Data Privacy: What Founders Need to Know to Avoid Disaster, with Lucas Beal


April 27, 2023

Lucas: It's not something that can be retroactively done. You have to build it from the foundation. You have to start with privacy by design.

Trevor: Hello, and welcome to the Founder Shares podcast. We're so happy that you've chosen to spend some time with us. I'm your host, Trevor Schmidt. I'm an attorney at Hutchison, a law firm in Raleigh, North Carolina. We work with founders and entrepreneurs in technology and life science companies as they start up, operate, get funded, and exit. We are daily inspired by the people we work with and want a chance to share some of these stories with you, our listeners. So whether you're already an entrepreneur, want to be one someday, or are just fascinated by the stories of how a business goes from idea to success or not such a success, this podcast is for you.

Today's guest is my partner at Hutchison, Lucas Beal, whose practice focuses on data privacy and security, employment law, contract negotiation, and corporate law. He's here to tell us all the legal ins and outs of data privacy and why all companies, even startups, need to be aware of the rules and regulations. Lucas got into data privacy while working as in-house counsel for a life sciences company. And while at a weekly meeting in 2016, a new law was brought up that was coming down the pipeline called the General Data Protection Regulation, or GDPR. Lucas raised his hand, volunteering to tackle it. GDPR is now a huge part of Lucas's practice, as are many other acronyms in the data protection world. It can be confusing sometimes, but Lucas keeps it simple, both for his clients and for his family.

Lucas: We were watching The Little Mermaid. Ariel, who's kind of like the main character, signs a contract with the villain Ursula. And I was watching this with my then three year old daughter, Betsy, and told her that you're never allowed to sign a contract without Daddy first reviewing or this will happen. Yeah, I think she probably should have read that contract before signing her life away and giving up that voice.

Trevor: Ariel was moving so fast, and she didn't care what it took to get what she wanted. And sometimes the startup world is similar. You're moving 100 miles an hour at all times, and data privacy rules are not exactly high on the priority list for each day. So to start, I ask Lucas why a startup needs to care about all of these things.

Lucas: I think it's twofold. I think one is, like, the punishment aspect. What's going to happen to you as a company if you're not compliant? And we've seen under GDPR, there are massive fines. I have a tracker in my bookmarks that I can look at, the enforcement tracker of the most recent penalties that have been handed down by the EU regulatory authorities, and they're massive. And as a small startup company, that's scary. We want to make sure that if we are collecting that EU data, if we are processing that EU data, that we're doing so in accordance with GDPR, and we're being mindful of all of those checklists under GDPR to make sure that we're avoiding those. But I think from a business aspect, and I know we're going to talk a little bit about this conference that I just went to, but a big piece of that conference was data privacy as a business enabler. In today's society, people are very mindful about their data and their personal information and how that's being shared and how that's being used. So I think if you put that at your forefront, how trustworthy of a company you can be from a commercial aspect, there are a lot of gains there that your Chief Marketing Officer doesn't have to spend resources on, just knowing that you've got that trust from the community, the individuals that you're targeting. So I think those are the two main aspects that I would really highlight as why a startup company should really invest in data privacy.

Trevor: No, I mean, this may be an unfair general question, but have you seen, even in your practice time frame, a shift in consumers' perception of data and data privacy and their rights? Are they more attentive to it? Is there more of a transactional relationship with it? How do you view that?

Lucas: I think it's really a case-by-case scenario. I think when I'm talking about me personally, me as a young lawyer fresh out of school twelve years ago, I didn't really know anything about where my information was being shared. I would put my email address into every website, not considering where it was going, how it was being used. I think truly getting into the nuts and bolts of GDPR really highlighted for me why we need to be concerned about that. Why does some third party marketing agency need to have all of this information on me? I think it's similar to the Do Not Call list, which is probably almost, I don't want to say archaic now, but this is truly the next step in that. I just remember my parents as a kid having all of the telemarketers call right at dinner time and on repeat. Please put me on the do not call list. Please put me on the do not call list. I think there has been a general shift in kind of focus on what personal data is being shared, but I think it's always been there. We've always had that concern, how is our information being shared? How is this inconveniencing me? We just now have different standards to abide by.

Trevor: Yeah, I think that's an interesting point. And one thing I did want to raise, you've mentioned GDPR a couple of times. What would you say to somebody who's like, well, I'm not doing any business in Europe. I don't have access to data from Europe, so I don't really need to worry about data privacy. Because the big scary stuff is over in the EU.

