Imagine if the tiny tracking code behind personalized ads and website recommendations were suddenly considered unlawful. That is exactly what is happening in the growing legal battle over cookies and tracking pixels across the country, with new fronts opening. In this episode of The Data Chronicles, we examine plaintiffs' efforts to expand the web tracking litigation battleground by claiming that unconsented use of web trackers constitutes a data breach under the California Consumer Privacy Act ("CCPA"), which carries statutory damages and a private right of action. Scott Loughlin is joined by Hogan Lovells litigators Aidan Coleman and Jay Ettinger to break down the legal implications of new case law on this issue and discuss what is at stake for the internet as we know it.
Hosted by Simone Roach.

From a blog post by Aaron J. Burstein, Alysa Z. Hutnik, Alexander I. Schneider, and Meaghan M. Donahue: On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co., resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and requiring Honda to pay a $632,500 fine. The announcement marks the Agency's most far-reaching enforcement action to date, and the first to stem from the CPPA's July 2023 announcement that it was reviewing the data privacy practices of connected vehicle manufacturers and related technologies.
In today's podcast, we discussed the critical area of consumer protection law, focusing on consumer privacy. Consumer protection law covers a broad range of areas including product safety, false advertising, fair credit reporting, debt collection practices, warranties, consumer contracts, and unfair trade practices. Due to the increasing importance of protecting personal data in the digital age, we concentrated on consumer privacy.

Consumer privacy is centered on protecting individuals' personal information from unauthorized collection, use, and disclosure. This information, known as Personally Identifiable Information (PII), includes names, addresses, phone numbers, email addresses, Social Security numbers, credit card details, browsing history, and location data. Protecting this data is crucial to prevent identity theft, financial fraud, and other harms. Strong privacy measures empower consumers by giving them control over their data and fostering trust between individuals and businesses, which is essential for a healthy digital economy.

Protecting consumer privacy is necessary for several reasons: to prevent identity theft and fraud, to safeguard sensitive information from being misused for discriminatory practices, to give consumers rights over their data, and to build trust between consumers and businesses.

Key regulatory frameworks that shape consumer privacy law include the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The GDPR emphasizes principles such as data minimization, purpose limitation, and obtaining explicit consent before processing personal data. It also gives individuals rights to access, correct, and erase their data. The CCPA grants California residents the rights to know what data is collected, to request its deletion, and to opt out of its sale. These regulations show a global trend toward stricter controls over how personal data is handled.

Despite these regulations, challenges remain, including data breaches, pervasive tracking and surveillance of online activities, targeted advertising practices, complexities of cross-border data transfers, and emerging technologies.

Enforcement mechanisms, such as regulatory bodies and judicial remedies, are essential for effective consumer privacy protection. Consumer privacy law will continue to evolve in response to technological advancements and the increasingly global nature of data flows. Enhanced consumer empowerment tools and ongoing regulatory innovation will likely shape future legal developments.
In this episode of French Insider, Sheppard Mullin partners Jonathan Meyer, Liisa Thomas and Carolyn Metnick join host and French Desk Co-Chair, Valérie Demont, to explore the evolving landscape of cybersecurity and privacy under a new Trump administration.

What We Discussed in This Episode:

What is CISA and what is its role in cybersecurity?
What can we expect from the Trump administration regarding cybersecurity?
Could we see less regulation but greater enforcement?
Might there be more stringent regulation with respect to cyber attacks and private ransomware?
Where does the United States currently stand in terms of privacy law?
What is the current status of state and federal privacy laws in relation to the healthcare industry?
In terms of privacy, where could enforcement be headed under the incoming administration?
How do the various state attorneys general and federal agencies coordinate on enforcement?
What enforcement trends should businesses be aware of, and what do they need to focus on?
What specific enforcement trends are we seeing in the healthcare space?
Generally speaking, what types of penalties could result from enforcement actions?
Could a company's officers and directors face personal liability, either criminal or civil?
How might class action litigation originate from a cybersecurity or privacy incident?
What should businesses prioritize in terms of cybersecurity and privacy compliance?

About Jonathan Meyer

As a partner in Sheppard Mullin's Governmental Practice Group and leader of the firm's National Security team, Jonathan E. Meyer counsels clients on their interactions with federal and state government, as well as national and homeland security, Congressional oversight, cybersecurity, AI, high tech, and transportation security, among other issues. Prior to returning to Sheppard Mullin, Jon served as the Sixth General Counsel of the U.S. Department of Homeland Security from 2021 to 2024. His decades of experience in Congress, the Justice Department and DHS position him to bring an insider's perspective to interactions between private companies and the government. He has defended scores of Congressional investigations and has prepared witnesses for over 100 hearings, including Supreme Court nomination hearings, impeachment hearings, oversight hearings, high tech and antitrust investigations, and civil rights investigations, among others. He has also represented defendants and witnesses in high-stakes Justice Department criminal investigations. The media, including CBS News, NPR, The Wall Street Journal, The New York Times, The Washington Post and Politico, regularly turn to Jon for insight into issues regarding national security, homeland security, government investigations, cybersecurity, immigration, politics and Congress. He has twice been honored with the Secretary of Homeland Security's Outstanding Service Medal, the highest civilian award bestowed by DHS, among numerous other prestigious accolades recognizing his exceptional service.

