Executive Summary: Haekka’s Comprehensive Compliance Guide for Startups 

Simar Kohli
February 4, 2022

This is an executive summary of Haekka’s Comprehensive Compliance Guide for Startups. This guide introduces various types of compliance and includes the three most important steps in becoming compliant. For the complete version of the guide that includes specific details for each type, check out www.haekka.com/comprehensive-compliance-guide-for-startups today!

Introduction: What is compliance?

The transition to remote work has created many new opportunities and challenges for companies looking to conduct business virtually. Cloud-connected applications have enabled people to share data more freely than ever and can save firms billions of dollars if utilized correctly. However, the movement to the cloud also brings many risks: the largest of which is regulatory compliance. The International Compliance Association defines compliance as “the ability to act according to an order, set of rules, or request”. Although that appears straightforward, there is a ton of teeth behind that seemingly simple definition. 

Compliance is more than a buzzword. It’s a set of legal parameters that must be followed in order to allow your startup to operate. It’s a way of building trust with your customers so they know that your team is safe to work with. It’s a means to ensure that your employees are following best practices across different aspects of employment. And for many companies, to put it bluntly, it's a pain in the butt to deal with.  

Maintaining compliance can be extremely challenging for any firm, but it’s particularly difficult for small, growth-oriented companies. Most startups rarely have the budget to hire people whose sole focus is keeping the organization compliant. Compliance standards like SOC 2, HIPAA, etc. all have very specific requirements that demand knowledge of the areas they cover, and the average person won’t know where to start. Another difficulty most startups have is that they onboard and terminate employees much faster than more established companies. New hires can represent a significant risk for companies if they are not up to speed on international or federal regulations. It’s easy for a founder to ignore compliance and focus on growth, but this will come back to hurt their startup in the future.

Here at Haekka, we’re believers in building compliance and organizational controls from the ground up. It's much easier to do something right before you start operations than to retrofit it after development. We also believe that everyone at a company, no matter their role, should play their part in maintaining compliance. Even if a startup has the right processes in place, all it takes is one employee deviating from said processes to ruin compliance for everyone.

Non-compliance can destroy a startup by causing immense legal issues and eroding trust with clients. Bigger companies have tons of money to invest in compliance initiatives, but a startup is inherently at a disadvantage. That's why Haekka has written this Comprehensive Guide to Compliance for Startups. This compliance guide covers several different types of compliance certifications available, the processes for getting certified, costs associated with getting compliant, issues with non-compliance, and much more! It also covers various steps different companies should follow based on their size and growth stage. Here's everything a startup needs to know about compliance. 

What are some common compliance frameworks?

There are many different types of compliance requirements out there, each of which is important in different scenarios. Some firms will need every type of compliance listed in this guide while others will only find one certification to be relevant to their business. Here is a high-level overview of the most common types of compliance. 

SOC 2

SOC 2 stands for Service Organization Control 2. A company can become SOC 2 certified by passing an audit from a firm accredited by the American Institute of Certified Public Accountants (AICPA). SOC 2 is focused on protecting a company's customer data. It consists of criteria for ensuring best practices that different organizations apply based on their needs, NOT a specific set of tools/procedures. This means that every company will have a different SOC 2 report. Any startup that is going to work with private customer data should get SOC 2 certified to build trust around handling data security and privacy. Although SOC 2 is often focused on North American companies, it is still recognized globally as a way to verify data security.

ISO 27001

ISO 27001 is short for “ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements”. Essentially it's another information security certification, but this one is the leading international standard. While there are many ISO standards (which will be covered later), the most common is ISO 27001. Unlike SOC 2, ISO certifications require adherence to a defined set of policies and procedures. All companies looking to conduct international business utilizing any private information should get ISO certified.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. It was written by the United States government to protect sensitive patient health information from being transmitted without the patient’s knowledge. One critical component of HIPAA is the Privacy Rule, which outlines how covered entities (essentially any company working with private health information) must handle medical data. One distinction between HIPAA and other certifications is that there is no “HIPAA certification”. HIPAA provides a legal minimum that covered providers must abide by, so HIPAA violations can lead to fines and/or jail time. Although they can’t get ‘HIPAA certified’, any company working with private health information should undergo training to make sure they are not at risk of violating HIPAA requirements.

