Startups and Cybersecurity 101: What Do Startups Need to Know about Cybersecurity Law?

Right now I am seeing more startups getting involved in the cybersecurity space with more and more money being splashed around in this area. The fact of the matter is that all companies, regardless of industry, are getting involved with cybersecurity or need to be concerned about it.

All of this is relatively new—particularly from the legal side.

As more money is being poured into all matters tech-related, the internet, tech information systems, networks, etc. cybersecurity has become more of a growing concern. In this article, I go through the issues that startups need to think about regarding cybersecurity. I’m going to start off with defining cybersecurity, go into some of the rules and regulation regarding such topic, and then end with practical notes as far as what trends I’ve been seeing in the cybersecurity space and tips for startups.

Table of Contents

I. What is cybersecurity law?
II. What cybersecurity laws do startups need to pay attention to?
III. “Does my startup need cybersecurity insurance?”
IV. Cybersecurity for Texas startups
V. What are the latest startup trends in cybersecurity?
VI. Cybersecurity legal tips for startups
VII. Conclusion

I. What is cybersecurity law?

No one has defined cybersecurity law as of yet in a real solid official capacity. You will be hard pressed to find a straight up definition. In the Cybersecurity Act of 2015, the term cybersecurity is not strictly defined. For practical purposes for yourself and in such a circumstance, just go with what’s common knowledge as far as what you think cybersecurity is. Cyber deals with networks, information systems, software/hardware processes, etc. You know what security is. I’m not going to bother explaining what that is.

Don’t worry too much about what cyber and security and cybersecurity law mean. Is it a big deal that there’s not a clear definition? In some ways, yes. In some ways, no. There are other things to worry about for an entrepreneur. Leave it to the lawyers to break down the semantics and technical details of it. 

Regardless, you know essentially what cybersecurity law is. It’s just law that’s concerning these topics that I just mentioned. And if you’re in the information systems space, data networks, etc. then there may be laws governing the security of these systems that you need to abide by and follow. 

Don’t ignore cybersecurity law

Look, the fact of the matter is that you will never achieve 100% security. The law is designed in a way that shows understanding of this. You will not believe some of the (massive) cases where a huge breach was achieved by perpetrators in a manner that could not reasonably be foreseen by a company. Thankfully for companies the law does not simply impose full liability to the company for a breach.

Security back in the day is different than it is now. Back then if some perpetrators broke in to someone’s office or maybe stole someone’s briefcase, that might very well be all they get—whatever is in that person’s briefcase. 

Now is a different story. Now if someone breaks into an executive’s account, there is potential that they get access to all sorts of confidential information, including all corporate records depending on the how data is partitioned and secured. Recent examples of big cybersecurity breaches include Sony, Equifax, Target, and Ashley Madison. 

What does this mean? It means that the stakes for security are higher than ever and that if you screw up the consequences can make your life miserable.

Cybersecurity law is important because either a couple of things can happen: (1) there are some laws and regulations you have to follow and you will be in trouble if you don’t; and (2) there are some standards that are created that if you don’t follow them, youll have negative, potentially devastating repercussions.

One of the biggest reasons, besides a general moralistic reason, to pay attention to cybersecurity is that a lawsuit can be extremely damaging to your company.

I’ve talked about this before. A lawsuit can totally crush your company.

I will say though that you can definitely bounce back from a large cybersecurity suit. Customers that have been loyal to Sony and Target are still loyal to those companies despite cybersecurity breaches. If they stopped using those companies, it may be for other reasons beyond cybersecurity. In other words, a cybersecurity “event” is not a death sentence in and of itself. But it can be extremely costly, extremely disruptive, and a huge mark on the company’s numbers. 

II. What cybersecurity laws do startups need to pay attention to?

A. Cybersecurity laws and regulation

As I mentioned, the fact of the matter is that cybersecurity is an unsettled area of law—it is yet to be more developed.

