Data privacy compliance is more important than ever. Our personal information is spread across the internet, and every other day there is news of another breach and another large fine.
If you are a multi-billion dollar conglomerate like Facebook or Equifax, you may be able to absorb the fine and go about business as usual.
But if you are a startup, failing to comply with data privacy regulations can quite literally mean the death of your company. This post gives a high-level overview of why data privacy compliance should matter to startups. In future posts, we will dive into specific regulations.
What Data Privacy Regulations are Relevant?
This is by no means an exhaustive list – but some of the regulations that could apply to your company include:
- ECPA (Electronic Communications Privacy Act) – establishes criminal sanctions for interception of electronic communication.
- FISMA (Federal Information Security Modernization Act) – assigns responsibilities to various government agencies to ensure the security of data in the federal government.
- GLBA (Gramm-Leach-Bliley Act) – governs the protection of personal financial information in the hands of banks, insurance companies, and other companies in the financial services industry.
- FCRA and FACTA (Fair Credit Reporting Act, and Fair and Accurate Credit Transactions Act) – restrict the use of information bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living to determine eligibility for credit, employment, or insurance.
- TCPA (Telephone Consumer Protection Act) – regulates calls and text messages to mobile phones, and regulates calls to residential phones made for marketing purposes (telemarketers).
- FERPA (Family Educational Rights and Privacy Act) – gives students (or the parents of minor students) the right to inspect their education records and request corrections, and prohibits disclosure of those records or other personal information about students without the student’s or parent’s consent.
- HIPAA (Health Insurance Portability and Accountability Act) – for covered entities in the healthcare space and the business associates that handle data on their behalf, specifically to protect what is defined as protected health information (PHI).
- GDPR (European Union General Data Protection Regulation) – for all organizations that handle personal data of individuals in the European Union; it turns on where the data subject is, not on citizenship.
- CCPA (California Consumer Privacy Act) – for organizations above certain thresholds (annual revenue, number of consumers whose data you process, or share of revenue from selling personal information) that handle personal information of California residents. Signed into law in 2018 and effective January 1, 2020.
- Future state-specific regulations currently working their way through state legislatures in Nevada, New York, Washington, and Texas.
While there are quite a few regulations listed above, GDPR, CCPA, and the coming state-specific laws will touch most startups that collect any personal data, and HIPAA applies as soon as you create, receive, or store PHI for a healthcare customer.
What can happen?
You can be fined per violation, which, depending on the regulation, may be counted per affected record, by the US federal agency that oversees the applicable regulation (for HIPAA, the Office for Civil Rights at HHS), by state attorneys general, and by the national data protection authorities of the EU member states that enforce GDPR.
Some examples of statutory fines for data breaches and violations:
- HIPAA: Ranging from $100 to $50,000 per violation (or per affected record) depending on the level of culpability, with an annual cap of $1.5 million for violations of an identical provision. The dollar figures are adjusted for inflation each year.
- GDPR: Up to €20 million, or 4% of worldwide annual turnover for the prior financial year, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements).
- CCPA: Civil penalties of up to $7,500 per intentional violation and up to $2,500 per other violation, plus a private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident.
As you can see, a violation is not cheap, and a single breach can potentially bankrupt your startup.
What do we need to do?
Each regulation varies. If you made it to this page, you have already done some research and found that there are tons of resources online. Ideally, you hire legal counsel or a consultant, or buy software to help you through it.
While this is by no means an exhaustive list, here are some steps you can start with:
- Map your Data – know what personal data you collect, where it comes from, which systems and database fields it lands in, who can access it, and how long you keep it. Every regulation above starts with this inventory.
- Secure your Databases – encrypt data at rest and in transit, and harden the host the database runs on.
- Secure your Application – build in authentication, app-level access controls, and audit logging so you can show who accessed which records and when.
- Back up your Data – multi-region backups of your database should be standard. Backups hold the same personal data as the primary, so encrypt and access-control them the same way.
- Have a Disaster Recovery Plan – what happens if your servers go down? Do you have a tested plan to restore, or have you lost everything?
- Implement Host and App-level Intrusion Detection – so you notice a breach while it is happening rather than months later, which also matters for the breach-notification deadlines these regulations impose.
- Implement Application Vulnerability Scanning – detect and mitigate vulnerabilities in your applications.
- Protect your Credentials, Tokens, and Secrets – manage your passwords, API keys, and other secrets in a secrets manager rather than in source code or config files.
- Have a comprehensive Policy and Procedures Manual documenting how you handle data security.
- Audit your Vendors and Third Parties – if a vendor you work with has a breach, it may affect your customers as well. Make sure their security practices hold up, and that your contracts require them to notify you of a breach.
Let us Help
This is a very high-level overview of data privacy compliance for startups, and there are many more caveats to making sure you are doing what you’re supposed to be doing.
Managing Attorney Shahed Kader helped hundreds of companies understand data privacy regulations in his previous roles. Kader Law offers a Data Privacy Compliance package that can help you hit the ground running.
This post is not legal advice, and does not establish any attorney-client privilege between Law Office of K.S. Kader, PLLC and you, the reader.