SEC Updates Data Privacy and Cybersecurity Guidance for Registered Firms

On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms.

Regulation S-P

By way of background, Regulation S-P is the SEC’s data privacy regulation that implemented the privacy provisions of the Gramm-Leach-Bliley Act. In particular, this regulation protects the nonpublic personal information of customers, including personally identifiable financial information and consumer lists or descriptions derived from nonpublic information. To protect this information, Regulation S-P requires firms to do two main things.
Deeper Dive: Choose the Right Forensics Firm for the Job

Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation.

Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation. Many of the key decisions in an investigation will be driven by forensics. Does the organization have notification obligations? Was there access to and/or acquisition or exfiltration of personal information or other sensitive data? Specifically, what data was accessed or exfiltrated? When did the compromise start and when did it end? Are the attackers still in the environment? Or in a business interruption event such as ransomware, how does the organization get back up and running and get back to work?

In BIPA’s Wake, a Wave of New Biometric Privacy Proposals

Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired in part by the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of significant litigation in recent years. Below we provide an overview of notable proposed legislation.

U.S. Federal Law

On March 14, 2019, Senators Brian Schatz (D-Hawaii) and Roy Blunt (R-Mo), introduced the Commercial Facial Recognition Privacy Act. The act focuses on providing notice and obtaining affirmative consent whenever facial recognition technology is used to collect or process facial recognition data for certain purposes.

  • “Facial recognition data” is defined as “any unique attribute or feature of the face of an end user that is used by facial recognition technology to assign a unique, persistent identifier or for the unique personal identification of a specific individual.”
  • “Facial recognition technology” is defined as technology that “analyzes facial features in still or video images” and is used “to assign a unique, persistent identifier” or “for the unique personal identification of a specific individual.”

Bill to Expand CCPA Private Right of Action Moves Forward

We have previously written about California SB 561, introduced by Senator Jackson (D) and supported by the California Attorney General (AG), which among other things would vastly expand the CCPA’s private right of action and remove the right to cure before the AG can seek civil penalties. On April 9 the California Senate Judiciary Committee held a hearing on the bill. The committee voted 6 to 2 to refer the bill to the Senate Appropriations Committee. Some members of the committee, including some who voted in favor of moving the bill forward, expressed concern about the scope of the private right of action, its impact on businesses and the ambiguity of the current text. Senator Jackson promised to work with stakeholders to explore potential refinement of the private right of action, so long as it preserved the ability of consumers whose CCPA privacy rights are violated (the current law restricts the private right of action to certain types of data security breaches) to seek meaningful redress without having to rely on the AG to enforce the CCPA. It was noted that the restriction of the private right of action was fundamental to the compromise that led to the bill; however, Senator Jackson and others rejected that as not relevant, or at least not binding. We had previously encouraged further limitation of the private right of action. It appears that quite the opposite may be on its way to fruition. We will continue to monitor its progress.

Deeper Dive: The Scourge of O365 Incidents

A Growing Menace

2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account.

Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owing, in no small part, to phishing’s low sophistication, easy replication and high profitability for the hackers. Attackers routinely defraud organizations with spoofed emails requesting phony wire transfers or changes to the bank information for employees’ or vendors’ direct deposit accounts. Employees acting on fraudulent requests risk the loss of thousands, and in some cases millions, of dollars, not to mention the cost of forensic investigations, notifications to individuals and regulators, and reputational fallout.

Deeper Dive: GDPR a Game-Changer for Data Breach Notification

When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available under U.S. laws.

Among the challenges facing companies responding to a personal data breach in the European Economic Area (EEA) are both the scope of what constitutes a notifiable breach and the tight time frame for providing notification. “Personal data” protected under the GDPR is defined much more broadly than “personally identifiable information” under U.S. laws, and under the GDPR an entity affected by a personal data breach must notify regulators within 72 hours of becoming aware of such a breach, unless it is “unlikely to result in a risk to the rights and freedoms of natural persons.” In addition, entities must notify affected individuals in the EEA where the breach is “likely to result in a high risk” to those rights and freedoms. Failure to implement appropriate data protection policies or to properly notify regulators or individuals is punishable by fines of up to 4% of a company’s global annual turnover.

Deter Workforce Snooping in Electronic Medical Records Through Education and Training

On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) and its affiliate, Tri Rivers Musculoskeletal Centers (TRMC). From March 7, 2016, through June 23, 2017, Kalina improperly accessed the health information of 111 UPMC patients who had never been provided services at TRMC. In her capacity as a patient information coordinator, Kalina was authorized to access patient information contained in UPMC’s electronic medical record system as necessary to provide services to patients. Among others, Kalina accessed and disclosed the health information of two individuals who worked at Kalina’s former employer.

Additional California Bill, AB 25, Proposed to Further Amend the CCPA

On March 25, Assembly Member Chau introduced Assembly Bill 25 (AB 25), which proposes to amend a section of the California Consumer Privacy Act (CCPA), set to take effect on Jan. 1, 2020. This amendment would expressly exclude employees from the definition of a “consumer” under the CCPA.

As currently drafted, the CCPA governs the personal information (PI) of “consumers,” who are broadly defined as California residents. This would, in effect, provide California employees (if their employer is a covered business under the CCPA) a broad range of European-like rights when it comes to their PI. These rights would include the right to request that their employer provide them with a transportable copy of their PI, delete their PI, and provide them with specific information about the collecting and sharing practices for their PI (subject to certain exceptions).

AB 25 proposes to amend the CCPA by creating a carve-out from the definition of a consumer. AB 25 would clarify that the meaning of “consumer” under the CCPA does not include a “natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

Fifth Annual Data Security Incident Response Report Released – Managing Enterprise Risks in a Digital World

We are excited to release the fifth edition of our annual Data Security Incident Response Report. This year’s report provides metrics from the 750+ potential incidents our team led clients through in 2018, as well as “Take Action” segments that feature insights from our team on key response items. Because it is our Report’s fifth year, we included a special section that provides a five-year trend summary on core incident response metrics.

When we started, our goal in publishing the Report was to allow our clients to leverage the metrics and insights from our incident response experience to identify practical steps to reduce risk profiles, build cyber resilience, and facilitate incident response preparedness. Along the way, we learned that capturing and checking the data continuously throughout the year enabled us to spot emerging risks and trends faster, which we then convert into our “Cyber Response Intelligence” to improve our delivery of incident response services to our clients. A recent change in ransom demand amounts that occurred in the beginning of 2019 is an example of this intelligence – that change is covered in this Report.

Our 2019 Report continues to draw focus on the basic elements of incident response. For incident response, experience shows that focusing on the basics pays dividends. We leverage experience drawn from thousands of incidents to help entities identify and prioritize key areas to enable incremental improvement in their risk posture and incident response preparedness status.

We will host a webinar to provide more in-depth commentary on the metrics and insights from the Report on April 16 at 11:30 a.m. EDT.

For more in-depth analysis on key items in the report, watch for our “DSIR Deeper Dive” posts in the coming weeks.

The California Consumer Privacy Act: Frequently Asked Questions

The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1, 2020. In the wake of the CCPA’s passage, approximately 15 other states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level.

Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information.