News, insights and resources for data protection, privacy and cyber security leaders

Ten Privacy and Data Security Mistakes Start-Ups Should Avoid (Part I)

Most technology start-up companies lack the experience and resources needed to manage the plethora of security, privacy, and compliance issues inherent in a growing technology business. Nevertheless, the legal and business implications of poorly managed privacy and data security practices are too important to ignore. A single error can undermine the trust of investors and customers, attract unwanted regulatory attention or litigation, and ultimately, derail a start-up’s success. Here are 10 common privacy and data security mistakes that start-ups must avoid.

1. Assuming that privacy or security is just for the geeks

Too frequently, company management and boards fail to pay sufficient attention to the significant problems that will arise from a company’s failure to provide adequate security or to comply with applicable privacy laws. Litigation involving privacy and security is now mainstream.

There is a rising number of shareholder derivative actions for breach of fiduciary duty stemming from failure to supervise the company’s activities related to privacy and security, such as lack of compliance or failure to meet commonly used practices. For example, such an action could be initiated by a disgruntled minority investor who is concerned that his investment has not been managed with proper care.

2. Ignoring relevant rules and laws

Some tech start-ups may pay little attention to the fact that businesses are governed by a wide range of laws and standards, and are expected to operate within commonly accepted practices. Among other things, they may ignore the fact that the collection, use, and processing of most personal information in the United States and abroad is regulated. Ignoring these laws may lead to significant errors and may in fact subject the company to legal and other action.

Among other things, ignoring privacy or security obligations may come back to haunt a start-up when it comes time to comply with the requirements of its first major customer or business partner. It may receive a superb offer for a contract with a large company that requires certain assurances of compliance with applicable laws. The start-up will be expected to have in place the same levels of protection, awareness, and maturity as its larger client. If it does not have the proper structure in place to ensure that its operations are compliant with applicable laws, it will struggle to meet that client’s expectations, and may have to create in three months what it should have built over three years. If it cannot meet the client’s standards, it will, in all probability, not get that contract.

3. Thinking that they are flying under the radar

Start-up tech companies may elect to ignore their legal obligations because they are small and believe that they can easily fly under the radar. They might be able to escape notice as far as their procedures are concerned for a short time, but not for long.

Litigants and enforcers are not particularly sympathetic to a defence based on the size of a company. They are more focused on the actual effect that the mistake, abuse, security incident, or legal violation may have on the public at large. If they determine that the effect is significant, the fact that it was caused by a five-person company is likely to be irrelevant.

4. Ignoring the benefits from processes and policies

Start-ups may think that their ability to succeed requires that they be nimble. They may believe that policies and processes slow them down and are not a business imperative.

In the absence of rules defining who is allowed to access certain information or what uses are restricted, employees, subcontractors or visitors might inadvertently access highly confidential or sensitive data and misuse it. Policies and procedures provide a frame of reference and guidelines that show how to proceed, and help make decisions faster. When properly applied, they can increase efficiency and reduce errors because they help build harmony and unity of action around the company’s goals.

5. Believing that they are not responsible

Many tech start-ups hire third parties, outsource some of their functions, or locate their operations in the cloud because they do not have sufficient resources to hire personnel or to purchase equipment. In doing so, they may think that they have passed on to those third parties the responsibility for their data.

The company that initially collects the data remains primarily responsible for anything that happens to the data. The entity that the customers know – not the obscure service provider – will be the one that will be sued or investigated if data is illegally processed or inadequately protected. It will be the one whose reputation and trustworthiness will be at risk.

Francoise Gilbert

Françoise Gilbert has focused on information privacy and security for more than 25 years; she regularly deals with compliance challenges raised by cloud computing, connected objects, smart cities, big data, mobile applications, wearable devices, social media, and other cutting-edge developments. Françoise is internationally recognized as a thought leader and expert in data privacy and cyber security. In 2015, she was recognized as a “Cybersecurity and Privacy Trailblazer”. In 2014, she was named “San Francisco Lawyer of the Year” by Best Lawyers for her work in information privacy and security. She has been listed in Chambers USA and Chambers Global since 2008, Best Lawyers in America since 2007, and Who’s Who in Ecommerce and Internet Law since 1998 as one of the leading privacy and cybersecurity attorneys.