In the U.S., there are only very few federal cybersecurity laws and regulation that are in place. If you believe that there are no federal regulations in place for your particular startup industry you are probably right. Most of the rules are recent, or are formed on the basis of older laws that are being applied in a new ways. The cybersecurity laws that do exist mostly pertain to certain industries.

Here is the overview of some of the laws, regulations, and agencies giving recommendations. The reason I list them here is to give you notice of some of the more prominent laws and to also give you an idea as to what the trends are in this space: the trends primarily concern the protection of the privacy of the individual, including methods to control access to particularly sensitive data.

Health Insurance Portability and Accountability Act (HIPAA)

I am sure you have heard about HIPAA at your doctor’s office or when dealing with a medical issue. There are a number of provisions with this act; however, the part that we are interested in for the purposes of this article regard the privacy and security of identifiable health information for individuals. The general approach is that this health information needs to have properly regulated use and disclosure by certain types of entities (such as medical service providers). A great deal of these matters fall under what is called the Privacy Rule. A complementary rule called the Security Rule lays out regulations for compliance regarding the security of certain types of electronic health information. The Security Rules goes on to make sure that there are administrative safeguards in place as well as physical and technical (e.g. encryption of data). HIPAA goes into other avenues such as enforcement for breaches and other matters.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act deals with regulation of financial institutions. While the GLBA addresses a number of issues including removing certain types of entity restrictions, it concerns cybersecurity and privacy. One of the big issues that GLBA tackles is giving notice to individuals; it requires financial institutions to give each consumer a privacy notice periodically. This notice concerns the information that is collected about the consumer, how that information is shared and used, etc. Essentially the GLBA attempts to give some power to the individual in the form of awareness of what is going on with the individual’s data.

Food and Drug Administration (FDA)

The FDA regulates medical devices and as you may know different types of devices require certain reviews, notifications, and approvals. In regards to cybersecurity the FDA has released a number of guidelines in order to provide recommendations for premarket submissions. The FDA recommends design controls to ensure medical device cybersecurity. The approach the FDA takes is a risk-based approach that considers whether the device is capable of connecting to other devices or networks in combination with potential harm to patients.

National Highway Traffic Safety Administration (NHTSA)

Vehicles are increasingly using more electronic technology such as advanced driver assistance functions which employ many sensors, electronics, and computer systems. The NHTSA has given broad guidelines in regards to cybersecurity and, like many other institutions, recommends the National Institute of Standards and Technology Cybersecurity Framework. This framework is structured as so:

Identify: develop an organizational understanding to manage cybersecurity risk

Protect: create and implement safeguards

Detect: create and implement methods to identify a cybersecurity event

Respond: create and implement activities in how to take action as relates to a cybersecurity event

Recover: create and implement plans for resilience and methods to restore any lost capabilities due to a cybersecurity event

You can read more about this framework here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

General Data Protection Regulation (GDPR)

GDPR is the buzzword these days, but not many people know what it is. GDPR is a data protection and privacy regulation in European Union law. In a nutshell, GDPR tries to give individuals control over their personal data, primarily through means of consent, disclosure, and technical and organizational methods. One of the issues that GDPR hits hard on is penalties on companies that violate its provisions. Violators of GDPR may be fined 20 million euros or 4% of annual worldwide turnover, which over is greater. That is enough for companies to pay attention to this regulation.

I will do an article about GDPR soon as this is a large topic.

Other

Similar agencies and groups have rules and recommendations regarding cybersecurity such as the Federal Energy Regulatory Commission for the national electric grid infrastructure. Expect these types of recommendations to increase in the near future.

B. Cybersecurity related claims arising under common law

There’s a catch here that even if a law does not seem like it’s directly related to high-tech issues or matters of the cyber vein, you still need to pay attention to cybersecurity issues. If, for example, you manage highly sensitive data on a computer hard-drive, and you work in airports on the way to a flight and you negligently leave your equipment wide open—maybe there is a legal issue there.

