Data Privacy Checklist for the Lean Startup


A breach of your company’s data systems can happen more quickly than you realize:  An email misaddressed to the wrong “Jennifer Smith” is one example, depending on the circumstances. Below is a list of basic recommendations that you should consider as your company grows.  You should know the basics and be prepared for what steps you would take when—not if—you learn your company has experienced some type of data breach. 

What to do now (before the breach): 

  1. Audit your company’s security practices.  This means:
    1. Find out
      1. What type of data do you have?
      2. What type of measures are you using to protect it?
      3. How often do you review these?
    2. Institute industry-standard protective measures.
  2. Data security policy:  Yes, you need one.  Yes, it needs to be written.
    1. Don’t forget to look closely at how your partners and vendors protect personal information.
    2. Don’t assume you can’t negotiate.
  3. Incident response plan.  This should include:
    1. Timelines and individuals with responsibility for specific actions.
    2. Resources for rapid response and investigation (e.g. a forensics firm that has been pre-vetted and qualified).
    3. Communications plan (see below). 
  4. Prepare your communications plan to include:
    1. Employees
    2. Your insurance carrier
    3. Industry regulators
    4. State regulators
    5. Law enforcement
    6. Affected individuals

What to do if you think data was breached:

  1. Don’t call it a breach until you have all the facts.
  2. Get all the facts.  Engage a qualified forensics firm.
    1. Maintain attorney-client privilege on all communications
    2. This means that if you hire a forensics firm, your counsel should engage them, not you.
  3. Take steps quickly to ensure the threat is contained and that other data repositories are secure.  Threat actors often stage a diversion to pull the company’s response resources away from a second intrusion launched shortly afterward.
  4. Prepare analysis and begin scoping notification requirements for affected jurisdictions. 
  5. Make the time to do a remedial assessment.
  6. Implement those recommendations.  Failing to take appropriate action after an incident can expose the company to claims of breach of fiduciary duties. 

Foundry Legal is a law practice.  We primarily focus on data privacy, emerging technology companies and social impact organizations, and capital formation through private securities offerings and strategic investments/acquisitions. 

The firm serves clients across a range of industries, including new agriculture, financial institutions, aerospace, and professional services.  We are in Denver, Colorado.