Articles Posted in Cybersecurity and Privacy

This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.

Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today.  The Cybersecurity Framework,

anticipated legislation and litany of high-profile data breaches have resulted in even more heightened scrutiny.

On February 12, 2014, the National Institute of Standards and Technology (“NIST“) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework“)

and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap“).

The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.

Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.

• Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.
• Access to Customer Data or Systems from Offshore. This issue turns the item above on its head, a bit: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer’s onshore systems. This may or may not be acceptable in any case, or it may be acceptable only if certain agreed-upon restrictions are followed.

Google has figured out that I shop for a lot of children’s clothing online, as my two children grow like weeds. Every time I launch a search, my banner ads link to brands that I have bought previously or similar brands that other consumers may have purchased. That is Big Data at work, as it is being used to identify other brands that I might be interested in purchasing based on shoppers with similar consumer profiles to mine. But let’s say that the next banner ad I receive isn’t for children’s clothing, but is instead for an all-inclusive Caribbean vacation. Well, I have never searched for Caribbean vacations, why would this be turning up? Again, this is Big Data at work, because patterns in human behavior have informed Google that people with small children are likely good targets for a quick getaway vacation. This is an example of the value of Big Data in predicting individual consumer behavior based on the behavior of many.

“Big Data” is the somewhat uncreative but accurate term for the process of collecting, culling, and categorizing of data from diverse sources on a massive scale. Through the application of algorithms, companies are analyzing Big Data in order to see patterns in human behavior, and (most commonly) using it to develop targeted, individualized marketing. The primary goal of Big Data is to learn from a large body of information things that we could not comprehend when we used only smaller amounts. Recent trends point to an increase in the use of Big Data, but there are several cautionary points from a legal and privacy perspective to consider.

What are the uses of Big Data, and who uses it? The potential benefits are wide ranging, but can be categorized as follows:

This article was originally published in the July 22, 2013 issue of Texas Lawyer.

The constant threat of cyberattacks presents many and varying challenges for businesses. Insurance provides one way to deal with them. Because the market for insurance covering these risks and the law interpreting these policies both continue to develop, this is an area in which attorneys can help clients by maximizing their opportunity to secure the broadest possible coverage.

A look at federal and state action on cybersecurity risks provides some critical background. President Obama issued his Executive Order on Improving Critical Infrastructure Cybersecurity in February. In October 2011, the U.S. Securities and Exchange Commissions Division on Corporate Finance issued relevant guidance on financial-disclosure obligations concerning cybersecurity issues in CF Disclosure Guidance Topic No. 2 – Cybersecurity.

Jim Gatto and James Chang recently published “Mobile Privacy Practices: Recent California developments indicate what’s to come” in the June issue of Computer Law Review International.

The use of mobile applications has seen huge growth in the past few years. As the use of apps become increasingly commonplace, social concerns such as the privacy of app users will increasingly need addressing. California is taking the lead in regulating this important issue. For more information, including an overview of mobile privacy, a summary of California’s stance on how to address the issue, an overview of the state’s principles regarding privacy, its best tips for complying with its principles, and an examination of the privacy related laws outside of California, please read the full article: Mobile Privacy Practices: Recent California developments indicate what’s to come.

Steve Farmer recently published an article in World Data Protection Report titled “Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0.”

What exactly is the ‘”best” solution for an international business needing to handle and transfer personal data across borders?

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.