What do Startups Need To Know About Data Privacy and Security?
Facebook’s philosophy to “move fast and break things” has become a guiding principle for many startups today. However, in the mad rush to market, these startups often neglect to consider the data privacy and security vulnerabilities they create in their network, which can cause their entire organization to collapse.
News coverage and episodes of Mr. Robot give the mistaken impression that cyber attacks such as malware, ransomware, and phishing expeditions, to name a few, only happen to big corporations that collect big data. However, malicious attackers do not discriminate. They go for big or small, established or new. If a company collects data, it is at risk.
Organizations have the responsibility to protect the personal information that they collect. The increase in cyber attacks, coupled with the new mandatory breach notification requirement, will put more organizations under the spotlight. They will be criticized by regulators, media, and class action litigants for their less than adequate data privacy and security policies. Startups that collect or use personal information should therefore be concerned about the fragility of their organization. While large organizations will likely survive the attack, bad press, and sanctions, most startups won’t have the proper resources or brand name recognition to sustain their business. At a time when startups are looking for public support, they cannot afford to lose public confidence in their organization.
With the new mandatory breach notification, it is more important than ever for startups to have data privacy and security at the forefront of every decision they make in designing their service and building their organization. Having robust data privacy and security policies and procedures will demonstrate to potential investors and customers that the organization understands risks and has taken the appropriate steps to mitigate those risks.
Data Privacy and Security: What Startups Need to Know
Startups need to be aware that there are restrictions in the way they can collect, use and disclose personal information.
The Personal Information Protection and Electronic Documents Act (PIPEDA), federal legislation, sets out the ways in which private-sector organizations can collect, use and disclose personal information in the course of a commercial activity. PIPEDA applies in all provinces except those that have substantially similar legislation of their own, such as Alberta and British Columbia. PIPEDA also reinforces the principle that organizations must protect personal information that is under their control.
‘Personal information’ is any information that can make an individual identifiable, whether on its own or in combination with other information. Personal information can be, amongst other things, names, dates of birth, medical history, addresses, ethnic origin, income, opinions, and visual images. It can also be IP addresses.
To ensure compliance with privacy legislation, startups are advised to think about the ways they handle personal data from the inception of their business. Policies and procedures setting out data management practices should be documented. Amongst other things, startups should document: (1) what type of information they are collecting; (2) how sensitive that information is; (3) what the purpose of collecting that information is; (4) what they plan to do with the information; (5) who they are going to disclose it to; and (6) how they are going to discard it when they no longer need it. Startups should also consider where their users reside and whether they need to comply with the data privacy laws of their users’ jurisdiction.
Before startups can collect personal information, they must first seek express consent from their users. Consent is valid only so long as the user knows what information they are disclosing and what the organization intends to do with the information. If an organization intends to disclose personal information in its possession to a third party, the organization should seek consent to do so. Implied consent may be sufficient in some circumstances.
Startups do not relieve themselves of their obligation to protect personal information by sharing it with third party vendors, including companies providing services such as cloud computing, HR services, and data analytics. Startups should limit the personal information they share with third parties to reduce the risk that a third party will use the data inappropriately or create a security risk. Through contractual means, startups should also ensure that engaged third parties provide comparable levels of data privacy protection. Before engaging a third party, startups should conduct a pre-contractual due diligence audit to ensure the third party is in compliance with data privacy and security legislation. Conversely, if a startup wants to be retained as a third party vendor, it will have to demonstrate that it is in compliance with data privacy and security legislation, or it will be viewed as a liability.
Cybersecurity: What Startups Need to Know
The rise of data breaches makes it more important than ever to protect personal information.
As of November 1, 2018, once amendments to PIPEDA come into force, organizations that experience a breach resulting in “a real risk of significant harm to an individual” must notify the affected individuals as soon as “feasible”. The term “harm” is interpreted broadly and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, financial loss, and identity theft. The notice must include sufficient information about the breach, including the information that was compromised. Notice should be provided expeditiously so that affected parties can mitigate the risk of their personal information being misused. Should an organization contravene the new notification requirement, it can be fined between $10,000 and $100,000 for each breach.
Breached organizations are also required to report a breach to the Privacy Commissioner of Canada, a regulatory body.
The amendments to the legislation require organizations to keep records of every breach involving personal information under their control. This should concern startups, because potential investors will want to conduct their due diligence. If a breach is exposed through the due diligence process, a startup will be a less attractive investment. Similarly, a company looking to acquire a startup may be deterred from the acquisition for fear of reputational harm and class action litigation.
For the above reasons, startups need to develop security safeguards from the inception of their business. The level of security required should be proportional to the sensitivity of the information in the organization’s control. As part of the data management plan, startups need to incorporate security policies and procedures, including a data breach response plan.
Startups should be proactive in documenting all decisions relating to their data privacy and security governance. Such documents will provide transparency into the organization’s decision making process. Regulatory authorities, litigants, and media will look to the organization for thoroughness and effectiveness of data privacy and security policies, practices, and procedures. Transparency into thoughtful security decisions may help the organization thrive.
By implementing robust privacy policies and security safeguards from the inception of a business, startups will gain the trust of investors, customers, and third parties.
About the Author
In her practice as a litigator, Sharon is client-focused, ensuring she understands her clients’ needs. She regularly strategizes with her clients and team to ensure the desired outcome is achieved. Her detailed risk analysis throughout the litigation provides clarity to her clients.
Sharon strives for efficiency in her work process and enjoys exploring new methods of practicing law, which will increase work productivity and client satisfaction.
Sharon has a keen interest in cybersecurity and privacy. She regularly writes about emerging trends in this area. She enjoys exploring all things tech and how they can be ethically incorporated into our lives.
Sharon is a life-long learner always looking to explore innovative ideas, tapping into her creativity, and projecting her passion.