Showing 28 posts by Mitzi L. Hill.
If you have received a deluge of emails regarding updated privacy policies from services you use, you are not alone. They relate to a new set of data privacy rules that went into effect across the European Union on May 25, known as the General Data Protection Regulation (GDPR). The new rules have sweeping implications for businesses around the world. In fact, Facebook and others have already been sued for non-compliance with the GDPR.
If you do business in the EU (including the UK, which has said it will honor the rules) in any way, it would be a good idea to check with counsel regarding whether your business must comply. Although the rules are designed to cover consumer privacy, the way they are written is very broad; B2B as well as B2C customers are affected.
Common facts that can subject you to the GDPR include having European sales or facilities, using cloud-based storage for your website or portal, performing services in the EU, serving customers located there, having employees there, having vendors there, and having European employees who work in the United States temporarily.
The fact that your company is US-based does not matter: the rules explicitly apply to any company handling the personal information of persons in the EU, regardless of the company’s location. In addition, if you serve customers who pass you EU data, they may ask you to certify your security practices or to sign a “Data Processing Agreement” that makes certain assurances about your practices.
In addition to their operational implications, the rules require notice of a breach of any EU personal data within 72 hours – a huge hurdle unless you have conducted some advance planning. Many companies are reviewing their privacy policies, work flows, employee policies, cyber preparedness planning, vendor agreements, and other matters in connection with the GDPR. Not all companies have to conduct a “scorched earth” approach to privacy, but nearly all companies would do well to consider their business and privacy practices and make adjustments where they can.
The rules as drafted leave a great deal of room for the regulators to maneuver; they are very ambiguous. The very clear part of the GDPR, however, is this: fines for non-compliance can be assessed up to the greater of €20 million or 4% of global revenue.
Taylor English’s Data Security & Privacy Team is assisting the firm’s clients with assessment of the client’s exposure to the rules, policy drafting and review, contractual terms relating to the new rules, and liaison with security and technical resources. Our team has extensive in-house compliance experience, internationally and domestically, as well as broad expertise in the legal aspects of information security planning and incident response.
The continuing fallout from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.
It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.
If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.
The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.
The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.
According to a new survey by insurer Nationwide, almost half of all businesses have been the victim of a cyberattack without knowing it.
Most of the headlines about cyber exposure and planning focus on the need to avoid exposure to consumer claims. This neglects the real purpose of cyber planning for most companies, however: protecting your revenue and securing your growth.
Many businesses don’t have a lot of “personally identifiable information” on file, and the penalties associated with losing control over that information are generally not large (outside healthcare, financial services, and similar industries). With those facts in front of you, it can be hard to justify spending scarce resources on a defensive plan.
However, your own business assets and your own growth/succession are at risk no matter what kinds of records you hold in your company. The time and money you spend on developing and practicing good cyber habits is priceless when you think about your IP, your trade secrets, your pricing, your “secret sauce” getting out via a hacker. Bad guys troll for valuable information all the time, and often sell batches of information via online black markets. This has nothing to do with the headline-grabbing consumer suits that garner all the attention.
How would you value your business in a sale if you knew you’d been the victim of a cyberattack and couldn’t demonstrate that your core assets remained secure? How would you talk to your investors or your board following an attack? What would you want to know about a target’s cyber habits before buying its business?
These are the questions that should be driving our discussion of cybersecurity planning: #cyberforgrowth, not cybersecurity as a means to fend off rare (and rarely successful) consumer claims.
The new Administration may stand for regulatory rollback in many areas, but consumer privacy is (so far) not one. Trump's Federal Trade Commission (FTC) is pursuing a router manufacturer whose equipment hasn't caused any consumer harm yet: no data leaks, no identity fraud, no damages. Companies hoping to escape scrutiny under a relaxed privacy watchdog should consider themselves on notice.
As a best practice, it is a good idea to review your privacy policies and the marketing of your services or goods. Any claims you make about security and privacy of consumer data are fair game for scrutiny and investigation. The FTC so far has been unchecked by the courts, and this router case signals that the agency intends to continue vigorous enforcement—even under an anti-regulatory President.
Tax season brings with it many headaches. For the last couple of years, W2-related phishing scams have been among them. Cyberthieves may send email to HR or financial personnel that looks like it comes from a senior executive. The email may ask for copies of W2s for all employees. The scam used to be targeted to corporations only, but is now hitting school systems and non-profits as well.
As part of its cyber risk planning measures, any organization would be well served to have training and policies in place regarding how to respond to emails asking for this kind of information. In addition, no organization should be sending documents such as W2s by unsecured email.
Employee awareness is one of the biggest and best defenses to this kind of scam: knowing that the company policy is never to send such sensitive information in the clear, no matter who asks, can go a long way to preventing problems. A timely reminder during tax season is a good idea, as is revisiting the organization's cyber plan overall at regular intervals.
In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.