Data privacy and cybersecurity advice for startups

Privacy and Cybersecurity Attorney Michael Waters shares advice for healthcare startups

With an extensive list of data privacy laws and regulations and an increasing number of ransomware attacks reported in the news, there are certain steps healthcare entrepreneurs need to take in order to comply with the law and protect their consumer data. MATTER partner Michael Waters, privacy and cybersecurity attorney at Polsinelli, shares a few tips on complying with data privacy laws and preparing for and responding to data incidents.

1. What are data privacy and cyber security, and what falls into each bucket?

Data privacy and cybersecurity are closely related. Cybersecurity is actually a component of data privacy: data privacy relates to the acquisition, storage, handling, sharing and use of data, and cybersecurity refers to the protection of that data from hackers or other unauthorized access.

2. How should entrepreneurs address data privacy and security when developing products and services?

For many developers, data privacy and cyber security are often not core components of the product being developed and therefore may be an afterthought since they may seem like a waste of time or slow the speed to the market.

However, it’s really important to focus on data privacy and cybersecurity early in the developmental process for a few reasons:

  1. Organizations are legally required to protect personal information.
  2. More and more business customers are demanding or expecting that vendors and third parties are taking steps to protect data.
  3. If you’re not protecting data, you may end up having a data breach or incident which can impose liability on the organization. It can also be a pretty significant PR hit, which is something that particularly new organizations don’t want to deal with.

3. What laws might a startup need to consider when developing products and services?

Some countries have comprehensive data privacy laws, meaning there’s essentially one law that you have to know, understand and comply with. Unfortunately, we don’t have that in the United States. We have federal laws, and some are industry-specific, such as HIPAA in the healthcare industry.

On the federal side, we also have laws that focus on protecting certain individuals’ information such as laws that are designed to protect the personal information of children. And then each state has various data privacy laws. Some of them are very comprehensive, such as CCPA in California, and some are specific to certain types of data, such as BIPA in Illinois which focuses on biometric information.

Because there are so many laws, it’s critical for businesses to think about whose information they may be collecting through their product or their service, where those people are located and how that information is being used and shared. If you’re at a point in development where you don’t have those answers and don’t know which laws apply, you can at least give some thought to general privacy principles that are common in many laws.

For example, there’s a decent chance you may need to let people know what data of theirs you possess, and you need to protect that data. You may need to give them a copy of that data, and they may even ask you to destroy their data — and you might have an obligation to do so.

4. What might business customers require startups to demonstrate from a data privacy and security standpoint?

Many business customers are subject to the same laws previously mentioned, and some of those laws require organizations to ensure that third parties protect the information they share with them.

For example, in healthcare, hospital systems and providers are subject to HIPAA. Part of HIPAA requires that if they receive patient information and share it with a third party, they need to make sure that third party is also complying with HIPAA and protecting that data. And as a result, those healthcare providers are going to want assurances that your organization is complying with HIPAA.

Your contract with them is going to basically attest that you’re complying with HIPAA. Knowing this in advance will put you in a much better position to be ready to respond to those requests for information.

It depends on the scope of the data breach — where impacted people are located, who is impacted and who owns the data. Generally speaking, if you have a data incident that results in someone accessing or acquiring people’s personal information without authorization, you may need to let them know. You also may need to let industry regulators, state attorneys general or other enforcement agencies know. If the incident is large enough, you could be subject to class action lawsuits or other litigation as well as investigations of the incident.

In healthcare, any incident that impacts 500 or more patients is subject to investigation by the Department of Health and Human Services. When they investigate, they will not only ask questions about the incident, but they will use the incident as an opportunity to audit your HIPAA compliance, asking for certain HIPAA policies and procedures, evidence you’ve trained your employees on HIPAA and the technical security controls you had in place. You want to be in a position to answer those questions.

6. What should entrepreneurs consider and proactively plan for in regards to ransomware?

Many breach notification laws are focused on providing notice to people when their personal information has been accessed or acquired. In some ransomware incidents, data is just encrypted — nobody’s accessed it or acquired it. In the public, we hear that somebody’s network is out or they’re experiencing IT issues. What we don’t hear is that they’re dealing with a ransomware attack.

They’re happening all the time — we’re just one law firm, and we probably see three-to-five ransomware attacks every week from our clients. It’s happening that often. Knowing it’s that frequent, organizations should do a few things:

  1. Have viable backups. This lessens the likelihood of needing to make a ransom payment.
  2. Have security protections in place, such as multi-factor authentication, which can significantly decrease the likelihood that somebody gets into your network.
  3. Think about how you’ll handle a data incident by preparing an incident response plan and training employees.

7. What other advice would you give startups regarding data privacy and cyber security?

You may have heard of the concept of privacy by design or security by design. Rather than waiting until the product is fully formed, bake data privacy and cyber security into the design process. Knowing that data privacy laws exist, that business partners are going to demand that you’re focused on data privacy and cybersecurity and that data breaches are so prevalent, you want to start focusing on privacy and security early in the process. Don’t wait until you have a fully finished product before you start thinking of those things.


About Polsinelli

Polsinelli is an Am Law 100 firm with more than 950 attorneys in 23 offices nationwide. Recognized as one of the top firms for excellent client service and client relationships, Polsinelli is committed to meeting our clients’ expectations of what a law firm should be. Our attorneys provide value through practical legal counsel infused with business insight with a focus on health care, real estate, finance, technology, private equity, and corporate transactions. Polsinelli LLP in California, Polsinelli PC (Inc) in Florida.