Right now I am seeing more startups getting involved in the cybersecurity space with more and more money being splashed around in this area. The fact of the matter is that all companies, regardless of industry, are getting involved with cybersecurity or need to be concerned about it.
All of this is relatively new—particularly from the legal side.
As more money is being poured into all matters tech-related, the internet, tech information systems, networks, etc. cybersecurity has become more of a growing concern. In this article, I go through the issues that startups need to think about regarding cybersecurity. I’m going to start off with defining cybersecurity, go into some of the rules and regulation regarding such topic, and then end with practical notes as far as what trends I’ve been seeing in the cybersecurity space and tips for startups.
Table of Contents
I. What is cybersecurity law?
II. What cybersecurity laws do startups need to pay attention to?
III. “Does my startup need cybersecurity insurance?”
IV. Cybersecurity for Texas startups
V. What are the latest startup trends in cybersecurity?
VI. Cybersecurity legal tips for startups
I. What is cybersecurity law?
No one has defined cybersecurity law as of yet in a real solid official capacity. You will be hard pressed to find a straight up definition. In the Cybersecurity Act of 2015, the term cybersecurity is not strictly defined. For practical purposes for yourself and in such a circumstance, just go with what’s common knowledge as far as what you think cybersecurity is. Cyber deals with networks, information systems, software/hardware processes, etc. You know what security is. I’m not going to bother explaining what that is.
Don’t worry too much about what cyber and security and cybersecurity law mean. Is it a big deal that there’s not a clear definition? In some ways, yes. In some ways, no. There are other things to worry about for an entrepreneur. Leave it to the lawyers to break down the semantics and technical details of it.
Regardless, you know essentially what cybersecurity law is. It’s just law that’s concerning these topics that I just mentioned. And if you’re in the information systems space, data networks, etc. then there may be laws governing the security of these systems that you need to abide by and follow.
Don’t ignore cybersecurity law
Look, the fact of the matter is that you will never achieve 100% security. The law is designed in a way that shows understanding of this. You will not believe some of the (massive) cases where a huge breach was achieved by perpetrators in a manner that could not reasonably be foreseen by a company. Thankfully for companies the law does not simply impose full liability to the company for a breach.
Security back in the day is different than it is now. Back then if some perpetrators broke in to someone’s office or maybe stole someone’s briefcase, that might very well be all they get—whatever is in that person’s briefcase.
Now is a different story. Now if someone breaks into an executive’s account, there is potential that they get access to all sorts of confidential information, including all corporate records depending on the how data is partitioned and secured. Recent examples of big cybersecurity breaches include Sony, Equifax, Target, and Ashley Madison.
What does this mean? It means that the stakes for security are higher than ever and that if you screw up the consequences can make your life miserable.
Cybersecurity law is important because either a couple of things can happen: (1) there are some laws and regulations you have to follow and you will be in trouble if you don’t; and (2) there are some standards that are created that if you don’t follow them, youll have negative, potentially devastating repercussions.
One of the biggest reasons, besides a general moralistic reason, to pay attention to cybersecurity is that a lawsuit can be extremely damaging to your company.
I’ve talked about this before. A lawsuit can totally crush your company.
I will say though that you can definitely bounce back from a large cybersecurity suit. Customers that have been loyal to Sony and Target are still loyal to those companies despite cybersecurity breaches. If they stopped using those companies, it may be for other reasons beyond cybersecurity. In other words, a cybersecurity “event” is not a death sentence in and of itself. But it can be extremely costly, extremely disruptive, and a huge mark on the company’s numbers.
II. What cybersecurity laws do startups need to pay attention to?
A. Cybersecurity laws and regulation
As I mentioned, the fact of the matter is that cybersecurity is an unsettled area of law—it is yet to be more developed.
In the U.S., there are only very few federal cybersecurity laws and regulation that are in place. If you believe that there are no federal regulations in place for your particular startup industry you are probably right. Most of the rules are recent, or are formed on the basis of older laws that are being applied in a new ways. The cybersecurity laws that do exist mostly pertain to certain industries.
Here is the overview of some of the laws, regulations, and agencies giving recommendations. The reason I list them here is to give you notice of some of the more prominent laws and to also give you an idea as to what the trends are in this space: the trends primarily concern the protection of the privacy of the individual, including methods to control access to particularly sensitive data.