Lucas: Yeah, much like Ursula from our Little Mermaid story, the tentacles are long. And just because you're not focusing on the EU, there could be ramifications. I think there was a story, and this was in one of the North Carolina Bar Association's privacy annual meetings I went to a few years ago, where we discussed a CCTV case, a small mom-and-pop shop in Canada who had passed along personal data of an EU citizen. And while the fine was not as big as what we've seen from Google and Facebook, it was significant enough for this small mom-and-pop shop to be pretty affected by it. And again, they are not based in the EU, but yet they had a fine from a regulatory authority because of the information they were collecting on their closed-circuit television network.

Trevor: Wow. Well, I mean, even aside from GDPR and kind of the reaches of EU reaching US-based companies, I mean, we're starting to see more with US regulations, kind of looking to be very serious about how companies use personal information and data. What are you seeing kind of on the US front?

Lucas: I think in due-diligence and transactional activities that I've been involved with, it's become forefront. What are you doing? What are you collecting? What information are you sharing? How are you protecting that? Do you have any SOC 2 certifications? Are you HITRUST certified? Acquiring entities are becoming very concerned with our startup clients' privacy practices. Do you even know what you're collecting? So I think my number one advice for startup clients, what you can do, is data map. That is very inexpensive and at a foundational level. If you do that as you're growing, that can save you time. It's like, what is it? The ounce of prevention is worth a pound of cure. I think data mapping is that. I joke and call it the plumbing network of your data privacy. Because truly, if you've got a breach, you can look through that data map and see, well, here's the leak. Let's clog it.

Trevor: For those who aren't familiar, what is a data map? Or how do you think about that?

Lucas: Yeah, so a data map is truly what you're collecting, and where are you collecting it? I think of it as a flowchart. I think that's the easiest way to think about it. The personal data comes in here from our cookie. We store it on Google Analytics, or not Google Analytics, but GCT or Amazon. We transfer it to our service provider over here, HubSpot, or whoever it may be, for our marketing emails. And it's truly just a data flow of the information you're collecting, where it's stored, and where it's being sent. And an interesting point from the conference I just went to is that not only is this your internal plumbing, but it also shows you where you need to focus on your compliance. So if you are cash-strapped and you can't afford to invest in a multimillion-dollar data privacy program, we could focus on this right here. Look at this transfer. That's a huge hotspot for us. That's a risk area. So how can we focus on that? We can never be compliant overnight, but we can take small steps. And I think the data map is where we highlight those hotspots.

Trevor: So aside from the data map, kind of what else or how else should companies be thinking about data privacy and how to take those first steps to address these issues?

Lucas: I think in terms of compliance with a lot of these big alphabet-soup regulations that we just talked about, it's making sure that we've got an intake, we've got an info@startup.com or a privacy@startup.com that is monitored, so that when we get these individuals from California, from the EU, that are requesting, hey, what did you have on me? What kind of information do you have on me? As soon as we get that email, the timeline starts ticking in these regulations as to when we have to respond by. If we've got that mechanism in place and we can go ahead and start monitoring, we've got that domain monitored, we can truly start the foundation of our compliance for some of these regulations. And I think going back to the data map too, if we're transferring that data, there are restrictions when it comes to transferring personal data out of the EU. We want to make sure that if we've got that German individual's personal data that's come in from our cookie, are we transferring it to the US? Is it staying in Germany? That's another issue or reason why we want to make sure we've got that data map. Because those are, it's not really low-hanging fruit, but those are the easy ways that we can be compliant and build that foundation. And the data map is the key to that.

Trevor: Yeah, you may have touched on some of this, but what are some of the common mistakes that you see young companies or startup companies making?

Lucas: Avoiding talking about data privacy, waiting too late to start talking about data privacy. I think when we're talking about the US, we have a very sectionalized data privacy. We've got HIPAA for medical care. We've got CCPA at the state level.

Trevor: And then we have CCPA, which is California's law.

Lucas: That's right. Thanks. And then we have a number of consumer protections that we see with the FTC. And a lot of folks are like, you know what, I'm not in healthcare. I don't receive any PHI. So this is not applicable to me. And then we start doing a dive into what they're doing and their practices, and, well, this information is flowing from an insurance provider; that is PHI. We should be considerate and compliant with HIPAA. And so then you're spending a lot of money and resources and time to kind of reinvent that wheel to make sure that you are following and being HIPAA compliant, if we're talking again in the healthcare sector.

