WSJPro Cybersecurity Symposium

Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two day event in San Diego, CA from Thursday, January 9 to Friday January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, lunch, a cocktail reception on the ninth, and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule

Image of the United States Capitol Building at night.

Strengthening the U.S. Government Supply Chain: Cybersecurity under Executive Order 14028

Image Credit: Michael Jowen from Unsplash.

U.S. government agencies have a reputation for occasionally clinging on to outdated technology. Some illustrative examples include the U.S. Department of Defense (DoD) paying Microsoft $9 million to continue supporting the defunct Windows XP in 2015 and a U.S. Government Accountability Office (GAO) report from 2019 documenting multiple agencies using legacy systems with 8 to 50-year-old components. In its findings, the GAO unsurprisingly concluded that such legacy systems using outdated or unsupported software languages and hardware poses a cybersecurity risk.

In the wake of the SolarWinds, Microsoft Exchange, and Colonial Pipeline security incidents that impacted U.S. government agencies and/or U.S. critical infrastructure, President Biden issued Executive Order 14028 to update minimum cybersecurity standards for all software sold to the federal government and throughout the supply chain.

Existing Requirements under FedRAMP, DFARS, and CMMC

The new obligations arising out of Executive Order 14028 add to existing security regulations for certain government contractors and subcontractors.

The Federal Risk and Authorization Management Program (FedRAMP) oversees the safe provisioning of cloud products and services from a Cloud Service Provider (CSP) to any government agency. As part of the FedRAMP authorization process, an accredited Third-Party Assessment Organization (3PAO) assesses the CSP’s controls under NIST SP 800-53, a security framework for federal government information systems. The 3PAO also assesses additional controls above the NIST baseline that are unique to cloud computing.

Contractors who supply products or services specifically to the DoD are subject to the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS standards establish compliance with fourteen groups of cybersecurity requirements under NIST SP 800-171, meant to protect Controlled Unclassified Information (CUI).  

In November 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC) framework, which builds upon DFARS. Contractors undergo an audit by a CMMC Third Party Assessment Organization (C3PAO), which issues a certification for the contractors’ assessed cybersecurity maturity level. The certification ranges from CMMC Level 1, indicating a low, ad-hoc maturity, to CMMC Level 5, indicating a high, optimized maturity. As contractors progress further up the DoD supply chain all the way to prime contractors—those working directly with the DoD—the DoD scale requirements for those contractors to meet higher certification levels. Meeting all DFARS controls and 110 controls in NIST SP 800-171 roughly correlates to CMMC level 3.

Cybersecurity Requirements of Executive Order 14028

Continue Reading Strengthening the U.S. Government Supply Chain: Cybersecurity under Executive Order 14028
Business Affected By GPDR?

Is Your Business Affected By GPDR? Find Out Here!

Over the years, the internet has changed the way we communicate and how we handle day-to-day tasks. There are so many things that we can do via the internet, from sharing documents to paying our bills. All of these are convenient, but these tasks require us to enter personal details.

With so much information that we share online, how can you guarantee that your information will be kept safe? Have you ever wondered what happened to the information you share online, like your bank details, addresses, contacts, etc.

Companies say that they collect this information to serve you better to provide you with more targeted and relevant communication. In turn, you get better customer experience in the end.

The question is, what do they do with that data?

That’s where the GDPR comes in.

The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and many companies have taken steps to comply with it; otherwise, they could face fines and other consequences. But what is GDPR and what are the companies that are strongly affected by this change? 

GDPR Compliance: What is it? 

GDPR is the set of rules designed for EU individuals that allow them to have more control over their data. The main goal of this regulation is to make the digital environment simple so that businesses and their customers in the EU can benefit from a digital economy, yet still protect individual privacy. 

The GDPR applies to all companies that sell to the EU, store personal information about EU residents, including EU B2B personal information collected from companies on other continents. 

Which Companies are Affected by GPDR?

As mentioned, companies that sell to the EU, store personal information about EU residents, and have customers in the EU are affected by this.

In addition, GDPR applies to all companies established in the EU, regardless of where their data processing takes place. In fact, even non-EU established companies will be subject to GDPR, as long as the business offers goods and/or services to EU citizens. Therefore, this puts consumers from the EU in the driver’s seat, and businesses must comply with the regulation.

Here are some of the industries that are most hit by GDPR: 

Social Media

Ever since GDPR took effect, social media users have noticed changes in the privacy policies of social platforms they frequent, and they were notified of these changes via email. The reason behind these changes is the GDPR and other privacy laws. 

Companies in the social media marketing industry are one of the most affected by this new regulation. Therefore, social media marketers must disclose and ensure that users know how their data are being used

In addition to that, they need to request full consent from users to use their data outside of what is strictly necessary to provide the social media information society services. 