Health Insurance Portability and Accountability Act (HIPAA)
I am sure you have heard about HIPAA at your doctor’s office or when dealing with a medical issue. There are a number of provisions with this act; however, the part that we are interested in for the purposes of this article regard the privacy and security of identifiable health information for individuals. The general approach is that this health information needs to have properly regulated use and disclosure by certain types of entities (such as medical service providers). A great deal of these matters fall under what is called the Privacy Rule. A complementary rule called the Security Rule lays out regulations for compliance regarding the security of certain types of electronic health information. The Security Rules goes on to make sure that there are administrative safeguards in place as well as physical and technical (e.g. encryption of data). HIPAA goes into other avenues such as enforcement for breaches and other matters.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act deals with regulation of financial institutions. While the GLBA addresses a number of issues including removing certain types of entity restrictions, it concerns cybersecurity and privacy. One of the big issues that GLBA tackles is giving notice to individuals; it requires financial institutions to give each consumer a privacy notice periodically. This notice concerns the information that is collected about the consumer, how that information is shared and used, etc. Essentially the GLBA attempts to give some power to the individual in the form of awareness of what is going on with the individual’s data.
Food and Drug Administration (FDA)
The FDA regulates medical devices and as you may know different types of devices require certain reviews, notifications, and approvals. In regards to cybersecurity the FDA has released a number of guidelines in order to provide recommendations for premarket submissions. The FDA recommends design controls to ensure medical device cybersecurity. The approach the FDA takes is a risk-based approach that considers whether the device is capable of connecting to other devices or networks in combination with potential harm to patients.
National Highway Traffic Safety Administration (NHTSA)
Vehicles are increasingly using more electronic technology such as advanced driver assistance functions which employ many sensors, electronics, and computer systems. The NHTSA has given broad guidelines in regards to cybersecurity and, like many other institutions, recommends the National Institute of Standards and Technology Cybersecurity Framework. This framework is structured as so:
Identify: develop an organizational understanding to manage cybersecurity risk
Protect: create and implement safeguards
Detect: create and implement methods to identify a cybersecurity event
Respond: create and implement activities in how to take action as relates to a cybersecurity event
Recover: create and implement plans for resilience and methods to restore any lost capabilities due to a cybersecurity event
You can read more about this framework here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
General Data Protection Regulation (GDPR)
GDPR is the buzzword these days, but not many people know what it is. GDPR is a data protection and privacy regulation in European Union law. In a nutshell, GDPR tries to give individuals control over their personal data, primarily through means of consent, disclosure, and technical and organizational methods. One of the issues that GDPR hits hard on is penalties on companies that violate its provisions. Violators of GDPR may be fined 20 million euros or 4% of annual worldwide turnover, which over is greater. That is enough for companies to pay attention to this regulation.
I will do an article about GDPR soon as this is a large topic.
Similar agencies and groups have rules and recommendations regarding cybersecurity such as the Federal Energy Regulatory Commission for the national electric grid infrastructure. Expect these types of recommendations to increase in the near future.
B. Cybersecurity related claims arising under common law
There’s a catch here that even if a law does not seem like it’s directly related to high-tech issues or matters of the cyber vein, you still need to pay attention to cybersecurity issues. If, for example, you manage highly sensitive data on a computer hard-drive, and you work in airports on the way to a flight and you negligently leave your equipment wide open—maybe there is a legal issue there.
Essentially, even if you work in an industry without clear data security and privacy laws you still have to be careful because of common law claims that may be asserted against you. The basis of these claims include negligence, breach of contract, unjust enrichment, unfair or deceptive acts, and others.
Those reading this that are interested in the nitty gritty legal side court cases can read https://casetext.com/case/in-re-sony-gaming-networks-customer-data-sec-breach-litig to see a good discussion of the types of claims that are brought up in a cybersecurity related case.
What does this mean for data handlers, tech startups, and similar?
- Just because there are not cybersecurity laws in your specific startup industry, you still have to pay attention to industry standards of reasonableness and best practices in terms of how you handle data and other cyber related matters.
- Don’t make promises in a contract that you are unable to keep. Follow best practices when it comes to contracts. Watch out for standards, risks, qualifiers in contractual language.
- Be expedient when things go wrong - be careful of economic injury claims for lost money or property.
III. Does my startup need cybersecurity insurance?
YES: if your company is primarily in the business of handling or processing tech data or private information.
YES: if your startup is sizable even if its primary business is not related to cybersecurity.
NO: the only time a tech startup does not need to get cybersecurity insurance is when it is young/still working on that MVP and is not primarily in the business of handling data. Eventually however if you get large enough you will need to get insurance.
If you are handling a lot of data, then needing cybersecurity insurance should not come as any surprise. Almost every business in any industry has a specialized form of insurance that they go to. If you’re in the real estate industry and you rent out commercial space to tenants, do you have appropriate commercial property insurance? Yes. If you’re a physician practicing anesthesia, do you have medical malpractice insurance? Yes. There’s an industry specific type of insurance you can surely get. Look at what is the main nature of your business. Just talk to your insurance provider about it and see what kinds of options they have. It may be an extra addition or package to a general business liability insurance that they may offer. Talk to a number of different insurance providers to find the right fit.
