
How do Texas startups comply with GDPR?

Even if your startup is in Houston or Dallas, it may need to comply with GDPR under certain circumstances: for example, if you offer goods or services to people in the EU or monitor their behavior. Here’s what to do.

  1. Figure out if GDPR applies to your company

  2. Figure out which role you play under GDPR

    You’re a controller if you decide the purposes and means of processing. You’re a processor if you—wait for it—process personal data on behalf of a controller, under that controller’s instructions. Keep in mind that it is possible to be both a controller (for your own data, such as your employees’ or customers’) and a processor (for a client’s data) at the same time.

  3. Adopt GDPR principles

    You must abide by these principles under GDPR: that data is processed lawfully, fairly, and transparently; that there’s a purpose limitation (data collected for one purpose isn’t repurposed incompatibly); that data is not excessively collected (minimization); that the data is accurate; that you implement storage limitation (don’t keep data longer than you need it); that processing is done with integrity and confidentiality (appropriate security); and that you can demonstrate all of the above (accountability).

  4. Figure out the purpose and basis for processing

  5. Implement technical and organizational safeguards

    Your startup needs to be properly capable and beefed up to handle data and data processing securely. “Technical” safeguards are things like encryption, access controls, logging, and backups; “organizational” safeguards are things like written policies, staff training, and vendor due diligence. The measures should be proportionate to the risk of the data you hold.

  6. Make appointments under GDPR

    You may have to appoint a Data Protection Officer (DPO) if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special-category (sensitive) data. If you are not established in the EU but GDPR applies to you, you generally also have to designate a representative in the EU (similar to a corporate registered agent for business filings, but for data protection purposes); there is a limited exception for occasional, low-risk processing.

  7. Allow data subjects to exercise their rights

    Under GDPR data subjects have certain rights to their data (access, rectification, erasure, restriction, portability, objection, and rights around automated decision-making). Make sure you have a process that lets them exercise these rights and that you can respond within the required timeframe. Remember that some rights will be unavailable depending on the basis used for processing; for example, portability applies to processing based on consent or contract.

  8. Make sure contracts, privacy policy, etc. are properly in place

    There are relationships you’ll need to tend to—between the data subject, controller, and processor. See here for what you need in those documents.

  9. Maintain good records

    Depending on the size of your organization you may need to keep records of processing activities. The formal requirement kicks in at 250 or more employees, but smaller companies must also keep them if their processing is more than occasional, is likely to result in a risk to individuals, or involves special-category data. It’s a smart idea to keep records regardless.

  10. Report if you have any breaches or if there are other issues

    You have a duty to report breaches under GDPR. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify those individuals without undue delay. Processors must notify their controllers without undue delay.

    Don’t relax immediately though. Texas and other US states have their own breach notification statutes, so you may also have to report to individuals and regulators in different states as well.

  11. Review this article to make sure your understanding is well-rounded

    Remember—bits and pieces of information are largely useless. Make sure you have a good organized understanding of all of this. Read this article for an overview of GDPR.

Startups and cybersecurity insurance FAQ

What is cybersecurity insurance?

As I’ve mentioned before, cyber, cybersecurity and similar terms are still unsettled in a number of industries, including the legal industry. The insurance industry is also still warming up to these products. In essence, cybersecurity insurance (also called cyber liability insurance) is an insurance policy designed to help cover liability and losses that may result from data breaches, cyber attacks, and similar events.

Does my startup need cybersecurity insurance?

YES: if your company is sizable or handling data is a core business practice

NO: if your company just started and you have not established an MVP

Don’t panic about getting cybersecurity insurance on day one. Remember formational issues. This is all a process. Use the sidebar to help you go through the different phases of a business in a systematic way.

What is the difference between D&O, E&O, CGL, and FLI insurance?

Commercial General Liability Insurance (CGL): this is the basic type of insurance policy and almost every business needs it. It’s the broad policy that covers general business risks such as bodily injury or property damage on business premises or otherwise arising from business operations. Note that many CGL policies do not cover cyber attacks or data breaches, and many now expressly exclude them.