Trevor: Yeah, because even if you're not in the healthcare sector, and you and I have talked about this before, but this concept of, what is it, privacy by design?

Lucas: Yes.

Trevor: Talk a little bit about that and how that can be helpful for companies as they think about this process?

Lucas: Yeah. So I have given a number of talks for some of our clients on what is privacy by design, and it's truly top-down, bottom-up: starts at the top, goes to the bottom, goes back to the top, where privacy is really intertwined into every piece, every fiber of the company. It's not something that can be retroactively done. You have to build it from the foundation. You have to start with privacy by design. And I can think of no better privacy by design example than what I saw in a meme on LinkedIn recently, where a company was hosting a big conference, and the conference had red lanyards on your name tag if you didn't want to be photographed. And then if you're blue, then you could be used in social media. You could be used in whatever you wanted. But then they knew that if you have that red band, they would not use you in any. And I think that's the kind of thinking that we need to think about. It's not only, is this our day-to-day operation, but even these one-off conventions that we're hosting, we got to think about privacy. We got to build that in. We got to make sure that that individual is in charge of their personal data, their image, and how that's being used. I think the key to that is having somebody on the board. If you have a board of directors that is privacy-minded and can really talk about this at the board level. I've seen a few of our clients that we've worked with historically that their board didn't know about privacy. And it was one of those companies that didn't understand about HIPAA because they didn't think that they had PHI, when in reality, they did. And I think if we've got that mindfulness at the top and it flowing all the way down and then back up again to the top, that's truly what we mean by privacy by design.

Trevor: Well, that's interesting, because as I think about the stakeholders, maybe historically you would think of privacy as maybe falling within the IT department or something along those lines. But really, as privacy expands, it has to be a conversation amongst senior leadership. Everybody from the CEO to HR, everybody's got access to different types of personal data, and having all of those stakeholders involved seems very important.

Lucas: Yeah. And I think HR, I'm glad that you mentioned HR, because under the California CCPA, there are specific obligations for employers. What to do with employee information and how that should be shared, how that should be used. So I think it's important that you have multiple individuals inside the industry really thinking about privacy in their world. The CFO, the Chief HR Officer, and obviously the CISO, the Chief Information Security Officer. They should be working together in tandem to really push this privacy forward.

Trevor: Well, and it may be helpful too, because we've talked about personal data and kind of use some of that language, but talk a little bit about the breadth of what that means in some of these statutes, because some people might be like, well, I don't have medical information. I don't have credit card information, so why do I really need to worry about this?

Lucas: Yeah, I think, again, in the EU GDPR world, they're very lucky because they have one definition. Personal information is identifiable, what identifies me. So it's my name, it's my birthday, it's my address. There's a laundry list of personally identifying information that is considered personal information. And then in the US, we have different buckets that we need to look at. We've got this California, we've got CCPA, where personal data could be your Internet history, your browsing history, along with all of that personally identifiable information. And then we have HIPAA. I can't tell you how many times I get on a call with one of our clients, and they're like, I get PHI. Well, let's talk about that. What kind of PHI are you receiving? Where is it coming from? Well, individuals tell me about their particular diagnosis. Is that coming from an individual or is that coming from their doctor? Oh, it's coming from the individual. I was like, well, what you have there, thankfully, is not PHI. It's personally identifiable information, though. And we do want to protect it, but we're not at that HIPAA PHI protected level. I love having those conversations. The conversations I don't like are the reverse, where, like, oh, I don't have PHI, but when in reality, they very much do. So when we're in HIPAA world, we want to talk about the nexus. Where is that information coming from? Or where is that information flowing through? Because as soon as it flows through those statutorily defined covered entities, which are the physician, the healthcare system, the insurance provider, it's PHI, and we need to treat it as such.

Trevor: Yeah, and I think it's helpful, too, to know that for some of these definitions, there's certain information that we may not historically have thought of as personally identifiable information that still qualifies. I mean, things like unique online identifiers, IP addresses, those types of things. I've had that conversation with clients where they're like, we don't have any personal information. We just have this tracker that we associate with a single person. We know who that is. He's like, well, let's talk about that a little bit, right?