Essentially, even if you work in an industry without clear data security and privacy laws you still have to be careful because of common law claims that may be asserted against you. The basis of these claims include negligence, breach of contract, unjust enrichment, unfair or deceptive acts, and others.

Those reading this that are interested in the nitty gritty legal side court cases can read https://casetext.com/case/in-re-sony-gaming-networks-customer-data-sec-breach-litig to see a good discussion of the types of claims that are brought up in a cybersecurity related case.

What does this mean for data handlers, tech startups, and similar?

- Just because there are not cybersecurity laws in your specific startup industry, you still have to pay attention to industry standards of reasonableness and best practices in terms of how you handle data and other cyber related matters.

- Don’t make promises in a contract that you are unable to keep. Follow best practices when it comes to contracts. Watch out for standards, risks, qualifiers in contractual language.

- Be expedient when things go wrong - be careful of economic injury claims for lost money or property.

III. Does my startup need cybersecurity insurance?

YES: if your company is primarily in the business of handling or processing tech data or private information.

YES: if your startup is sizable even if its primary business is not related to cybersecurity.

NO: the only time a tech startup does not need to get cybersecurity insurance is when it is young/still working on that MVP and is not primarily in the business of handling data. Eventually however if you get large enough you will need to get insurance.

If you are handling a lot of data, then needing cybersecurity insurance should not come as any surprise. Almost every business in any industry has a specialized form of insurance that they go to. If you’re in the real estate industry and you rent out commercial space to tenants, do you have appropriate commercial property insurance? Yes. If you’re a physician practicing anesthesia, do you have medical malpractice insurance? Yes. There’s an industry specific type of insurance you can surely get. Look at what is the main nature of your business. Just talk to your insurance provider about it and see what kinds of options they have. It may be an extra addition or package to a general business liability insurance that they may offer. Talk to a number of different insurance providers to find the right fit.

Besides protecting your startup, there’s another key part of cybersecurity insurance. If you want to do business or have a contract with an entity, you may be required to have some form of cybersecurity insurance. In other words, some businesses will NOT work with your startup if your startup does not have cybersecurity insurance in place. I want you to keep that in mind when you are growing and operating your startup.

If your startup is still young and new, then you may not need the beefiest type of cybersecurtiy insurance that’s out there. Work with your insurance provider to see if there’s a good fit for the size and scale of your operations. This is not a binary thing—either you have cybersecurity insurance or you don’t. There are definitely different levels of insurance that is possible to get. 

Issues to watch out for when purchasing cybersecurity insurance

The name of the game for cybersecurity insurance is in part how to make sure your claim doesn’t get denied. There are other issues like speed of processing and such. This is a tricky area because unlike car insurance, for example, cybersecurity event issues are less clear cut and not as well defined as something like a fender bender. This will change as time goes on with the occurrence of more cybersecurity incidents and as cybersecurity definitions become more concrete.

General issues — pay attention to the same kinds of issues when you purchase cybersecurity insurance as you do any other kinds of insurance. When you see a coverage of $100 million, does that mean per event or does that mean overall? Watch out for language and pay close attention to what exactly your limits are and the terms of coverage.

General liability Insurance — general liability insurance nowadays does not apply to cybersecurity insurance. Back in the day this used to not be as much of an issue. But it is now. Don’t think that just because you have some general business coverage or similar that you are fine and covered. It doesn’t work like that.

Be careful of exclusions with cybersecurity insurance — make sure not to work yourself out of coverage. Consider the following: insurance companies often exclude coverage due to war because of obvious reasons (they don’t consider it a normal type of risk, they would go bankrupt if they accounted for acts of war and tried to offer generally accepted premium rates). After 9/11, the idea of war broadened as it pertained to insurance claims and coverage. Warfare, particularly in the cyberspace, is broad and difficult to ascertain. There have been legal cases where classifying a cyber attack by a certain actor changed whether or not the insurance company was liable under the war exclusions clause. What does this mean? It means to be careful about working your way out of coverage and for you to really think about how you classify cybersecurity events. It also makes the following point even more important.

