Showing 12 posts in Data Privacy.
These changes are driven by new Europe-wide privacy regulations coming into effect in May.
It’s clear that the giants of the online world have to comply with those rules.
What has been less clear is that many, many companies that don’t focus their efforts online may also have to comply.
The new General Data Protection Regulation (“GDPR”) covers collection and processing of “personal data” of EU residents. The new rules replace a twenty-year-old privacy framework that launched at about the time the public Internet did.
The new law reflects the massive growth of online services since then, the growing use of personal consumer data across a wide variety of businesses, and the desire of European regulators to protect their citizens against these increased methods to access and use their data.
GDPR AND EXPANDED MEANING OF “PERSONAL DATA”
The rules apply to any information that identifies or can be used to identify a natural person.
Even if that information cannot identify someone on a standalone basis, it may be considered protected information if it could be used in combination with other information to identify someone.
This goes well beyond name, email address, and credit card number to capture cookie data, IP address, biometric information, location data, and other material not generally considered “personal” in the US.
REACH AND REQUIREMENTS OF GDPR
If your business receives or performs any operations on “personal data” of EU citizens, you may be subject to the new laws, even if all your operations are in the US and even if your connection to the data is passive. (For example, exporting personal data by storing or transmitting it in the cloud on non-EU servers could trigger the law’s requirements.)
In addition, you may become subject to the requirements of the law if your suppliers or customers impose the law’s standards on you by contract in order to protect themselves. The rules impose numerous technical requirements regarding planning and assessment of data collection, security, and use; may require appointment of a Data Privacy Officer; give EU consumers a “bill of rights” regarding how their information is used; and require notice of data breaches within 72 hours.
PENALTIES AND PLANNING
The new rules are designed to increase the reach of the EU regulators, to protect a wider variety of information, and to make non-compliance hurt. The GDPR provides for penalties up to €20 million or 4 percent of global revenue (whichever is higher) for non-compliant handling of EU personal data.
The effort to achieve compliance will require legal, technical, and other resources.
If your company has a website, employs online or email marketing, deals with overseas partners or customers, uses cloud storage or transmission, or otherwise has access to EU personal data, you need to be aware of these rules and their potential impact for you.
Likewise, if your business partners have significant overseas operations such as those listed, you may become subject to the new rules through your relationships. Either way, the potential penalties are serious and the potential for disruption and embarrassment serious.
Proper planning can help you evaluate whether you are subject to the new rules and how to address any gaps in your company.
The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.
For other businesses, Equifax is going to be a case study — for YEARS — on how not to handle a crisis. Among the reports:
- The company’s leadership ignored warning signs of an issue.
- The warnings were ignored because of a spat with the vendor that flagged the issue.
- The C-suite didn’t inform the board of the known breach – involving HALF of Americans – for three weeks after learning of it.
- The company approved stock sales by several insiders after the problems came to light.
- Etc. Etc.
In other words: the news keeps getting worse.
For companies on the outside of Equifax, what are the lessons to draw? This is a timely exercise to run through: October is National Cybersecurity Month.
- Lock up your information. This is priority one. It is not, however, enough. All locks can be picked. There has to be a behavioral focus as well.
- Create a culture that values confidentiality and makes those problems an urgent priority. If your factory shut down, you’d be all over it; an infosec/cyber compromise might be no less urgent. Don’t wait to find out.
- Have a response plan that goes into effect upon discovery of a problem. Who steps up, what do they do, what do they say, and to whom? Knowing these things in advance, you will be able to act more quickly, and you will be more sure-footed, if you ever face a problem.
- Communicate clearly and timely. Let appropriate stakeholders know when you discover a problem, and be sure the timing, scope, and substance of those communications takes into effect the potential fall-out of the issue. Employees need to hear. The board needs to hear. The C-suite needs to hear. The public may need to hear. What they hear, and when, and in what order, may depend in part on the incident. But you have the power to tell the story at the beginning. If you tell a bad story, or a partial story, you lose control of the narrative.
- Security must be a priority from the top down. That is the only way to accomplish #1-4, and that is the biggest lesson of this debacle. It’s clear in hindsight that the company doesn’t have a culture attuned to confidentiality and security. Plenty of people could have made this better, but the collective response — from the outside and after the fact — looks like a big, collective shrug.
