Articles Posted in Policies and Procedures

The Blackbaud Breach

In July of this year, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of administration, fundraising, and financial management software, notified its clients that it had discovered and stopped a ransomware attack.  In a public statement, Blackbaud described the attack:

In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.  . . .  Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. . . . The subset of customers who were part of this incident have been notified and supplied with additional information and resources.

Since its July announcement, nonprofit organizations throughout the world have issued their own notices of breach to their stakeholders, relying in large part on Blackbaud’s description of the breach.

Key Takeaways from the Breach

While data breaches are an almost daily occurrence, the Blackbaud breach is notable for a couple of reasons.  First, even though it was able to prevent the ransomware attack, the cybercriminal exfiltrated unencrypted data from Blackbaud’s servers, in reaction to which Blackbaud elected to pay a ransom for the criminal’s agreement to destroy the data – given the reliability of criminals, a somewhat dubious promise.  The response indicates that Blackbaud was threatened with a new, but increasingly common, tactic in ransomware attacks – the cybercriminal will couple a ransomware attack with theft of data, and threaten to make the data public unless it receives payment.  As more and more companies are able to reconstruct compromised systems through backups and other means, cybercriminals have found a new way to monetize their attacks.

More importantly, the fact that this breach created a waterfall of breach disclosures reflects the impact of vendors on today’s data environment.  Blackbaud provides comprehensive data, financial management, fundraising, payment, and other services to schools, museums, faith communities, foundations, healthcare organizations and nonprofit organizations, and those entities rely on Blackbaud for critical functions that are essential to their missions.

The Role of Vendors

Firms increasingly rely on vendors for data management functions. The 2018 Ponemon Institute survey of data breaches reported that that at least 56% percent of organizations participating in the survey experienced a data breach due to a vendor’s security shortcomings.  At the same time, companies are increasingly reliant on vendors – a recent Bomgar survey reported that, on average, companies allow 89 vendors to access their networks weekly, and that 71% of respondents expect to become more reliant on third parties in the coming years. Continue reading

Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, will host a panel of industry leading experts for the webinar, The Right Stuff: Validating Reasonable Information Security

Date: Thursday, June 18, 2020

Time: 10 AM – 11:15 AM PDT; 1 PM –  1:15 PM EDT

Register Now

Most organizations have never had to prove that they have reasonable information security. Business and legal pressures are changing this dramatically. The California Consumer Privacy Act exposes businesses that have been breached to serious financial liability when they do not have reasonable information security. With data breaches increasing in scope and damage regardless of the money spent on cybersecurity, businesses will need to validate – in effect prove – that they have reasonable information security in order to avoid financial, legal and reputational harm.

During this webinar, our panel of experts cover:

The meaning of reasonable information security: What is it? Why the established information security frameworks, such as NIST, ISO and CISO,  do not deliver reasonable information security; Why dynamic assessment of an organization’s information security posture is crucial; The impact of overlooked vulnerabilities in cloud and IoT environments.

The legal requirement for validating reasonable information security: The far-reaching impact of the California Consumer Privacy Act’s requirement for reasonable information security practices and procedures; Why the law is a precursor to similar requirements likely to be adopted by other states and the federal government; legal exposures arising from inability to validate reasonable information security.

The business and insurance imperatives for validating reasonable information security: Cyber insurance carriers will no longer take at face value an insured’s representations about its information security posture; Larger enterprises will decline to do business with companies that cannot validate the effectiveness of their information security measures; Regulated companies will no longer be permitted to self-certify their compliance with information security and privacy requirements. Continue reading

As a privacy and cybersecurity lawyer, I’m often asked by clients and potential clients about preparing a privacy policy – whether they need one, and how much it costs. And underlying the question is an assumption – privacy policies are really just formalities, and all they need to do is find the right form, or a competitor’s model, make sure to change the name and contact information, and they’re done.

They are right about one thing – any company that collects any kind of personal information needs a privacy policy. Laws throughout the world – not just in the United States, but in the European Union, Canada, Australia and elsewhere – have laws that require a privacy policy, some in great detail, others more generally. The California Online Privacy Protection Act, which went into effect in 2004, began this trend, and the advent of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California increased the details for privacy policies of companies under their jurisdiction, by requiring greater detail on the types of data collected, the uses of the data, and how consumers can limit the use of personal data.

