On September 29, California Governor Gavin Newsom signed an amendment (AB 1281) that extends the California Consumer Privacy Act (CCPA) partial employee and business-to-business exemptions through December 31, 2021. The extended exemptions may provide some relief to businesses struggling to comply with changing local, state and federal COVID-19 requirements.

Partial Employee and B2B Exemptions

The amendment extended the exception for businesses from complying with certain CCPA requirements with respect to the personal information of California employees, applicants and business contacts.

The partial employee exemption specifically exempts personal information that is collected by a business about a person in the course of the person acting as a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of” the business to the extent that the personal information is collected and used solely within the employment context. The exemption also applies to personal information used for emergency contact purposes, as well as information that is necessary to administer employment benefits.

Under the exemption, employers are still required to inform employees and applicants, at or before the time of collection, of the categories of personal information to be collected and the purposes for which the information will be used (i.e., a “notice at collection”). Further, employers are not exempt from the “duty to implement and maintain reasonable security procedures and practices.” And employees and applicants retain the private right of action in the event that certain of their personal information is subject to a data breach.


The Blackbaud Breach

In July of this year, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of administration, fundraising, and financial management software, notified its clients that it had discovered and stopped a ransomware attack.  In a public statement, Blackbaud described the attack:

In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.  . . .  Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. . . . The subset of customers who were part of this incident have been notified and supplied with additional information and resources.

Since its July announcement, nonprofit organizations throughout the world have issued their own notices of breach to their stakeholders, relying in large part on Blackbaud’s description of the breach.

Key Takeaways from the Breach

While data breaches are an almost daily occurrence, the Blackbaud breach is notable for a couple of reasons.  First, even though it was able to prevent the ransomware attack, the cybercriminal exfiltrated unencrypted data from Blackbaud’s servers, in reaction to which Blackbaud elected to pay a ransom for the criminal’s agreement to destroy the data – given the reliability of criminals, a somewhat dubious promise.  The response indicates that Blackbaud was threatened with a new, but increasingly common, tactic in ransomware attacks – the cybercriminal will couple a ransomware attack with theft of data, and threaten to make the data public unless it receives payment.  As more and more companies are able to reconstruct compromised systems through backups and other means, cybercriminals have found a new way to monetize their attacks.

More importantly, the fact that this breach created a waterfall of breach disclosures reflects the impact of vendors on today’s data environment.  Blackbaud provides comprehensive data, financial management, fundraising, payment, and other services to schools, museums, faith communities, foundations, healthcare organizations and nonprofit organizations, and those entities rely on Blackbaud for critical functions that are essential to their missions.

The Role of Vendors

Firms increasingly rely on vendors for data management functions. The 2018 Ponemon Institute survey of data breaches reported that at least 56% of organizations participating in the survey experienced a data breach due to a vendor’s security shortcomings. At the same time, companies are increasingly reliant on vendors – a recent Bomgar survey reported that, on average, companies allow 89 vendors to access their networks weekly, and that 71% of respondents expect to become more reliant on third parties in the coming years.

Schrems II – Groundhog Day, All Over Again

Past is Prologue

One of the keys to the European Union’s data protection regime has been the prohibition against transferring personal data from EU countries to jurisdictions that do not have regimes that, in the determination of the EU, provide adequate protection to consumers. Beginning in 2000 the U.S. – EU Safe Harbor Framework allowed U.S. companies to certify their compliance with EU data protection requirements, and facilitated the transfer of data between the EU and the U.S. On October 6, 2015, the Court of Justice of the European Union, the European Union’s highest court, overturned the Safe Harbor Framework. In response, the EU and the U.S., primarily through the Department of Commerce, developed International Safe Harbor Privacy Principles, commonly called the “Privacy Shield,” and a more robust framework was adopted, allowing substantially the benefits of the Safe Harbor.

On July 16, 2020, the CJEU held that the EU-U.S. Privacy Shield arrangement — which includes more than 53,000 participating companies — is invalid. The CJEU said in a press release that, in the court’s view, “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” The Court also said that the United States ombudsman is neither independent enough, nor has adequate authority, to provide an effective cause of action to guarantee the protections under EU laws and regulations.

In particular, the court said that the ombudsperson mechanism in the U.S. — a role created by the Privacy Shield arrangement — “does not provide data subjects with any cause of action before a body which offers guarantees” at the level of EU law. The CJEU said the ombudsperson, which sits under the U.S. Department of State, is neither empowered nor independent at an adequate level.

Impact of the Decision

Like the invalidation of the Safe Harbor, the rejection of the Privacy Shield is likely to create substantial disruptions in data transfers, a key to international trade, until a resolution is found. It is hard to overstate the significance of this decision. The U.S. Commerce Department estimates that the value of the transatlantic economic market is $7.1 trillion, and that a multitude of companies, large and small, rely on the ability to transfer personal, employee and other data from the EU to the U.S. The impact on individual firms will be wide:

Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, will host a panel of industry leading experts for the webinar, The Right Stuff: Validating Reasonable Information Security

Date: Thursday, June 18, 2020

Time: 10 AM – 11:15 AM PDT; 1 PM –  1:15 PM EDT


Most organizations have never had to prove that they have reasonable information security. Business and legal pressures are changing this dramatically. The California Consumer Privacy Act exposes businesses that have been breached to serious financial liability when they do not have reasonable information security. With data breaches increasing in scope and damage regardless of the money spent on cybersecurity, businesses will need to validate – in effect prove – that they have reasonable information security in order to avoid financial, legal and reputational harm.

