business.

Does this feel like overkill? The problem is even a small website can track a lot of information. Services like DropBox, MailChimp, and even Google Analytics are very useful but these are third-party companies may receive private information. Even cookies intended to improve website usability collect and save personal information.

There was a breach -- what next?

Breaches do not have to be a serious as the Sony hack which exposed embarrassing, salacious, and damaging emails and business information. Sometimes a hacker makes off with something unimportant like a database of customer questions from a website. Almost all states, including North Carolina, require notification of a breach of publicly identifiable information. If you wondered why you might receive a breach email from a travel site you used once to look up hotel prices and you never included financial information, it's because of this requirement.

Businesses need an incident response plan. This plan will outline how to notify those of a breach, how to preserve evidence of a breach, and who is responsible in these situations. Preserving evidence is important if the business is sued or investigated over the breach. Some states require information the Attorney General or others of a breach so multi-state companies need a competent incident response plan to ensure compliance.

Getting into compliance

Businesses must get ahead of privacy issues to both limit chances of a breach and to limit liability. What typically followed each breach mentioned above was a class action lawsuit costing millions in damages and attorneys fees. A qualified privacy attorney can assist with developing privacy policies to protect both the business and their clients.

Contact our attorneys to learn more about your options. Spengler Agans Bradley offers a flat-rate legal checkup for startups and business needing a broad, overall legal review of their business and business practices, including privacy issues.

To contact us, or to sign up for our newsletter, please visit our Contact page or reach out to the relevant attorney directly through their bio page. In addition, you can find primary contacts for each practice area by visiting our Areas of Practice page.

Matt Chambers
Previous

Fraud and the Fyre Festival Part 1: A Legal Analysis of the World's Worst Music Festival
Next

Protecting Intellectual Property in Software and Apps