Many startup businesses collect and store vast amounts of personally identifiable information (PII) from consumers, but often fail to adequately protect the privacy of this consumer information. There could be many reasons for this, but it is likely the result of limited budgets and priorities.
Startup founders are faced with so many challenges and tasks when trying to start a business that concerns about privacy and cybersecurity just don't get much attention. Startups may also believe that they aren't targets for cybersecurity threats. Even if startups do recognize that they are targets and intend to implement cybersecurity controls to protect the privacy of the consumer information they collect and store, they usually have limited financial resources, and have to use their limited funds on other important business needs.
Despite these challenges, startup businesses still have the same duty to protect consumer privacy and address the same cybersecurity risks as more established businesses. So when they are developing their business plans and processes, cybersecurity must be part of the discussion.
Unlike established businesses, however, startups are in the unique position of being able to build cybersecurity into their business processes from the very beginning so that it becomes part of the culture of the business. They do not have to try to retrofit established business processes with new cybersecurity controls.
Information Security Programs
Ideally, startups should develop and implement a comprehensive information security program. This can be a large undertaking, but startups can plan and prioritize the various components of their information security program according to the size and type of their business, and then scale the program as the business grows.
In general, an information security program must contain administrative, technical and physical safeguards that are appropriate to the: a) size, scope and type of the business; b) amount of resources available to the business; c) amount of consumer information that needs to be protected; and d) need for security and confidentiality of such consumer information.
With this in mind, startups should address the following components when developing an information security program to protect consumer privacy and enhance cybersecurity:
Each of these components should be informed by standards and best practices appropriate for the business. Examples of these include the National Institute of Standards and Technology (NIST) Special Publication 800-53, and the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001:2013 and 27002:2013 standards.
Identification of System and Information Assets
In order to develop and implement an information security program, a startup needs to know exactly what information needs to be protected and where that information is located. To do this, the startup must identify all of its information and system assets, and build an inventory of these assets. This inventory will be used to identify: a) sensitive information; b) the location of such information; c) the systems used to access, process and store the information; and d) how the information is used, processed, transferred and shared.
Because this inventory is vital to the other components of an information security program, identifying all system and information assets must be a top priority.
Risk Assessments
The risk assessment process uses the startup's inventory of system and information assets to determine where systems may be vulnerable to data security incidents and establishes the risk profile for the business. This risk profile forms the foundation for the startup's information security program and helps prioritize any actions that need to be taken to mitigate identified risks. Startups will need to perform both a privacy risk assessment (risks associated with data privacy) and a security risk assessment (risks associated with IT systems and facilities).
Risk assessments can be quite complex and ideally should be performed by a qualified vendor. However, an external risk assessment is often cost prohibitive for a startup. Fortunately, there are risk assessment templates available for free online. Because risk assessments are a critical component of an information security program, startups may want to use these free templates to perform their own risk assessments until they can afford external assessments.
Legal Requirements
After a startup has identified its information and system assets, and the primary risks associated with those assets, it should determine the legal requirements associated with those assets. A startup's legal compliance obligations will vary depending upon the particular business, and are particularly important for startups in highly regulated industries, such as health care and financial services. Determining the applicable laws and regulations is fact-specific, but usually depends on: a) the types of information collected; b) the jurisdiction in which the startup operates and/or stores information; c) the jurisdiction in which the individual whose information is collected resides; and d) how the information is used. In addition, startups should ensure that their collection and use of information is consistent with their own policies.
Security Policies
In order to implement and maintain a comprehensive information security program, a startup needs to have policies that establish the purpose and scope of the program and define the different roles and responsibilities. These policies will then be used as a reference point to determine whether information systems meet the requirements set forth in the policies. Startups can use the previously-mentioned NIST and ISO/IEC standards to develop these policies, but should tailor the policies to their specific business and information systems.
System Security Plan
The security plan describes the security requirements of the information systems and the controls required to meet the security requirements, as well as the responsibilities of those who have access to the information systems. Likewise, the security plan should be informed by the risk assessments and incorporate controls to mitigate the risks identified by such assessments. At a minimum, the security plan should be reviewed and updated annually, but ideally should be reviewed and updated any time there is a change to a system.
