European Commission – Data Protection

The European Commission's Data Protection pages link to EC data protection policies, information and services. There the Commission provides the official GDPR text in multiple languages, describes the European Data Protection Board and its responsibilities, offers detailed guidance and resources on data transfers outside the EU, and gives a focused discussion of the changes to the EU data protection rules introduced by GDPR, including:

The Commission also provides an interactive infographic with a countdown clock; it is a glossy summary that could be useful for a very high-level overview of GDPR and its implications for companies. Recently, on March 7, 2018, the Commission updated its Overview of the National Data Protection Authorities, where you can find links to each DPA. Note that many of the DPAs provide their resources in their country's language, not in English.

List of Pending 2018 Breach Legislation

While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, many changes are being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights in general. After all, legislators are consumers too. For a quick reference to the legislation being considered in states where you might be affected, bookmark this page:

http://www.ncsl.org/research/telecommunications-and-information-technology/2018-security-breach-legislation.aspx

Email tracking services – are they really worth it?

As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground; to the point that 40% of all email being sent, and 99% of the majority of the emails you receive (newsletters, marketing materials, notifications and transactional emails), are now being tracked. There's even a 16% chance that any conversational email you receive from your professional contacts, friends, family, etc. is being actively tracked. Most, if not all, of this happens without your consent.

Whether services like this are good or evil is subjective; however, if your organization is considering (or already using) an email tracking service, also consider the following:

  • Is the data being gathered without informed consent?
  • If so, have you reviewed your risk exposure with regards to complying with privacy regulations that require informed consent for obtaining information in this manner, such as GDPR and COPPA?
  • What action might the recipients take if they found out you were collecting this information?
  • What audit controls are in place to ensure the information being collected is not being misused?
  • How did you determine the value of the data you are collecting outweighs these risks?
  • Are you in compliance with rules and regulations related to marketing, such as the CAN-SPAM Act and the UK’s Privacy and Electronic Communications Regulations of 2003?
  • If you are averse to the idea of your organization being tracked, do you have any controls in place to combat this threat?

If you have specific questions about email trackers and the potential risks of using or resisting them, please reach out directly to me or Amy Carlson.

How does your leadership remain aware of cyber security threats?

Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there still seems to be a significant knowledge gap among business leaders with respect to the threats that prominent cyberattacks pose to their organizations. Only 14% of business leaders in this report were aware of the Dyn attack that brought down large swaths of the Internet back in October 2016, and a paltry 8% of those surveyed were aware of the patchable Apache Struts vulnerability exploited in the Equifax data breach.

If executives sponsoring software development and/or acquisition projects do not have at least a basic level of awareness of cyber security threats, they will fail to ensure that application security is successfully built into those projects. Veracode’s survey also found that 65 percent of all internally developed applications did not successfully address the OWASP Top 10 security vulnerabilities. Ensuring your applications are securely designed to avoid these vulnerabilities should be considered a baseline requirement of any software development project. Asking for evidence of secure coding practices from any software supplier should be a baseline requirement of any RFP.

To stay well-informed about cyber security threats, vulnerabilities, trends and risk mitigation strategies, we recommend:

  • Subscribing to alert/advisory feeds like US-CERT, ICS-CERT, The National Vulnerability Database, etc.
  • Joining an information sharing organization – your industry may have an ISAC already; Stoel Rives is a member of the LS-ISAO
  • Following prominent security professionals with easily-digestible blogs, like Bruce Schneier and Brian Krebs
  • Meeting regularly (at least quarterly, but monthly is better) with the person or vendor in charge of your information security program to review threats and action plans
  • Conducting annual risk assessments using a qualified third party to get independent, expert feedback on your overall security posture
  • Requiring that all members of your organization participate in regular cyber security training

The more people interact with AI, the more they like it – but that doesn’t diminish their privacy fears

According to a recent Genpact study:

  • Nearly two-thirds of consumers (63%) are worried that Artificial Intelligence is going to make decisions that will impact their lives without their knowledge
  • Less than one-third (30%) are at least “fairly comfortable” with the idea of companies using AI to access their personal data
  • Almost three-quarters (71%) say they don’t want companies to use AI that threatens to infringe on their privacy – even if it improves the customer experience

As AI continues its inevitable expansion into consumer interactions, it’s important to develop strong, transparent and well-communicated privacy policies and practices around the data being accessed by the AI engines – especially before GDPR enforcement takes effect in May of next year.

If your business is particularly interested in collaborating on AI projects, consider checking out MIT’s “Systems That Learn” research initiative.

Funds transfer fraud in real estate transactions has seen an explosive increase this year

As a firm with a large real estate practice, we are keenly aware of the risks of wire transfer fraud in real estate transactions – which has exploded from a reported $19 Million in 2016 to almost $1 Billion in 2017.

Often this fraud is the result of an attacker compromising a legitimate email account and ‘camping out’ – quietly maintaining a foothold in the account and reading emails but not taking any action – until it's time for a funds transfer to occur. The attacker then uses information from the email thread to change the wiring instructions: for example, by sending a last-minute change to the transfer account from a compromised agent's email, leveraging DocuSign as the ‘agent’ to send the bogus instructions, or even calling the victim with last-minute changes while pretending to be from the title company.

How can you protect yourself?

  • Be wary of any closing or wiring instructions sent via email, and verify by phone or in person with settlement personnel that all instructions are correct.
  • Do not act on any changes to previous instructions without first contacting the agent/agency using their published contact information – versus any contact information you receive by phone or voicemail – and re-verifying the instructions.
  • Consider completing the wire transfer while in the presence of an agent, just to be sure.
  • If you are victimized, contact the FBI immediately.

While it's possible that the FBI can leverage the Financial Fraud Kill Chain to recover stolen funds, that is far from certain: any recovery may be only a portion of the funds, and the process takes long enough that you'll likely fall out of escrow. For additional information on safely managing real estate transactions, please reach out to any one of our real estate lawyers, including Sylvia Arostegui or Devin McComb.

CNIL’s GUIDANCE FOR PROCESSORS – ANSWERS TO YOUR MOST PRESSING QUESTIONS

See European Regulation on the Protection of Personal Data Guide Sub-Contractor Edition, September 2017.

  • Are you a processor within the meaning of the European Regulation on data protection?
  • Are you subject to the EU regulation on data protection?
  • What is the main change introduced by the European regulation for processors?
  • What are your obligations as of May 25, 2018?
  • Where to start?
  • If I use another sub-processor, what are my obligations?
  • Do my current contracts with my clients need to be changed?
  • What is my role in the event of a data breach?
  • What is my role as part of the impact assessment?
  • Can I benefit from the one-stop-shop mechanism?
  • What are my obligations if I am not established in the EU?
  • What are the risks if I breach my obligations?
  • Example contract clauses for subcontracting

PIAs & DETERMINATION OF RISK UNDER GDPR – THE LATEST:

The Article 29 Working Party updated its guidance on PIAs and the evaluation of risk on October 4, 2017:

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

CNIL created a PIA infographic to outline the main principles. Keep an eye out for these additional tools, which CNIL is currently developing to assist with the GDPR PIA requirement:

  • A PIA Guide and free software to assist in determining when a DPIA is required, and to help perform the PIA
  • A framework for conducting DPIAs on connected objects
  • A case study
  • A list of processing activities that require a DPIA and a list of those that are not subject to the DPIA requirement

Big Data is amazingly useful … and risky

Under the Freedom of Information Act, US citizens have the right to access information from the federal government. We can visit Data.gov to search the more than 197,000 datasets currently indexed on the site. While the intent is to leverage that data for the public good, there's also an enormous amount of information available that could be used by bad actors to gather information about individuals, like the physicist in this article.

For any organization that has privacy obligations and large data sets, it's crucial to establish good data governance standards to limit the risk of the “mosaic effect” – where overlapping large data sets that may individually seem “de-identified” can be re-identified through analysis of the aggregate data. Consider what information you're making accessible, and to whom, and whether those with access could use the data to re-identify confidential subjects.
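One concrete governance check before releasing a data set is to measure how many records remain unique on the quasi-identifiers (zip code, birth year, sex) that another public data set could share, since those are the rows the mosaic effect exposes. The script below is an added example, not from the original post; the data set and the generalization rules are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: names are gone, but the
# quasi-identifiers (zip, birth_year, sex) could be matched against other
# public data sets. All values are made up.
RELEASE = [
    {"zip": "97204", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"zip": "97204", "birth_year": 1975, "sex": "F", "diagnosis": "flu"},
    {"zip": "97205", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "97209", "birth_year": 1988, "sex": "M", "diagnosis": "flu"},
    {"zip": "97209", "birth_year": 1992, "sex": "F", "diagnosis": "asthma"},
    {"zip": "97211", "birth_year": 1996, "sex": "F", "diagnosis": "flu"},
    {"zip": "97211", "birth_year": 1965, "sex": "M", "diagnosis": "hypertension"},
]
QUASI_IDS = ("zip", "birth_year", "sex")

def equivalence_classes(rows, quasi_ids=QUASI_IDS):
    """Group rows by their quasi-identifier tuple; maps each tuple to its size."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)

def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """Smallest class size: with k == 1, a second data set sharing these
    columns can single out at least one person."""
    classes = equivalence_classes(rows, quasi_ids)
    return min(classes.values()) if classes else 0

def singleton_count(rows, quasi_ids=QUASI_IDS):
    """Number of rows that are unique on the quasi-identifiers."""
    return sum(1 for n in equivalence_classes(rows, quasi_ids).values() if n == 1)

def generalize(rows):
    """Coarsen the quasi-identifiers (3-digit zip prefix, birth decade)."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out

def suppress(rows, k, quasi_ids=QUASI_IDS):
    """Drop rows still sitting in a class smaller than k after generalization."""
    classes = equivalence_classes(rows, quasi_ids)
    return [r for r in rows if classes[tuple(r[q] for q in quasi_ids)] >= k]

if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RELEASE), "singletons =", singleton_count(RELEASE))
    safe = suppress(generalize(RELEASE), 2)
    print("generalized + suppressed: k =", k_anonymity(safe), "rows kept =", len(safe))
```

On the sample every raw row is unique (k = 1); generalizing collapses most rows into pairs, and suppressing the one remaining singleton yields a 2-anonymous release of six rows.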

For more on the risk of the mosaic effect, click here.