In short, cyber and infosec planning cannot be an afterthought: they have to BE your business. And they have to be treated like any operational issue, not like a mere box to check on your list of annual compliance matters. There is no better defense than a good offense. It’s your company: why wouldn’t you protect it? #cyberforgrowth #cyberforbusiness
It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.
All these entities “should know better.” They probably had layers and layers of plans in place. Their plans probably aimed at security for the benefit of their third-party constituents. They see the same headlines we all see, their lawyers tell them “you should do this so you don’t face angry consumers.” Their planning focused on liability avoidance.
Cyber planning IS important. The reality for most companies, though, is that the real value of planning is that it allows you to protect your own assets. Most companies will never be the subject of worldwide headlines and consumer class-action suits about a hack of their networks. Hackers routinely penetrate the networks of companies large and small, but the true danger for most companies is not a loss of consumer data. It’s that their own assets may take a hit.
Paying attention to cyber matters will be increasingly important as these major players continue to take very-public hits: it gets harder and harder for even small companies to say, “I never thought it could happen to me.” But the resources directed to information security planning don’t have to be all about network penetration and bells and whistles. They don’t have to be fancy and only capable of implementation with a huge legal, IT and risk management staff. A lot of problems can be avoided by simple process tweaks and employee awareness and training.
Consider the company customer records: they may not have any “personally identifiable information” in them, the loss of which drives the massive breach headlines we now see so routinely. But they probably contain pricing, discount information, volume and tiering plans, sales cycle data, and other material that would make you vulnerable if it got leaked.
Now consider that information in an Excel spreadsheet, not protected by encryption, role-based access, or even a password. How easy would it be for someone to email that outside the company, whether accidentally or on purpose?
Think it doesn’t happen? It does. I’ve had multiple clients face some variant of this spreadsheet email in the last three years. It’s disruptive, it’s expensive, it’s embarrassing, and it’s got the potential to lead to liability. Most importantly, it’s compromising your “secret sauce.” Why wouldn’t you spend some time on planning and training and shoring up a few easy practices to prevent this kind of event?
If you are a small company looking to grow, and looking for a buyer, having your assets protected is important to your value: that’s why you’ve registered your intellectual property, for instance, and put contracts in place to protect it. If you are a company at scale, protecting your assets is about investing in your stable returns.
None of this is expensive or scary or overly “techy.” It’s just good business sense.
If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.
The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.
The EU views privacy as a fundamental human right; it is enshrined that way in the EU constitution. In this way, regulators and citizens of the EU are far more attuned to personal privacy than most Americans. The new privacy rules carry potentially very steep penalties: fines for violations can amount to up to four percent of global revenue or 20 million Euros (whichever is greater).
What Does the GDPR Require?
The GDPR is designed to give EU residents a standard measure of personal electronic privacy protection that has the same basic expectations no matter whether the individual is doing business with a French company, a Japanese company, or an American company. The tenets of the GDPR sound non-controversial: they involve notice, choice, and transparency (among other things).
At a minimum, this probably merits reviewing your privacy and employment policies to ensure that they fall in line with GDPR requirements of telling EU consumers what data you collect about them, what you do with it, and what rights they have to stop you (or to change their minds once they’ve given you their information).
Merely revising your policies and ensuring that you have a way to respond to consumer inquiries is not enough to be fully compliant with the GDPR, but it may be a reasonable approach if your exposure to the market is very limited. That decision should be made in consultation with your lawyer and possibly your cyber insurance carrier so that you can weigh the risks of non-compliance (or partial compliance) against the benefits and costs of compliance.
If you have significant dealings in the EU, you almost certainly need to do more. Reviewing and documenting your company’s practices regarding data collection and use, designing privacy-aware interfaces for new products and services, establishing server locations so as to keep data local: all of these examples may be or become an important part of your GDPR readiness, because minimizing the data maintained on EU consumers and not moving it to jurisdictions that lack the EU’s protections are key policy aims of the GDPR.
Does it Apply to Me?