Besides protecting your startup, there’s another key part of cybersecurity insurance. If you want to do business or have a contract with an entity, you may be required to have some form of cybersecurity insurance. In other words, some businesses will NOT work with your startup if your startup does not have cybersecurity insurance in place. I want you to keep that in mind when you are growing and operating your startup.
If your startup is still young and new, then you may not need the beefiest type of cybersecurtiy insurance that’s out there. Work with your insurance provider to see if there’s a good fit for the size and scale of your operations. This is not a binary thing—either you have cybersecurity insurance or you don’t. There are definitely different levels of insurance that is possible to get.
Issues to watch out for when purchasing cybersecurity insurance
The name of the game for cybersecurity insurance is in part how to make sure your claim doesn’t get denied. There are other issues like speed of processing and such. This is a tricky area because unlike car insurance, for example, cybersecurity event issues are less clear cut and not as well defined as something like a fender bender. This will change as time goes on with the occurrence of more cybersecurity incidents and as cybersecurity definitions become more concrete.
General issues — pay attention to the same kinds of issues when you purchase cybersecurity insurance as you do any other kinds of insurance. When you see a coverage of $100 million, does that mean per event or does that mean overall? Watch out for language and pay close attention to what exactly your limits are and the terms of coverage.
General liability Insurance — general liability insurance nowadays does not apply to cybersecurity insurance. Back in the day this used to not be as much of an issue. But it is now. Don’t think that just because you have some general business coverage or similar that you are fine and covered. It doesn’t work like that.
Be careful of exclusions with cybersecurity insurance — make sure not to work yourself out of coverage. Consider the following: insurance companies often exclude coverage due to war because of obvious reasons (they don’t consider it a normal type of risk, they would go bankrupt if they accounted for acts of war and tried to offer generally accepted premium rates). After 9/11, the idea of war broadened as it pertained to insurance claims and coverage. Warfare, particularly in the cyberspace, is broad and difficult to ascertain. There have been legal cases where classifying a cyber attack by a certain actor changed whether or not the insurance company was liable under the war exclusions clause. What does this mean? It means to be careful about working your way out of coverage and for you to really think about how you classify cybersecurity events. It also makes the following point even more important.
Find a good insurance company — this makes a big difference. As I mentioned, insurance companies look for ways to deny claims or to find some exclusion so that they don’t have to pay you. But even beyond that, or less than that, you don’t want to have to deal with an insurance company that is super late to pay out or just plays games. A new field like cybersecurity insurance is even more ripe for game playing. Get a good feel when you talk to an insurance agent. Additionally, talk to more than one agent. Get one you have some confidence in. Insurance rates vary wildly. Don’t get too cheap with insurance premiums though. If you’re going to cut corners (e.g. not pay much of a premium), then they’ll cut corners too. Using different companies to insure different aspects of coverage can be challenging as well. Again, cybersecurity isn’t well defined. Should a claim fall under a crime fraud policy or cybersecurity policy? This is why it’s important to have a good insurance company to back you and not find every angle to screw you over.
IV. Cybersecurity for Texas startups
Texas, like other states, has looked to increase cybersecurity efforts and safeguards, primarily through the use of agencies to provide guidance.
While cybersecurity law is a new area of law globally, many states have adopted certain types of security breach notification laws. In Texas, this is codified in 521.002, 521.053 of the Texas Business and Commerce Code. This is also known under the Identity Theft Enforcement and Protection Act. This law defines personal identifying information and sensitive personal information such as a social security number, driver’s license number, certain types of financial data, and certain types of medical conditions.
Section 521 is basically saying the following things:
1. A person cannot obtain someone else’s sensitive personal information without the person’s consent and without proper intent;
2. A business has a duty to protect that sensitive information; and
3. A business has to give notification following a breach of security of computerized data
In other words a person may not obtain or possess this type of private content without the other person’s consent and without an intent to obtain a good, service, or similar.
The important item for readers of this site is that a startup has a duty to protect this sensitive information. Like many types of laws, this law relies on a reasonableness standard. Texas Business and Commerce Code section 521.052 sates that a business shall implement and maintain reasonable procedures including taking any appropriate corrective action to protect from unlawful use or disclosure of sensitive personal information collected or maintained by the business in the regular course of business.
The law gives further guidance that the business shall destroy or arrange for the descrution of the information that are not to be retained by the business.
If the startup violates these section, then it is liable for sizeable civil penalties and injunction.
V. What are the latest startup trends in cybersecurity?
Now that I’ve gone through a number of cybersecurity legal issues, here are some of the trends I’ve been noticing dealing with cybersecurity as a field. If you can hit one of these categories really hard and do all of the other things correctly—i.e. grow properly, raise money, etc. you’ll do really well in the cybersecurity space.