Lucas: Yeah, I mean, it's confusing. And again, this is where it's kind of nice to be in that GDPR world because we've got that definition and it's pretty clear.

Trevor: So aside from kind of like their internal policies and management of doing the data mapping, kind of understanding who their stakeholders are internally, how do companies kind of address data privacy, I guess, from their customer facing side of things? I mean, how do you get the authorizations that you need making sure that you're using the data the way you're supposed to? How do you advise clients on that?

Lucas: Yeah, so again, I think we really want to look at, I hate to keep sounding like a broken record, but I want to look at that data map and I want to see, where is your information coming from? What kind of information are you getting? Because unfortunately, we've got different standards here. If we are using cookies, and we are.

Trevor: Let me stop you right there. And I'm sorry to do that, but for those who are not maybe technologically-minded, what's a cookie and what does that mean?

Lucas: Yeah, so that's going to be, we think of Google Analytics as what a cookie is, but when you're in a browser and you have your information automatically saved just for convenience, a cookie does that for you. A cookie can also track where you've come from and where you're going and what you're doing on that particular website. So if you're spending a certain time on a particular pair of shoes, then that cookie will say, this individual likes these shoes. Let's target him with these shoes. Personal experience there.

Trevor: I was going to say, yeah, anytime you've gone from one website to another and all of a sudden the ads seem to follow from the first website, that was your cookie.

Lucas: That's right. So they are a marketer's dream tool because they are truly helping to target individuals with very specific ads. There are protections in every browser that you can go to, to make sure that that's removed, that people can't use those cookies. But if we're in EU world, we have to make sure we've got consent before we're taking any personal data, or GDPR world is probably a better way to say that. If we're using any personal data collected via cookies, we've got to have express written consent before we do that. Which is why every time we go to a website now, we have that cookie banner that says, hey, we're using cookies. Do you accept? And when I was in London for this conference, every website had three options. Do you accept all, accept only those necessary, or reject all? Which is the standard we technically should all be following, but we don't here in the US. So that was an interesting observation when I was in London about that.

Trevor: It's funny that you mentioned the UK trip because I feel like anything involving UK or EU travel anymore has increased 20 minutes extra each time, because just clicking on each box every time I go to a new website and be like, no, I really don't want your cookies. No, I really don't want them.

Lucas: That's right. And it's like going to news websites that I use in the States just to check on local news here in Raleigh, they had the banners correct over there as well. I was like, this is impressive. I appreciate that.

Trevor: So I think I stopped you as you were starting to talk about looking back to the data map and cookies and how we're collecting that information and then making sure we have that authorization. So what other steps are companies taking to, again, make sure they have the rights that they need to the data they're using?

Lucas: Yeah. So, again, we want to look at all of the, when we're in the US, we want to look at all of our privacy laws, from CAN-SPAM, do we have the ability to unsubscribe from marketing emails. But I think once I've looked at that data map, I'm going to back up a little bit. What I want to make sure is we've got that public-facing privacy policy that's really telling the customer what information we're taking from you, where that information is going, how we're using that information, how we're sharing that information, and what we're doing to protect that information. That's the key, I think, in kind of building your privacy foundation, is really starting with that privacy policy. You're using the data map to start with that privacy, to build that privacy policy.

Trevor: No, I think it's helpful because a lot of times you think about just the basic documents that most businesses are going to need, and sometimes the privacy policy or terms of use of their website or their software gets pushed down the line a little bit. But again, as you're thinking about privacy from the beginning, having that privacy policy in place to explain to your customers, this is what we're taking from you or what you're providing for us, and this is what we're doing with it, and having that clear line of communication. And I also think it's something that needs to be revisited. You can't set your privacy policy and leave it, then ten years later come back to it and see what it looks like.

Lucas: My party line is that it's a living document. We should be looking at it at least annually. I would love biannually, but it is truly a living document, and it also has to be indicative of actual practice. Trevor, you and I can draft a privacy policy that checks every box of every privacy regulation that's out there, but if that client's not really doing that, that's doing them more harm, because we are publicly saying, hey, we do this, which is opening us up to FTC claims and additional claims. So we always want to make sure that, yes, this is what we should be doing, but this is what we're actually doing. And we're going to work to get to that level. And when we work to get to that level, Trevor and Lucas are going to update this privacy policy so that we're there.