There are also third parties that require privacy disclosures, including Google Analytics, a ubiquitous feature of commercial websites.

But they are wrong about what it takes to create a privacy policy. Using another company’s policy might be a starting place, but it takes much more. Assuming that all privacy policies are alike is a dangerous practice – if a company does not take the steps to ensure that the policy is accurate and complete, it increases, rather than limits, its liability. Companies must analyze their data collection practices and make sure that reality is reflected in the policy.

What is Included in a Privacy Policy?

While there are a wide variety of policies, they generally include some key elements:

  • Information about the business, including contact details;
  • The types of personal data that is collected;
  • How the data is used;
  • Whether and how it is shared with third parties; and
  • What does the company do to protect personal information?

Continue reading

Robert E. Braun, chair of JMBM’s Cybersecurity & Privacy Group, will be the keynote speaker for the webinar, Privacy and Information Security – Best Practices and Imperatives.

Date: Wednesday, May 27, 2020

Time: 2:00 PM Pacific Time

Register Now Continue reading

Robert E. Braun and Michael A. Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group, will participate as panelists on the webinar, What is Reasonable Information Security?

Date:   Thursday, April 23, 2020
Time: 10:00 AM – 11:30 AM Pacific Time

Register Now

JMBM’s cybersecurity lawyers, along with a cybersecurity consultant, a Chief Information Security Officer, and a cyber compliance expert will address the following questions about reasonable information security:

  • What isn’t it?
  • What is it?
  • What does the legal landscape look like?
  • Is it a realistic goal?
  • How does it impact my 3rd party risk policies and practices?


Sean Weppner – Chief Strategy Officer, Nisos


Robert E. Braun – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Michael A Gold – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Art Ehuan – Vice President, Crypsis
Gerald Beuchelt – CISO, LogMeIn
Greg Kruck – Director, Sales Engineering, CyCognito

Register Now for This Informative Program


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at or +1 310.201.3529.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

CCPA: Hotel Loyalty Programs, Data Retention and the Brave New World of Privacy

By Robert E. Braun

This article first appeared in the Hotel Business Review and is reprinted with permission from

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because their qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alistair McTaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.

Because the Act was adopted so quickly, and because it was driven by the original proposition, the Act, as entered into law, does not have the kind of guidance that helps us understand how to implement the concepts in the Act. The California Attorney General has, as required under the Act, submitted proposed regulations that assist in complying with the Act, but much more needs to be done for businesses to feel comfortable in plotting a means of compliance. It is likely that our understanding of the Act, and how businesses can comply with the Act, will evolve over the coming years.

The Act as Part of a Broader Shift in Consumer Preferences

In order to understand the impact of the Act, and how to address its many changes, businesses need to understand how it reflects an evolution in consumer attitude toward the ownership and use of personal information.

In the United States, there have been few limitations on the collection or use of personal data. There are some exceptions – financial information is regulated under the Gramm-Leach-Bliley Act, health information is governed under the Health Insurance Portability and Accountability Act , and children’s information is addressed under the Children’s Online Personal Privacy Act. But in general, personal information – names, addresses, and other identifying information – may be collected and used without significant restriction, and consumers did not typically object.

The advent of computers and the increased ability to collect, store, process and monetize information, has changed consumers’ attitudes. Companies increasingly base their business models on the ability to collect and utilize information. This is not limited to firms like Facebook and Google; a variety of firms monetize the information they collect, both by direct marketing and by sharing, or selling, the data to others. Along with the “legitimate” use, came less savory forms, like credit card fraud and identity theft. As a result, individual consumers are increasingly concerned about how their personal data is shared.

Hotels should be particularly aware of this shift, since hotels are among the businesses most targeted by bad actors, and reports of data theft are regularly reported.

Behind these changes is a significant shift in the treatment of personal information. Increasingly, the belief is that an individual should have control over his or her identifying data, and not just a limited selection of financial data, but a broad array of information – essentially, anything that could be used to identify an individual. This would include not just names, addresses and other obvious data points, but also biometric and location data, of which many of us are unaware are being collected.

Do Hotels Need to Comply with the Act?