During this webinar, our panel of experts will cover:

The meaning of reasonable information security: What is it? Why the established information security frameworks, such as NIST, ISO and CISO,  do not deliver reasonable information security; Why dynamic assessment of an organization’s information security posture is crucial; The impact of overlooked vulnerabilities in cloud and IoT environments.

The legal requirement for validating reasonable information security: The far-reaching impact of the California Consumer Privacy Act’s requirement for reasonable information security practices and procedures; Why the law is a precursor to similar requirements likely to be adopted by other states and the federal government; legal exposures arising from inability to validate reasonable information security.

The business and insurance imperatives for validating reasonable information security: Cyber insurance carriers will no longer take at face value an insured’s representations about its information security posture; Larger enterprises will decline to do business with companies that cannot validate the effectiveness of their information security measures; Regulated companies will no longer be permitted to self-certify their compliance with information security and privacy requirements.

As a privacy and cybersecurity lawyer, I’m often asked by clients and potential clients about preparing a privacy policy – whether they need one, and how much it costs. And underlying the question is an assumption – privacy policies are really just formalities, and all they need to do is find the right form, or a competitor’s model, make sure to change the name and contact information, and they’re done.

They are right about one thing – any company that collects any kind of personal information needs a privacy policy. Jurisdictions throughout the world – not just the United States, but the European Union, Canada, Australia and elsewhere – have laws that require a privacy policy, some in great detail, others more generally. The California Online Privacy Protection Act, which went into effect in 2004, began this trend, and the advent of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California increased the details for privacy policies of companies under their jurisdiction, by requiring greater detail on the types of data collected, the uses of the data, and how consumers can limit the use of personal data.

There are also third parties that require privacy disclosures, including Google Analytics, a ubiquitous feature of commercial websites.

But they are wrong about what it takes to create a privacy policy. Using another company’s policy might be a starting place, but it takes much more. Assuming that all privacy policies are alike is a dangerous practice – if a company does not take the steps to ensure that the policy is accurate and complete, it increases, rather than limits, its liability. Companies must analyze their data collection practices and make sure that reality is reflected in the policy.

What is Included in a Privacy Policy?

While there are a wide variety of policies, they generally include some key elements:

  • Information about the business, including contact details;
  • The types of personal data that are collected;
  • How the data is used;
  • Whether and how it is shared with third parties; and
  • What the company does to protect personal information.


Robert E. Braun, chair of JMBM’s Cybersecurity & Privacy Group, will be the keynote speaker for the webinar, Privacy and Information Security – Best Practices and Imperatives.

Date: Wednesday, May 27, 2020

Time: 2:00 PM Pacific Time


Moving to the Cloud to Save Money

The Covid-19 pandemic has created profound challenges for almost every organization. As these challenges mount, companies are dramatically cutting their soft costs, including information security. Many companies are reducing their information security and privacy compliance spending by moving to the cloud. This is good, right? Maybe, and only if the move is managed in a well-informed way. Not asking the right questions up front can lead to serious consequences.

It is crucial to keep in mind that no information security or privacy law in existence today views being in the cloud, in and of itself, as constituting reasonable information security. Nor does any information security or privacy law view the cloud as a mitigating factor in the context of data breaches.

Increasing Reliance on Cloud Computing

The use of cloud platforms has grown exponentially. One of the results of the work-at-home mandate, which will persist even as work restrictions are relaxed, is the continuing move to cloud computing, both because of the benefits of scalability and the dedicated IT and IS resources afforded by cloud vendors and also the need to conserve financial resources. It is difficult and expensive to maintain onsite information technology and information security operations and staff. Cloud computing reduces costs and increases accessibility.

Moving to the cloud, however, does not eliminate all risks – some hazards go away but others are introduced. Cloud environments are vulnerable if end-users fail to observe proper security hygiene – vulnerabilities at the end-user level will create vulnerabilities in the cloud environment. It is imperative as well that the cloud vendor has appropriate information security and privacy compliance measures in place. Many smaller cloud vendors and service providers who use the cloud have deficient information security and privacy compliance frameworks, assuming they have any in place at all. Many organizations, especially small and medium sized businesses, seldom evaluate whether their vendor’s cloud is a safe place to be.

Getting the move to a cloud environment right is crucial. The security and availability of an organization’s data is important for both operational and business continuity reasons. Moving to a cloud is no excuse for taking eyes off of information security or for lax privacy compliance.