HITRUST

HITRUST is another certification based on protecting medical information. HITRUST is special in that it builds on top of HIPAA by providing a specific set of controls that map to HIPAA requirements. HITRUST differs from HIPAA in that HITRUST is administered by a private company. HITRUST goes into much more detail than HIPAA and needs significantly more testing and validation for a company to pass an audit. The HITRUST organization has also created a Common Security Framework (CSF) for companies to take their security to the next level. Getting HITRUST CSF certified can be an extremely time-consuming and expensive process, but it is worth it in many situations. If you want your company to be as legally protected as possible, utilize a HITRUST framework and potentially look into getting CSF certified.

PCI

PCI compliance is adhering to standards created by the Payment Card Industry Security Standards Council, a group composed of members from the five major credit card companies. PCI is another example of compliance where you can’t get ‘certified’, but failing to meet standards can lead to significant fines. The FTC adopted PCI as a de facto requirement for merchants in 2015, so there is government enforcement as well. Although there is no specific certificate of compliance, companies looking to make sure they are using best practices for cardholder and payment information should undergo a third-party audit. Any startup that uses credit card information or other digital payment methods should undergo PCI training and complete an audit to protect themselves and their customers.

Privacy

Many governments have written their own compliance frameworks focused on privacy. Here is an overview of common privacy laws your startup will likely deal with. 

General Data Protection Regulation (GDPR)

GDPR is the European Union's legislation on protecting data and consumer privacy. GDPR aims to grant consumers more control over how their data is used and who can access said personal data. There is no GDPR certification, but violating GDPR can lead to legal action against businesses. GDPR does not only cover data within the EU. Companies transferring data out of the EU or conducting business with European citizens are responsible for adhering to GDPR. Any company with operations in Europe or involving European citizens should undergo GDPR training to avoid compliance issues in case of an audit.

California Consumer Privacy Act (CCPA)

The CCPA is a piece of California-specific legislation that went into effect in 2018. The act is focused on giving consumers visibility into how companies are using their data. The first key component of the CCPA is that individuals have the right to know if a business collects their data and how said business uses/shares it. The CCPA also guarantees individuals the right to delete personal information collected about them. Individuals were granted the right to opt out of their data being sold. Finally, the CCPA bans discrimination against individuals for exercising their CCPA rights.

Virginia Consumer Data Privacy Act (CDPA)

The CDPA was passed in March 2021 to help Virginians take control of how their personal data is used. The CDPA is focused on 6 core rights:

  • Right to access: Consumers can see whether a controller is processing their data and have the right to access said data.
  • Right to correct: Consumers can correct inaccuracies in their personal data.
  • Right to delete: Consumers have the right to delete personal data about themselves.
  • Right to data portability: Consumers have the right to access the data they provided to the controller in a portable format that allows them to transfer the information easily to another controller.
  • Right to opt out: Consumers have the right to opt out of the processing of their data for targeted advertising, the sale of said data, or other similar activities that affect their privacy.
  • Right to appeal: Consumers have the right to appeal any denial of their rights under the CDPA.

Colorado Privacy Act (CPA)

Like the CCPA and CDPA, the CPA is focused on protecting consumers and their privacy. The act is primarily focused on controllers, a controller being a person that “determines the purposes for and means of processing personal data”. Under the CPA, controllers must:

  • provide consumers with a “reasonably accessible, clear, and meaningful privacy notice”,
  • disclose the sale of personal data and allow customers to opt out of the sale of their data,
  • limit data collection to what is deemed reasonably necessary in relation to the purpose of data collection,
  • take measures to secure personal data, and
  • obtain consumer consent before processing personal data.

Children's Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act was passed in 1998 to protect the privacy of children under 13. COPPA applies to all websites directed towards children under 13 and any website that knowingly collects data from children under 13. COPPA puts parents in control of their children's data. Companies must get parental consent before collecting or transmitting any personal information for kids under 13. COPPA also mandates that companies do not collect any additional information from children under 13 beyond what is deemed reasonably necessary for the children to use their platform. COPPA is why platforms like Facebook require all users to be 13 and up. Recently, additional legislation has been proposed to raise the internet privacy age to 16 and enact further restrictions on collecting data from minors.

