Navigating Data Security Policy: a Primer for Startups


For most startups, it’s not a matter of whether you’ll have a data breach, it’s whether you’ll know about it and how well you’ve prepared for it. That’s been the main takeaway at two recent events highlighting the importance of data security protocols for startups. Last month, the Federal Trade Commission (FTC) held a “Start with Security” conference in San Francisco, the first in a series of events under the Commission’s new initiative aimed at providing businesses with resources for navigating the world of security (you can watch the full event here). And yesterday, Engine co-hosted a data security panel at the Nasdaq Entrepreneurial Center in downtown San Francisco. The conversation began with a presentation by Jim Dempsey of the Berkeley Center for Law & Technology, followed by a panel featuring several experts on how technology companies, especially new ones, should manage and protect their users’ data.

These conversations are particularly timely, as companies are generating, collecting, and using more data than ever—and regulators are taking notice. Every day, even a one-person startup can handle sensitive data from hundreds of thousands of users and is expected to have security protocols in place.

The principal federal body that oversees companies’ data practices is the FTC, which has the authority to police “unfair or deceptive practices” under section 5 of the FTC Act. At its recent conference, FTC Chairwoman Edith Ramirez remarked that “in the rush to innovate, privacy and security cannot be overlooked—even in the fast-paced startup environment.” Ignorance is no longer an excuse in the eyes of the Commission. Startups should take this admonition to heart because the FTC can—and will—bring lawsuits against companies that fail to meet cybersecurity standards. Just last month, this authority was cemented by a federal court in FTC v. Wyndham. While the FTC cannot create new industry security regulations without direction from Congress, it now has explicit authority to police companies’ cybersecurity practices using its consumer-protection mandate.

This presents a conundrum for startups. As Josephine Wolff unpacks in a recent post in Slate, even “experts disagree on which computer security practices are reasonable and which are unreasonable.”

So how should startups ensure they’re not upsetting the FTC? One option is to look to the agency itself for some guidance. Published in conjunction with its outreach initiative, the FTC’s “Start with Security” paper outlines ten data security principles they advise companies to adopt, from data encryption to password policies.

At Tuesday’s event, Dempsey expounded on this document, arguing that the overarching takeaway is security by design: companies should build security into their products at every stage of development. The panelists, including a privacy lawyer, agreed emphatically, suggesting that companies of all sizes develop several security and privacy guidelines, implement them, and most importantly, document them. These include an internal IT security policy, a privacy security policy that specifically addresses how users’ personal information is handled, and finally, an incident response plan to refer to if and when a data breach occurs.

But data security requirements don’t stop at the FTC. Any startup operating in a regulated industry such as finance, healthcare, or education is likely well aware that additional laws apply in managing sensitive financial, health, and student data respectively. And to further complicate the process, there are additional state laws regulating data issues. Dempsey explained at least 47 states have their own requirements for companies’ treatement and security of user data. California, for instance, is one of the many states that have breach notification-specific laws, requiring companies to notify residents whose unencrypted personal information was acquired in an attack.

While all these laws can create a compliance nightmare for startups who lack the internal capacity to decode these various guidelines, they’re not going away. Congress has debated questions around data security for years now. Should a data security bill include enumerated, prescriptive standards or take a more loose, industry-specific “best practices” approach? Should a bill include specific requirements or should those be left to the FTC to write? We’ve seen more than six federal data security proposals already in 2015, each of which takes a different approach to answering the above questions. While it is not yet clear which (if any) of these bills will become law, the increasing momentum behind passing something sends a clear message—startups can no longer defer addressing security issues until it is convenient.

The tech community should be engaging in more conversations like the one Engine hosted today. They provide clarity around best practices so that when Congress finally passes a data security law or when a breach eventually happens and the FTC comes knocking, startups already have security protocols in place that will pass muster. Further, as our technology improves, our privacy expectations evolve, and our lawmakers better understand the extent to which policy can dictate practices, startups voices should be heard in the debate around better policies that work for both companies and users around the world.