Find a good insurance company — this makes a big difference. As I mentioned, insurance companies look for ways to deny claims or to find some exclusion so that they don’t have to pay you. But even beyond that, or less than that, you don’t want to have to deal with an insurance company that is super late to pay out or just plays games. A new field like cybersecurity insurance is even more ripe for game playing. Get a good feel when you talk to an insurance agent. Additionally, talk to more than one agent. Get one you have some confidence in. Insurance rates vary wildly. Don’t get too cheap with insurance premiums though. If you’re going to cut corners (e.g. not pay much of a premium), then they’ll cut corners too. Using different companies to insure different aspects of coverage can be challenging as well. Again, cybersecurity isn’t well defined. Should a claim fall under a crime fraud policy or cybersecurity policy? This is why it’s important to have a good insurance company to back you and not find every angle to screw you over.

IV. Cybersecurity for Texas startups

Texas, like other states, has looked to increase cybersecurity efforts and safeguards, primarily through the use of agencies to provide guidance.

While cybersecurity law is a new area of law globally, many states have adopted certain types of security breach notification laws. In Texas, this is codified in 521.002, 521.053 of the Texas Business and Commerce Code. This is also known under the Identity Theft Enforcement and Protection Act. This law defines personal identifying information and sensitive personal information such as a social security number, driver’s license number, certain types of financial data, and certain types of medical conditions.  

Section 521 is basically saying the following things:

1.  A person cannot obtain someone else’s sensitive personal information without the person’s consent and without proper intent;

2.  A business has a duty to protect that sensitive information; and

3.  A business has to give notification following a breach of security of computerized data

In other words a person may not obtain or possess this type of private content without the other person’s consent and without an intent to obtain a good, service, or similar. 

The important item for readers of this site is that a startup has a duty to protect this sensitive information. Like many types of laws, this law relies on a reasonableness standard. Texas Business and Commerce Code section 521.052 sates that a business shall implement and maintain reasonable procedures including taking any appropriate corrective action to protect from unlawful use or disclosure of sensitive personal information collected or maintained by the business in the regular course of business. 

The law gives further guidance that the business shall destroy or arrange for the descrution of the information that are not to be retained by the business. 

If the startup violates these section, then it is liable for sizeable civil penalties and injunction. 

V. What are the latest startup trends in cybersecurity?

Now that I’ve gone through a number of cybersecurity legal issues, here are some of the trends I’ve been noticing dealing with cybersecurity as a field. If you can hit one of these categories really hard and do all of the other things correctly—i.e. grow properly, raise money, etc. you’ll do really well in the cybersecurity space.

Physical security is merging with cybersecurity

In the past, physical security (e.g. doors, videocameras, and locks) were kept as physical. Cybersecurity, relating to data and similar networks, only pertained to situations where an individual would sit down at a company desktop and log in to the system. Now all of the systems I just mentioned are merging. While electronic key cards to enter a door are not new items, they are more sophisticated and more information is being processed through them in an integrated way with other information systems. Biometrics and other items related to the physical body are also playing a larger role. More and more startups are getting into this physical side of cybersecurity.

Value of data means more systems being in place to control data

There’s a saying that data is the new oil. Anything people believe or perceive to be valuable will see an increase in protections for it. A lot of startups out there are attempting methods of how to protect this data as data can be very difficult to contain. How do you keep something contained that is relatively intangible? As I mentioned, more money is being spent on cybersecurity than ever before. Spending money to control data is just simply a cost of doing business. It’s the cost of moving from physical cabinets to digital cabinets—and part of that is making sure data stays in those digital file cabinets unless properly removed. There is opportunity in this space.

