Crafting Better Data Privacy Guidelines for Startups, Acquiring Companies

Reprinted with permission from CIO Journal. The Wall Street Journal.

Where in the business plan of a newly minted startup company does data privacy fall? Is it a top-level discussion point? Does it get its own slide? All too often, data privacy isn't even in the mix. Most startups have limited resources and are hyper-focused on developing their dazzling smartphone app, social media website, or internet-enabled device. So it isn't surprising that startups aren't giving privacy equal attention.

This common development path raises several problems, both for the startup and for potential acquiring companies. A startup rushing to secure data long after a breach can bring undesired regulatory attention or litigation, and also compromise investor and consumer confidence. Acquiring companies need to be on the lookout too, because when you acquire a new company, you acquire its data too. As a result, the acquirer can face litigation, or substantial unforeseen costs for remediation, when it discovers privacy slip-ups after the acquisition.

Entrepreneurs who make security a priority can see many benefits. First and foremost, a lapse in security may not leave room for second chances, possibly derailing a new startup. Beyond the peace of mind of addressing security upfront, security itself can be a selling point, to consumers and investors alike. Security can also avoid costly and embarrassing repairs down the road, a misstep that might allow competitors a window of competitive opportunity they might otherwise not have.

Starting with a focus on data privacy at the outset is the best plan. The legal and business implications of working on privacy as an afterthought are simply too severe. Here are some key principles for new tech startups.

Build in privacy by design. Companies that embrace a privacy by design approach work to build privacy in from the start. As a result, by counseling with their engineers and attorneys, they can identify pitfalls early and develop an ecosystem that will support privacy and security. Counsel can still work towards -- not against -- accomplishing business objectives, but after fully vetting privacy concerns.

Draft clear privacy policies. Few things can go as far in garnering consumer trust as transparency. And the legal benefits of a well-drafted privacy policy are substantial. The FTC has broadly asserted its jurisdiction under Section 5 of the FTC Act to police unfair and deceptive trade practices. The agency has repeatedly challenged companies for falling short of their privacy policies. Very often, better disclosure could have avoided a brush with the FTC.

Scope privacy ramifications early and thoroughly. An FTC consent order -- the kind of order entered after a settlement with the agency -- typically lasts 20 years. Consider that the steep price of a privacy misstep. Measured against that reality, the cost of an early and thorough process aimed at identifying privacy implications of collected data can quickly seem small.

Combining skilled data privacy counsel with IT professionals can help startups consider the unforeseen implications of data collection and security protocols. In hindsight, everything is painfully obvious. Legal challengers will have the benefit of that hindsight, and of careful review of documents and testimony obtained from your employees, to make a case of botched security.

Not only do tech startups face unique challenges when confronting today's data privacy implications, but companies that later acquire a tech startup also confront some new challenges. Here are some key principles for the acquisition of a startup.

Conduct a security audit. A larger, more established, acquiring company generally has greater resources and experience with security. Conducting an audit of the security in place at the startup will bring those greater resources to bear and help identify security holes that the startup might not have been in a position to identify.

Conduct a privacy audit. A thorough audit of the data collected and stored by the startup should be conducted. Collected data should be compared to existing privacy policies. Updates to those policies should be considered if any deficiencies are uncovered, or if the new business model of a newly merged entity might change the original scope of the privacy commitments undertaken in the policy.
