IP Advice for Connecticut Start-Ups: Protecting Your Client’s Personally Identifiable Information

David Benoit presents his fourth post as a guest blogger on the topic of Intellectual Property for Connecticut Start-Up companies. In this installment, he focuses on the need for entrepreneurs to protect one of their clients' most important assets: client personal information.

In addition to implementing best practices with respect to a company's own IP, start-ups need to be equally mindful of taking adequate safeguards to ensure that any client IP that is collected, stored, manipulated or distributed is not used in a manner that will expose the start-up to liability. Client IP most often includes "NPI" (nonpublic personal information), which covers personally identifiable financial information and any lists, descriptions or other groupings of consumers derived using personally identifiable financial information. Unauthorized disclosure of, or access to, personally identifiable customer data typically results in financial liability (i.e., regulatory fines, penalties and legal fees) and reputational liability (i.e., damage to the goodwill that the start-up has worked hard to build).

Knowing which IP safeguards to implement, and what steps must be taken if an IP breach occurs, requires a thorough understanding of the ever-changing, multi-jurisdictional laws and regulations applicable to the start-up's business. These can include federal regulations as well as state- and industry-specific requirements governing the collection, storage, deletion and distribution of sensitive customer or end-user data. Engaging a privacy attorney who understands not only your business but also your clients' businesses is important to implementing best practices.

Understanding these regulations and standards, such as the Children's Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Fair and Accurate Transactions Act (FACT Act) and the Payment Card Industry Data Security Standards (PCI DSS), is extremely important to minimizing liability exposure. Furthermore, knowing how to use customer IP without overstepping boundaries requires a well-written privacy policy, terms of service and other applicable data use agreements.