There are also other strict rules that GDPR expects social media companies to do, such as: 

  • Users have the right to be forgotten, which means that users now have the right to delete all their data. 
  • Companies that collect information directly from users must inform users within 72 hours after a data or security breach is detected. 
  • Plain language must be used in all privacy policies and explanations regarding users’ data. 

Despite this drastic change in the social media industry, users can highly benefit from this shift in data privacy rights. 

Online Retail

GDPR has become a challenge for online retail companies as it urges them to make changes that make many brands rethink their strategies. Due to GDPR restrictions, like limitations with the use of third-party information, or limitations on sharing of user information to third parties, it has become a challenge for online retailers to thrive. 

However, these changes have its advantages as well because it puts online retailers on better standing with consumers. This will help them build a more trustworthy relationship with consumers today, which is crucial in today’s digital environment. 

Digital Banking

Undeniably, the effects of GDPR to financial services are significant. GDPR has made the privacy of users their primary concern. The main principle of GPDR is “incorporating privacy and data protection” considerations into all sectors that use personal information, which is critical for the digital banking industry

Your Business Affected By GPDR

Although GPDR encourages best practice and data compliance, it comes with a side effect. Digital bank owners see the new regulation as costly and can affect their projects further. Therefore, many have their reservations that lead to them to be hesitant to invest because they fear they would get it all wrong. 

However, there are many benefits when digital banks comply with data privacy law. For one, it will provide them with more opportunities for innovation and investment because it’s more than regulatory compliances. In fact, it’s a profitable strategy in which bank owners can make bolder decisions and enter new territories due to the integration of data protection into core development strategies. 

Secondly, GPDR compliance allows digital bank owners to more ethically handle data—a huge advantage in the industry. 

Finally, GPDR provides digital defense by considering internal and vendor security, and reinforcing good data handling processes that banks can follow should there be a security breach. 

Cloud Computing

Cloud computing companies are also affected by GPDR, due to the sensitivity of customers’ information in the cloud. Since cloud service providers host various types of data, they often deal with sensitive and classified information, which could fall under the wrong hands.

Another challenge is the externalization of privacy because businesses that get a cloud service expect privacy agreements and commitments that they shared with their customers and staff will still work. However, if the cloud service provider operates in various locations, the rights of data owners may be subject to different regulations and requirements. Therefore, it’s advisable to have a customized agreement with a cloud computing company when it comes to privacy commitments. 

In a Nutshell

It’s been years since GPDR came into effect. Today, it still remains as a rigorous compliance process. However, GPDR has brought many opportunities that can improve strategies and deliver more innovation in the market. 

Even if you’re not in any of the industries listed above, as long as you operate a business that sells products online to EU individuals, you need to consider GPDR -compliance; otherwise, you could risk facing hefty fines or lose customers.

So, if you’re unsure whether your company is GPDR compliant, contact someone with GDPR experience to assess your GDPR compliance.

GDPR for US Citizens

Does GDPR Apply to US Citizens?

The General Data Protection Regulation (GDPR) is the most detailed data privacy legislation that Europe has ever passed. It took effect on May 25, 2018, and flipped the digital landscape.

In this legislation, all individuals and institutions in Europe are bound to GDPR compliance in protecting the personal information of its clients. The European Union created this regulation to ensure that the personal privacy rights of European citizens are protected at the EU level GDPR requirements create a uniform system of rules for data processing activities.

This article will further discuss the scopes and limitations of GDPR as it is applied to the US and its citizens.

United States (US) Inclusion to GDPR

While it is based on European Union (EU) legislation, this ground-breaking data security and privacy regulation extends significantly beyond the EU’s and the European Economic Area’s geographical borders (EEA). In some areas, it encompasses the United States of America, the EU’s second largest trade partner.

The GDPR’s entire purpose is to safeguard the personal data of EU citizens and residents. As a result, the legislation extends to entities that manage certain data regardless of whether they are in the EU, a concept recognized as an “extra-territorial effect.”

As specified in Article 3 of the GDPR, the law’s geographical reach is not limited to businesses in the EU/EEA. The legislation extends the GDPR’s processing rules to businesses based outside of the EU/EEA if the following two requirements are met:

  • Provides goods or services to EU/EEA citizens (even in the absence of commercial transactions); or
  • Controls or tracks the activities of consumers inside the EU/EEA.

Therefore, organizations in the USA and other countries worldwide are covered under this regulation as long as they meet one of the above-mentioned conditions.

If a US business is required to comply with the GDPR requirements, it has the same stringent conditions as businesses based in the EU.

