Electronic Data Security

Japan is the latest country to be recognized by the European Union as providing adequate protection to data. The decision is one of mutual adequacy and creates the world’s largest area of safe data flows.

Per European commissioner Vera Jourova: “Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market.”

Before the adoption of the decision, Japan implemented additional safeguards to guarantee that data transferred from the EU enjoy protection in line with European standards. This included:

  • a set of supplementary rules to bridge differences between the two data protection systems (specifically regarding sensitive data, the exercise of individual rights and cross-border data transfers)
  • assurances from the Japanese government that the access of Japanese public authorities to personal data for criminal law enforcement and national security purposes would be limited to what is necessary and proportionate
  • a complaint handling mechanism to investigate and resolve complaints from Europeans regarding access to their data

Details from the International Association of Privacy Professionals.

 

2019 presents businesses with new cybersecurity and privacy challenges: rapid advances in technology, sophisticated new cyberattacks and stricter privacy regulations here and around the world, just to name a few. Businesses that fail to plan risk significant financial and reputational damage.

Those at the front of the fight, but out of the headlines, will:

  • Afford users and consumers true “data self-determination” and transparent control over data while providing a frictionless digital experience.
  • Master what data they collect, who has access to it and how long they have it: “Cradle-to-grave” control over data will win the day.
  • Master baseline data privacy and security, whether defined by statutory schemes, best practices or voluntary industry standards.
  • Remain battle-ready for the critical infrastructure breach (financial, utility and/or transportation).
  • Deploy robust methods to repel the email compromise.
  • Implement tested response plans for digital deep fakes (false video and audio recordings) and other disinformation campaigns.
  • Master vendor and supply chain data security.

The American Bar Association is holding its upcoming 2018 Business Law Section Annual Meeting at the Austin Convention Center in Austin, TX, from September 13 to 15.

Fox partner Matt Kittay will moderate a panel entitled “Lawyer Ethical Issues in M&A Technology,” featuring Haley Altman of Doxly, Steve Obenski of Kira Systems, and James Walker of Richards Kibbe & Orbe. The group will discuss ethical issues facing lawyers who use both emerging and globally accepted technology platforms to execute M&A and private equity transactions. The panel will take place on Friday, September 14 from 3:30 PM to 5:00 PM at the Technology in M&A Subcommittee Meeting of the Mergers & Acquisitions Committee. The Fairmont Hotel, which is connected to the Convention Center, will host the panel.

For more information and to register to attend the section’s Annual Meeting, please visit the ABA website.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here).  The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

Shata Stucky writes:

The United States National Institute of Standards and Technology (NIST) has issued new guidelines for creating secure passwords. NIST guidelines, which are directed to “federal government systems,” often become best practice recommendations across the security industry.

The new guidelines are a significant break from previous rules.  Security experts previously recommended frequent password changes and using a mixture of upper case letters, symbols, and numbers.  The NIST guidelines acknowledge that users often work around these types of restrictions in a way that is counterproductive.  The most effective passwords are those that are easy for the user to remember so that it is less likely they will be written down or stored electronically in an unsafe manner.

Accordingly, NIST recommends dropping complexity requirements and requirements for frequent password changes. Instead, organizations should emphasize password length: passwords should be at least 8 characters in length, and users should be allowed a maximum length of at least 64 characters.

Additional recommendations can be found in the NIST guidelines, accessible on the NIST’s website.


Shata L. Stucky is an associate in the firm’s Privacy & Data Security practice, resident in its Seattle office.
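The length-over-complexity approach summarized in the post above can be checked mechanically. The following is an added example, not code from NIST or from the post: it audits a password policy against the points the post lists and shows how two sample passwords fare under each policy. The policy field names and both sample policies are hypothetical and constructed for illustration.

```python
import string

# Constructed sample policies; the field names are hypothetical.
LEGACY_POLICY = {"min_length": 6, "max_length": 16, "require_upper": True,
                 "require_digit": True, "require_symbol": True, "max_age_days": 90}
REVISED_POLICY = {"min_length": 8, "max_length": 64}

def audit_policy(policy):
    """List the ways a policy departs from the guidance summarized in the post."""
    findings = []
    if policy.get("min_length", 0) < 8:
        findings.append("min_length: should be at least 8")
    max_len = policy.get("max_length")  # None means no upper limit
    if max_len is not None and max_len < 64:
        findings.append("max_length: should allow at least 64")
    for rule in ("require_upper", "require_digit", "require_symbol"):
        if policy.get(rule):
            findings.append(f"{rule}: drop complexity requirement")
    if policy.get("max_age_days"):
        findings.append("max_age_days: drop frequent forced changes")
    return findings

def check_password(password, policy):
    """Apply a policy as configured; return (accepted, reason)."""
    n = len(password)  # counts characters (code points), not bytes
    if n < policy.get("min_length", 0):
        return False, "too short"
    max_len = policy.get("max_length")
    if max_len is not None and n > max_len:
        return False, "too long"
    if policy.get("require_upper") and not any(c.isupper() for c in password):
        return False, "missing upper case letter"
    if policy.get("require_digit") and not any(c.isdigit() for c in password):
        return False, "missing number"
    if policy.get("require_symbol") and not any(c in string.punctuation for c in password):
        return False, "missing symbol"
    return True, "ok"

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("revised", REVISED_POLICY)):
        print(name, audit_policy(policy))
        for pw in ("Passw0rd!", "correct horse battery staple"):
            print("  ", repr(pw), check_password(pw, policy))
```

Under the constructed legacy policy the short, predictable "Passw0rd!" is accepted while the 28-character passphrase is rejected as too long; the revised policy accepts both on length alone.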

Fox Rothschild partner and firm Chief Privacy Officer Mark G. McCreary sees a trend: Law firms are increasingly recognizing that naming a lawyer to lead data security and privacy efforts is “an essential ingredient in good risk management.”

In an article for Law360 entitled “Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO,” McCreary writes:

“To understand the role of the CPO — and why that person ought to be a lawyer — it’s important to distinguish the role they fill from that of the chief information security officer or CISO, who is typically a nonlawyer and leads the firm’s information technology department.”

We invite you to read his full article.

 


Cybersecurity positions are increasingly difficult to fill and the long-term prospects for the industry don’t appear to be getting any brighter, Ericka Chickowski warns at the blog DARKReading. More than 25 percent of organizations take six months or longer to fill priority positions, she reports in “Desperately Seeking Security: 6 Skills Most In Demand.”

By 2022, Chickowski notes, there will be a global shortfall of cybersecurity workers of 1.8 million people, according to the Global Information Security Workforce Study conducted by Frost & Sullivan.

Read more at DARKReading

Yesterday, a massive ransomware attack now known as “Petya” spread across the globe in a similar fashion to the WannaCry cyberattack in May. In an Alert today, Fox Chief Privacy Officer and Partner Mark McCreary breaks down what we know about the attack, how to address it if your organization falls victim to it, and how to minimize the risks of future attacks:

Yesterday’s worldwide cyberattack once again exploited a vulnerability that has been known to experts for many months. These attacks are sure to continue and the best defense is knowledge. Awareness of how malware works and employee training to avoid the human error that may trigger an infection can prevent your organization from becoming a victim.

This latest ransomware variant, referred to as “Petya,” is similar in many respects to the “WannaCry” ransomware that affected hundreds of thousands of computers in mid-May, using the same Eternal Blue exploit to infect computers. The purpose of this Alert is to provide you some information believed or known at this time.

How Is a Computer Infected?

Experts believe the Petya malware is delivered in a Word document attached to an email. Once initiated by opening the Microsoft Word document, an unprotected computer becomes infected and the entire hard drive on that computer is encrypted by the program. This is notably different from WannaCry, which encrypted only files.

Once Petya is initiated, it begins seeking other unprotected computers in the same network to infect. It is not necessary to open the infected Microsoft Word document on each computer. An infection can occur by the malware spreading through a network environment.

To read Mark’s full discussion of the Petya attack, please visit the Fox Rothschild website.

Mark also notes that “I continue to stress to clients that in addition to hardening your IT resources, the absolute best thing your business can do is train employees how to detect and avoid malware and phishing.  In-person, annual privacy and security training is the best way to accomplish this.”

Yesterday we witnessed new ransomware spread across the world with incredible speed and success, bringing businesses to their knees, with home users learning for the first time about ransomware and why computer backups are so important.

With over 123,000 computers infected, experts believe the “WannaCrypt/WannaCry/WCry” attacks have stopped after researchers registered a domain that the software checks before encrypting.  However, nothing is stopping someone from revising the software to not require that check and releasing it into the wild.  In other words, do not expect the infections to stop.

To battle the malicious software, Microsoft took the highly unusual step of issuing updates for versions of Windows that have reached their end of life and otherwise are not supported (e.g., Windows XP, Windows 8, and Windows Server 2003). WannaCrypt/WannaCry/WCry did not even try to target Windows 10 machines, but that does not mean Windows 10 machines cannot be affected and encrypted by the ransomware. The blog describing Microsoft’s efforts can be found here and is worth reading. Although your business may normally take a wait-and-see approach to software updates to avoid conflicts with other programs, this is a situation in which you should fast-track that process.

If there is any silver lining here, it is that it may lead more organizations to focus harder on computer security and efforts to battle malicious attacks similar to WannaCrypt/WannaCry/WCry. Having seen firsthand from clients the panic and feeling of helplessness caused by WannaCrypt/WannaCry/WCry in mere hours, it seems likely that companies are starting to better understand the risk, loss of productivity and costs that can be associated with a ransomware attack.

Below is a screenshot of the WannaCrypt/WannaCry/WCry software on an infected machine.  (Note the financial aid offer in the last line of the “Can I Recover My Files?” paragraph.  The bad guys must have a public relations firm!)

[Screenshot: wannacrypt]