General Privacy & Data Security News & Developments

Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help maintainn protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn the cutting edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corp and is a decorated combat veteran of Operation Desert Shield\Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

Austin, Texas, downtown skyline at sunsetThe American Bar Association is holding its upcoming 2018 Business Law Section Annual Meeting at the Austin Convention Center in Austin, TX, from September 13 to 15.

Fox partner Matt Kittay will moderate a panel entitled “Lawyer Ethical Issues in M&A Technology.” Featuring Haley Altman of Doxly, Steve Obenski of Kira Systems, and James Walker of Richards Kibbe & Orbe. The group will discuss ethical issues facing lawyers who use both emerging and globally accepted technology platforms to execute M&A and private equity transactions. The panel will take place on Friday, September 14 from 3:30 PM to 5:00 PM at the Technology in M&A Subcommittee Meeting of the Mergers & Acquisitions Committee. The Fairmont Hotel connected to the Convention Center will host the panel.

For more information and to register to attend the section’s Annual Meeting, please visit the ABA website.

Office copiers retain data on the files they process – securing that data is a must.

Digital copiers pose many of the same cybersecurity risks associated with computers. This is so because theyre also computers. Data thieves know that office copiers run on “smart” technology with hard drives that store information about printed, copied and scanned documents – a potential trove of sensitive data.

 What steps should businesses take to protect the data across a copier’s lifecycle?

 The Federal Trade Commission provides guidance online in Digital Copier Data Security: A Guide for Businesses. The guide details the process from integrating a copier into your company’s information security policies and offers best practices for printing to securing the hard drive after the device has run its course.

Manufacturers can also tell you about the security features of their copiers, which may include:

  • Encryption software that scrambles hard drive data, making it difficult to extract
  • Overwriting functionality that digitally changes data values so files can’t be reconstructed
  • Locking a hard drive via passcode

The FTC’s point is clear: businesses of all kinds are legally responsible for the information stored on digital copiers. In fact, institutions handling personal financial or health care information are required to have security plans for the information processed on digital copiers.

Facebook has failed to prevent its feud with an Austrian privacy activist over the legality of two widely used mechanisms for transferring data between the European Union and the U.S., from reaching the EU Court of Justice.

In a May 2nd ruling, the Irish High Court sided with activist Max Schrems and the Irish Data Protection Commissioner, rejecting Facebook’s request to stay the court’s October 2017 referral of the case to the EU Court of Justice to give the company time to appeal the referral to the Irish Supreme Court.

The decision carries with it potential consequences for thousands of international companies that use model contracts and Privacy Shield for transatlantic data transfers.

Schrems filed a grievance over Facebook’s use of model contracts with the Irish Data Commissioner in 2015 saying that Facebook failed to protect EU citizens’ data from the prying eyes of U.S. law enforcement and intelligence agencies.

The Data Commissioner referred the case to the Irish High Court in May 2016 after determining the compliant was “well founded.” The Irish High Court expanded the scope to include Privacy Shield in its 2017 decision to refer the matter to the EU Court of Justice.

In 2015, the EU Court of Justice invalidated the Safe Harbor accord, then a widely used mechanism for transferring data between the EU and U.S., ruling it failed to adequately protect the privacy of EU citizens. Privacy Shield was created to replace Safe Harbor. Details via Reuters, Fortune and Bloomberg.

In a daylong Privacy Summit at Citizens Bank Park in Philadelphia, the co-chairs of Fox Rothschild’s Privacy & Data Security practice group led a series of panel discussions with leading cybersecurity professionals and government officials.

Elizabeth Litten moderating “Looking Inward: Risk Management Part I”

Fox partner Elizabeth Litten, who serves as Fox Rothschild’s HIPAA Privacy & Security Officer, and partner Mark McCreary, the firm’s Chief Privacy Officer, moderated a two-part panel series examining cyber risk management for protecting company data. The first segment, “Looking Inward: Risk Management Part I,” focused on the best internal company practices, policies and training to combat cyber threats and protect valuable data. “Beyond Company Walls: Risk Management Part II” examined the ways businesses should approach vendor management and cyber insurance to further secure and safeguard their data assets.

Mark McCreary moderating “Beyond Company Walls: Risk Management Part II”

 Litigation partner Scott Vernick moderated the panel “Current State of Affairs in Regulation & Enforcement.” Discussion highlighted the domestic and international data privacy and security obligations relevant to U.S. businesses.

 The summit closed with a thought-provoking keynote address from Eric O’Neill, a former FBI counterintelligence operative who helped apprehend Robert Phillip Hanssen – one of the most notorious spies in U.S. history – who provided memorable insights about corporate diligence and defense.