Leonard Lee of Thomson Reuters Legal Current interviewed Bob Braun, Co-chair of JMBM’s Cybersecurity & Privacy Group for a podcast titled, “Are You Practicing Social Media Hygiene?”

Listen to the podcast here.

In this brief podcast (18:28 minutes), Bob Braun discusses the risks that both companies and individuals face when posting information on social media.

Braun describes situations in which hackers spoof a company’s boss, based on real-time information posted on social media, resulting in unrecoverable monetary losses for the company.

“Posting information about yourself on social media can be used by a hacker to fool you or people you know,” he said.

Braun covers issues that individuals and employees should be aware of when using social media, including email.

“Sophisticated programs are easily available on the dark web. We are dealing with bad actors who are extremely skilled and creative,” he said.

“Habits on social media have to be consistent in business and personal lives.”


Robert E. Braun and Michael A. Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group, will participate as panelists on the webinar, What is Reasonable Information Security?

Date:   Thursday, April 23, 2020
Time: 10:00 AM – 11:30 AM Pacific Time


JMBM’s cybersecurity lawyers, along with a cybersecurity consultant, a Chief Information Security Officer, and a cyber compliance expert will address the following questions about reasonable information security:

  • What isn’t it?
  • What is it?
  • What does the legal landscape look like?
  • Is it a realistic goal?
  • How does it impact my 3rd party risk policies and practices?

Moderator:

Sean Weppner – Chief Strategy Officer, Nisos

Panelists:

Robert E. Braun – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Michael A Gold – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Art Ehuan – Vice President, Crypsis
Gerald Beuchelt – CISO, LogMeIn
Greg Kruck – Director, Sales Engineering, CyCognito


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

There’s no question that this is one of the most difficult times we have faced. The turnaround from nearly full employment to 3,000,000 new unemployment claims, the sequestration of two-thirds of the population, the closing of restaurants, entertainment venues, places of worship, mass furloughs and layoffs, the elimination of the social interactions which we thrive on – these are not normal times. And, moreover, the world that emerges from the Covid-19 pandemic will be very different from the world that preceded it.

So with all of this going on, when many of you are simply trying to see how you can survive and emerge from this crisis, why should you worry about privacy and security?

Things Will Return to Normal

Eventually – and hopefully not terribly long from now – life will gain a new normality. It won’t necessarily be business as usual, but it will be some kind of business, and one thing that will return are the laws and regulations that govern us now. Just as the California Attorney General has decided (as of now) not to delay enforcement of the California Consumer Privacy Act, the other strictures regarding privacy and security aren’t going away. The crisis will not cause the FTC to stand down on its enforcement of claims of unfair and deceptive trade practices, the Department of Health and Human Services will continue to enforce HIPAA, the federal banking regulators will enforce the Gramm-Leach-Bliley Act, and as soon as they can meet, electronically or in person, state (and perhaps even federal) legislatures will press for more stringent privacy and security laws and regulations.

Some Changes will be Permanent

One change that is likely to stick beyond the end of the crisis is the move to remote working. Many workers will find that they like to work at home. Many businesses will realize that keeping their workforce in offices is less productive and more costly. The possibility that waves of Covid-19 or other viruses may continue will make working remotely more common. And the success of online meeting tools – Zoom, Webex and others – will make both workers and companies realize that while in-person meetings are important, they aren’t always necessary.

A side effect, and one that we are already seeing, is the need to protect the expanding edge of network environments. As networks expand from the physical dimensions of an office to homes, security profiles change. Firms will need to consider how to maintain a secure computing environment when they have less control over that environment.

Security and Privacy is an Asset

An effective and compliant privacy and security program is a valuable asset that can differentiate a firm from its competitors. Clients and customers are increasingly sophisticated and recognize that a company whose privacy policy is dated before 2020, and which has not addressed the new obligations of companies to protect the personal information of their clients, customers, employees and others, is behind the times.

Moreover, there are increasing liabilities associated with poor security and non-compliance. It is unlikely that any entity that does business in California is unaware of the private right of action that the California Consumer Privacy Act grants to individuals whose personal information has been compromised because a company failed to maintain “adequate security,” and that individual plaintiffs may be awarded between $250 and $750 for failure to maintain adequate data security. Many other state proposals, as well as federal initiatives, include a similar private right of action. In the absence of a data breach, the CCPA includes an enforcement mechanism giving the California Attorney General the ability to seek damages of between $2,500 and $7,500 for each violation of the CCPA. The stakes for companies are high, and getting higher.

What to Do?

In a crisis, companies should take the time to prepare for the aftermath. Many firms should see how they can adapt their business operations to take advantage of new opportunities and fend off threats. Companies now have the ability to allocate resources to protect themselves from breaches and establish compliance programs, an ability they will not have as business eventually ramps up again. Companies that look forward to the new business environment and prepare for it will survive and thrive; those that do not will be left behind.

The JMBM Cybersecurity and Privacy Group assists clients both in complying with laws and achieving real data and information security. For more information, contact Robert Braun (RBraun@jmbm.com) or Michael Gold (MGold@jmbm.com).
