The post Time to Update your Privacy Policy appeared first on Cybersecurity Lawyer Forum.
In 2024, privacy laws adopted by Montana, Oregon, Texas and Utah will become effective. While the laws have much in common (and are similar to the laws already in effect), they each have special characteristics, and companies will need to evaluate how they impact operations, disclosures and policies.
What do they have in common?
Each of the new laws provides similar rights to consumers:
The statutes also impose similar obligations on businesses:
None of the new state laws provides for a private right of action like California’s (which allows users to sue violating companies), but each of them has an enforcement mechanism that includes penalties for noncompliance. Enforcement will generally be carried out by the attorney general of these states.
What’s different about the laws?
Montana
Montana’s Consumer Data Privacy Act (MCDPA) was passed in May 2023 and will take effect on October 1, 2024. The MCDPA applies to entities that:
The law exempts state entities, nonprofit organizations, institutions of higher education, registered national securities associations, and entities governed by the privacy regulations of the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).
Note: The thresholds for coverage by the MCDPA are generally lower than other states, and have no monetary floor; companies should consider whether they might fall within the purview of the MCDPA even if they do limited business in Montana.
Oregon
Oregon’s Consumer Privacy Act (OCPA) will take effect on July 1, 2024. The OCPA applies to entities that meet the following criteria:
The OCPA exempts specific entities, including state government entities, certain financial institutions, insurance producers and consultants, and nonprofit organizations focused on detecting and preventing insurance fraud.
Businesses must also obtain affirmative consent to collect and process sensitive information (an “opt-in” mechanism).
Note: the opt-in mechanism is more restrictive than the opt-out requirement used by many other states.
Texas
The Texas Data Privacy and Security Act (TDPSA) will take effect on July 1, 2024. The TDPSA uses a unique standard to determine coverage and generally applies to any entity that:
The TDPSA also has several entity-level exemptions, including: nonprofits, state agencies and political subdivisions, financial institutions subject to GLBA, covered entities and business associates governed by HIPAA, and institutions of higher education.
Unlike the privacy laws in many other states, the TDPSA has no specific thresholds based on annual revenue or volume of personal data processed.
Business Obligations. The TDPSA imposes specific obligations on data “controllers” – those that determine the purposes and means of processing personal data – including: limiting collection of personal data to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection; prohibiting controllers from processing personal data in violation of state and federal antidiscrimination laws, or from discriminating against a consumer for exercising any of the consumer’s rights under the TDPSA, including by denying goods or services, charging different prices, or providing different quality of goods or services; giving consumers the right to opt out of the sale of personal information by the controller; requiring consent from a consumer prior to processing sensitive personal data; and requiring controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”
Utah
Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) in March 2022. The law will take effect on December 31, 2023. The UCPA applies to entities that:
Like other states, the UCPA has exemptions, including institutions of higher education, nonprofit organizations, government organizations and contractors, indigenous tribes, air carriers, organizations covered by HIPAA, and financial institutions governed by the GLBA.
The UCPA does not require consent for processing sensitive personal data, but controllers do have to clearly notify consumers and provide them the opportunity to opt out of having their sensitive personal data processed ahead of time.
What Should You Do?
In addition to the laws described above, more statutes will go into effect in 2025, and states (like New Jersey) are actively pursuing their own variations of data privacy laws. These laws will create challenges for companies as they seek strategies to comply with laws and, just as importantly, to protect the personal information of their employees, customers, clients and other stakeholders. The JMBM Cybersecurity and Privacy Group works with clients to develop and implement policies and procedures to achieve these goals.
JMBM’s Cybersecurity and Privacy Group counsels clients, with a commitment to protecting personal information, in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
Stuart K. Tubis is an attorney in JMBM’s Cybersecurity and Privacy Group. Stuart uses his background in technology to counsel clients on a range of legal issues, including compliance with privacy and security laws and regulations. Stuart is available to develop privacy policies, help prevent data breaches and respond if/when they occur. Contact Stuart at skt@jmbm.com or 415-984-9622.
The post Time is Short – Reporting your Data Breach appeared first on Cybersecurity Lawyer Forum.
Breach Notifications for the Past 20 Years. Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.
The SEC Acts. Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities and Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations.
The rules were proposed last year and contested by trade organizations and businesses, arguing that four days is inadequate to identify the nature and scope of a breach, and would be as likely to disclose inaccurate information as it would to benefit consumers and shareholders.
In contrast, the SEC, in adopting the new regulation, cited the new rule as enhancing transparency into cyber threats after years of attacks against businesses by criminal gangs and, most significantly, groups backed by nation states. The SEC also saw this as an opportunity to address gaps in existing cybersecurity disclosures.
Gaps in Disclosure. Because there are a wide variety of laws and rules governing disclosure, there is little consistency in the timing or content of breach notifications. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all. Christopher Hetner, a former cybersecurity adviser at the SEC who provides guidance to the National Association of Corporate Directors, said, “The outcome of this rule will be to create more normalcy across disclosures.”
Arguments against the Regulation. The tight timeframe for disclosure raises concerns. The brief period for making incident disclosures could leave investors with information that isn’t accurate. The rules allow a company to update its incident disclosure with added information that was unavailable at first, but that also could create consumer and shareholder confusion.
The regulation is also unclear in defining how an incident would become material and how much detail will be required in public filings. This is a particular issue, since four days is unlikely to be adequate to collect and verify meaningful information about a security incident.
Third Party Risks. The regulation also will require companies to create stronger reporting relationships with vendors. Over the past several years, cyberattack risks in the information-management supply chain have become a key concern, and unless vendors (and all of the parties in the vendors’ supply chain) cooperate promptly, a reporting company may be unable to meet the requirements of the new rule.
Annual Reporting. An issue that has not been widely reported is the requirement that companies must describe in their annual report what processes, if any, a company has in place to assess, identify and manage material risks from cybersecurity threats “in sufficient detail for a reasonable investor to understand those processes.” Combined with the SEC’s “plain language” mandate, this requirement alone might be a significant task.
Companies can deal with these new regulations by creating, implementing, testing and updating strong cybersecurity incident response plans. When a company has 96 hours to publicly report a cybersecurity incident, it cannot waste time trying to create a playbook to respond; the playbook must be in place and accurate. The necessary parties must have the “muscle memory” to know how to respond, not only directly to the breach, but also to comply with new and potentially burdensome regulations. The JMBM Cybersecurity and Privacy Group works with hospitality clients to achieve these goals and prepare them for the challenges of an ever-changing cybersecurity landscape.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
The post State of Play – State Privacy Laws in the United States appeared first on Cybersecurity Lawyer Forum.
We now have, however, ten state privacy laws – five adopted in just the past two months. While the laws have commonalities, none of them are entirely consistent with each other; businesses, particularly those with operations in multiple states, will have to consider how to comply in an efficient and effective manner. This will be no easy task, since in addition to the ten existing state laws, there are nine additional states with active bills. When state legislatures return, it is entirely likely that we will need to revisit this issue.
Creating a privacy regime requires an individual analysis of each company, including the data it collects, how it uses it, and who has access to it. Ten separate laws make the job much more difficult, but we start here on three points – who is covered, what rights are granted, and key similarities and differences.
Who is covered?
The states vary as to when a company is covered by their laws.
Each of the laws also excludes information collected and processed under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
What rights are granted?
All states that have adopted state privacy laws grant certain rights:
In addition, each state requires covered companies to be transparent in their privacy practices. Beyond this, the states begin to differ:
Key Similarities and Differences
The Devil is in the Details
From this brief discussion of only a few aspects of the existing state privacy laws, it should be clear that companies collecting personal information – which covers almost all companies – will be challenged to comply with a multitude of state laws (and with more to come). The burden on middle market companies will be particularly acute, since they have limited resources to address these issues (but face the same kind of liability as large firms). And companies that do business overseas can face even more significant challenges to comply with European, British, and other data protection laws. The JMBM Cybersecurity and Privacy Group provides current, impactful, and effective advice on all aspects of data security and privacy and works with clients daily to address the challenges of new and developing laws and regulations.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
The post Is it Time to Analyze Analytics? appeared first on Cybersecurity Lawyer Forum.
More than that, analytics have become a security issue. The tools used to collect visitor data – cookies, pixels, beacons, and other technologies – have created a risk surface that can allow bad actors to identify targets and breach defenses. At the same time, the nature of these tools makes them one of the risks that companies can manage, allowing them to comply with privacy mandates and reduce cyber risk.
In the Beginning . . .
Originally, analytics were limited. Cookies and other devices allowed a website to recognize a user and to smooth the operation of the website. This little piece of code on your computer made it easier to log on to a website, to complete a purchase, and to see the information you were looking for. Although cookies did allow the website to recognize a user – essentially, to collect personal information – they were generally limited to the website; they were also typically “session cookies” used to facilitate a single user session, or “persistent cookies,” allowing the site to differentiate a new visitor from a prior visitor.
Since then, the tools used to identify website visitors and their actions have exploded in both numbers and potency, creating opportunities and challenges for website owners.
How do Analytics Work?
The point of website analytics is to collect, report and analyze data generated by visitors who interact with a website. This allows website owners to measure user behavior, optimize the user experience, and gain insights to meet business objectives – most often, increasing engagement, conversion, or sales.
A good example is Facebook’s (Meta’s) Meta Pixel. As Facebook describes it:
“The Meta Pixel is a piece of code on your website that can help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart. You’ll also be able to see when customers took an action after seeing your ad on Facebook and Instagram, which can help you with retargeting. And when you use the Conversions API alongside the Pixel, it creates a more reliable connection that helps the delivery system decrease your costs.”
This is a long road from the session cookie. Now, analytics can be deeply intrusive and collect significant data: operating system, browser type, geolocation, internet protocol addresses, first- or third-party cookie IDs, proprietary digital identifiers, bounce rates, page views, e-mail open rates and links clicked, actions taken on pages, referring/exit pages, user agent string, and other device metadata.
What are the Risks?
When a website collects data, that data is often “shared” and “sold” (under the broad definitions of the California Consumer Privacy Act). Website owners are required to disclose that fact and give consumers the tools to opt out of the sale and sharing of personal information. When a website owner fails to do so, they face potential exposure to claims by consumers and regulatory authorities.
Regulators and plaintiffs’ attorneys are increasingly creative in making claims where information is collected and shared without appropriate disclosure and consent. And, even where the claim may be invalid, the website owner will be forced to spend time and money to defend their actions.
What’s on Your Website?
To be clear, there is no prohibition against collecting and sharing data, so long as the website owner complies with laws and rules governing the use of personal information. Some website owners are deliberate about their use of analytics, and take steps to manage and actively disclose their use of the information they collect.
Many website owners, however, aren’t aware of what’s happening on their sites, and they might not know all of the data collection tools embedded in them. Website designers often include analytic tools that help the function of the site without the website owner’s knowledge, and when a website adds links to other, third-party sites (including social media sites), the result can include placement of third-party pixels, cookies, and beacons for the benefit of others.
Because of this, website owners should monitor their websites; there are a variety of tools that identify the data collection tools on their site, their function, and what is being done with the information. With that knowledge, the website owner will know how to control and use the tools and to minimize their exposure to legal claims.
Website owners also often advertise on social media, and those advertisements collect data for the website owner – that has to be accounted for, both in privacy policies and in compliance with data.
Action Items
Website owners should take action to address both regulatory changes addressing the collection and use of analytics data, and technological changes in how data is collected, aggregated, and shared:
Michael A. Gold is the Chair and Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Mike and Bob help clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. They develop and implement data breach response plans, and respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331 and Mike at MGold@jmbm.com or +1 310-201-3529.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
The post The CPPA Speaks Again – Five Takeaways appeared first on Cybersecurity Lawyer Forum.
While the proposed regulations are still in draft form and are likely to go through additional changes (the proposal itself identifies additional areas for the CPPA Board to consider), there are a few clear takeaways from the most recent draft:
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
The post California Consumer Privacy Act and Employee Personal Information appeared first on Cybersecurity Lawyer Forum.
Employee and Business Personal Information
While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature reacted by exempting employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.
The Exemption and its Demise
The broad consensus after the adoption of the CPRA was that the California legislature would extend the exemptions of employee and B2B personal information. While there were a number of attempts to come to an agreement, ultimately, the California Legislature adjourned on August 31, 2022 without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.
The expiration of the exemption will be challenging. While many consumer-facing companies have adopted policies and procedures that can be adapted to employee and B2B personal information, many companies that have little or no consumer contact will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.
For all businesses, employee information will raise issues, since employers are obligated to collect vast amounts of personal information, including sensitive personal information (such as financial, health and intimate personal characteristics), to conduct business. These businesses will need to address the information they collect, where it is held, who has access to it and how it is used. Businesses will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the protection against retaliation following the exercise of opt-out or other rights.
Business Challenges
Personal information obtained from employees presents particular significance. California businesses need to evaluate the differences and similarities between the rights afforded to employees under the CCPA (including how the exemptions from disclosure and deletion apply), and those provided under the California labor laws. California employers have, or should have, adopted many of the processes required under the CCPA. For example:
B2B Implications
While the emphasis of this development has been the impact on employers, B2B personal information is now subject to the same regime as employee personal information. Businesses need to analyze their collection and use of B2B personal information, and provide the same rights that a consumer has under the CCPA, including the right to know, the right to delete, the right to opt out of sale or sharing, and the right to limit use and disclosure of sensitive personal information.
Next Steps
Businesses subject to the CCPA should immediately take steps to comply with these new requirements, including:
Jeffer Mangels Butler & Mitchell, working through its Cybersecurity and Privacy Group, addresses privacy and security issues and assists with compliance with state, federal and international data protection laws. For more information, contact Robert Braun (RBraun@jmbm.com) or Michael A. Gold (MGold@jmbm.com).
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
The post Privacy Policies – Some Simple Lessons appeared first on Cybersecurity Lawyer Forum.
Privacy Policies as an Asset – or Liability
An accurate and well-written privacy policy can be an important asset to a company. Consumers today, more and more, look for transparency in the vendors they patronize. A privacy policy that is readable and organized benefits a company, not just because it better complies with applicable laws, but also because it reflects the firm’s commitment to accuracy and transparency. A confusing, ill-conceived policy, by contrast, opens up a company to liability, both from consumers and from governmental bodies, who regularly examine privacy policies to confirm that they comply with fair trade practices. Moreover, a privacy policy that doesn’t reflect a company’s actual practices can be used after a data breach to cast blame on a firm and create a monetary burden for it.
Recent Privacy Laws Make Privacy Policies More Challenging
The California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), along with similar (but not identical) laws adopted in Connecticut, Virginia, Colorado and Utah, adds complexity to the mix. These laws include specific disclosure requirements in connection with the collection of personal information and enumerate rights of consumers, all of which need to be disclosed to the consumer; as a practical matter, a privacy policy is the only effective way of complying.
At the same time, the differences between the laws create challenges. The laws are inconsistent in their key definitions (such as the definition of personal information), and the rights they confer are different as well. Since online commerce inevitably flows across state borders, firms must consider each of these laws and create policies that fit each of their requirements. This effort can result in a complicated policy that may create more questions than it answers.
Moreover, we can expect additional state laws, as well as implementing regulations (such as the regulations expected to be promulgated on July 8, 2022 by the California Privacy Protection Agency). New laws and new regulations, even when they do not explicitly target privacy policies, can have an impact requiring companies to review and update their policies.
Avoiding Key Mistakes
Many companies look at privacy policies as “stand alone” items – companies view the policies as an item to check off on a list of privacy compliance items. That isn’t accurate – a privacy policy is intended to describe a company’s privacy practices, and that means that each of the descriptions in the policy – the personal information it collects, how it uses that information, with whom it shares (or to whom it sells) the information, and how individual rights can be exercised – requires validation and procedures. A privacy policy needs to be supported by, among other things:
Creating the Policy
Understanding the potential downside of an inaccurate or non-compliant privacy policy should make one lesson clear – the privacy policy is not the first step to complying with privacy laws, but the result of understanding the company’s data collection and processing practices. By taking those steps first, a company can not only create a compliant privacy policy; it can comply more completely with the ever-expanding universe of privacy laws and directives.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
The post Privacy Policies – Some Simple Lessons appeared first on Cybersecurity Lawyer Forum.
The post Facing the Knowledge Gap appeared first on Cybersecurity Lawyer Forum.
Complying with privacy mandates, and preparing for and defending against a data breach, requires knowledge – it requires visibility.
What does that mean? To achieve visibility, an enterprise needs to increase its knowledge of key elements in its infrastructure:
See Your Network
Most C-level executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing for and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets.
Part of knowing your network also means knowing what is happening on the network. Companies need to know when there is a threat, where it is, and how to contain it. Firewalls and endpoint security tools alone aren’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. When a breach is in progress, speed is essential.
See Your Data
Surprisingly, many companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. Companies need to know:
The GDPR, the CCPA, the Virginia and Colorado privacy laws, and each statute currently proposed in the United States require a company to disclose each of these factors – and that knowledge is necessary to comply with consumer rights under those laws. A key question is differentiating between the data you collect and the data you need; companies need to recognize that there is no benefit in collecting data that’s not necessary. There is often a sense that “we might want to have this data in the future,” but that rationale does not stand up in today’s environment. Instead of being something of potential future value, collecting, storing, and using data that isn’t necessary for the company’s business creates liability.
See Your Software
During the past year, understanding the extent of the software a company uses – and the software that its key vendors and partners use – has become increasingly important. The Log4j experience made it clear that if a company doesn’t know the software it relies upon, it cannot take preventative and reactive action to mitigate risks. Companies should create a “Software Bill of Materials,” identifying the software used by or for its business, and should understand how the software is managed, licensed, and supported.
The Log4j issues also emphasized how important it is for companies to consider their use of open-source software. Open-source software is ubiquitous, but it is not always well-managed or updated, and is often overlooked when evaluating a company’s risk profile.
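As an added example (not code from the original post or from the firm), the following Python script shows the kind of check a Software Bill of Materials makes possible: it reads a constructed CycloneDX-style SBOM and flags components whose version falls inside a known-affected range. The SBOM contents are constructed for illustration. The single advisory entry uses the public CVE-2021-44228 (Log4Shell) identifier and its fixed version, 2.15.0, but a real check should pull advisories from a live vulnerability database rather than a hard-coded list; the list here is only an assumption to exercise the matching logic.

```python
"""Match a CycloneDX-style SBOM against an advisory list (added example).

Assumptions, not from the original page: the SBOM document and the
advisory table are constructed inline so the script runs offline.
"""
import json
import re
from dataclasses import dataclass

# Constructed SBOM using a minimal subset of the CycloneDX JSON fields.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.0-beta9"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    group: str
    name: str
    fixed_in: str  # first version that is NOT affected


# Hard-coded for illustration only; use a live vulnerability feed in practice.
# CVE-2021-44228 affects log4j-core releases before 2.15.0.
ADVISORIES = [
    Advisory("CVE-2021-44228", "org.apache.logging.log4j", "log4j-core", "2.15.0"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def version_key(version: str) -> tuple:
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts correctly.

    Numeric parts are padded to three components so '2.15' == '2.15.0'.
    A pre-release tag sorts below its release: '2.0-beta9' < '2.0'.
    Unparseable strings sort below everything, so they get flagged and
    reviewed by hand rather than silently passed.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return ((-1,), 0, "", 0)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    if m.group(2):  # pre-release suffix present
        return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))
    return (nums, 1, "", 0)


def affected_components(sbom_json: str, advisories=ADVISORIES) -> list:
    """Return one record per (component, advisory) pair that matches."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            same_artifact = (comp.get("group") == adv.group
                             and comp.get("name") == adv.name)
            if not same_artifact:
                continue
            version = comp.get("version", "")
            if version_key(version) < version_key(adv.fixed_in):
                hits.append({
                    "component": f"{adv.group}:{adv.name}",
                    "version": version,
                    "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed_in,
                })
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM):
        print(f"{hit['component']} {hit['version']} is affected by "
              f"{hit['advisory']}; upgrade to {hit['fixed_in']} or later")
```

Run against the constructed SBOM, the script reports the 2.14.1 and 2.0-beta9 copies of log4j-core and leaves 2.17.1 and jackson-databind alone. The pre-release handling matters: a naive string comparison would sort "2.0-beta9" above "2.0" and could miss it.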
See Your Vendors
Companies have also become increasingly aware that vendors not only provide essential services; they also create risks and increase a company’s vulnerability to hackers. If a vendor can access a company’s network, a hacker can access the company’s network through the vendor. The situation is more complicated because vendors rarely act alone – they themselves have vendors, and those vendors have vendors, and so on. Even when a company can achieve a degree of comfort with a direct vendor, it may be difficult, if not impossible, to do the same with the vendor’s vendors, who do not have a direct relationship with the company.
Companies can address some of these issues by taking a systematic approach to engaging new vendors and evaluating current vendors. Key steps include:
Visibility, by itself, doesn’t prevent a malware attack. Without taking other measures – such as a thorough incident response plan – it won’t ensure an effective response or compliance with privacy laws. However, a company that fails to take elemental steps to understand its network, data, software, and vendors will be more vulnerable and more likely to be non-compliant. The risks of not taking these steps far outweigh the time, effort, and cost of the effort.
You are not alone in this effort. Since the adoption of the GDPR and the CCPA, great strides have been made in overcoming what can, at first, seem to be an overwhelming task. The Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group works with companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Mike Gold (mgold@jmbm.com).
Thanks to Jason Ciment and his company, Get Visible (https://www.getvisible.com/) for inspiring the concept of visibility for this piece.
The post The New Privacy Laws – What You Need to Do Now – Data Minimization appeared first on Cybersecurity Lawyer Forum.
The last two years were busy ones for privacy advocates. In 2020, California voters passed the California Privacy Rights Act (CPRA), a major revision of the California Consumer Privacy Act of 2018; Virginia adopted the Consumer Data Protection Act; and Colorado approved the Colorado Privacy Act. Each of these laws will have an impact on how businesses, particularly those with an online presence (so, virtually all businesses), collect, process and protect personal information.
This is a challenge for any business, even those that have worked to comply with existing laws – the CCPA and the EU’s General Data Protection Regulation – and best practices. It’s not going to become any easier: Florida, Washington, Indiana and the District of Columbia have all introduced consumer data privacy acts, just 10 days into the new year. As we see a proliferation of state laws, combined with the possibility of federal action on the regulatory or legislative front, companies need to adopt a strategy for compliance.
Finding Strategies
We look at all of these developments and try to find the commonalities, as opposed to the differences, to guide our clients toward efficient, cost-effective, and meaningful ways of grappling with the constantly shifting environment. One of the common elements between each of the California, Virginia and Colorado laws, as well as the GDPR and most of the pending proposals, is data minimization.
What is Data Minimization?
Data minimization consists of two obvious components:
The Colorado Privacy Act presents it succinctly: “A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” Virginia’s Consumer Data Protection Act is similar; “A controller shall: 1. Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer . . . .” And the California Privacy Rights Act amends existing California law to bar businesses from collecting more personal information than “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .” and requires that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.
Why Focus on Data Minimization
Data minimization can serve as the building block for a privacy-compliant data collection operation; for businesses that are subject to the existing laws, there really is no choice. Data minimization also has an added benefit: minimizing the data footprint makes it easier to achieve reasonable information security, which is another common element of the California, Colorado and Virginia statutes and a wide variety of laws either adopted or under consideration.
How to Comply
An enterprise can address data minimization using simple, straightforward steps:
It’s also important to document the process. This would include:
You should be aware that you are not alone in this effort. Since the adoption of the GDPR and the CCPA, great strides have been made in overcoming what can, at first, seem to be an overwhelming task. The Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group works with companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Mike Gold (mgold@jmbm.com).
The post The Supply Chain Risk Conundrum: Rethinking the Network and Its Risks appeared first on Cybersecurity Lawyer Forum.
We are not thinking the right way about supply chain security. The empirical evidence is that regardless of the spend on information security – in human, technical and financial resources – the frequency and magnitude of security incidents continue to increase. This has led to a widespread view that the most important variable in an incident lifecycle is an organization’s response to a security incident. While incident response is crucial, much more is needed to protect against risks to far-flung supply chains.
What an organization can do in terms of security with its principal vendors becomes less and less efficacious when the same or similar measures are applied to more remote vendors, if they can be applied at all. Moreover, a billion-dollar company has a different suite of concerns than a much smaller company – and the limited resources of smaller companies tend to constrain the thinking of their principals, routinely making their security strategies subpar.
Effective supply chain security strategies therefore require a realistic and far more expansive view of what comprises the organization’s network. This entails effective mapping of the entire network – including supply chains – and a robust identification and continual assessment of vendor risks, even those that can’t be easily identified or measured. Absent such initiatives, the supply chain security problem will continue to spin out of control.
Michael A. Gold is the Chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.