Most startups collect some form of secure information in digital form. The collection, use and disclosure of this information is regulated under federal, state and even some International laws. As a startup business, it is important to safeguard customer data so that your small business does not face consequences of failing to comply with data privacy laws. Startup founders that understand their legal obligations and make the proper investment to comply with the laws can reduce the likelihood of liability and compete more effectively by earning a reputation that protects their customers.
Federal Laws Governing Data Privacy
There is no one comprehensive federal law that governs data privacy in the United States. Instead, there is a patchwork of state and federal laws and regulations and industry standards that govern the collection, use, and disclosure of private information. Companies that collect financial or medical data have notable exceptions where US lawmakers have adopted specific rules and privacy restrictions.
The Federal Trade Commission protects consumers by stopping unfair, deceptive or fraudulent practices in the marketplace. While the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. The FTC might take action against organizations that:
- Fail to implement and maintain reasonable data security measures.
- Fail to abide by any applicable self-regulatory principles of the organization’s industry.
- Make inaccurate privacy and security representations (lying) to consumers and in privacy policies.
- Fail to provide sufficient security for personal data.
- Violate consumer data privacy rights by collecting, processing or sharing consumer information.
- Engage in misleading advertising practices.
Other Federal laws that govern the collection of information
This is by no means an exhaustive list – but some of the regulations that could apply to your company include:
- ECPA (Electronic Communications Privacy Act) – protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. Establishes criminal sanctions for interception of electronic communication.
- FISMA (Federal Information Security Modernization Act) – assigns responsibilities to various government agencies to ensure the security of data in the federal government.
- Gramm Leach Bliley Act – governs the protection of personal information in the hands of banks, insurance companies, and other companies in the financial service industries.
- FRCA and FACTA (Fair Credit Reporting Act, and Fair and Accurate Credit Transactions Act) – restricts use of information bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living to determine eligibility for credit, employment, or insurance.
- TCPA (Telephone Consumer Protection Act) – regulates calls and text messages to mobile phones, and regulates calls to residential phones made for marketing purposes (telemarketers).
- FERPA (Family Educational Rights and Privacy Act) – gives students the right to inspect and revise their student records for accuracy, and prohibits disclosure of these records or other persona information on student without the student or parent’s consent.
- HIPAA (Health Insurance Portability and Accountability Act) for organizations in the healthcare space, specifically to protect what is considered protected health information.
- GDPR (European Union General Data Protection Regulation) for all organizations that handle data of European Union citizens. The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.
- CCPA (Proposed California Consumer Privacy Act) for all organizations that handle data of California residents. The CCPA gives consumers more control over the personal information that businesses collect about them.
- Future State-Specific regulations currently being reviewed by state senate – from Nevada, New York, Washington, and Texas.
State Data Privacy Laws
Although companies would rather comply with one single federal standard than have to decipher through multiple statewide laws, state lawmakers have felt pushes from consumers, consumer advocates and even companies to set their own rules. Let’s take a look at some important State Data Privacy Laws that may impact your small business
- CCPA (California Consumer Privacy Act)
- CPRA (California Privacy Rights Act)
- CDPA (Virginia’s Consumer Data Protection Act)
- CPA (Colorado Privacy Act)
- New York SHIELD Act
How To Ensure Compliance With Data Privacy Laws
How Should My Business Navigate Data Privacy Laws?
What you don’t know about data privacy laws can put your business at serious risk. The regulations vary, so we recommend using online resources, software or hiring legal counsel to ensure compliance with the complex and ever-changing laws.
While this is by no means an exhaustive list, here are some steps businesses can start with:
- Map your Data: where is your data coming from, and what related target fields is it going to?
- Secure your Databases: encrypt at rest and in transit, and harden your host.
- Secure your Application: build in authentication, app-level access controls, and audit logging.
- Back up your Data: multiple region backups of your database should be standard.
- Have a Disaster Recovery Plan: what happens if your servers go down? Do you have a backup plan, or have you lost everything?
- Implement Host and App-level Intrusion Detection
- Implement Application Vulnerability Scanning: detect and mitigate vulnerabilities in your applications
- Protect your Credentials, Tokens, and Secrets: mange your passwords, API keys, and other secrets.
- Create a Manual: Have a comprehensive Policy and Procedures Manual highlighting how you handle data security.
- Audit your Vendors and Third Parties: if a vendor you work with has a breach, it may effect your customers as well. Make sure they have their stuff together too.
Penalties for Non Compliance
Businesses, large or small, that fail to follow data privacy and security laws can face serious ramifications. Cybersecurity incidents are often the precursor to investigations and possible enforcement actions by state attorneys general or the FTC. In addition, companies have been held liable for failing to adhere to their privacy policies. These incidents can also lead to private causes of action (or even a class action) typically by consumers whose information was compromised or improperly used or disclosed.
An additional consequence resulting from non compliance with data privacy laws is the businesses reputation. Small businesses in particular have a difficult time recovering after they have lost trust from its existing and potential customers and investors.
Exemplar Companies Data Privacy Legal and Compliance Experts
Exemplar Companies is staffed by skilled legal and compliance professionals practiced in data privacy and cybersecurity with experience across multiple industries. From regulatory compliance, to control, implementation, and incident response, we are the firm clients trust for data privacy thought leadership and expertise. Contact us today to learn more: email@example.com
You May Also Like
2022: The Tax Tornado Is Coming From a financial/estate planner’s and estate attorneys’ point of view, Happy New Year and glad 2021 is behind us. While 2021 was a great year for consulting revenue, it left everybody paralyzed by the wealth destroying proposed...
Few technologies have attracted more buzz and controversy than blockchain. The past year proved to transformative and booming with new trends and inventions in the blockchain world. Blockchain has taken over many industries and will likely continue to transform...
“You manage machines and lead people.” Impacting words spoken to a doctoral student who was loving her organizational developmental course, and grateful it wasn’t stats. I carry those words close to me as I transitioned from a doctoral candidate, to graduate, to...