Showing 6 posts in Risk Management.
The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.
In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.
The EU/US Privacy Shield, which governs transfers of personal information from the EU to the US, is now effective and available to US companies for self-certification. Any US company that wants to self-certify its compliance with Privacy Shield protections may do so now; and any company that does so before September 30 will have nine months to get its downstream data processing contracts in order.
Compliance and self-certification involve publishing a new privacy statement and a statement to the Department of Commerce, both of which must set forth information about a company's compliance with several fundamental principles:
- Notice and Choice about how an EU individual's personal information is shared with third parties,
- Access to that information for correction or deletion,
- Security undertakings regarding that information,
- Data Integrity and Limited Purpose use regarding such information,
- Recourse to independent dispute mechanisms by aggrieved EU data subjects, and
- Accountability for "onward transfer" of EU data to third parties.
The process of self-certification is fairly straightforward and may be a good idea for companies formerly covered by the Safe Harbor. Any company that collects, processes or uses data from the EU may want to consider Privacy Shield self-certification.
For companies that do wish to certify, there is a grace period of nine months to become compliant with the "onward transfer" principle if certification is made before the end of this month. That would allow a certifying company time to put in place a compliant contract procedure for vendors who may process data (procurement, purchasing, customer relations, for example) via downstream contracts.
There is no deadline for self-certification, which can be elected at any time; but the grace period is one-time-only as the Privacy Shield is taking effect.
Data security is a multi-part process for most organizations. Today's installment of cyber hygiene habits for 2015 reminds us that updating software is a critical step in securing our networks.
This fourth installment in our cyber hygiene series will discuss the importance of hardware upgrades in maintaining corporate data security. As with all the best practices we recommend in this series, the idea behind protection is to avoid incidents where possible, mitigate damage if they occur, and have a defensible position or "storyline" if you suffer a dispute or investigation.
The 3d Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide Corporation, in a decision filed August 24, 2015, ruled that the Federal Trade Commission (the "FTC") by virtue of Section 5 of the FTC Act, has jurisdiction over the data security practices of corporations that collect and use the personal data of their cases.
Consumer advocates have celebrated the case as a win for consumers. I fear it will have the opposite effect.
- Product Liability
- Data Privacy
- Data Security
- Government Investigations
- Limited Government
- FAST Act
- JOBS Act
- Intellectual Property
- Public Policy
- Social Media
- Employment Issues
- Non-Profit Organizations
- Due Process
- Political Philosophy
- Risk Avoidance
- Risk Management
- Regulation A+
- Renewable Energy Around the Web
- In-House Counsel
- Mergers and Acquisitions
- Real Estate