I don’t mean to ruin your holiday weekend, but we thought to send out a friendly reminder on the next set of rolling deadlines and requirements from New York’s financial services cybersecurity law (23 NYCRR 500). A regulated organization that must comply with the law, or “covered entity,” is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” in New York state. Not all requirements apply to all businesses subject to the law, as there are several exemptions. That said, as applicable, the following requirements should be in place by Sept. 3, 2018.

  • Encrypt, encrypt, encrypt. As we wrote about this summer, you can never undervalue encryption as a tool to not only prevent threats, but improve overall compliance. Regulated organizations must implement security controls, including encryption, to protect information in transit over external networks and information at rest. Encryption is not mandated, but a company is expected to evaluate its capability to encrypt and find reasonable alternatives, if not possible. Regular review of such controls is required. See Section 500.15.
  • Train and verify. Organizations must continue to develop and document a training and awareness program to educate employees on organization policies to safeguard information, to include auditing employee compliance. See Section 500.14.
  • Audit. Regulated organizations must maintain an audit trail of all systems and financial transactions and keep such records for (at least) five years. Other requirements apply. See Section 500.06.
  • Security of applications.  Regulated organizations need to develop and maintain the administrative safeguards (policies and procedures) to ensure any newly developed applications used by the organizations meet the necessary security requirements. See Section 500.08.
  • Data retention policy and schedule. Organizations need to develop or update their data retention and destruction policy to ensure timely removal and destruction of personal information that is no longer required for business operations. Exceptions exist for legal requirements or the feasibility of such retention and deletions. See Section 500.13.

As always, we encourage you to consult the law and your legal counsel, as needed, to determine what requirements apply to your business and what exemptions may be available. But, as we see across the country, including Ohio recently, states are continuing to demand good data governance from businesses in all sectors that use sensitive and personal information. Ok, go enjoy the last few days of summer.

Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio’s first-of-its-kind state legislation, which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November, and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Continue Reading Proactive Approach to Cybersecurity Pays off in Ohio with New Data Protection Act

Taft summer associate Jordan Jennings-Moore contributed to this article.

In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target, to Anthem, Wendy’s or Equifax, individuals across the country have grown accustomed to getting breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be prepared to protect personal identifying information (PII) belonging to customers, clients, and employees.

Encryption is an easy way to protect PII. It wasn’t always that way, but technologies have made it easier and cheaper to do. And this has legal benefits. A common trend seen amongst all U.S. jurisdictions is an encryption exception to providing notice of a data breach. Why? Well, because encrypted data is not “personal data.” Therefore, loss of encrypted data is often not a “breach” under the law. Encryption saves you time, your reputation and thousands, if not millions, of dollars. That’s huge.

During her time at Taft, our Dayton summer associate Jordan Jennings followed the trends of data breach notification laws and worked with me on updating our materials to reflect the ever-changing world of state privacy and security law (i.e. California). I asked her to pitch in on this update and report on some of her findings below. (Spoiler alert: encryption is a pretty big deal.)

Continue Reading Don’t Be Too Big for Your Breaches! Why Encrypted Data Can Be the Best Way to Avoid a Data “Breach”

Rebekah Mackey, Taft summer associate, contributed to this article.

Just months after the European Union’s General Data Protection Regulation, or “GDPR,” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.

The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.

Continue Reading So Goes California, So Goes the Country?: The Golden State Again Breaks New Privacy Law Ground

As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.

  1. “GDPR Compliant.” Be wary of companies making such claims and don’t make such claims, yourselves.  As with HIPAA, there is no such thing as a stamp of “compliance” approval.  And, like bragging about your information security, warranting that you are “compliant” is just asking for that claim to be challenged.  “Compliance” will be a moving target with a law that has yet to go into effect.  Work toward meeting the requirements, but don’t ever think you have achieved all of them (or that your vendors or subcontractors have).
  2. See this as an opportunity.  Don’t ignore the law’s requirements and its applicability to your business, no matter how small.  Get informed and make good risk-based decisions on how to implement, if at all. I am advising many clients to see GDPR as an opportunity to get their global data governance act together.  Here in the States, I often like to say, “if you can make California happy with your information privacy practices, you can likely make any other state happy too.”  Well, if you can satisfy the EU’s requirements, chances are you can meet any country’s (or company’s) requirements. So, don’t look at this as just a compliance requirement.  It is an opportunity to upgrade your business plan.  The reality is good information privacy and security practices will be the cost of admission to competition for business.
  3. It’s all about the (personal) data.  Before you take the plunge into GDPR compliance, make sure you actually process “personal data” for “data subjects” that are “in the Union.”  Be it for employees or customers, do you process the personal data of individuals that are in the EU when you process such data?  Maybe you don’t collect “personal data” or maybe those individuals are not “in the Union.”  It is not about citizenship or residency.  Is the data subject in the Union or do you process personal data?  If not, you may not have to comply.
  4. You are not alone.  Loads of companies are struggling to figure out if GDPR applies and what, if any, things they need to implement to meet the law’s requirements.  And yes, even companies in the EU are struggling.  Keep calm and carry on.  It is a marathon and not a sprint.
  5. Just get started. You may not be “compliant” on May 25, 2018–or even May of 2019 for that matter.  What is important is that you have a plan and start to execute it – just like with data here in the U.S.  Do you at least have a plan and a story to tell when something bad happens?

That’s it.  Short and sweet.  Now, back to the fun.