Industries are working on defining cybersecurity

In order to best work on it, protect it, legislate around it, you have to define it. Many industries are working on defining cybersecurity right now. I already mentioned how this is true in the insurance industry. And as the Texas law shows, standards of reasonableness are important to define. Industries are working to define best practices and figure out what are reasonable measures to protect data and networks.

Startups are working to remove the human element of cybersecurity

The biggest hole for cybersecurity issues isn’t computers or devices, it’s people. This is being more and more realized. The Sony breach is testament to that; crappy passwords, Nigerian princes, phishing attacks—people are a weak point in the cybersecurity sphere. A trend is developing where there is a demand to removal the human element in cybersecurity. In the past, employees and others were simply reminded to change their password every x amount of months. While that is a good practice, cybersecurity professionals have noticed that this is simply not good enough and are thus promoting various forms of biometrics and similar. There has additionally been an increase in demand for cybersecurity education in companies.

Consolidation of trust

Because so many devices, physical objects, etc. are being integrated, we are seeing a farming out of cybersecurity to institutions that are more specialized for it. Inhouse IT units are relying more and more on third-party controls to assist in increasing security and making it more robust. There is an outsourcing of components of cybersecurity. This raises a good question of who is securing the securers. Corporate trust is a big issue at the moment. We have started to see how corporations, even large ones, like Apple and very recently Google want to be the players in the industry that is the one to trust.

VI. Cybersecurity legal tips for startups

1. Follow the law

This is obvious advice: “follow the law!” but it pertains to industry specific cybersecurity laws that are popping up. Cybersecurity law is a new and upcoming field with a lot of changes. As I mentioned, most industries don’t have specific cybersecurity laws pertaining to them, but this is slowly changing so you have to stay in tune with the law.

2. Adopt best practices with data and security

You have to pay attention. Learn what is going on in your industry and follow reasonableness or better standards. What you want to do is to make sure you adopt reasonable standards in order to comply with the law and in order to avoid any common law problems. Automate processes to allow for less human error. Do two factor authentication. Use encryption for certain types of sensitive data. Educate your employees. Use firewalls and other kinds of antivirus measures on items that store personal information.

3. Don’t make promises you can’t keep

Cyber events and attacks can lead to disproportionate loss. Have well documented, good contracts. Don’t make promises in contracts that you can’t keep. Don’t make representations and warranties that are inappropriate. This too is to keep from breach of contract claims from popping up. Remember that lawsuits can be brought up under common law claims.

4. Increase cybersecurity as your startup grows

A small startup is not able to build a robust framework on day one. You don’t have to, for example, have everything in the self-assessment package found here from the very get-go: http://www.us-cert.gov/sites/default/files/c3vp/csc-crr-self-assessment-package.pdf  Instead you have to build up over time, while paying attention to point 1 of following the law.

5. Get cybersecurity insurance

If you’re just getting started with your startup (pre-MVP), you don’t need this, but after that you will. Use this article to help you understand the main issues of cybersecurity insurance and to avoid any gotchas.

6. Have a cybersecurity action plan

Understand that cybersecurity events will happen. You cannot have perfect 100% security. That’s just not how security works. You cannot achieve it, and the law does not require it. If you are big enough, a cybersecurity event will occur. How you prepare for that is the key. The best practice is to have a plan ready in action that you able to execute. Essentially, you need to prepare for a crisis before the crisis and not during the crisis where decision making is more desperate and can go wrong. Furthermore, many states have passed breach notification laws.

The more you can show that you had a plan that is reasonable and that you execute the plan, the more favorable a court will look at your situation.

VII. Conclusion

Coming soon I will be writing more about cybersecurity law as I get a lot of questions about this area. If you are a startup working in the startup cybersecurity space in Texas and want to chat, email me and let’s get some coffee.

The Only Three Things to Look At When Hiring a Startup Lawyer

There are only really three things to look for when hiring a startup lawyer. But actually these three are the only three things anyone looks to when hiring any business, company, etc. I’ll go through them here in this article. In order to not do some nonsense and make you wait til the end of the article to “find out what they are!!” the three factors that you need to look at when hiring a startup lawyer are these:

1. Price
2. Trust
3. Product

That’s it.

