by

Companies that are subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act face the challenge of complying with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities Exchange Commission recently adopted regulations which will have an impact on publicly traded companies that suffer a data breach. Because the SEC’s standards for disclosure often set a standard for private companies as well, the regulations are likely to have an impact on other companies.

Breach Notifications for the Past 20 Years.  Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.

The SEC Acts.  Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations. Continue reading

by

Congress has managed not to adopt a federal privacy law, leaving it to the Securities Exchange Commission, the Federal Trade Commission, and other regulators to fill the void – something that will take years to implement and will be subject to challenges.

We now have, however, ten state privacy laws – five adopted in just the past two months. While the laws have commonalities, none of them are entirely consistent with each other; businesses, particularly those with operations in multiple states, will have to consider how to comply in an efficient and effective manner. This will be no easy task, since in addition to the ten existing state laws, there are nine additional states with active bills. When state legislatures return, it is entirely likely that we will need to revisit this issue.

Creating a privacy regime requires an individual analysis of each company, including the data it collects, how it uses it, and who has access to it. Ten separate laws make the job much more difficult, but we start here on three points – who is covered, what rights are granted, and key similarities and differences. Continue reading

by and

Website analytics are a key part of understanding whether a website “works,” and how to improve it; they arose almost at the same time that companies began using websites to transact business. For the most part, and for a long time, website analytics were seen as benign – a way to track information without trampling on an individual’s privacy rights. But the multitude of ways in which companies collect information on websites without a user’s knowledge make it more and more likely that a website owner can find itself in violation of privacy laws.

More than that, analytics have become a security issue. The tools used to collect visitor data – cookies, pixels, beacons, and other technologies – have created a risk surface that can allow bad actors to identify targets and breach defenses. At the same time, the nature of these tools makes them one of the risks that companies can manage, allowing them to comply with privacy mandates and reduce cyber risk.

In the Beginning . . .

Originally, analytics were limited. Cookies and other devices allowed a website recognize a user, and to smooth the operations of the website. This little piece of code on your computer made it easier to log on to a website, to complete a purchase, and to see the information you look for. Although cookies did allow the website to recognize a user – essentially, to collect personal information – they were generally limited to the website; they were also typically “session cookies” used to facilitate a single user session, or “persistent cookies,” allowing the site to differentiate a new visitor from a prior visitor.

Since then, the tools used to identify website visitors and their actions have exploded in both numbers and potency, creating opportunities and challenges for website owners. Continue reading

by

On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020). The revised regulations propose dozens of changes that were intended to address business concerns that some of the requirements were confusing and costly to implement.

While the proposed regulations are still in draft form and are likely to go through additional changes – the proposal itself identifies additional areas for the CPPA Board to consider, there are a few clear takeaways from the most recent draft:

  • Notice at Collection. Businesses will need to review and update notices at collection; a simple statement that personal information is being collected in accordance with a privacy policy will not be adequate. In particular, the proposed regulations emphasize that references to the collection and use of information in a notice at collection must be specific; the link should direct the reader to the specific provision, not just to the first page of the privacy policy.
  • Contract Requirements for Service Providers and Contractors. The proposed regulations carry over and emphasize the contractual requirements for Service Providers and Contractors. The importance of incorporating these provisions into vendor agreements, whether directly into an agreement or through an addendum is essential, as is implementing the guardrails described in the regulations. The recent settlement between Sephora and the California Attorney General is a direct result of the failure to address this issue.
  • Limits on Selling and Sharing Personal Information. Covered businesses will need to look carefully at how their vendor relationships could be construed as selling or sharing personal information and be ready to include a “Do Not Sell/Share” link, not just where data is collected, but also on the home page of the business’ website.
  • B2B and Employee Data. Most companies should, by now, be aware that personal information gathered from business contacts and employees will be subject to the CCPA beginning January 1, 2023. For companies that have not had to comply with these requirements before, this will impose a significant burden to implement effective procedures and policies addressing these needs.
  • Regulators (and others) are Looking. Finally, companies should be aware that the CPPA and the California Attorney General (along with plaintiffs’ counsel and even some consumers) are watching. Businesses that don’t make a good faith effort to comply can expect to be called out, and often in public and expensive ways.

Continue reading

by

In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale and sharing of personal information.

Employee and Business Personal Information

While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature reacted by exempting employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.

The Exemption and its Demise

The broad consensus after the adoption of the CPRA was that the California legislature would extend the exemptions of employee and B2B personal information. While there were a number of attempts to come to an agreement, ultimately, the California Legislature adjourned on August 31, 2022 without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.

Continue reading

by

Online privacy policies are ubiquitous. Sometimes they are mandated by law – that’s been the case in California for years – and a variety of other states and federal agencies (like the Securities and Exchange Commission) require them as well. As a practical matter, almost every firm that has an online presence has a privacy policy. But it’s not enough to have a privacy policy – the policy has to be “right,” and failing to do that can open a company to liability. At the same time, done correctly, a privacy policy is an important asset.

Privacy Policies as an Asset – or Liability

An accurate and well-written privacy policy can be an important asset to a company. Consumers today, more and more, look for transparency in the vendors they patronize. A privacy policy that is readable and organized benefits a company, not just because it better complies with applicable laws, but also because it reflects the firm’s commitment to accuracy and transparency. A confusing, ill-conceived policy, by contrast, opens up a company to liability, both from consumers and from governmental bodies, who regularly examine privacy policies to confirm that they comply with fair trade practices. Moreover, a privacy policy that doesn’t reflect a company’s actual practices can be used in a data breach to cast blame, and create monetary burden, on a firm.

