Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss the impact of international privacy laws on U.S. companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Cybersecurity for middle market companies.

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss the first steps to take when there’s a data breach at your company. The other videos in this 4-part series include: Why companies need a cybersecurity training program; Cybersecurity for middle market companies; and Impact of international privacy laws on U.S. companies.

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss cybersecurity for middle market companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Impact of international privacy laws on U.S. companies.



We are flooded with news reports of major data breaches and malware attacks. The reports focus on attacks against businesses with significant volumes of sensitive personal and financial information, like financial institutions, hospitals, retailers – and most recently, law firms. There is no question that the press pays the most attention to a data breach when large volumes of valuable information have been stolen or encrypted for ransom.

Some firms, like business managers and family offices, have not received much media scrutiny. But lack of media coverage is not a reason for comfort. These organizations are ripe targets for intruders, precisely because of the people they represent and the information they possess. Business managers and family offices hold the most confidential information of their clients – financial records, bank and securities account information, health records, estate planning and trust documents, physical locations of valuable assets and the like. Intruders do not gravitate only to the largest companies or those with the highest public profiles. Rather, intruders are attracted to targets with valuable information, regardless of who they are.


California, home of many of the world’s largest technology companies, has long been at the forefront of protecting personal electronic information in the United States. California adopted the nation’s first data breach notification law, led the nation in requiring website privacy statements, and actively enforces online privacy. On October 6, 2015, Governor Jerry Brown signed SB 178, the Electronic Communications Privacy Act (CalECPA), taking a further step by requiring California law enforcement agencies to obtain a warrant and notify the subject(s) of the warrant before acquiring electronic information.

On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in Federal Trade Commission v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the FTC to regulate data security standards. Although the decision dealt most directly with the hospitality industry, it is a wake-up call for every company that is subject to FTC jurisdiction.

The Safe Harbor

For 15 years, the Safe Harbor Framework has provided a way for U.S. companies to comply with the EU Data Protection Directive.  Under the directive, transfers of personal data from the EU to a non-EU country are prohibited unless the receiving country can assure an adequate level of protection for the data.  While a number of countries do comply – among them Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay – the United States does not.  The Safe Harbor Framework was developed by the United States Department of Commerce and the European Commission as a mechanism to address the EU law’s adequacy standard. U.S. businesses voluntarily participate in the Framework and thereby comply with its terms.

Effective January 1, 2014, amendments to the California Online Privacy Protection Act (“CalOPPA”) require all commercial websites and online services that collect personally identifiable information (“PII”) to include additional disclosures in their privacy statements: how the operator responds to browser “Do Not Track” signals or other similar mechanisms; and whether other parties may collect PII about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s site or service.


This article, written by Michael A. Gold, Partner at Jeffer Mangels Butler & Mitchell, was originally published by Bloomberg BNA Corporate Governance Report on October 7, 2013 and articulates the responsibility that corporate boards must own in order to protect the electronic assets of their organization. Read Cyber Risk and the Board of Directors – Closing the Gap.

The term ‘corporate assets’ may conjure up thoughts of mechanical equipment, financial instruments, computer hardware, and even personnel. Often overlooked in this terminology are an organization’s digital information assets, which may include high-value trade secrets, sensitive digital correspondence, business strategy information, or the financial and personally identifiable information of consumers.

Corporate directors have a duty to protect all organizational assets. While the assumption is that cybersecurity threats are only a problem for hi-tech companies, the truth is that the potential for a data breach poses a significant risk for any company that stores any of its data electronically. Threats to a company’s sensitive digital information can include cyber-attacks, hacking, phishing, and ransomware scams, to name a few.

“Corporate boards can be timid about engaging cyber risk because the nature of these risks has no real parallel in the experience of most corporate directors.”

– Michael A. Gold

Due to the seemingly massive volume of information and lack of time or personnel, Cyber Security Fatigue besets many corporate boards. Corporate directors may focus their efforts on other priorities that are more closely related to their areas of expertise, believing that cyber security is being managed by their corporate information technology department.

It’s a common misconception among many organizational leaders that the corporate IT department is responsible for managing a company’s cybersecurity shield. The truth is that IT departments are, in general, not experts in cybersecurity; in fact, many of the directives of IT professionals run counter to good cybersecurity practices, favoring speed of access, simplified password protocols, or rushing to get a product or service to market quickly.


Also covered in this article is the role that corporate directors play in addressing cybersecurity risks, preparing for the possibility of a cyber-attack, and responding to data breaches, should one occur. Possible legal implications for the board and its members, as well as reports from Lockton Companies, a major insurance broker, regarding the “increasing trend in D&O Claims filed as a result of data breach events, and lack of adequate disclosure surrounding such events,” are included.

Reproduced with permission from Corporate Governance Report, 16 CGR 120, 10/07/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) https://www.bna.com

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. He is also a co-author of Bloomberg BNA’s Corporate Practice Series Portfolio 86, Records Retention for Enterprise Knowledge Management, which is available for purchase at https://www.bna.com/records-retention-p6983/.  Contact Mike at MGold@jmbm.com or +1 310.201.3529.

On September 26, 2013, the California Secretary of State allowed proponents of a new ballot proposition to collect signatures for the “Personal Privacy Protection Act.” The Act, if approved, would radically change the privacy landscape in California by adding new provisions to the California Constitution. Most importantly, the Act (1) requires all “legal persons” that collect personal information to use “all reasonably available means to protect it from unauthorized disclosure” and (2) creates a presumption that a person is harmed whenever his or her personal information is disclosed without authorization.