1. Do we receive any health information from health plans, health care clearinghouses or other health care providers?
If you do, you may be required to comply with the Health Insurance Portability and Accountability Act as a “business associate.” See 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e), as modified by the HITECH Act of 2009. This requirement means you will need a written agreement with the provider of the information (the “covered entity”) that: describes your permitted and required uses of protected health information; promises that you will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; promises that you will report misuses of the information and any breaches; promises that you will use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract; and ensures that any subcontractors that create, receive, maintain or transmit electronic protected health information do the same.
2. Do we store, process or transmit payment card information or sensitive authentication data?
If so, you will need to comply with the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). Among other things, this rule requires that you implement certain security measures, such as performing security assessments or, in some cases, hiring a third party to conduct security assessments. The risks of noncompliance are monetary penalties, violation of state laws and exclusion from the major payment card systems, such as Visa and Mastercard. If you outsource this task, then you don’t have to comply with PCI DSS. But you should choose your vendor carefully. And you should make sure your agreement with the vendor provides that the vendor will comply with PCI DSS in handling your customers’ data.
3. Do we collect personal information from children under the age of 13?
If you do, you will need to comply with the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501, et seq., as implemented by 16 CFR Part 312. And if your immediate answer is no, you should look at that closely. The rule defines “personal information” broadly to include geolocation data down to a street name, as well as any persistent identifier. The rule also defines “collecting” broadly to include letting information be made publicly available on your website/app, passively tracking a child, or even the collection of such information by another company through your website/app (e.g., through an ad network or plug-in) if your website/app is “directed to” children. COPPA’s requirements are numerous but include, among other things, obtaining “verifiable parental consent” before collecting personal information from a child, providing notice of your practices with respect to that information, including providing a list of all operators collecting or maintaining that information, and allowing parents to update or delete the information.
4. Do we collect any sensitive information, such as Social Security Numbers (“SSNs”)?
If so, you will want to do a couple of things. First, you should consider whether your security measures are reasonable. The Federal Trade Commission (“FTC”) has authority under 15 U.S. Code § 45 to bring actions against “unfair or deceptive acts or practices” (and each state has enacted its own version of that Act). The FTC uses this power to bring enforcement actions against companies for failing to employ “reasonable” security measures to protect personal data. “Reasonableness” is a sliding scale, so the more sensitive the data, the more security measures you need to take in order to reasonably secure it. Generally, SSNs and similarly sensitive data should be encrypted, at least during transmission. Second, you should investigate whether you are required to comply with Massachusetts General Law Chapter 93H and regulation 201 CMR 17.00, which require entities that store or use personal information about Massachusetts residents to develop and enforce a written information security plan.
5. Do we knowingly collect any information from individuals outside of the United States?
If you answered “yes” (or “maybe”) to any of these questions, consider contacting an attorney in Taft’s Start-Up and Growth Companies practice. We will be happy to advise you and make sure that data privacy and security laws aren’t a stumbling block to your venture’s success.