The GDPR regulates personal data processing activities in a variety of ways. Personal data can include identities, contact numbers, computer details (e.g., IP addresses, position data), biometric data, images, and videos.

US Citizens Inclusion to GDPR

Does GDPR apply to US citizens? It’s perplexing to think about what occurs when Americans enter a country in the European Union considering the EU’s General Data Protection Regulation (GDPR). Does this legislation cover them?

Since the GDPR is a European Union law, it is easy to think that it just refers to all citizens of the Union. That is not entirely the case. Citizenship has little bearing on the GDPR’s geographical scope, and the GDPR never uses the terms “citizens” or “residents.” Instead, the GDPR simply refers to data subjects “in the Union,” with data subjects defined as “an identified or identifiable natural person.”

 GDPR Apply to Us Citizens

GDPR is not expressly concerned with an individual’s status as an EU resident. GDPR protects someone who lives in or visits an EU region. If an American travels to France, make a transaction in a shop, and are asked to include their name and address on an invoice, the shop must protect their information per GDPR requirements. They must be granted the same GDPR privileges and freedoms as all EU residents.

Individuals are granted certain privileges and liberties under the GDPR. The legislation imposes some restrictions on how businesses can use the personal details. It makes no difference where the business is located or has an office in any EU country. The regulations of GDPR exist whether a company collects or handles the personal data in the Union.

There is currently no law in the United States that protects the privacy of all citizens, only select categories of people, or industries. The Health Insurance Portability and Accountability Act (HIPAA), for example, establishes security measures to safeguard the privacy of patients and health plan members. It is applicable only with confidential health information gathered, processed, used, or transmitted by a HIPAA-covered body.

GDPR compliance will be easier for HIPAA-covered organizations if they apply the same standards in protecting all concerned individuals and their records. Adopting a more holistic approach to data security is more important to meet the GDPR requirements.

Relationship Between Location and Citizenship

The GDPR is location-based, not citizenship-based. The distinction between citizenship and place exists when we discuss non-EU people residing in the EU versus EU citizens residing beyond the EU, or when the good or service is provided inside or outside the boundaries of the EU.

Recital 14 of the GDPR notes that “This Regulation shall extend to all natural persons, regardless of their ethnicity or place of residence, concerning the collection of their personal details.” Below are example scenarios where GDPR can be applied:

Scenario 1:

A US citizen is on holiday in Germany. He places an online order for dinner from a Berlin restaurant and delivers it to the hotel where he is staying.

The GDPR legislation applies to this scenario since the ‘data subject’ (US citizen) is in an EU country and is supplying personal data for a good or service in the EU. The citizenry of the data subject is not significant.

Scenario 2:

A US citizen residing in Spain visits the website of a US clothing retailer and places an order for a dress, specifying her EU delivery address. The US clothing retailer advertises that it sells to Spain and offers the dress for sale in Euros.

The GDPR applies since the (i) data subject is currently residing in the EU, (ii) orders using an EU address  and (iii) the US clothing retailer offers its goods to individuals in the EU. In this scenario, both the citizenship of the data subject and the store’s location are not significant.

Conclusion

GDPR plays an important role because it strengthens the security of European data subjects’ rights and clarifies the obligations of businesses who handle personal data to respect these rights.

The GDPR requirements center on the data processing activities, not citizenship, it includes personal data and information gathered from any EU country and includes either an EU or non-EU resident who is living or visiting an EU.

Any US business or company serving customers in the EU/EEA — or tracks their behaviour within this region — should consider GDPR compliance. The legislation protects US citizens who use their information abroad in the EU.

GDPR compliance comes with strict measures to penalize non-compliant businesses and organization if they fail to meet the GDPR requirements. giving this legislation a fang to regulate and protect EU data privacy values against violators.

Image of the entrance to the United States Supreme Court building.

Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?

Image Credit: MarkThomas from Pixabay.

[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No.5, page 40.]

by Amira Bucklin and Lily Li

In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.

This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background. A whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet, many of these rules have not been tested in the courts, and they have several implications in the context of privacy.

The Privacy Conundrum

This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.

The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.

A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.

This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.

What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?

Continue Reading Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?
Map of the United States - State Privacy Laws

State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow

Image Credit: Free-Photos from Pixabay.

Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.

In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most recently, the Virginia Governor signed the Consumer Data Protection Act into law, thereby making Virginia yet another U.S. state with a comprehensive state privacy law. 

As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.

Washington’s Privacy Act 2021, SB 5062
**Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.

*** Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.

The most notable – due to its furthest progression in state legislation – is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.

Scope

The WPA would apply to legal entities that:

Continue Reading State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow
1 2 3 10