Physical Security
Physical security is often ignored by many startups, mainly because they do not operate from their own facilities until their businesses become more established. This can be a critical oversight, however, because the technical controls put in place to protect consumer privacy and enhance cybersecurity are pointless if information systems are not protected from physical threats. Physical threats are any events, whether man-made, natural, accidental, or intentional, that cause a disruption of the services provided by the information system. Physical security controls typically include locks, barriers, security guards, cameras, fire and smoke detection, and alarms. Although physical security may not be a priority for early-stage startups, as these businesses grow, it is critical that they include physical security in their information security programs.
Personnel Security
Individuals pose one of the greatest threats to information security. Whether the information accessible to a startup's personnel is sensitive consumer information or proprietary company information, the startup should clearly define the responsibilities of each job position within the organization, and limit access to such information to the minimum necessary to perform the specific job. Depending upon the sensitivity of the information, it may be necessary to perform background checks on individuals being considered for certain jobs. Because of the expense associated with performing background checks, startups may choose not to do this. Either way, to mitigate the threat posed by personnel, startups should provide information security training that is appropriate for the applicable job position.
Incident Response Plan
An incident response plan is essential for any business that faces the risk of an information security incident. The plan should involve a team of individuals with the skills necessary to effectively respond to an incident in a timely manner. This should not only include individuals with computer-related technical skills, but also legal and public relations skills. The plan should document the actions that need to occur during each phase of incident response: preparation, identification, containment, eradication, recovery and follow-up. Although startups may not think that an information security incident is likely, having an incident response plan protects the organization by providing the actions that will prevent the incident from spiraling out of control.
System Documentation
System documentation is usually very low on the priority list for startups, but documentation describing an information system from the development stage to the production stage is an important component of an information security program. The documentation allows the personnel involved in information security to understand the information system's configuration and operational state, which helps with troubleshooting and developing future system enhancements. It also prevents startups from having to rely on the specific individual(s) who developed the system.
Business Continuity
A business continuity plan is used to ensure that a startup's critical business processes remain operational to support the startup's mission. The business continuity plan usually consists of a document, or set of documents, that contains the critical information a business needs to maintain operations during or after an adverse event. After the plan has been developed, it must be tested periodically and corrected for any weaknesses.
Disaster Recovery
Like a business continuity plan, a disaster recovery plan is used to ensure that a startup's critical business processes remain operational. A disaster recovery plan is different, however, because it consists of the actions that a startup must take before, during, and after a disruption in order to minimize the losses to the organization caused by the disruption to the startup's information systems. A disaster recovery plan must also be tested periodically and corrected for any weaknesses identified during testing. It is important to note that the most important goal of a business continuity plan and a disaster recovery plan is to protect the startup's personnel, because they are the startup's most important asset and preventing loss of life outweighs any loss of information or information systems.
Training and Awareness Program
As previously mentioned, individuals pose a serious threat to information security. Therefore, one of the most important components of an information security program is a training and awareness program that trains all of a startup's personnel in their security responsibilities. The training and awareness program should inform all personnel of the organization's security policies and procedures and the organization's expectations of personnel regarding their security responsibilities. The program should also provide all of the information necessary to enable the personnel to perform their security responsibilities effectively. Topics that should be included in such a program will change over time and as technology changes. Therefore, the training program should be updated and subsequent training should occur at least annually.
The result of such a training program will be increased awareness and a reduction in the number of accidental security incidents.
Conclusion
Many startups fail to adequately protect the privacy of consumer information because they are faced with so many challenges and tasks when starting their businesses that privacy and cybersecurity aren't a priority. Likewise, many startups also have limited budgets and can't afford the expenses involved with developing and implementing a truly comprehensive information security program. Despite these obstacles, startups still have a duty to protect consumer privacy. Startups can meet this duty by building cybersecurity into their business processes from the very beginning and making it a part of the culture of the business. This can be accomplished by planning and prioritizing the various components of an information security program, and then scaling the program as the business grows.