Most technology start-ups lack the experience and resources needed to manage the plethora of security, privacy, and compliance issues inherent in a growing technology business. Nevertheless, the legal and business implications of poorly managed privacy and data security practices are too important to ignore. A single error can undermine the trust of investors and customers, attract unwanted regulatory attention or litigation, and ultimately, derail a start-up’s success.
In this follow-up to the first instalment, Francoise Gilbert from Greenberg Traurig LLP talks about 5 additional privacy and data security mistakes that start-ups must avoid.
6. Failure to provide adequate security
Many countries require that companies provide adequate protection for the data – or certain categories of data – in their custody.
A company’s size is not an excuse for failing to seek the proper resources, technologies or experts to ensure that adequate levels of security are adopted to suit the nature of the data stored or processed by an entity.
Security breaches are to be avoided by all means. They are significantly disruptive. A company that has implemented a well-thought-through written security programme will be less exposed to potential security breaches and to their significant consequences.
In most cases, a company that has suffered a breach of security might be required to publicly disclose the occurrence of the breach. It may have to send notices to affected parties and regulators, and offer credit monitoring or identity theft insurance, which is usually a significant expense. If a state or federal regulator becomes aware of the breach, a lengthy, invasive and gruelling investigation of the company’s practices may follow, resulting in significant cost, disruptions, and potentially ending with an order that submits the company to the supervision of a regulator for the next twenty years.
7. Assuming that bigger is better
Some tech start-ups tend to collect far too much data just because “we may need it later” and “storage is cheap.” The more data a company has in its custody, the more vulnerable it is to legal violations and security breaches.
Collecting too much data can cause a compliance issue; some laws require entities to collect only the minimum amount of data necessary to achieve a stated purpose. Additionally, having a lot of data can become a significant responsibility, as well as potentially costing the company significant amounts of capital. For example, some laws grant individuals the right of access to data that a company holds about them. When an individual requests access to data, the company will be required to provide copies of files that may be located in different locations, on different devices, or in different formats. The more data a company has, the more time and data experts it will need to retrieve it. Collecting a massive amount of data also creates a significant security risk. The larger the volume of data, the higher the probability that it will be stolen.