Recent Privacy Laws Make Privacy Policies More Challenging

The California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), along with similar (but not identical) laws adopted in Connecticut, Virginia, Colorado and Utah) add complexity to the mix. These laws include specific disclosure requirements in connection with the collection of personal information and enumerate rights of consumers, all of which need to be disclosed to the consumer; as a practical matter, a privacy policy is the only effective way of complying. Continue reading

by

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time the rate, depth, and impact of ransomware, wiperware and data breaches has become more intense and more expensive, and there is no indication that the trend will end soon.

Complying with privacy mandates, and preparing for and defending against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, an enterprise needs to increase its knowledge of key elements in its infrastructure:

See Your Network

Most C-level executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets.

Part of knowing your network also means knowing what is happening on the network. Companies need to know when there is a threat, where it is, and how to contain it. Simply having firewalls and other endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. When a breach is in process, speed is essential.

See Your Data

Surprisingly, many companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. Companies need to know:

  • What data does the company collect?
  • What data does the company need to collect?
  • How does the company collect data – directly from users, clients, and consumers, or through third parties?
  • Where the company stores its data?
  • How does the company use the data it collects – particularly personal information of individuals, including employees?
  • Who has access to the data?

Continue reading

by

A New Year, A New Challenge

The last two years were busy ones for privacy advocates. In 2020, California voters passed the California Privacy Rights Act (CCPA), a major revision of the California Consumer Privacy Act of 2018; Virginia adopted the Consumer Data Protection Act; and Colorado approved the Colorado Privacy Act. Each of these laws will have an impact in how businesses, particularly those with an online presence (so, virtually all businesses), collect, process and protect personal information.

This is a challenge for any business, even those that have worked to comply with existing laws – the CCPA and the EU’s General Data Protection Regulation – and best practices. It’s not going to become any easier: Florida, Washington, Indiana and the District of Columbia have all introduced consumer data privacy acts, just 10 days into the new year. As we see a proliferation of state laws, combined with the possibility of federal action on the regulatory or legislative front, companies need to adopt a strategy for compliance.

Finding Strategies

We look at all of these developments and try to find the commonalities, as opposed to the differences, to guide our clients toward efficient, cost-effective, and meaningful ways of grappling with the constantly shifting environment. One of the common elements between each of the California, Virginia and Colorado laws, as well as the GDPR and most of the pending proposals, is data minimization. Continue reading

by

Current information security and risk mitigation approaches are ineffective, and this failure is nowhere more apparent than in critical supply chains – defense, energy, health services, and other key industries. The source of much of the persistent failure to secure supply chains and the success of hackers compromising these vital arteries of commerce is that most organizations do not recognize all of the components and connections that comprise their networks. This blinkered thinking leads to suboptimal measures even when leading information security frameworks are in place. We routinely encounter the following shortcomings in our supply chain security work:

  • 󠄀Inadequate supply chain mapping – Most organizations misperceive or fail to perceive at all the characteristics of their supply chains. As a result, they overlook all kinds of risks and fall prey to hackers regardless of what the organization does to ameliorate risk.
  • 󠄀Failing to test cyber defenses – Many organizations stress security in depth but fall far short on what is, for supply chain purposes, a far more important security element – validation in depth, an all but fatal shortcoming that hackers count on persisting.
  • 󠄀Ignoring OpSec – Organizations place much more emphasis on information security than they do on operational security. This overlooks a multitude of risks associated with their supply chains, one of which is exploits that disrupt operations.
  • 󠄀Focusing on insoluble problems – An organization will never have perfect, if any, visibility into its 3rd and 4th degree of separation vendors. Yet organizations still struggle to find a solution to such problems. But there is no viable solution. Hence, the problem should be viewed not as a problem with a potential solution but rather as an immutable fact, at least for now.
  • 󠄀Expertise Deficit – Current cyber risks are not even remotely aligned with the number of available professionals with the expertise to address these risks. And yet organizations unfairly task their IT groups with responsibility  for supply chain security.

Continue reading

by

2021 was a challenging year in cybersecurity, and there’s no reason to believe that this will end.  As we approach 2022, all businesses large and small need to address some basic issues that impact the security of their systems. and their customers?

  • Vendors. No company stands alone – they depend on a multitude of vendors and third parties to operate.  These range from point-of-sale systems to HVAC operators to property management systems.  Every vendor that has access to company systems – and it’s surprising how many do – presents a threat.  When they have access to a company’s network, that creates an opening for a bad actor.  Even more, each vendor relies on a variety of vendors themselves, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the company’s network.  And as we’ve discovered from the breaches caused by the highly publicized Solar Winds software and the more recently discovered log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.
  • Internet of Things. Internet of things – the elf on the shelf, alarm systems, internet-enabled heating HVAC, solar panels, and public Wi-Fi systems have long been a soft underbelly of cybersecurity.  In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” (https://techcrunch.com/2021/12/17/security-flaws-wifi-gateway-hundreds-hotel/).  The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; they are then able to use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages.  This is not something unique to hotels – everything that connects to your system is a potential weak spot in cybersecurity.
  • Social Media. Virtually all companies use  social media to promote their businesses and attract customers.  But social media depends on the collection and use of personal information, and that information can make companies a prime target of bad actors.  Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks.  When a threat actor gains access to a network – which could be your network – they can pose an existential threat to a business through ransomware, extortion, denial of service and other attacks.

Continue reading