The Act is applicable to many businesses, whether located inside or outside California.? The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – ?a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria: Continue reading

As most (but not all) business know, the California Consumer Privacy Act of 2018 (the “Act” or “CCPA”) goes into effect January 1, 2020. It is estimated that more than 500,000 companies are subject to the CCPA, many of them smaller and mid-size businesses that may not have pre-existing robust privacy policies and procedures.

The CCPA applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California, whether or not the business has a physical presence in California. Businesses that meet at least one of the following criteria are subject to the Act:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

While enforcement actions by the Attorney General won’t begin until six months after the final regulations are published, or July 1, 2020, companies need to ensure they are in compliance on January 1, 2020, when the Act goes into effect. This article is a summary of a five-part series designed to guide companies through compliance, Complying with the California Consumer Privacy Act in 5 (More or Less) Not So Easy Steps.”

Part 1 – Data Mapping

A company cannot comply with the Act without understanding what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.

There is a benefit to this practice that goes beyond complying with the Act. Companies can determine the extent of their data collection practices and whether it advances the business. Companies must realize that every point of data it holds is not just an asset, but also a liability. Eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize costs associated with maintaining data, including cybersecurity and insurance expenses. Learn more here.

Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps 
Part 3 of a Series

 The Privacy Policy

This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are.

The CCPA says that California residents, including minors, have the right to know if their personal data is being collected, and to whom the data is being sold, and with whom it is being shared. Armed with that knowledge, California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements — is daunting. In our first article, we highlighted the importance of the data map. In our second article, we covered breach response.

In this post, we’ll review the changes companies need to be making to their privacy policies in order to comply with the CCPA. The Act mandates that any company subject to the CCPA make specific public disclosures, including: Continue reading

Public Service Announcement: Social media use increases your cybersecurity exposure. Share appropriately.

If that were all it took.

In my earlier post, I described how casual use of social media (that is, failure to take into account its impact on privacy and security) can put your company’s information security profile at risk, and open your executives and employees to social engineering cyber scams. Additionally, social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold. The most popular social media sites compound this problem when they release – unintentionally or not – personal information.  Facebook is a regular offender; just this month it confirmed that it “unintentionally uploaded” the email contacts of 1.5 million people without their consent. Business Insider reported that a security researcher noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.

While it’s unrealistic to enforce a policy banning the use of social media, companies can and should educate executives and employees on appropriate use as part of regular cybersecurity training. Social media “hygiene” should become as ubiquitous as the signs imploring that “employees must wash hands” in restrooms.

Look at Your Settings—Often

When apps or devices are updated, it’s common that privacy restrictions get reset to the baseline, which is often the most liberal sharing of data. As a result, even if you set your privacy preferences at an acceptable level recently, updating your operating system or applications – generally a good idea – may result in reestablishing the basic settings. Continue reading

Looking back with the perspective of two years, the Equifax data breach still has many lessons to teach us. Unfortunately, some of the most important lessons are masked by the extremes of the errors that characterized the original breach, which include insider trading by top executives after the breach was discovered but before it was disclosed. That, combined with the length of time the company withheld news of the breach, and the irony that its entire business model is built on security, may lure some observers into believing that the incident is unique, and they could never screw things up as magnificently.

That would, however, be a mistake.

As litigation over the breach continues, there are some takeaways that might not be as obvious, but which are important to all companies. As courts and regulatory agencies struggle with how to respond to such breaches, punish companies that disregard regulations and look to compensate victims, it becomes increasingly clear that securities compliance is more important than ever. For public companies, data breaches are doubly dangerous.

First, a key lesson from Equifax is that words matter.

Earlier this year, a federal judge upheld most of the plaintiffs’ claims in a securities class action against Equifax (note, these are claims brought by shareholders, not those whose data was breached, though of course those subsets likely overlap), in part because statements on the company’s website, in SEC filings and during investor conferences stated it employed “strong data security.” Plaintiffs allege that the statements misled investors regarding “the strength of Equifax’s cybersecurity systems, its compliance with data protection laws, and the integrity of its internal controls.”

All companies, and especially those in the security business or whose business model is based on gathering, storing and processing information, can be tempted to tout one’s defenses as “the best,” “state of the art,” “industry-leading,” etc. More to the point, a marketing department is bound to use that kind of language. That language, however, is the basis for shareholder lawsuits, FTC enforcement actions and other problems. Here are three steps to take to ensure your cybersecurity statements aren’t what compound your misery after a breach: Continue reading