If you have customers, employees, or even vendors in the EU, and you interact with their personal data in electronic fashion, you may be subject to the GDPR. The rules apply if you offer goods or services to EU residents and/or if you monitor them. Cookies and other common Web tracking devices are considered a form of monitoring.
This has important implications for how you design your online and data flow practices, both consumer-facing and internal. Also, the EU definition of “personal information” is far broader than anything used in the U.S. It means anything that can be used to identify a person, not just specific information about a specific person. IP addresses, for example, are “personal information” within the EU definition – not just tax ID numbers, email addresses, and so forth.
What Should I Do?
The first step for any company is awareness: knowing whether you have dealings with EU residents, and what information you collect and use regarding them, will tell you whether you need to undertake a compliance discussion with your cyber counsel and carrier.
After that, ensuring that your company makes personal privacy a priority, both internally and externally, is high on the GDPR list. Unfortunate happenings like the Equifax and SEC breaches announced in September of 2017, combined with EU suspicion of U.S. electronic surveillance measures, will ensure that U.S. companies have to justify themselves to a skeptical regulator if they ever face their own issues.
Yesterday's news about Apple's secret effort to find the 'holy grail' for treating diabetes is just the tip of the iceberg.
The data-mining and communications solutions that are made possible by the Internet will make it possible for future entrepreneurs to launch solutions that we find hard to imagine today.
Wearable devices, once configured with the right technology to enable the monitoring of blood sugar levels, blood oxygen levels and other health data in combination with data-mining and simultaneous communication to health care providers hold great potential for guiding patients to make healthy choices and to seek medical help when appropriate.
There are obvious data privacy and cyber-security implications, of course, but even these challenges are opportunities in disguise for the entrepreneurs who can develop market-friendly solutions.
The new Administration may stand for regulatory rollback in many areas, but consumer privacy is (so far) not one. Trump's Federal Trade Commission (FTC) is pursuing a router manufacturer whose equipment hasn't caused any consumer harm yet: no data leaks, no identity fraud, no damages. Companies hoping to escape scrutiny under a relaxed privacy watchdog should consider themselves on notice.
As a best practice, it is a good idea to review your privacy policies and the marketing of your services or goods. Any claims you make about security and privacy of consumer data are fair game for scrutiny and investigation. The FTC so far has been unchecked by the courts, and this router case signals that the agency intends to continue vigorous enforcement—even under an anti-regulatory President.
Tax season brings with it many headaches. For the last couple of years, W2-related phishing scams have been among them. Cyberthieves may send email to HR or financial personnel that looks like it comes from a senior executive. The email may ask for copies of W2s for all employees. The scam used to be targeted to corporations only, but is now hitting school systems and non-profits as well.
As part of its cyber risk planning measures, any organization would be well served to have training and policies in place regarding how to respond to emails asking for this kind of information. In addition, no organization should be sending documents such as W2s by unsecured email.
Employee awareness is one of the biggest and best defenses to this kind of scam: knowing that the company policy is never to send such sensitive information in the clear, no matter who asks, can go a long way to preventing problems. A timely reminder during tax season is a good idea, as is revisiting the organization's cyber plan overall at regular intervals.
In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.
Yahoo has (not surprisingly) been hit with multiple consumer class action claims relating to its massive data breach. It is unclear exactly when Yahoo uncovered the 2014 breach; news reports characterize the find as "recent." Yahoo also has said that it is cooperating with law enforcement, which could help offset any issues tied to a delay of announcement.
The massive breach of accounts at Yahoo revealed on September 22, 2016, brings several thoughts to mind:
- The purchase of Yahoo by Verizon Wireless has not yet closed. Any companies undergoing diligence on the M&A front should account for this kind of issue (Yahoo's breach occurred several years ago) as part of the value and process of the transaction.
- Data Privacy
- Data Security
- Government Investigations
- Limited Government
- FAST Act
- JOBS Act
- Public Policy
- Intellectual Property
- Social Media
- Employment Issues
- Non-Profit Organizations
- Due Process
- Political Philosophy
- Risk Avoidance
- Risk Management
- Regulation A+
- Renewable Energy Around the Web
- In-House Counsel
- Mergers and Acquisitions
- Real Estate