Additional legislation 

While the CCPA, CDPA, and CPA are the first three major privacy bills signed into law, many other states have introduced privacy bills similar to already existing legislation. As companies continue to grow and conduct business across state lines, it’s important to know the privacy laws of any state your firm operates in. There are also many proposed federal laws that could become a factor in maintaining compliance over the next decade. A few bills that are currently in committee are the Protecting Consumer Information Act of 2021, the Information Transparency and Personal Data Control Act, and the Cybersecurity Vulnerability Remediation Act. Keeping up to date on evolving privacy legislation is a great way to make sure your startup stays ahead of the curve on handling consumer data in accordance with state and federal law.

Haekka has training for all of the compliance frameworks in this guide, so your team should have no issues passing audits!

3 Crucial Steps to Becoming Compliant

While this compliance guide offers up many specifics on navigating various compliance frameworks, there are several commonalities between all of the different methods used to pass audits. Even if your startup is not looking for any particular certification, proof of compliance helps business development. It’s also important to note that in 2021 passing audits has become a minimum requirement for many businesses and vendors, particularly enterprise customers. Here is a more generalized version of how to keep your customers, employees, and company as safe as possible.

1. Team training

The first thing any leader must do when growing their startup is ensure their team is properly trained on security best practices. Human error remains by far the largest threat to a team's security. Having a secure system without making sure your team is up to date on security awareness is the equivalent of buying a sturdy deadbolt for your home and leaving the key on the sidewalk. The rise of increasingly elaborate phishing scams requires training built for work in 2021. This is where using an LMS that's integrated with collaboration tools can prove extremely beneficial. Research shows we learn best with other people, and lots of learning happens when teammates ask each other questions and help one another. Haekka was built for remote work from the ground up. We realized that training with coworkers in person does not reflect the future of work. The pandemic increased adoption of tools like Slack and Microsoft Teams, and the transition to said tools does not appear to be stopping anytime soon.

2. Gap Analysis

Regardless of whether you are trying to pass an audit, thoroughly evaluating your technology, processes, and people for weak points is paramount to keeping your company secure. This should ideally be done before you start storing, processing, and transmitting any private data. It can be done in several ways. The first is using in-house engineers to test the system and find vulnerabilities. This has the benefit of keeping costs down, which is important for growing companies, but also runs the risk of people missing their own errors. Another way to check your system's security is using third-party resources. This can be third-party software that automatically runs security tests or a separate auditor. In the rare situation where you aren’t looking to pass an audit, it’s still a best practice to have an auditor conduct a gap analysis.

The second part of a thorough gap analysis is testing your employees. This is analogous to training, but it actually confirms that training was effective. Micro-learning with frequent quizzes is proven to be more effective than traditional methods, and Haekka is all in on quizzes. Each training is broken up into several lessons, and the majority of those lessons have a quiz at the end. Haekka even allows administrators to automatically retest employees on a weekly, monthly, quarterly, or annual basis! The weekly quizzes are designed to take under 5 minutes and are a great way to ensure your employees don’t have knowledge gaps.

3. Collect evidence

The third high-level step for keeping your systems secure is collecting as much evidence as possible. In this context, that means keeping detailed logs of things such as logins, when data is entered, whether the system crashes, and anything else involved in protecting private data. Collecting evidence is extremely useful. It helps your team identify any weak points or potential points of failure. It also provides a safety net against potential lawsuits, depending on the context of the legal action. The most important reason to collect evidence is to prepare your firm for an audit. If you intend to grow, at some point you will need to pass one if not several audits in order to avoid hitting a wall. No mid-size or large company will work with non-certified vendors, and these days even smaller firms organize compliance. It’s also important to collect evidence on employee training for auditors. Audit processes involve talking to employees and seeing if they are utilizing safe practices, so auditors will want evidence that employees have completed training and are kept up to date on constantly evolving security threats. Haekka was built to make compliance less of a burden for growing companies, so it automatically collects evidence for you. Haekka makes sure you never get caught unprepared for an audit!

We hope this compliance guide makes it easier for your startup to get and stay compliant. Here at Haekka, our founders Travis Good and Ryan Rich have decades of experience dealing with the challenges of compliance, particularly in cloud-connected healthcare. They know firsthand how difficult closing gaps in security can be, so they decided to build Haekka to fix that. Whether your team is looking for HIPAA, SOC 2, PCI, or other compliance frameworks, Haekka can help. If you ever feel the need to speak to an expert, the Haekka team is always available to provide guidance. Let us help you put compliance on autopilot!