Silicon Valley is up in arms over revelations that employees at Carta's brokerage business improperly accessed sensitive cap table data from Carta's core SaaS business in order to connect buyers and sellers of startup shares. The conventional wisdom is to blame Carta for this "breach of trust" in mishandling sensitive customer data.
But there's another way to view this story that puts responsibility back on the global startup community. Founders freely provided their confidential cap table data to Carta without any data-centric policy controls and technical safeguards in place. In the spirit of caveat emptor, if you subscribe to Carta’s service and you agree to give them your sensitive cap table data without any policy controls in place, then perhaps you bear some responsibility for any misuse.
Rather than clutch pearls when things go wrong, founders should have demanded proper data protections upfront. What if founders agreed to share their data with Carta only after it had been protected by a policy control capability like the open Trusted Data Format (TDF)? The data itself could have been policy-wrapped to restrict access to only approved purposes.
With granular data-centric security controls, implemented by Carta, or implemented by the data owners themselves, this entire fiasco could have been avoided. Founders could freely share sensitive data with Carta without sacrificing security, privacy, or control. Properly protecting data from the start would have prevented improper access downstream.
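To make the "policy-wrapped data" idea concrete, here is an added, self-contained Python illustration; it is not code from Carta, Virtru, or the TDF specification, and it simplifies the real format. It keeps the three ingredients the paragraphs above rely on: the payload is encrypted, a policy object (who may receive the data and for which approved purposes) travels with the ciphertext and is cryptographically bound to the data key so it cannot be quietly widened, and a key-access service releases the key only after checking the requester against that policy. The cap table excerpt, the organization names, the purpose strings, the `KeyAccessService` class, and the HMAC-based stream cipher standing in for a real AEAD such as AES-GCM are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed sample payload: the kind of record a founder would share with a cap table service.
SAMPLE_CAP_TABLE = b"Series A: Founder 60%, Investor X 25%, Option pool 15%"


class AccessDenied(Exception):
    """Raised when the key-access service refuses to release the data key."""


def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for a real cipher.
    # Each object gets a fresh random key, so the stream is never reused.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass
class PolicyWrappedObject:
    object_id: str
    ciphertext: bytes
    policy: bytes   # canonical JSON; travels with the data wherever it is shared
    binding: bytes  # HMAC(data_key, policy): the policy cannot be altered without the key


class KeyAccessService:
    """Simulated key-access service (assumption for this example): holds data keys
    and releases one only after verifying the policy binding and the requester."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, object_id: str, key: bytes) -> None:
        self._keys[object_id] = key

    def request_key(self, obj: PolicyWrappedObject, requester: dict) -> bytes:
        key = self._keys.get(obj.object_id)
        if key is None:
            raise AccessDenied("unknown object")
        # Integrity of the policy is checked before any of its contents are trusted.
        expected = hmac.new(key, obj.policy, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, obj.binding):
            raise AccessDenied("policy binding mismatch: policy was altered")
        policy = json.loads(obj.policy)
        if requester["org"] not in policy["dissem"]:
            raise AccessDenied(f"{requester['org']} is not an approved recipient")
        if requester["purpose"] not in policy["allowed_purposes"]:
            raise AccessDenied(f"purpose {requester['purpose']!r} is not approved")
        return key


def wrap(kas: KeyAccessService, plaintext: bytes, policy: dict) -> PolicyWrappedObject:
    """Encrypt the payload under a fresh key and bind the owner's policy to that key."""
    key = secrets.token_bytes(32)
    object_id = secrets.token_hex(8)
    policy_bytes = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    binding = hmac.new(key, policy_bytes, hashlib.sha256).digest()
    kas.register(object_id, key)
    return PolicyWrappedObject(object_id, _xor(plaintext, key), policy_bytes, binding)


def unwrap(kas: KeyAccessService, obj: PolicyWrappedObject, requester: dict) -> bytes:
    """Decrypt only if the key-access service approves the requester for this object."""
    return _xor(obj.ciphertext, kas.request_key(obj, requester))


def demo() -> dict:
    """Three scenarios: approved use, an unapproved purpose, and a tampered policy."""
    kas = KeyAccessService()
    policy = {"dissem": ["carta-saas"], "allowed_purposes": ["cap-table-management"]}
    obj = wrap(kas, SAMPLE_CAP_TABLE, policy)
    results = {}
    approved = {"org": "carta-saas", "purpose": "cap-table-management"}
    results["approved"] = unwrap(kas, obj, approved) == SAMPLE_CAP_TABLE
    brokerage = {"org": "carta-brokerage", "purpose": "secondary-matching"}
    try:
        unwrap(kas, obj, brokerage)
        results["brokerage_denied"] = False
    except AccessDenied:
        results["brokerage_denied"] = True
    # Someone holding the object tries to widen the policy without holding the key.
    widened = {"dissem": ["carta-saas", "carta-brokerage"],
               "allowed_purposes": ["cap-table-management", "secondary-matching"]}
    tampered = PolicyWrappedObject(obj.object_id, obj.ciphertext,
                                   json.dumps(widened, sort_keys=True, separators=(",", ":")).encode(),
                                   obj.binding)
    try:
        unwrap(kas, tampered, brokerage)
        results["tamper_detected"] = False
    except AccessDenied:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the decision to release the key is made by the policy the data owner attached, not by whoever happens to hold a copy of the ciphertext; a second business unit with database access to the wrapped objects still cannot read them for a purpose the owner never approved, and an attempt to edit the policy is caught by the binding check before the policy contents are even consulted.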
As I have written previously, this is not a technology issue — the technology is ready — it is a willingness issue. My brother, Will Ackerly, and I started Virtru in 2012 to address a global crisis of Trust and lay the foundation for individuals and enterprises to exercise the fundamental human right to privacy and security. Today, we are giving the public and institutions (over 7,000) easy-to-use and practical tools to take action to protect their data wherever it is shared. Our careers in government gave us insight into the foundational failure of the early internet: that you must trust third parties to “do the right thing” with your data, and that these entities were, at best, cavalier with this responsibility. (And, Virtru is indeed not alone – there is an emerging group of companies and groundbreaking new approaches, working to return ownership and control to data owners.)
It's time for the startup world to evolve its understanding of data-centric security. Rather than simply blame third parties after a breach, demand they implement controls like encryption and granular policy enforcement on your data first. Take responsibility for securing your data before it ever leaves your hands.
There’s also strength in numbers: When a critical mass of privacy-minded startup leaders and their organizations take action to demand better protections for data, big things can happen — and we all benefit as a result.
Once again, Carta's catastrophe demonstrates the need for data-centric security standards to allow organizations to share sensitive data without sacrificing control over the data itself.