That’s all there is.

Everything else is fluff. Watch out for fluff in lines when people talk about their business. The fact of the matter is that people try to complicate everything. All of this stuff is quite simple really. Have you seen companies that say things like: “A global innovator in business”; “a true leader in vision”; “a legal tour de force”? Yadda, yadda, yadda. You know what I’m talking about. There’s a reason why no one cares for talk like that. Because it doesn’t mean anything.

So let’s talk about what actually means something.

The things that mean something when it comes to hiring a lawyer, company, whatever are price, trust, and product.

It is extremely difficult to find a business that really nails all three of these categories. And if you think a company does, there may be a shortcut that they are taking somewhere that you’re not seeing. Maybe they’re selling data you give them in ways that push the boundaries of what is and what is nonconsensual (that’s a big thing these days—watch out for this). Or maybe they are screwing over their employees or committing some unethical act.

People love taking shortcuts here and there. But legal matters is not where to take such a shortcut. Shortcuts will catch up to you. It’s the same as eating properly. The fact of the matter is that to eat well takes plenty of time, energy, and money. There is no way around it. Taking a shortcut will catch up to you in pretty awful ways. So if you can’t take a shortcut when it comes to legal matters, what do you do? You understand and focus on the only things that matter, in this case, price, trust, and product and make sure that it’s a good fit.

Let’s go through each of these:

1. Price

Hiring an attorney costs money.

There’s not any real way around this. And if there is—be careful. A lot of people avoid talking about pricing and legal fees; but let’s not beat around the bush—price is a factor that people think about.

If you find an attorney that is willing to do the job extremely cheaply—beware. Quality costs money. Like I said, there’s no way around that. However, a good attorney actually saves you money because it keeps more costly mistakes from happening later down the road. I’ve had to correct mistakes before made by other attorneys. It’s not cheap. As I’ve said before, few attorneys actually give numbers for things like this. For actual numbers regarding legal fees of lawyers in Houston and Dallas see this post.

So a lawyer and legal costs are pricey. But there are ways to mitigate that. Here’s how:

Hire a startup lawyer earlier in the process

The earlier you do this in the process the less costly it ends up being. It’s easier and it’s cheaper to have an attorney start you off with a few documents than it is to hire an attorney in year 5 and have a ton of documents for the attorney to go through just for something simple. That gets costly. And it takes a lot of time.

I’ve noticed that a number of entrepreneurs have the attitude that they’ll get legal on board when their company has grown a bit and when more funds are available. I get it. Money can be tight at the beginning, but this is the wrong attitude. It’s better to make sure that mistakes don’t get made from the get-go. At the very least, get the conversation going with an attorney. Some guidance is better than none.

Understand the structure of legal fees

There are different ways to structure attorney’s fees. It’s possible that an hourly rate for your matter doesn’t align incentives the best for all of the parties. In that case, a fixed fee or unbundled fee can make sense. There are all sorts of mechanisms available. Work with your lawyer. Tell your lawyer what kinds of costs you are expecting and how that fits into your budget. See if they can unbundle certain fees and such.

2. Trust

Trust is a huge factor.

Take a look at a company like Amazon. People love, or at least, order from Amazon in part because they can trust them. It’s easier to order from them than some site you’ve never heard of. Why? Because of trust. You can trust that they’ll ship the product when they say they will. You can trust that you’ll get it in 2 days like you want.

In the legal profession you will not be able to get that level of commitment with a promised result; and in fact there are attorney ethical issues about promising certain results. So what does trust mean here? It means the following:

Do you trust their decision making process?

There’s definitely a right and wrong way to make decisions. There’s a whole field of study dedicated to decision making. There are some good books out there on this topic. If you’re interested in this, and if you’re making decisions you should be: check out this book by the Heath brothers: click here. It’s about how to make better choices.