Trevor: Yeah. And I think that's helpful. And it kind of goes back to what you were talking about at the beginning, of why companies should care. But I don't know a lot of people who read privacy policies other than us at our jobs. But to a certain extent, it is also, I don't want to say a marketing material, but you're communicating to your clients or your customers how you're using their data, what you value about them, and what they can value or understand from your company about what you value. I don't know if you've seen it used that way, or if you see how companies treat their use of data as something that can be beneficial to the company?

Lucas: Yeah. And again, I think the conference that I just returned from, business enabler, business enabler was the theme of the week. And I think this is a great example of that. If you are being forthright with your privacy, what you're doing, how you're using this information, you're putting that customer base, you're telling them, hey, you can trust us. This is what we do. And we're seeing in this climate that that is huge and that is very attractive for customers. If I see that you are giving me the three options on a cookie, and I can only accept those that are necessary, I trust that you are going to protect my information, information that I share with you, so I might be more willing to share more with you. And I think that could be a huge boon for a lot of our clients.

Trevor: Yeah. And I think, again, as this progresses and then there continues to be more and more data regulation, it's going to be a differentiator between companies. It's just, again, how forthright you are about what you're doing and what customers understand about it.

Lucas: I agree wholeheartedly.

Trevor: So you've mentioned it a couple of times now, but you went to a conference recently on data privacy. Can you tell us a little bit about that?

Lucas: I did, yeah. It was put on by the International Association of Privacy Professionals, which I'm going to give them a plug. This is not an ad. I don't get any feedback here. But iapp.org is one of the most amazing catalogs of free resources for individuals. It has a tracker on upcoming laws in the US and ex-US, and also just FAQs on compliance. I love spending some time on that website and seeing what's been updated. But IAPP did put on this data protection intensive conference in the UK. And it happened to fall the same week that Parliament read the first UK update to their privacy regulation. Because of Brexit, they're having to redo their whole data privacy regulation, as they had fallen under the GDPR umbrella when they were part of the EU. So now they're trying to make sure that they can stay in the good graces of those in the EU. But the Conservative party, rather, is in charge right now, and they have a very pro-business mind, and so they're trying to weigh the balance there.

Trevor: So are we going to see much in the way of divergence from the UK from the GDPR standards, or do they expect it to adhere closely to it?

Lucas: I think they're going to toe the line, and I'll be frank, I haven't read the full, I think it's a 30-page, regulation. I haven't read the full document yet. I'm still kind of waiting to see where this lands because it's still being read in Parliament. So I think it's on its third reading right now. But the Secretary of State for Science, Technology, and Innovation, I believe it's her title, spoke the second day of the conference, and it was really her pep rally for this regulation. There was some warm reception from some. I was trying to look through the crowd to see what people were, if I could read their minds as they were listening to her talk. And it did seem like there was a mixed bag of reception from our crowd. But again, I could be misreading things. That was interesting, but I think one of my favorite parts of the conference was Schrems. Max Schrems discussed data transfer, and for those in the privacy world, Max Schrems is kind of a big deal. You may have heard of Schrems I and Schrems II, which are two huge lawsuits in the EU around data transfer and his organization. He has an organization that is focused on data privacy, a nonprofit, and they sued, because this affected us here in the US. The Privacy Shield was what we relied on in the US to transfer personal data in and out of the US.

Trevor: Right. This was a situation where you had data in the EU from EU data subjects. They wanted to take it to the United States or use it in the United States, and we had some policies or procedures in place to do that. And Schrems was challenging that, is that right? That's right.

Lucas: Yeah. And Max Schrems didn't like that because he didn't like what our NSA was doing with data and how they had access to our data, or the data of EU residents, EEA residents. So he challenged that, he won, which struck down the Privacy Shield. So we could no longer rely on that as a data transfer mechanism out of the EU. Which is why we have our standard contractual clauses update as well. Schrems II also affected our standard contractual clauses. And to hear him talk about this was really interesting because he claims, rather, to be very pro-data transfer. And I think as soon as he said that, the entire audience erupted in laughter. I want to say he is Austrian. I could be wrong on that, but he was very stoic and he didn't understand why it was funny. He's like, no, I truly am very pro-data transfer. He just wants it to be done a certain way, and he wants certain protections to always be there, and that individuals always are in the driver's seat of their personal data. So I really enjoyed hearing him talk. What was both comforting and discomforting is that there is no way to untangle the spaghetti. And I'm stealing the metaphor from the conference around data transfer. I think we're going to be using these standard contractual clauses, data processing agreements, for the foreseeable future. And unfortunately, I think they may grow in depth so that we can be compliant with the Brazilian regulation and some of these others. The Chinese regulation, which is coming out, is going to be another wrench in the privacy landscape as well.

