Another key issue for startups when it comes to data security is ensuring compliance with the Federal Trade Commission “Disposal Rule.” Originally implemented as a means of combating identity theft involving information stored on large corporate servers, the Disposal Rule is part of the Fair and Accurate Credit Transactions Act of 2003. In a nutshell, companies are required to implement certain safeguards when destroying electronic files so that these files cannot be read or reconstructed by unauthorized users. As it pertains to startups, any customer lists, credit reporting data, medical information, and any sensitive financial information or confidential customer communications (for online communications companies) should be appropriately safeguarded and disposed of in a prudent fashion.[21]
Two other key areas where startup companies should be vigilant about privacy issues, and where most problems occur, are employees/independent contractors and outside vendors.[22] With respect to employees, informational privacy can be easily maintained by restricting the use of customer information to only the employees who need access to it. Limiting who is given access is one of the most time-efficient ways of policing the disclosure and protection of information. In addition, company policy related to privacy should apply to all employees, not just the ones who frequently come into contact with sensitive information. Additional safeguarding can be achieved through confidentiality and non-disclosure agreements. Express provisions in all agreements about the privacy of all personal non-public information will greatly assist in enforcing or defending privacy claims at a later date. In addition, the startup should include a provision allowing it to terminate the relationship if the employee or contractor fails to meet any of the stated privacy policy conditions. This small step can effectively eliminate future problems for startups in non-“at will” employment states.
When dealing with third parties, startups should be especially prudent in the area of privacy protection. Up to a third of data security breaches among companies arise as a result of the actions of their third-party relationships, for example with payment processors, advertisers, and vendors.[23] The first step for startups addressing privacy concerns with third parties should be to understand what nonpublic data they possess, which of it is subject to regulation, and any legal obligations that may result from the disclosure of that data.[24] Federal, state, and local laws may affect the manner in which non-public information needs to be treated in different phases of the outsourcing. Companies must next review their own privacy policies to ensure that disclosure of personal information to third parties is permitted.[25]
In addition, due diligence is needed with respect to the third party the startup is conducting business with. The company should review the privacy policies of any entity it has reason to believe it will share nonpublic personal information with. Privacy policies of outside vendors should also be reviewed on an annual basis to ensure compliance with the startup’s own policies. Agreements with vendors should also include a right for the startup to continuously monitor and audit the vendor’s security practices, and commitments from the vendor that any of its own vendors/contractors will comply with the stated privacy policy. Also, as a practical matter, vendor contracts should include appropriate indemnity provisions under which the vendor agrees to indemnify the startup against third-party claims arising from unintended disclosures caused or permitted by the vendor. Even in situations where the vendor has proper controls in place, the startup may want to consider purchasing liability insurance or requiring the vendor to purchase insurance to support the vendor’s ability to compensate the outsourcing entity.[26] These actions taken together should help minimize the startup’s privacy-related risk in these areas.
[21] “FACTA Disposal Rule Goes into Effect June 1,” Federal Trade Commission, www.ftc.gov/opa/2005/06/disposal.htm (last accessed December 13, 2009).
[22] Diana J.P. McKenzie and Benjamin D. Kern, “Privacy and Outsourcing: The Regulatory Framework,” 724 PLI/Pat 341 (October 2002).
[23] Timothy J. Muris, “Protecting Consumers’ Privacy: 2002 and Beyond,” Remarks at the Privacy 2001 Conference (October 4, 2001), available at http://www.ftc.gov/speeches/muris/privisp1002.html.
[24] Diana J.P. McKenzie and Benjamin D. Kern, “Privacy and Outsourcing: The Regulatory Framework,” 724 PLI/Pat 341 (October 2002).
[25] Timothy J. Muris, “Protecting Consumers’ Privacy: 2002 and Beyond,” Remarks at the Privacy 2001 Conference (October 4, 2001), available at http://www.ftc.gov/speeches/muris/privisp1002.html.
[26] Diana J.P. McKenzie and Benjamin D. Kern, “Privacy and Outsourcing: The Regulatory Framework,” 724 PLI/Pat 341 (October 2002).