Look, no lawyer has the answer for everything. No person does either to be fair. The question is if this lawyer doesn’t know the answer to the question, will they be able to figure out the answer to the question. It’s not about having every answer. It’s about trusting the person to go out and get the right answer. Do I trust this person to do that?

Doing that requires good decision making skills. Do you trust your lawyer to know how to make decisions properly?

Do you trust them to be a reasonable person?

I’ve had people come to me and show me what some other lawyers charge and what was completely out of line. You need to find someone who is fundamentally a reasonable person. I’ve not had a single billing issue/dispute/problem with a single client. If there’s an issue, will they handle it and talk to you about it in a reasonable way? Or will they just tell you to stuff it?

Being reasonable also extends to other matters. When a lawyer says they will contact you at a certain time, do they? One of the biggest grievances against many lawyers is that they avoid emails, phone calls, and other forms of contact. You need to be able to trust your lawyer that they’ll be reasonable with these kinds of things. Trust goes beyond just what the attorney produces.

Do you trust this person to be diligent?

You have to trust that this person is a diligent person—that this lawyer keeps updated with the ongoings with the law and the field in general. This kind of thing is important.

3. Product

Legal work product is inherently extremely intangible.

So it becomes difficult for many lay people to understand the quality of a legal product. This is unlike many other fields such as consumer goods. If you have a crappy camping stove, it’s probably not difficult to tell. It doesn’t feel right in the hand. Or it breaks quickly. Or it seems unpolished. The legal field isn’t like that. In the legal field, it can just be difficult to ascertain the quality of work. It’s just very intangible.

Because of this intangibility there is a trap that’s there. And it’s this: even though it can be difficult to see the differences in attorney work-product, don’t mistake that for there not being any differences—subtle or otherwise.

Subtle differences make a big difference. An attorney who really focuses on startup law will have differences in their work-product than an attorney who doesn’t.

Let’s say that two attorneys are 80% the same in their approach to a document. That means that there’s a 20% difference. Now if you consider that the attorney is preparing for you hundreds of pages of documents over a number of years—that 20% difference really makes a real difference as it adds up. Small improvements collectively add up.

Quality work product is also not just throwing every thing under the sun into a document. There’s a real art to this. At the law firm I worked at in Tokyo, I really understood what this meant. Some lawyers, particularly in the U.S., try to put too much into their agreements and make documents hundreds of pages long unnecessarily. There’s actually a legal movement here in America to reduce all of that excessive legalese type of work. I applaud these efforts.

Given the intangible nature of legal work, here are the qualities to look for in order to understand the quality of work-product:

What type of work does this person do?

Is there an air of polish? You know what this means. Does stuff just look . . . sloppy? The product should also be clear. I’ve had clients come to me and complain that other lawyers they’ve worked with left them confused and didn’t properly explain matters to them. Look at how a lawyer you’re going to hire answers your questions and concerns in discussions, conversations, emails etc. Are answers clear? Remember—how they do anything is how they do everything.

Does this person have the experience for this type of work?

There are a lot of lawyers out there. Find one that focuses on the particular area of law that you are involving yourself in. If you’re in the maritime field in Houston, maybe you shouldn’t hire a Texas startup lawyer and should look to a lawyer in the maritime industry. Each practice area has it’s own best practices and methods of accomplishing tasks.

Does this product work for me?

If some lawyer is located in Argentina and you’re trying to create your startup in Dallas or Houston, then maybe their product, while it may be an otherwise awesome product, might not be the best fit for you. So this is a personal matter on some level. The product needs to be a proper fit for you.

Make sure the product is right for you.

Conclusion: the only factors that really matter when hiring a startup lawyer is price, trust, and product. Focus on getting that right balance. Beware of those that attempt to take shortcuts. Legal is not the place to do that. Like I said—you can keep eating garbage/processed food, but it’s going to catch up to you.