As 2019 begins, we are one year away from the highly anticipated California Consumer Privacy Act of 2018 (CCPA or the Act) going into effect.  As companies update their privacy policies to comply with the CCPA, it is essential to determine whose personal information the Act protects.  Two issues businesses should consider when updating their data privacy policies are:  (i) the geographic residence of the individuals whose information is collected; and (ii) whether the Act applies to their employees. Continue Reading Defining “Consumer” Under The California Consumer Privacy Act

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first and second posts on cybersecurity practice impacts.

This post focuses on threats posed by insiders of the firm, which may be created by either deliberate, malicious conduct or by inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher revenue firms (95-99%) address insider threats as part of the program, only 66% of mid-level revenue firms address such risks. Its assessment comes from their review of firm responses to relevant inquiry areas in the 2017 and 2018 their Risk Control Assessment (RCA). Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Insider Threats If Your Program Only Focuses on External Threats, You are Only Halfway There

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.    Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprising, albeit somewhat unusual, the importance of the topic and FINRA’s insights warranted a separate communication. Continue Reading FINRA Issues 2018 Report on Selected Cybersecurity Practices

As previously discussed, software as a service (SaaS) solutions offer the allure of being able to outsource IT for data storage.  Being able to rely on someone else to protect you sounds great, but is it really?  Losing control over your sensitive data requires serious diligence of the third party vendor.  Caveat emptor: SaaS solutions can expose companies to unknown risks. Tips to avoid those risks are discussed below.

Continue Reading Three More Risks to Consider with SaaS Solutions

Recent developments in privacy law and a rise in class action lawsuits related to data collection offer a cautionary tale about understanding legal and ethical boundaries of monitoring “on-the-clock” employee conduct. With a hodgepodge of federal, state, and local legislation governing employee privacy rights, employers are often left to navigate a complicated legal landscape while balancing the practical need to understand how employees are using company information and equipment.  Employers, for example, have a legitimate interest in protecting company trade secrets, detecting unlawful transmission of unlicensed material, and improving work productivity.  Employees, on the other hand, may have a reasonable expectation of privacy in certain contexts while at work.

This quandary begs the question, where do employers draw the line? Continue Reading Workplace Monitoring: Where Do Employers Draw The Line?

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms. Continue Reading Implications of Brexit on GDPR

On November, 2, 2018, Ohio’s recently passed Data Protection Act (Act) officially became law. The Act provides a possible affirmative defense to businesses in lawsuits where the plaintiff alleges a tort based on a business’ failure to implement a cybersecurity framework.

Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow. Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that “reasonably conforms” to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims. Continue Reading New Cybersecurity Law Offers Safe Harbor Against Tort Claims

In August, the Federal Trade Commission (FTC) approved changes to a video game industry program in an effort to ensure compliance with the Children’s Online Privacy Protection Act (COPPA). This comes after a 2017 study finding that YouTube, the video platform owned by Google, is the most popular online media platform among children, with as many as 80% of children ages 6-12 using it daily. Yet YouTube claims in its Terms of Service that the platform is not intended for anyone under the age of 13, and by agreeing to the terms, consumers affirm that they are indeed at least 13 years old. Users also agree to Google’s privacy policy, which details how Google collects data such as a viewer’s device, location, or phone number, and tailors advertisements and services based on that data.

Continue Reading FTC Under Pressure from Congress to Investigate Violations of Child Privacy Laws

Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements.  Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action. Continue Reading Preparing for 2020: Check In On Your Vendors