The United Kingdom’s Information Commissioner’s Office (“ICO”) is a great resource for companies looking for clear DPA guidance. The ICO has published a Guide to the GDPR that is both targeted and comprehensive, as well as resources for organizations that include several guides. Getting Ready For GDPR Resources is a nice package of information prepared by the ICO to assist smaller companies. Companies can also quickly report breaches to the ICO when necessary. The ICO also provides a search capability for the Register of Data Controllers.
- Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)
- Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)
- Guidelines on the application and setting of administrative fines (wp253). In multiple language versions.
- Guidelines on Transparency under Regulation 2016/679 (wp260) [adopted, but still to be finalized]
- Guidelines on Consent under Regulation 2016/679 (wp259) [adopted, but still to be finalized]
- Guidelines on the Lead Supervisory Authority (wp244rev.01)
- Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
- Guidelines on the right to “data portability” (wp242rev.01)
- Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01)
Additional “News” from the Art. 29 WP may be found here. Despite prominence on the Commission’s website, the Commission stated on December 12th, 2017 that the Art. 29 WP does not speak for the Commission (see here). Guidance, opinions and other statements of the Art. 29 WP are generally given a great deal of attention by those affected by GDPR because it is composed of the following:
- A representative of the supervisory authority(ies) designated by each EU country;
- A representative of the authority(ies) established for the EU institutions and bodies;
- A representative of the European Commission.
On March 27, 2018, the Commission posted a new link to the Article 29 WP archives from 1997 to November 2016.
The European Commission – Data Protection provides links to EC data protection policies, information and services. The Commission provides the official GDPR text in multiple languages, describes the European Data Protection Board and its responsibilities, provides detailed guidance and resources on data transfers outside the EU, and some focused discussion of the changes to the EU data protection rules as a result of GDPR, including:
- Rights for Citizens
- Rules for Business and Organizations
- What is Personal Data?
- What Does GDPR Govern?
- What Constitutes Data Processing?
- What Are Data Protection Authorities?
The Commission provides an interactive infographic with a countdown clock; it is a glossy, very high-level overview of GDPR and its implications for companies. Recently, on March 7, 2018, the Commission updated its Overview of the National Data Protection Authorities, where you can find links to each DPA. Note that many of the DPAs provide their resources in their country’s language, and not in English.
Recently, I have been asked several times where there are good, official resources on GDPR. The following series of posts provide links to these resources. We will post additional resources from time-to-time.
While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights in general. After all, legislators are consumers too. For a quick reference of the legislation being considered in states where you might be affected, bookmark this page:
As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground on the web, to the point that 40% of all email being sent is now tracked, as is 99% of the automated email that makes up the majority of what you receive (newsletters, marketing materials, notifications and transactional emails). There’s even a 16% chance that any conversational email you receive from your professional contacts, friends, family, etc. is being actively tracked. Most if not all of this happens without your consent.
Whether or not services like this are good or evil is really subjective, however if your organization is considering (or already using) an email tracking service, also consider the following:
- Is the data being gathered without informed consent?
- If so, have you reviewed your risk exposure with regards to complying with privacy regulations that require informed consent for obtaining information in this manner, such as GDPR and COPPA?
- What action might the recipients take if they found out you were collecting this information?
- What audit controls are in place to ensure the information being collected is not being misused?
- How did you determine the value of the data you are collecting outweighs these risks?
- Are you in compliance with rules and regulations related to marketing, such as the CAN-SPAM Act and the UK’s Privacy and Electronic Communications Regulations of 2003?
- If you are averse to the idea of your organization being tracked, do you have any controls in place to combat this threat?
If you have specific questions about email trackers and the potential risks of using or resisting them, please reach out directly to me or Amy Carlson.
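One concrete control for the last question in the list above is to inspect inbound HTML mail for tracking pixels before a client fetches remote images. The following Python scanner is an added example written for this page, not code from the original post or from any tracking or anti-tracking vendor. The detection heuristics (a remote image that is 1x1 or hidden, or whose URL carries a long opaque token and has no image file extension), the hostnames and the sample message are all constructed for the illustration and are assumptions, not facts taken from the Wired article.

```python
"""Flag and strip likely email tracking pixels in an HTML message body.

Added example, not from the original post. The heuristics below are
assumptions chosen for illustration; a real gateway would tune them.
"""
import re
from urllib.parse import urlparse

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)  # simplification: no '>' inside attribute values
ATTR = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{24,}")  # assumption: per-recipient IDs are long opaque strings
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")


def parse_attrs(tag):
    """Return the attributes of one <img ...> tag as a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR.finditer(tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def _dimension(attrs, style, name):
    """Pixel size from an inline style (wins) or a width=/height= attribute, else None."""
    m = re.search(name + r":(\d+)px", style)
    if m:
        return int(m.group(1))
    m = re.match(r"\s*(\d+)", attrs.get(name, ""))
    return int(m.group(1)) if m else None


def is_tracking_pixel(attrs):
    """Classify one image; returns (is_tracker, reason)."""
    src = attrs.get("src", "")
    u = urlparse(src)
    if u.scheme not in ("http", "https"):
        return False, None  # cid:/data: images cannot phone home when rendered
    style = attrs.get("style", "").lower().replace(" ", "")
    w = _dimension(attrs, style, "width")
    h = _dimension(attrs, style, "height")
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True, "1x1 image"
    if "display:none" in style or "visibility:hidden" in style:
        return True, "hidden image"
    # A remote "image" with no image extension but a long opaque token is an open beacon.
    if not u.path.lower().endswith(IMAGE_EXT) and OPAQUE_TOKEN.search(u.path + "?" + u.query):
        return True, "opaque token in URL"
    return False, None


def scan_html_email(html):
    """Return ([(src, reason), ...], html with the flagged <img> tags removed)."""
    found = []

    def replace(m):
        attrs = parse_attrs(m.group(0))
        hit, reason = is_tracking_pixel(attrs)
        if hit:
            found.append((attrs.get("src", ""), reason))
            return ""  # strip the tag so the mail client never issues the request
        return m.group(0)

    return found, IMG_TAG.sub(replace, html)


# Constructed sample newsletter: one legitimate logo, three beacons, one inline cid: image.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example.com/images/logo.png" width="200" height="60" alt="Example Co">
<p>Thanks for subscribing to our newsletter.</p>
<img src="https://track.example.net/open?uid=5f1c9e2a7b3d4c8e9f0a1b2c3d4e5f60" width="1" height="1" alt="">
<img src="https://mail-metrics.example.org/px/XK29fjq8Qm3zLp0vT7bYwH4nRc" style="display: none">
<img src="https://links.example.net/o/aB3dEf5gH7jK9lM1nO2pQ4rS6tU8vW">
<img src="cid:inline-photo@example.com" alt="embedded photo">
</body></html>"""

if __name__ == "__main__":
    hits, cleaned = scan_html_email(SAMPLE_EMAIL)
    for src, reason in hits:
        print(f"tracker ({reason}): {src}")
    print(cleaned)
```

Run against the constructed message, the scanner reports the 1x1 pixel, the hidden image and the token-bearing beacon, and leaves the logo and the inline cid: image untouched. A mail client or gateway that simply refuses to load remote content by default achieves the same end without any heuristics; a scanner like this one is useful for auditing which messages would have reported back, and to whom.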
Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there still seems to be a significant knowledge gap among business leaders with respect to the threats that prominent cyberattacks pose to their organizations. Only 14% of business leaders in this report were aware of the Dyn attack that brought down large swaths of the Internet back in October 2016, and a paltry 8% of those surveyed were aware of the patchable Apache Struts vulnerability exploited in the Equifax data breach.
If executives sponsoring software development and/or acquisition projects do not have at least a basic level of awareness of cyber security threats, they will fail to ensure that application security is successfully built into those projects. Veracode’s survey also found that 65 percent of all internally developed applications did not successfully address the OWASP Top 10 security vulnerabilities. Ensuring your applications are securely designed to avoid these vulnerabilities should be considered a baseline requirement of any software development project. Asking for evidence of secure coding practices from any software supplier should be a baseline requirement of any RFP.
To stay well-informed about cyber security threats, vulnerabilities, trends and risk mitigation strategies, we recommend:
- Subscribing to alert/advisory feeds like US-CERT, ICS-CERT, The National Vulnerability Database, etc.
- Joining an information sharing organization – your industry may have an ISAC already; Stoel Rives is a member of the LS-ISAO
- Following prominent security professionals with easily-digestible blogs, like Bruce Schneier and Brian Krebs
- Meeting regularly (at least quarterly, but monthly is better) with the person or vendor in charge of your information security program to review threats and action plans
- Conducting annual risk assessments using a qualified third party to get independent, expert feedback on your overall security posture
- Requiring that all members of your organization participate in regular cyber security training
According to a recent Genpact study:
- Nearly two-thirds of consumers (63%) are worried that Artificial Intelligence is going to make decisions that will impact their lives without their knowledge
- Less than one-third (30%) are at least “fairly comfortable” with the idea of companies using AI to access their personal data
- Almost three-quarters (71%) say they don’t want companies to use AI that threatens to infringe on their privacy – even if it improves the customer experience
As AI continues its inevitable expansion into consumer interactions, it’s important to develop strong, transparent and well-communicated privacy policies and practices around the data being accessed by the AI engines – especially before GDPR enforcement takes effect in May of next year.
If your business is particularly interested in collaborating on AI projects, consider checking out MIT’s “Systems That Learn” research initiative.
As a firm with a large real estate practice, we are keenly aware of the risks of wire transfer fraud in real estate transactions – which has exploded from a reported $19 Million in 2016 to almost $1 Billion in 2017.
Often this fraud is the result of an attacker compromising a legitimate email account and ‘camping out’ – quietly maintaining a foothold in the account and reading emails but not taking any action – until it’s time for a funds transfer to occur. The attacker then uses information from the email thread to change the wiring instructions: for example, by sending a last-minute change to the transfer account from a compromised agent’s email, by leveraging DocuSign as the ‘agent’ to send the bogus instructions, or even by calling the victim with last-minute changes while pretending to be from the title company.
How can you protect yourself?
- Be wary of any closing or wiring instructions sent via email, and verify by phone or in person with settlement personnel that all instructions are correct.
- Do not act on any changes to previous instructions without first contacting the agent/agency using their published contact information – versus any contact information you receive by phone or voicemail – and re-verifying the instructions.
- Consider completing the wire transfer while in the presence of an agent, just to be sure.
- If you are victimized, contact the FBI immediately.
While it’s possible the FBI can leverage the Financial Fraud Kill Chain to recover stolen funds, it’s far from certain; any recovery may be only a portion of the funds, and the process takes long enough that you’ll likely fall out of escrow. For additional information on safely managing real estate transactions, please reach out to any one of our real estate lawyers, including Sylvia Arostegui or Devin McComb.
See European Regulation on the Protection of Personal Data Guide Sub-Contractor Edition, September 2017.
- Are you a sub-contractor (the GDPR’s “processor”) within the meaning of the European Regulation on data protection?
- Are you subject to the EU regulation on data protection?
- What is the main change introduced by the European regulation for sub-contractors?
- What are your obligations as of May 25, 2018?
- Where to start?
- If I use another sub-contractor, what are my obligations?
- Do my current contracts with my clients need to be changed?
- What is my role in the event of a data breach?
- What is my role as part of the impact assessment?
- Can I benefit from the one-stop-shop mechanism?
- What are my obligations if I am not established in the EU?
- What are the risks in case of a breach of my obligations?
- Example of sub-contracting contract clauses