Accelerate: Getting to Your North Star Faster

In May, BakerHostetler’s new Digital Transformation and Data Economy (DTDE) team presented a four-part webinar series for business leaders that covered the legal implications surrounding COVID-19. Panelists, including in-house attorneys and industry experts, discussed how companies can determine where opportunities and vulnerabilities lie in managing, protecting, and leveraging digitization and data assets.

In the May 20, 2020 webinar, “Accelerate: Getting to Your North Star Faster,” the panelists discussed the issues businesses face in accelerating their digital transformation to fuel growth.

Fraudulent Wire Transfer Instruction Changes on the Rise (Again)

Phishing and social engineering attacks to divert wire transfers or invoice payments are not new fraud techniques, but they have recently taken a back seat to ransomware as posing the greatest cyberthreat to businesses. However, over the past few weeks, we have seen a surge in new matters where the fact pattern is the same as it has been for almost a decade:

  • The accounting department starts seeing an increase in accounts receivable for one or more customers.
  • The accounting department follows up on outstanding invoices.
  • The customer reports that he/she already paid the invoices and provides proof of the wire transfer.
  • The accounting department alerts the customer that he/she sent the wire to the wrong bank account.
  • The customer states that he/she was just following the accounting department’s instructions, attaching an email with “new” wire instructions that appeared to come from the accounting department.

How to Pivot and Transform Your Digital Assets into Alternate Revenue Streams

BakerHostetler’s new Digital Transformation and Data Economy (DTDE) Team presented a four-part webinar series in May that covered the legal implications surrounding COVID-19 for business leaders. Panelists, including in-house attorneys and industry experts, discussed how companies can determine where opportunities and vulnerabilities lie in managing, protecting and leveraging digitization and data assets.

In the May 13, 2020 webinar, “How to Pivot and Transform Your Digital Assets into Alternate Revenue Streams,” the panelists discussed how their businesses made the transition from traditional to tech-savvy and tech-enabled, the lessons learned along the way, and the legal and business considerations that affected these pivots.

Belgian Authority Raises Red Flag for DPOs with Multiple Roles

Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing a DPO who holds another senior role in the organization.

Article 38.6 of the EU’s General Data Protection Regulation (GDPR) allows that a DPO may fulfill other tasks and duties assigned by an organization, provided such duties do not result in a conflict of interest. Since the GDPR came into effect in May 2018, we have seen limited regulatory enforcement focused on the DPO’s role. The Belgian DPA’s fine complicates this landscape and highlights key considerations for organizations with respect to the appointment of a DPO.

Three Paths to Final CCPA Regulations by July 1

The California Consumer Privacy Act (CCPA) requires the California Attorney General (AG) to issue regulations to “further the purposes of the title” by July 1, 2020. As that date quickly approaches, various rumors have been circulating about the status of the final regulations and whether they will actually be issued by July 1, or at all. Some have speculated that due to the current state of affairs related to COVID-19, the AG’s office may not even issue final regulations and that the current draft will become the final version enforced by the AG on July 1. Others have contended that due to the administrative law requirements of California, the AG’s apparent inaction, and a backlog at the Office of Administrative Law (OAL), the final regulations will now inevitably be delayed until Oct. 1.

Despite the conjecture, there are three possible ways in which the CCPA regulations might be adopted on or before July 1.

DSIR Deeper Dive: Regulatory Investigation Landscape

HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties.

State attorneys general have been laboratories of privacy enforcement. Over the years, they have devoted significant time and energy to, and played an increasingly active role in, data privacy and security matters. They have used their broad consumer protection authority and authority given them under the HITECH Act to enforce the HIPAA privacy and security rule in order to investigate data security lapses. More recently, we have seen expanded authority given to nontraditional regulators, including state departments of insurance and financial regulation. A number of states have adopted or are adopting a model law promoted by the National Association of Insurance Commissioners that requires 72-hour notice of a cybersecurity event to the state insurance regulator.

DSIR Deeper Dive: The Ransomware Epidemic

Ransomware is among the most common and persistent threats faced by organizations of all sizes. In 2019, the ransomware threat landscape worsened in several significant ways: (1) average demands increased more than tenfold; (2) all industry segments saw increases in attack frequency, with stark increases seen by education and government entities; and (3) several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment.

Increased Ransom Demands. In our 2019 report, we dedicated a quarter page to ransomware, with the average ransom paid for the matters we handled being $28,920 and the largest payment being $250,000. For the 2020 report, we dedicated a full page to the epidemic, with the average ransom paid for matters we handled jumping to $302,539 and the largest payment being $5.6 million. Questions had arisen in years past as to why ransomware demands seemed relatively low. By deploying ransomware, the threat actors were crippling a company’s ability to function but would often settle for a five-figure ransom while the victims were losing hundreds of thousands or millions of dollars a day due to the business interruption. Whatever the reasons, threat actors changed their approach, and 2019 was the year they were ready to increase the stakes. 2020 has only seen these trends continue.

CCPA Compliance Meets Trade Secret Protection: A Peaceful Coexistence?

Since the California Consumer Privacy Act (CCPA) went live on January 1, 2020, businesses have been working to develop procedures for lawfully complying with requests from California consumers relating to their personal information. Such requests may provoke a vexing question for which there currently is no definitive answer in the CCPA: What is the business obligated to do if information that would be responsive to a consumer request includes legally protectible trade secret data either owned by the business or held subject to confidentiality restrictions imposed by third-party data sources?

Generally, the CCPA allows California consumers to request that a business disclose the specific pieces of personal information the business has collected. “Personal information” (PI) is broadly defined to include data elements such as IP address, device identifier, browsing history and other internet activity, geolocation data, and inferences drawn about the consumer’s psychological or behavioral attributes. The consumer also may request that the business delete any PI about the consumer that the business has collected.

Privacy Litigation in the Age of Coronavirus

Now that new cases of COVID-19 appear to be waning in the United States, those of us stuck in our homes are asking the same question: How long before things get back to normal? The answer from epidemiologists appears to be no time soon, as any actions to completely lift the severe social distancing restrictions currently in place will lead to another spike in infections, at least until we can find a vaccine. At the same time, the economy is in jeopardy and jobless claims are already in the tens of millions, and rising. It is a brutal dilemma. Either let millions die or condemn tens of millions to economic hardship.

A solution in some parts of the world has been to combine rigorous testing with tracking and surveillance. This approach has apparently worked with varying levels of success in parts of Asia and elsewhere. In the United States, technology companies have taken note and are developing capabilities to enable a similar approach. These efforts include, notably, a joint effort by Apple and Google to develop a cellphone application programming interface designed to operate independently of any central health authority. In addition, numerous developers are rushing to make tracking and surveillance tools that work via the acquisition and storage of a user’s health status, biometrics, geolocation, and proximity to others.

Positioning for What’s Beyond the Horizon: What Digital Transformation and the Data Economy Mean for You

BakerHostetler’s new Digital Transformation and Data Economy Team (DTDE) is presenting a four-part webinar series in May where attorneys will cover legal implications surrounding COVID-19 for business leaders. Panelists, including in-house attorneys and industry experts, will discuss how companies can determine where opportunities and vulnerabilities lie in managing, protecting and leveraging digitization and data assets.

In the May 6, 2020 webinar, “Positioning for What’s Beyond the Horizon: What Digital Transformation and the Data Economy Mean for You,” the panelists provided insight into how companies and individuals are reacting to COVID-19. They discussed how hiring trends indicate the larger role digital transformation and the data economy will have, both now and in a post-COVID-19 world.
