If you manage a company that collects and otherwise processes personal data (which is just about every company, these days), you may need to protect your own pocketbook. As governments across the globe continue to enact and enforce data privacy, data protection, and cybersecurity laws, data becomes more readily available, and the volume of incidents
Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from…
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”
These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.
With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear” and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.
Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.” Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.
In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:
[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.
The Yahoo! class action over the 2013-2014 hacks, affecting 1 billion (later updated to 3 billion) accounts, is poised to settle for $85 million – and the provision of free credit monitoring services for 200 million account holders for 2 years.
While $85 million may seem like a relative bargain compared to the $350 million…
The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement…
While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights…
See European Regulation on the Protection of Personal Data Guide Sub-Contractor Edition, September 2017.
- Are you a contractor within the meaning of European Regulation on data protection?
- Are you subject to EU regulation on data protection?
- What is the main change introduced by the European regulation for contractors?
- What are your obligations as of