Data Privacy Checklist for the Lean Startup

A breach of your company’s data systems can happen more quickly than you realize: an email misaddressed to the wrong “Jennifer Smith” is one example, depending on the circumstances. Below is a list of basic recommendations that you should consider as your company grows. You should know the basics and be prepared for the steps you would take when—not if—you learn your company has experienced some type of data breach.

What to do now (before the breach): 

  1. Audit your company’s security practices.  This means:
    1. Find out
      1. What type of data do you have?
      2. What type of measures are you using to protect it?
      3. How often do you review these?
    2. Institute industry-standard protective measures:
  2. Data security policy: Yes, you need one. Yes, it needs to be written.
    1. Don’t forget to look closely at how your partners and vendors protect personal information.
    2. Don’t assume you can’t negotiate.
  3. Incident response plan. This should include:
    1. Timelines and individuals with responsibility for specific actions.
    2. Resources for rapid response and investigation (e.g. a forensics firm that has been pre-vetted and qualified).
    3. Communications plan (see below). 
  4. Prepare your communications plan to include:
    1. Employees
    2. Your insurance carrier.
    3. Industry regulators
    4. State regulators
    5. Law enforcement
    6. Affected individuals

What to do if you think data was breached:

  1. Don’t call it a breach until you have all the facts.
  2. Get all the facts. Engage a qualified forensics firm.
    1. Maintain attorney-client privilege on all communications.
    2. This means that if you hire a forensics firm, you should have your counsel hire them, not you.
  3. Take steps quickly to ensure the threat is contained and that other data repositories are secure.  Often threat actors will cause a diversion to attempt to pull company resources away from where they can effectively respond to a second breach in a short period of time.
  4. Prepare analysis and begin scoping notification requirements for affected jurisdictions. 
  5. Make the time to do a remedial assessment.
  6. Implement those recommendations.  Failing to take appropriate action after an incident can expose the company to claims of breach of fiduciary duties. 

The foregoing article is provided for informational purposes only and is not legal advice or a legal opinion, and does not create an attorney-client relationship. It may not apply to your specific facts or circumstances, and you should not act or rely on any information contained in this article without first seeking the advice of an attorney licensed to practice in your state.

About Foundry Legal

Foundry Legal is a technology transactions and regulatory practice in Denver, Colorado focused on data privacy, social impact organizations, and capital formation. The firm serves clients across a range of industries, including new agriculture, financial institutions, aerospace, and professional services.