Photo of Zenus Franklin

Zenus Franklin

Subscribe to Zenus Franklin's Posts

Zenus focuses on addressing a variety of business and finance matters, including data governance regulations such as GDPR, CCPA, COPPA, PCI-DSS, and state data breach notification laws. He also assists clients with internal policy development, implementation, assessment, training, and incident response management.

Follow: Read more about Zenus FranklinZenus's Linkedin Profile

GDPR Image

The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.

On May 6, 2021, Microsoft announced they were expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storing capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.

Continue Reading Freezing the Cloud: Microsoft Takes a Hardline on Data Privacy in the EU

As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers.  While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors.  We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.

According to the New York Department of Financial Services (“NYDFS”), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.)  As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France.   Earlier this year,  in response to the increase in ransomware attacks, the NYDFS issued seven best practices (“Framework”) that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.

Continue Reading NYDFS Answers Age Old “To Pay the Ransom or Not Pay the Ransom” Question with Definitive DON’T

On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar.
Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance

Last month we discussed California’s Proposition 24, called the California Privacy Rights Act (“CPRA”), and that California voters approved the CPRA on November 3, 2020.  The CPRA amends the California Consumer Privacy Act (“CCPA”), which the final regulations of the CCPA were only recently approved by Attorney General Xavier Becerra in August, 2020. The CPRA makes a few substantial changes to the CCPA, such as additional rights to consumers, additional obligations on businesses that apply to the CPRA, an increased focus on “sharing” information for behavioral advertising, and the creation of a new governing entity to enforce the CPRA. The CPRA is set to become effective on January 1, 2023.  Until then, the CCPA will remain in full force and effect.
Continue Reading Meet the California Privacy Rights Act (CPRA): California Voters Approve Additional Consumer Rights and Business Obligations

In the midst of an unprecedented presidential campaign, you might have missed that California’s Proposition 24, also called the California Privacy Act (CPRA), was poised to amend the California Consumer Privacy Act (CCPA) a mere three months after Attorney General Xavier Becerra approved the final regulations for the CCPA.

On November 3, California voters approved the CPRA by a count of 56% (YES) to 44% (No). In July, we discussed the CPRA’s proposed changes to the CCPA, such as
Continue Reading California Voters Approve California Consumer Privacy Act; Amendments to CCPA

As businesses continue to apply for relief through Small Business Administration (SBA) programs, SBA’s Carol R. Wilkerson announced that nearly 8,000 business owners’ information may have been exposed to unauthorized users on March 29, 2020. This incident only affected the Disaster Loan Program and not the Paycheck Protection Program. The SBA has notified the business owners that may have been affected and offered them a year of free credit monitoring.

At this time, the SBA has stated that the
Continue Reading SBA Data Breach: Disaster Loan Applicants’ Information Possibly Exposed

As the majority of states execute stay at home orders to curb the effects of COVID-19, businesses (and educational institutions) have had to set up ways for employees and students to work remotely. As we have discussed before, companies and employees must make sure both company and employee data is secure while working on home networks and remote devices. Employee use of video conference software is no different. In an effort to keep employees connected and working efficiently, many businesses and educational institutions have had to adopt video conference software in an expedited fashion. This can be seen by looking at Zoom, a video and audio conferencing software. At the end of December 2019, Zoom had approximately 10 million daily meeting participants. Now, in just over several months, Zoom has reached 200 million daily meeting participants. While a useful and effective tool, Zoom has also experienced some challenges with security.  Even in these unique, difficult, and fast moving situations, the Zoom experience stresses the importance of still following best practices in all use of technology to process your company’s data.
Continue Reading COVID-19 Bulletin: Recent Zoom Security Issues Serve as a Cautionary Tale for Businesses in Times of Crisis (and not)

As we discussed before, educational institutions are closing campuses and are meeting legal obligations to educate their students by conducting online schooling. Now, some school districts across the country are banning teachers from using Zoom for online schooling during the COVID-19 pandemic due to security and privacy issues surrounding the videoconferencing app.  Reported cases of classroom “Zoombombings” included an incident where hackers broke into a class meeting and displayed a swastika on students’ screens, which led the FBI to issue a public warning about Zoom’s security vulnerabilities. New York City School District and Nevada Clark Public Schools disabled Zoom access, while schools in Utah and Washington State are reassessing its use at the time of this posting.

Amid the raised safety concerns, Zoom responded and advised schools to protect video calls with passwords and to lock down meeting security with currently available privacy features in the software. On March 18, 2020, Zoom added a privacy policy specific for K-12 schools and districts stating that it is “designed to reflect our compliance” with student privacy laws and also posted best practices for teachers to use.

Continue Reading COVID-19 Bulletin: ZOOM Challenges Provide Timely Reminder about Need for Diligence in Managing Privacy and Security and Student Data

While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.

Continue Reading How am I supposed to do this? Part Trois: California Attorney General issues CCPA modifications

In our previous COVID-19 bulletin, we discussed the importance of companies maintaining information system and data security while allowing employees to work remotely. Over the last week, as people scramble to identify trustworthy information about the spread of COVID-19, how they can protect themselves, and how they can get tested, spammers and scammers have taken advantage of vulnerable telecommuters. For example, in just the past week, media outlets have reported on the following scams:

  • Email Phishing. According to a Kaspersky study and the FTC, email phishing schemes include the use of organizations’ names that would normally seem legitimate. Such emails appear to be coming from representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). The emails have the CDC or WHO logos and headings or have email addresses that, in a quick glance, look to be official (such as cdc-gov.org). The links in these emails may infect the user’s device with malware or even ask them to enter in an email and password for their Microsoft Outlook account.
  • Domains and Apps. There are website domains that appear to keep track of COVID-19 updates and health information. Instead, these domains prompt users to download apps to access this information. In particular, there is an Android App that, once downloaded, infects the device with ransomware and demands payment or else the data on the device will be erased. Additionally, there is an interactive infections and deaths map circulating that is being used to spread password-stealing malware.
  • Goods Delivery. While goods and supplies, such as cleaning and household supplies, are running out at local stores, there are online sellers purporting to have these items in stock. Instead, they are scams that take your payment and never deliver your ordered items. Employers, or employees in charge of supplies, should be cautious of online retailers and conduct additional research into the seller to verify legitimacy.
  • Fake Charities. As with any major event or crisis, there are scammers trying to take advantage of people’s good intentions. This can take form in fake charities or fake donation pages. The fake charity can be a completely made up organization or one that closely resembles names of established charities.


Continue Reading Don’t Let COVID-19 Lure You In: Phishing and Malware Attacks Skyrocket During Coronavirus Crisis