Most technology start-up companies lack the experience and resources needed to manage the plethora of security, privacy, and compliance issues inherent in a growing technology business. Nevertheless, the legal and business implications of poorly managed privacy and data security practices are too important to ignore. A single error can undermine the trust of investors and customers, attract unwanted regulatory attention or litigation, and ultimately, derail a start-up’s success. Here are 10 common privacy and data security mistakes that start-ups must avoid.
1. Assuming that privacy or security is just for the geeks
Too frequently, company management and boards fail to pay sufficient attention to the significant problems that will arise from a company’s failure to provide adequate security or to comply with applicable privacy laws. Litigation involving privacy and security is now mainstream.
There are a rising number of shareholder derivative actions for breach of fiduciary duty stemming from failure to supervise the company’s activities related to privacy and security, such as lack of compliance or failure to meet commonly used practices. For example, they could be initiated by a disgruntled minority investor who is concerned that his investment has not been managed with proper care.
2. Ignoring relevant rules and laws
Some tech start-ups may pay little attention to the fact that businesses are governed by a wide range of laws and standards, and are expected to operate within commonly accepted practices. Among other things, they may ignore the fact that the collection, use, and processing of most personal information in the United States and abroad is regulated. Ignoring these laws may lead to significant errors and may in fact subject the company to legal and other action.
Among other things, ignoring privacy or security obligations may come to haunt a start-up when it comes time to comply with the requirements of its first major customer or business partner. It may receive a superb offer for a contract with a large company that does require certain assurances of compliance with applicable laws. The start-up will be expected to have in place the same levels of protection, awareness, or maturity as its larger client. If it does not have the proper structure in place to ensure that its operations are compliant with applicable laws, it will struggle to meet that client’s expectations, and may have to create in three months what it should have built over three years. If it cannot meet the client’s standards, it will, in all probability not get that contract.
3. Thinking that they are flying under the radar
Start-up tech companies may elect to ignore their legal obligations because they are small and believe that they can easily fly under the radar. They might be able to escape notice as far as their procedures are concerned for a short time, but not for long.
Litigants and enforcers are not particularly sympathetic to a defence based on the size of a company. They are more focused on the actual effect that the mistake, abuse, security incident, or legal violation may have on the public at large. If they determine that the effect is significant, the fact that it was caused by a five-person company is likely to be irrelevant.
4. Ignoring the benefits from processes and policies
Start-ups may think that their ability to succeed requires that they be nimble. They may believe that policies and processes slow them down and are not a business imperative.
In the absence of rules defining who is allowed to access certain information or what uses are restricted, employees, subcontractors or visitors might inadvertently access highly confidential or sensitive data and misuse it. Policies and procedures provide a frame of reference and guidelines that show how to proceed, and help make decisions faster. When properly applied, they can increase efficiency and reduce errors because they help build harmony and unity of action around the company’s goals.
5. Believing that they are not responsible
Many tech start-ups hire third parties, outsource some of their functions, or locate their operations in the cloud because they do not have sufficient resources to hire personnel or to purchase equipment. In doing so, they may think that they have passed on to those third parties the responsibility for their data.
The company that initially collects the data remains primarily responsible for anything that happens to the data. The entity that the customers know – not the obscure service provider – will be the one that will be sued or investigated if data is illegally processed or inadequately protected. It will be the one whose reputation and trustworthiness will be at risk.