Trevor: Yeah. So for our listeners, these might be documents you're familiar with, but essentially as you're negotiating any sort of transfer of data, typically you'll start to see these DPAs, which are data processing or data protection agreements.

Lucas: Yeah, either/or, but I like to call them data processing agreements, specifically if we're talking about GDPR. But I don't think that there's any right or wrong there, as long as it checks the box and we've got those standard contractual clauses attached as an addendum.

Trevor: Yeah. And so they're going to just specify how you can use their data, which hopefully is consistent with your services agreement, and then specify again how you transfer from one jurisdiction to another. Just again, to make sure you're complying with these regulations and these different rules that are applying.

Lucas: That's right. Yeah, and I think you may have a five-page contract and then a 35-page data processing agreement.

Trevor: Hopefully a lot of that data processing agreement is pretty consistent between.

Lucas: That's right. And I think, just to touch on that briefly, the standard contractual clauses are kind of my recommendation for our clients who are transferring data out of the EU or the EEA. And those are non-negotiable. Those are blessed by the regulatory authorities in the EU. There are four different modules. So depending on the relationship between our client and the client or the adverse party in the EU, we want to make sure we're using the correct module to line up. And I think you and I had a conversation about this this summer. I hated it at first. I just wanted those standard contractual clauses. I didn't want to have to think about this. But now it makes total sense, and I'm totally on board with it. It actually makes things easier because there were a lot of situations where the processor, controller, importer, exporter, which are the terms in the actual standard contractual clauses, were reversed, and you had to kind of shove this square down the circle because we couldn't alter it. They were non-negotiable. So I am on board with these now.

Trevor: Nice. So you talked about some new regulations that are coming on board. What other developments did you learn about at the conference? Or what do you see coming as far as new developments in the area of privacy?

Lucas: Yeah, so I always recommend keeping a look at iapp.org because they've got an awesome tracker of what's going on. Their current tracker lists the legislative process for those state data privacy laws in the US. I would love to say that we've got a federal privacy law coming that would supersede all of these state laws so that we could have that one standard that we need to meet. I don't foresee that happening this year. Maybe after the 2024 election, we could see some headway there. But right now, there's a number of states that have privacy laws in the works. They're either in the committees, or they're already being read on the floor. This is another plug for reviewing your privacy policy on a biannual basis, because these laws are coming out pretty quickly and they are slightly different. The Virginia law has some nuances that California didn't have. Nevada is a very nuanced situation as well. That's probably less worrisome for us in North Carolina. But it is important to make sure that you're reviewing that, to make sure that you're up to date and compliant with all of these laws as they're coming out.

Trevor: So how do you advise clients on that? You're talking to a Founder. Just like we potentially have exposure nationwide, I can't really pay for a nationwide survey of all these laws. How do I put myself in the best position?

Lucas: I think it's true for employment law as well. If you're compliant in California, you're mostly compliant in the remaining states. And that rings true here. Although, as I mentioned, there are some nuances to Virginia. We have a lot of clients based in Boston. There's the data breach law notification requirements that are very specific in Massachusetts. I feel your pain, I really do, when it comes to how expensive it is to do that nationwide search. But unfortunately, I think we do want to meet that CCPA, that California standard. But we also have to be mindful of where our data is coming from. And I think another plug for data mapping. But if we know where that data is, then again, we can focus on those compliant, those hotspots for compliance. So if we only have a large contingency in Virginia and there are threshold requirements, which when we're talking about threshold requirements, there are a certain number of individuals that we are collecting information on in that state, then we know we can focus on that Virginia nuance. And we don't have to focus on California right now because we haven't met that threshold number. So, again, I think that's where you want to spend your money. It's that data mapping.

Trevor: I think that's helpful. And I'm glad you mentioned data breach because I think that's kind of a whole nother topic, but one that I think is important to people. So what worst case scenario? There is some sort of a data breach where somebody's either got hacked or some of that personal information has been exposed in a way that they didn't intend. What do you recommend companies do? Kind of how did they respond to that? How did they plan for that?