Directors and Officers Liability Insurance (D&O): this is a type of insurance that indemnifies for losses arising from alleged wrongful acts of directors and officers in their capacity as such.

Errors and Omissions Insurance (E&O): this is a type of insurance for service providers. It covers claims that the policyholder failed to perform, or caused financial loss through, the service or product it sold.

Fiduciary Liability Insurance (FLI): this is a type of insurance designed to protect businesses’ and employers’ assets against fiduciary-related claims of mismanagement of a company’s employee benefit plan. If plan administrators violate the Employee Retirement Income Security Act (ERISA), FLI insurance may be involved.

There are many other types of insurance out there. These are just some of the bigger ones. Work with your insurance provider to see what exactly you need for the industry that your startup is in.

What is covered under a cybersecurity insurance policy?

Different items. Don’t think that just because you have “some type of cybersecurity insurance” that you’re totally set. You’ll need to do some research into what is appropriate for your type of business. Broadly, there are two kinds of coverage. First-party coverage pays your own costs after an incident: forensic investigation, breach notification, credit monitoring, data restoration, and sometimes business interruption. Third-party (liability) coverage pays defense costs and damages when the startup is accused of negligently allowing a cyber event that harmed someone else, such as customers or business partners. Some policies include one, some the other, some both.

Additionally, what is covered will vary from policy to policy. One important item to consider is the aggregate limit vs. the per-incident limit, and any sublimits for specific costs (notification, regulatory fines, extortion). Just because you get a million dollar policy, that does not mean that if you suffer a breach you can recover $1 million. You have to look at the policy period, when the incident has to be discovered and reported, and the amount available per incident under the policy.

Additionally, you’ll also have to see what is covered vs. what’s not. There may be some types of data breaches or causes of data breaches that won’t be covered under a policy. Read the exclusions carefully and, if a scenario you worry about is excluded, ask the provider whether it can be added back by endorsement.

Who should I talk to and who should I get insurance from for my startup?

Talk to at least three insurance providers. There are lots of insurance companies out there, such as Travelers, CNA, etc. Rates vary wildly—often for the same exact coverage. It is a good idea to shop around because of this. The other important item to remember is that you should get insurance from a reputable company. Don’t reach for the bottom of the barrel. The last thing you need is for some cyber event or data breach to happen and then have a lousy insurance company play games with you.

What is this about privileged communications?

Okay. This is something you may have heard rumblings about. Essentially it is this: your communications with your lawyer are privileged (this means something specific—but for now just think of it as the confidentiality of the communication being legally protected). However, you can waive that privilege if a third party who is not necessary to the legal advice is present during the communication. So, if you are talking to your lawyer about something very confidential about a particular data breach or other cyber event, the communication’s protection may be lost if an insurance agent is in the room or on the thread. Work with your lawyer to decide what kinds of communications are appropriate to have with an insurance agent, and keep the privileged discussion of the incident separate from the insurance claim paperwork.

Can you list the steps to get insurance?

Yes:

  1. talk to insurance providers;

  2. understand how policies work;

  3. decide how much coverage you need;

  4. talk to insurance providers again with a better understanding of all of this;

  5. fill out the application (which may be time consuming with a number of technical questions).

How much does coverage cost?

The annoying answer is that it depends. If you’re handling sensitive data and you’re in the health care industry, then it will likely be higher. If your company has high revenues and is in the data handling business, then you’ll likely be paying more for coverage because you need that coverage to be adequate. Insurers will also price on your security posture: expect the application to ask about things like multi-factor authentication, backups, and patching, and expect weak answers to raise the premium or narrow the coverage.

If policies are too expensive, see what you can do about getting that rate down. Can you deal with having a higher deductible? How much coverage do you actually need? There are ways to play with the numbers to get something appropriate for your startup. And again, talk to more than one insurance provider.