It’s hard to imagine a startup that does not collect some form of sensitive information in digital form, and the collection, use, and disclosure of such information is regulated under federal, state, and even international laws. The purpose of this post is to outline the legal framework that creates your obligations to safeguard customer data and the consequences of failing to comply with these laws. Startup founders that understand their legal obligations and make the investment to comply with them can reduce the likelihood of liability and ultimately compete more effectively by earning a reputation for protecting their customers.
Federal Laws Governing Data Privacy
Currently, the legal framework for data privacy consists of a patchwork of state and federal laws and regulations and industry standards that govern the collection, use, and disclosure of private information. Unlike other countries, the United States has not adopted a comprehensive regulatory regime prescribing the exact activities the government deems permissible. Rather, US law has relied mostly on private litigation and government enforcement actions under laws that predated the modern digital era. Notable exceptions where US lawmakers have adopted specific rules and privacy restrictions are where companies collect financial or medical data.
Unless a company operates its business solely in a single state and has no out of state customers, it will be subject to the FTC’s consumer protection rules. Additionally, there are a number of federal statutes that apply to specific business activities that implicate data privacy issues. Some examples include:
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act addresses commercial email communications and governs the use and collection of email addresses for commercial purposes. It also prohibits using misleading or false information in email headers, or subject lines that are materially misleading.The Telephone Consumer Protection Act (TCPA) applies to marketing activities via telephone calls and text messaging and regulates the use and collection of telephone numbers for commercial calls and messages. Litigation under the TCPA is on the rise, so if you are calling or text messaging consumers, you must obtain their express written consent and give them an opportunity to opt out from receiving messages.The Electronic Communications Privacy Act (ECPA) governs improper access, interception, or disclosure of a wide range of electronic communications (e.g. email). You will want to pay particular attention to the ECPA if you are monitoring your employees’ electronic communications.The Computer Fraud and Abuse Act (CFAA) forbids computer hacking and tampering, and criminalizes certain acts of unauthorized access to government computers and other protected computers.The Children’s Online Privacy Protection Act (COPPA) strictly regulates companies that have websites for kids (or knowingly collects information from kids) and gives parents control over what information the company collects. The FTC has published a helpful guide for complying with COPPA.The Fair Credit Reporting Act (FCRA) regulates how businesses like credit reporting agencies can use and disclose credit reports, credit card numbers, and other information. If you take an adverse action (e.g. refuse a loan, refuse to hire) based on a credit report provided under the FCRA, you must disclose certain information about that report to the consumer.
In addition, US law takes a much more detailed approach when it comes to protecting consumers’ financial and medical information. If you are operating in these industries, you will need to comply with a number of additional laws and prohibitions including:
The Gramm-Leach-Bliley Act (GLBA) governs financial institutions such as banks, insurance companies, securities firms, and other companies that receive customers’ nonpublic financial information in connection with the offering of financial products or servicesThe Health Insurance Portability and Accountability Act (HIPAA) governs any company that comes into contact with personally identifiable medical information and provides specific requirements for the protection and disclosure of that information.
State and International Laws
Additionally, all states have so-called “little FTC Acts” that prohibit unfair or deceptive business practices. Although these state laws are based on the FTC Act, they are often enforced more aggressively by state attorneys general and private litigants and apply to conduct that would not be illegal under the FTC Act. Similarly, all states, excluding Alabama and South Dakota, have adopted legislation requiring businesses to notify individuals if their personally identifiable information has been subject to a security breach.
Finally, if you have international customers, which many commercial websites do, you will need to be aware of international data privacy standards, which may go farther than US law does in restricting your activities. For example, the European Union (EU) has taken a comprehensive approach to the protection of data and in some cases prohibits companies from transferring the private data of EU residents to countries that do not have similarly strict standards for data privacy, which includes the US.
What Happens if You Don’t Comply with Privacy Laws?
Startups that fail to follow data privacy and security laws can face serious ramifications. Cybersecurity incidents are often the precursor to investigations and possible enforcement actions by state attorneys general or the FTC. In addition, companies have been held liable for failing to adhere to their privacy policies. These incidents can also lead to private causes of action (or even a class action) typically by consumers whose information was compromised or improperly used or disclosed. Plaintiffs may claim that the company breached its contractual obligation to protect the personal information, claim that the company was negligent in its protection of that data, or bring a claim under a state’s consumer protection statute for unfair or deceptive business practice. Claims may also come from affected third parties; for example, if credit card information was compromised, the credit card company may seek reimbursement from the breached company for the costs of reimbursing the cardholder for fraudulent charges.
Claims can result in civil damages, penalties, sanctions, and fines. Often, the government enforcement actions result in a settlement where the company agrees to pay a sum of money, discontinues or changes a certain aspect of its business operation, or agrees to overhaul its cybersecurity measures. Private litigation can result in similar settlements, but generally, these plaintiffs are looking for compensation for the harm they have experienced.
Perhaps the most important consequence resulting from a data breach is not legal liability but the sometimes-irreversible reputational damage. Small businesses in particular have a difficult time recovering after they are hacked, and a startup company attempting to earn the trust of existing and potential customers or investors will be significantly affected by failing to safeguard its private data or respond properly to a breach. As the sophistication of hackers and challenges of data privacy and security continues to grow, it is important to know your legal obligations to protect information.
© 2017 Alexander J. Davie — This article is for general information only. The information presented should not be construed to be formal legal advice nor the formation of a lawyer/client relationship.