Lucas: Yeah, I'd like to start with the easiest question and that's how do you plan for it? And I think that is training. What is a breach? I did a webinar for our clients. Gosh, that was almost two summers, it was two summers ago now. Almost just defining what is a breach, because a lot of people don't know that a breach is not necessarily some nefarious individual hacking into my computer and stealing my data to mine bitcoin. It's also, hey, I left my thumb drive at the gym and that thumb drive had all of our client list on it. It had their email address, it had potentially sensitive information on it. That's technically a breach as well, or physically handing a document to somebody that shouldn't have seen it. That's also a breach. So I think we want to make sure that all of our employees are up to date and can identify a breach. This empowers each employee to report it so that we can mitigate any potential ripple effects that this breach could have. I think having a breach response plan is number two there for planning. And that's really the, I call it the CPR guide. Hey, you go call 911. I'm going to do chest compressions. It truly is giving individual jobs. So we've got the person who's doing the deep dive into the breach to see what happened. If we are talking about a hack, we've got the IT folks really trying to see what was exposed. How was it exposed? We've got the Chief Communications Officer developing a plan to talk about this. If we have to notify individuals under a certain state statute, then we've got that ready to go. Those are the two keys. It's really to be prepared and to train individuals to identify a breach. And having cybersecurity is super helpful. Cybersecurity insurance, rather, is super helpful, because some of these key players that we're going to need in that breach response plan are going to be covered by your cybersecurity insurance.

Trevor: Yeah, I'm glad you mentioned it too, because I do think it's an important consideration for companies. I think most companies now need cyber-insurance policy. We're not insurance brokers and we're not trying to sell it here. But I think the added protection that it provides to companies not only from kind of a liability and cost perspective, but again from a process perspective, one of the benefits that the cyber liability policy is going to provide is just experts who deal with these types of scenarios day in and day out. They have a response team, they have a playbook that they can go to to kind of help you respond to it. Because hopefully this is your once and only experience with this as your company and you never have to deal with it again and haven't had to deal with it in the past. But there are people who can kind of provide that level of expertise.

Lucas: That's right. I think it's not if it's going to happen, but when it's going to happen, unfortunately. So I think the more prepared we can be, the better, because we're not going to be running around running fire or yelling fire. Rather, we're going to be doing something because we've got our job and we know what we're supposed to be doing.

Trevor: Right, well, and I also think it's the importance you mentioned of training, because not only being able to identify breaches, but as you know, so many breaches actually are caused by human error. Rather than somebody outsmarting your computer systems and getting in that way now, it's more likely somebody used a dumb password or gave their password to somebody they weren't supposed to, or accessed information in a place that they weren't supposed to. All things that can probably at least be mitigated by having decent training in place.

Lucas: That's right. And I don't want to underscore the importance of infrastructure and security there, but it truly is the individual employee that is the biggest risk factor for cybersecurity. So training and, again, making sure they can identify, hey, this email looks suspicious. I shouldn't click on it. I always recommend that if you get a weird looking email from a coworker, don't reply to that email. Teams them, Slack them, text them, call them. Hey, I got this email. It had a PDF attached to it. It says I need to DocuSign it. I don't remember needing to sign anything. Is this valid? And that's a good way to detect a phishing attempt.

Trevor: Yeah, it's amazing how sophisticated some of these are. But like you said, identifying kind of an alternate channel to kind of confirm, I think is super important.

Lucas: I agree.

Trevor: What are some other types of security breaches that you've seen kind of in your practice or that have become more common that you see companies dealing with?

Lucas: We always see the bank. You deposit this $100,000 check into your account and then you have to pay us 50,000 of that back. Though I think that's something that we still see pretty regularly. When I was in the banking world prior to law school, that was something I saw on a daily basis. I think in terms of breach, though, the phishing attempts are rampant. And I think the phishing attempts, because of the UK, I'm sorry, the Ukraine-Russian conflict, we saw kind of a spike in those last year. That springs to mind as the main fees of bad doings right now.

Trevor: No, I think that's helpful. So what else should companies be on the lookout for that we haven't really talked about or that you think about when you think about data security and privacy?