 View the Event

 

Data privacy and security
Many company leaders appear to understand and recognize cyber threats, but far too few have implemented vital defenses.

In the fourth quarter of 2017, we spearheaded a sweeping, cross-industry survey of chief executives to gauge corporate cybersecurity preparedness. The results revealed important organizational issues.

The survey showed C-suite corporate leaders know their companies’ data is at risk but are not taking adequate measures to protect that data.

  • Awareness: More than half of C-level officers recognized their companies were at high or very high risk of a data breach. Three quarters said they had been hit recently by phishing attacks.
  • Inaction: Despite that, 53 percent of executives admitted their cybersecurity and data privacy budgets are insufficient to respond to a breach. Nearly a third don’t train all their employees on data breach prevention, a basic component of cybersecurity.

“Cyberattacks are growing in frequency and severity,” said Mark McCreary, Fox’s Chief Privacy Officer and co-chair of its Privacy and Data Security Practice. “Companies should take steps to manage that risk and prevent breaches, but it requires a clear-eyed, systematic approach.”

Survey findings offer big-picture takeaways to bolster a company’s approach to cyber threats and their prevention. The report examines five key areas of cybersecurity readiness:

  • Breach response plans
  • Budget priorities
  • Cyber liability policies
  • Determining risk severity
  • Training effectiveness

How does your organization compare? Read the full report.

 

Recent news that Facebook has suspended research firm Cambridge Analytica for improperly collecting users’ personal data without their knowledge may not constitute a classic “data breach,” but it poses real risks for the popular social media platform.

Fox Rothschild Partner Scott Vernick, founder of the firm’s Privacy & Data Security Practice, discussed the implications for Facebook, and the next steps the company should take, in an interview with the TD Ameritrade Network.

“Consumers do select companies and want to do business with companies that have control over their data and that can secure their data,” Scott said. “In turn, If you lose consumer confidence, you lose advertiser confidence, so that is the challenge for Facebook.”

View the full interview here.

The cost of cybercrime continues to rise, driven by increasingly sophisticated cybercriminals and a growing pool of new and often unsophisticated internet users, according to a new report from internet security firm McAfee and the Center for Strategic and International Studies.

“Cybercrime is relentless, undiminished, and unlikely to stop. It is just too easy and too
rewarding, and the chances of being caught and punished are perceived as being too low,” the report states.

The report, “Economic Impact of Cybercrime—No Slowing Down,” estimates cybercrime costs the global economy $600 billion a year, or 0.8 percent of global GDP, up from $500 billion in 2014.

It lists five trends that are most responsible for the increase:

  • Cybercriminals adopting new technologies.
  • Growth in new internet users, often from countries with weak cybersecurity.
  • The rise and growth of Cybercrime-as-a-Service.
  • Growth in cybercrime “centers” such as Brazil, India, North Korea, and Vietnam.
  • Improved black markets and digital currencies facilitating monetization of stolen data.

Security magazine also published a summary of the report.

Username and password login fields, online security
Usernames and passwords were exposed in a number of reported data breaches.

According to the monthly report from the Identity Theft Resource Center, the health care industry suffered more data breaches in January than government, educational and financial sectors combined.

Medical and health care-related data breaches accounted for 26.7 percent of the verified 116 data breaches in early 2018. The report defines a breach as a cybersecurity incident in which personal information such as emails, medical records, Social Security numbers or driver’s license information, is exposed and made vulnerable to risk.

While the report identifies “Business” as the sector most affected by data breaches, the category broadly encompasses many types of major service providers in retail, hospitality, trade, transportation and other industries.

For more detailed statistics of data breaches by industry, download the ITRC report.

The Federal Trade Commission (FTC) has offered businesses an updated anti-phishing toolbox. It’s contained in new guidelines the agency has issued for preventing cyberattacks. Share the recommendations with your IT department to provide your email servers and networks with the latest defenses. Doing so sends a message that your company takes the threat to personal information seriously and is taking prudent and reasonable steps to protect it.

Here are the email authentication technologies the FTC recommends:

  • Sender Policy Framework (SPF) – requires a business to designate the IP addresses it uses to send emails
  • DomainKeys Identified Mail (DKIM) – authenticates the source and integrity of messages
  • Domain Message Authentication Reporting and Conformance (DMARC) – reports on and excludes unauthenticated email sources.

The FTC has additional recommendations. Chief among them? Make sure your software is at the strongest security setting. It should block delivery of unauthenticated messages and scan attachments for sensitive personally identifiable information (PII).