Physical security is merging with cybersecurity
In the past, physical security (e.g. doors, videocameras, and locks) were kept as physical. Cybersecurity, relating to data and similar networks, only pertained to situations where an individual would sit down at a company desktop and log in to the system. Now all of the systems I just mentioned are merging. While electronic key cards to enter a door are not new items, they are more sophisticated and more information is being processed through them in an integrated way with other information systems. Biometrics and other items related to the physical body are also playing a larger role. More and more startups are getting into this physical side of cybersecurity.
Value of data means more systems being in place to control data
There’s a saying that data is the new oil. Anything people believe or perceive to be valuable will see an increase in protections for it. A lot of startups out there are attempting methods of how to protect this data as data can be very difficult to contain. How do you keep something contained that is relatively intangible? As I mentioned, more money is being spent on cybersecurity than ever before. Spending money to control data is just simply a cost of doing business. It’s the cost of moving from physical cabinets to digital cabinets—and part of that is making sure data stays in those digital file cabinets unless properly removed. There is opportunity in this space.
Industries are working on defining cybersecurity
In order to best work on it, protect it, legislate around it, you have to define it. Many industries are working on defining cybersecurity right now. I already mentioned how this is true in the insurance industry. And as the Texas law shows, standards of reasonableness are important to define. Industries are working to define best practices and figure out what are reasonable measures to protect data and networks.
Startups are working to remove the human element of cybersecurity
The biggest hole for cybersecurity issues isn’t computers or devices, it’s people. This is being more and more realized. The Sony breach is testament to that; crappy passwords, Nigerian princes, phishing attacks—people are a weak point in the cybersecurity sphere. A trend is developing where there is a demand to removal the human element in cybersecurity. In the past, employees and others were simply reminded to change their password every x amount of months. While that is a good practice, cybersecurity professionals have noticed that this is simply not good enough and are thus promoting various forms of biometrics and similar. There has additionally been an increase in demand for cybersecurity education in companies.
Consolidation of trust
Because so many devices, physical objects, etc. are being integrated, we are seeing a farming out of cybersecurity to institutions that are more specialized for it. Inhouse IT units are relying more and more on third-party controls to assist in increasing security and making it more robust. There is an outsourcing of components of cybersecurity. This raises a good question of who is securing the securers. Corporate trust is a big issue at the moment. We have started to see how corporations, even large ones, like Apple and very recently Google want to be the players in the industry that is the one to trust.
VI. Cybersecurity legal tips for startups
1. Follow the law
This is obvious advice: “follow the law!” but it pertains to industry specific cybersecurity laws that are popping up. Cybersecurity law is a new and upcoming field with a lot of changes. As I mentioned, most industries don’t have specific cybersecurity laws pertaining to them, but this is slowly changing so you have to stay in tune with the law.
2. Adopt best practices with data and security
You have to pay attention. Learn what is going on in your industry and follow reasonableness or better standards. What you want to do is to make sure you adopt reasonable standards in order to comply with the law and in order to avoid any common law problems. Automate processes to allow for less human error. Do two factor authentication. Use encryption for certain types of sensitive data. Educate your employees. Use firewalls and other kinds of antivirus measures on items that store personal information.
3. Don’t make promises you can’t keep
Cyber events and attacks can lead to disproportionate loss. Have well documented, good contracts. Don’t make promises in contracts that you can’t keep. Don’t make representations and warranties that are inappropriate. This too is to keep from breach of contract claims from popping up. Remember that lawsuits can be brought up under common law claims.
4. Increase cybersecurity as your startup grows
A small startup is not able to build a robust framework on day one. You don’t have to, for example, have everything in the self-assessment package found here from the very get-go: http://www.us-cert.gov/sites/default/files/c3vp/csc-crr-self-assessment-package.pdf Instead you have to build up over time, while paying attention to point 1 of following the law.
5. Get cybersecurity insurance
If you’re just getting started with your startup (pre-MVP), you don’t need this, but after that you will. Use this article to help you understand the main issues of cybersecurity insurance and to avoid any gotchas.
6. Have a cybersecurity action plan
Understand that cybersecurity events will happen. You cannot have perfect 100% security. That’s just not how security works. You cannot achieve it, and the law does not require it. If you are big enough, a cybersecurity event will occur. How you prepare for that is the key. The best practice is to have a plan ready in action that you able to execute. Essentially, you need to prepare for a crisis before the crisis and not during the crisis where decision making is more desperate and can go wrong. Furthermore, many states have passed breach notification laws.
The more you can show that you had a plan that is reasonable and that you execute the plan, the more favorable a court will look at your situation.
Coming soon I will be writing more about cybersecurity law as I get a lot of questions about this area. If you are a startup working in the startup cybersecurity space in Texas and want to chat, email me and let’s get some coffee.