Lucas: Yeah, I think when we're building that foundation, as we mentioned earlier, it's really starting to incorporate some of that in initially. I think, should there be any breaches in the future, we know that we've got that protective foundation built and we've really built this company with that in mind. So truly that is the fortress we need. We've trained our employees. We've created this privacy by design atmosphere throughout our company. And that's really spread into every department, every employee. Everyone is empowered. I think that is the best way we can combat some of these ne'er-do-wells, as I'll say, who are trying to get in and get our data, who are trying to hack into our systems. This is the best way we can protect ourselves.

Trevor: How do you teach your kids about data privacy as somebody who kind of deals in the space? Do you find you change the way that you talk to your kids about kind of websites or email addresses or are they too young at this point?

Lucas: I think my oldest daughter, who's seven now, is really starting to get into that. And it's interesting to me because I think I am still very much entwined with social media and it's still a part of something that I do on a daily basis. But she's already very mindful of that. Is this picture going on Facebook or is this picture going on Instagram? What are you doing with my picture here? I don't want you to post this, which I think is amazing. I'm like, I respect that, we won't post this. I'll send it to Mommy instead. But yeah, it's fascinating, truly, to see such a shift in thinking. When I was seven, I would have had no idea if some random person took a picture of me. We had the old school cameras back then, but I would have had no worry about where that image was going or who was using it. But she already has that awareness and I think that's truly amazing.

Trevor: Yeah, it's interesting. I wonder if we've seen a pendulum shift because it seems to have gone from, I don't know, maybe our grandparents' generation where all information is sacred, we don't share it with anybody outside the family, to a different generation where it's like, here's everything about me, go and do as you will, back to kind of a, well, let's be thoughtful about it and choose what we share and how it's going to be used and make sure we're getting what we want from it.

Lucas: Yeah, I hope that's right.

Trevor: So we are the Founder Shares Podcast. And so I always like to ask my guests if there was one piece of advice that you could share with somebody who was starting a company or maybe thinking about starting a company, what would that advice be?

Lucas: Here comes the broken record. But data map. Data map. Data map. Make sure you know where your data is going, where you're getting your data from. Truly, in order to be compliant, we want to make sure we've got that clear flow of data. We want to make sure we've got the appropriate consents in place if we've got data coming from here, and we want to make sure that we've got the contractual protections if the data is coming from this jurisdiction. The best way that we can be proactive in a shifting privacy landscape is knowing what we have, what we're doing with it, and how we're protecting it. That's truly going to be 90% of my conversations about privacy with startups, is that data map, and I'm truly seeing a lot of positive response to that. People are very grateful to start thinking about that. Because when you're in the middle of a very strenuous and stressful due diligence or transaction and you're having to develop this data map at the ninth hour, I won't name names, but this has occurred previously, you really can save yourself some time, some energy in just developing that initially and building off of that as you grow.

Trevor: Yeah, it's a great point. Do the data map now rather than realizing a week before you're about to sell your company that maybe you're not going to be able to sell your company because you haven't handled your data the way you're supposed to.

Lucas: Yeah. And to that point, we talked about this earlier, but data privacy is becoming a huge button in due diligence for mergers, acquisitions, data sales, I'm sorry, asset sales. So it's very important. And that is going to be a good gateway and foundation for you to avoid those hiccups and potential roadblocks in that transaction.

Trevor: Yeah, I think it's a fine point because, again, it's not so much that you're just trying to avoid the fine, you're not just trying to avoid some sort of a lawsuit because data got breached. But these are questions that are going to get asked when you take in the financing. These are questions that are going to get asked when you look to sell. So deal with it now, deal with it proactively, and you could be in a better position.

Lucas: That's right.

Trevor: Awesome. Well, Lucas, thanks so much for all of the information and the wealth. If people want to get a hold of you and learn more, what's the best way for them to reach you?

Lucas: Yeah, lbeal@hutchlaw.com, and find me on LinkedIn. As I mentioned earlier, I do like a good social media.

Trevor: Sounds good. Thanks so much, Lucas.

Lucas: Thanks, Trevor.

Trevor: That was Lucas Beal, and if you need any help with data privacy, be sure to contact him at hutchlaw.com. If you're a founder or business owner and need legal advice, we'd love to hear from you. You can start by visiting our website at hutchlaw.com. That's hutchlaw.com. We have the capacity to help you out with just about any legal need your company may be facing. We're passionate about the innovation economy and ready to help you on your entrepreneurial journey. This show was edited and produced by Earfluence. I'm Trevor Schmidt, and we'll talk to you next time on the Founder Shares podcast.