On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318) goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:

  • Non-truncated Social Security or tax-identification number;
  • Non-truncated driver’s license, passport, or other government identification number;
  • Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;
  • Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
  • Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.

Continue Reading Alabama Rolls with Tide as Last State to Adopt Breach Notification Law

In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.

Consumers

  1. Your choices matter most. I beat this drum pretty heavily, but it is true. While technology, the marketplace and even the law will serve to provide you some protections and redress when it comes to privacy and security matters, the biggest impact on protecting your personal information comes from the choices you make with respect to that information. What information you share, with whom (which companies) and under what conditions are all things you can control.
  2. Read the privacy policy. I joke in the interview that no one really reads my work in the privacy policies I write for my business clients. Well, there is a little truth in all jokes. Studies show the numbers on how many people read posted policies before providing their personal data, or even know what a privacy policy is, range from 10% to as many as 50%. Taking five minutes to review how a company collects, uses and shares your information can be enlightening and may make you question your patronage of that company. The terms of the privacy policy wouldn’t have stopped Cambridge from doing what it did with the Facebook data, but you would at least know how Facebook claims to share your information.
  3. Read the terms and conditions. Probably less appetizing than reading a privacy policy is reading the terms and conditions for any online transaction in which you engage. These are important too, but not just for privacy. These terms govern ownership of data, intellectual property rights and authorized and unauthorized uses—by the company and by you. It is all about risk. If you value the data involved in any transaction, or the opportunities it provides, take the time to read the agreement.

Businesses

  1. It’s a matter of trust. Have a privacy policy. And honor it. Privacy is all about trust. To be sure, Facebook is facing legal and regulatory fallout over this recent issue. However, the biggest impact might come in losing customers and reputational harm. Indeed, many are swearing off Facebook, especially considering this is the latest in a long line of privacy and security related issues for the company. Companies that want to earn customer loyalty, and indeed loyalty that might get them through a privacy or security crisis WHEN not IF it happens, will get a grip on their data and back up their privacy promises in their privacy policies and terms of use. Better yet, ask yourself: Can we survive such a breakdown in our customers’ trust?
  2. Audit. Get up in your third parties’ business. Facebook could have verified that Cambridge actually deleted the Facebook profiles. Rather, it took a contractual attestation to the fact and allegedly did nothing more. Not always a bad idea, but if you are entrusting third parties to handle your customers’ sensitive data or data in large amounts, use your agreements as an opportunity to ensure that the third party uses the same (or better) safeguards than you do and reserve the right to verify. Not only does this prevent bad things from happening, it shows your customers, regulators, and opposing counsel that you take privacy seriously.
  3. Data is your business. I do not care which industry you operate in—you are a data business. Get smart about the data you collect, store, share and destroy. Take the time to classify your data and map your data throughout your organization and with third parties. Write policies and procedures for how your data will be used properly and what is prohibited. Write agreements with your third parties and with your customers that are easy to understand and place a priority on data protection. And get insurance. Even with all the best practices, you WILL have a data incident. It is not IF but WHEN. Plan and invest in protection for not only your customer data, but the survival of your business and its reputation.

Earlier this year, there was a report on a new spear-phishing attack seeking to steal people’s sensitive data.  The spear-phishing email message, apparently drafted to look like it came from FedEx, included a link that took the recipient of the email to a Google Docs page and then used a script to download malware to the employee’s computer. What was notable about this spear-phishing attempt was that the email “bait” actually included employee sensitive data, such as his or her Social Security Number.  This is yet another new wrinkle in such phishing attempts and should serve as a reminder about being diligent in continually monitoring and improving your cybersecurity program.

Last year alone, cybercriminal activity increased 38%. While cybercriminal activity comes in different forms, 90% of all successful cybersecurity attacks begin with phishing emails. That’s right, 90%! If you are wondering whether this should alarm you as a business owner, IT SHOULD. That’s because the greatest workplace threat to data security is rarely cyber-hackers. As we have shared before, the biggest risks are employees making things easy for hackers or violating policies themselves. Every day, millions of employees read their emails. Consequently, in reading those emails, every day thousands of employees unknowingly open phishing emails, downloading malware viruses to their computer and company databases.

Continue Reading Data security: The bad guys are stepping up their game. Are you?

U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.

But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined broadly) as belonging to the person identified by the data, or “data subject.” The company collecting the data has a limited license to use that data in legitimate ways – as described in one article, a company can only use the data in ways that “wouldn’t surprise them or make them uncomfortable.”

It is unsurprising, then, that under the GDPR, the specific concepts of fair notice and consent are also more robust than in the U.S. This post will give an overview of the notice requirements under the GDPR, and a future post will explore the consent requirements.

Continue Reading What’s in a notice? Privacy notices under the GDPR

Every year, the culprit that tops the list of information security risks is the same one from the previous year, and the year before that: your employees. Sure, hackers and technical failures get a lot of attention, but time and again it is the low-tech failures of employees that lead to security incidents and data breaches. To be clear, it is rarely the disgruntled employee, but more often the apathetic or unaware employee that clicks the phishing link or lets the bad guy into the building. And, unlike the technological safeguards that can cost you thousands of dollars, remedying the issues with employees doesn’t have to cost a lot of time or money. However, it can still have the biggest payoff. Here are three easy things you can do to immediately reduce the risk to your sensitive information, and in doing so, truly make “security everyone’s business.”

Continue Reading The Enemy Within: Why Employees Top the List of Security Risks Each Year (and what you can do to make sure yours don’t)