About Liisa Thomas

Liisa M. Thomas, a partner in Sheppard Mullin's Chicago and London offices, serves as the Leader of the firm's Privacy and Cybersecurity Team and as the Office Managing Partner for Chicago. As a member of the Intellectual Property Practice, she focuses on privacy, advertising, and unfair competition law. Liisa frequently coordinates global privacy, data security and digital advertising matters for her clients. They value her global insights and familiarity with business systems outside the U.S. With Liisa's assistance, her clients, including major consumer brands, advertising agencies and consumer research companies, are able to navigate thorny data breach disclosure issues, use emerging interactive advertising techniques and create compliant security programs, all while effectively managing their legal risks. Clients praise Liisa's ability to add real value to their businesses, and describe her as "keeping [clients] one step ahead of where [they] need to be." Liisa is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data, praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law." Recognized as an industry leader in privacy, data security and advertising law, she has been honored by Best Lawyers in America, Leading Lawyers Network, Chambers, Super Lawyers, and The Legal 500, for her "broad depth of privacy knowledge."

About Carolyn Metnick

Carolyn V. Metnick is a partner in Sheppard Mullin's Corporate Practice Group in the firm's Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams. She represents a range of healthcare industry clients, including hospitals and health systems, physician organizations and digital health companies. Carolyn's practice focuses on healthcare regulatory and transactional matters, with an emphasis on health information privacy and security. In addition to providing guidance on various privacy and security laws, including HIPAA and the California Consumer Privacy Act (CCPA), she also counsels businesses in data breach investigations and compliance with federal and state breach notification laws. Carolyn also advises healthcare clients on issues related to AI, including governance, contractual matters, and data related issues. Additionally, she represents healthcare industry clients in transactional matters, including joint ventures, mergers and acquisitions. Her background as a former litigator helps inform her transactional work. Carolyn is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E). She is also the founder and leader of Sheppard Mullin Healthy AI, an initiative focused on legal issues related to the use of AI in healthcare.

About Valérie Demont

Based in the firm's New York office, Valérie Demont is a partner in Sheppard Mullin's Corporate Practice Group, where she focuses primarily on U.S. and cross-border mergers and acquisitions and corporate governance matters. As a leader of the firm's French Desk team, she advises foreign companies on the establishment and growth of their operations in the United States, acting as de facto "outside general counsel" for non-U.S. companies in the United States. Valérie has been involved in numerous mergers, acquisitions, joint ventures and dispositions for corporations and private equity funds in the U.S., Europe (including France) and Asia (including India). Not only is she a frequent speaker at events focused on cross-border trade, but she is also an outside pro bono counsel to Girls Who Invest, a nonprofit organization dedicated to increasing the number of women in portfolio management and executive leadership in the asset management industry.

Contact Info: Jonathan E. Meyer, Liisa M. Thomas, Carolyn V. Metnick, Valérie Demont

Thank you for listening! Don't forget to SUBSCRIBE to the show to receive every new episode delivered straight to your podcast player every week. If you enjoyed this episode, please help us get the word out about this podcast. Rate and Review this show in Apple Podcasts, Deezer, Amazon Music, or Spotify. It helps other listeners find this show.

This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.
In today's digital era, where personal data drives decisions and innovation, privacy and data protection have become non-negotiable priorities. Organizations across industries face mounting pressure to comply with complex regulations while maintaining customer trust. This is where IAPP (International Association of Privacy Professionals) certifications come into play. Certifications such as CIPP (Certified Information Privacy Professional), CIPM (Certified Information Privacy Manager), AIGP (Artificial Intelligence Governance Professional), and CIPT (Certified Information Privacy Technologist) help professionals design and sustain robust data protection frameworks.

The Growing Relevance of IAPP Certifications

With the global surge in data privacy regulations, like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other region-specific laws, organizations now face significant penalties for non-compliance. This environment underscores the demand for professionals who are not only aware of the legal requirements but also skilled in embedding privacy into business operations. IAPP certifications uniquely position individuals to meet these demands, offering structured education tailored to specific roles and challenges in the data protection landscape.

View More: Benefits of IAPP Certifications in Building a Strong Data Protection Framework
Alan L. Friel is Chair of Squire Patton Boggs' Data Privacy, Cybersecurity & Digital Assets Practice. He is tier-1 ranked by Chambers, and BTI Consulting Group has named Alan a Client Service All-Star, recognizing lawyers who stand above all others in delivering exceptional client service.

In this episode…

Evolving privacy regulations like the California Consumer Privacy Act (CCPA) are reshaping the way companies approach data management and compliance. Draft regulations proposed under the CCPA would require certain businesses to conduct cybersecurity audits and privacy risk assessments, and to implement governance around automated decision-making and AI technologies. While these frameworks help protect consumer data, they also introduce operational challenges and increased expenses for companies. How can companies prepare for compliance while effectively managing data and reducing costs?

Privacy compliance is more than a legal requirement; it is a vital part of sound business strategy. Navigating compliance obligations requires companies to adopt a proactive approach to data governance. Businesses need to implement good data hygiene practices and conduct privacy risk assessments to identify and mitigate risks. These processes help businesses maintain their data inventory, respond to consumer privacy rights requests, and manage information assets. However, the legal landscape remains complicated, with open questions about whether some regulatory requirements conflict with First Amendment protections.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Alan Friel, Chair of the Data Privacy, Cybersecurity & Digital Assets Practice at Squire Patton Boggs, about the costs, benefits, and legal implications of regulatory compliance. Alan explains why businesses should adopt privacy risk assessments as a best practice, regardless of ongoing legal uncertainties, and discusses the intersection of privacy regulations with free speech rights under the First Amendment. He emphasizes the importance of proactive data management practices and governance to navigate compliance challenges and position businesses for long-term success in a shifting regulatory environment.
In Episode 3 of The Marketing Corner, we had a very special guest, Marc Enzor, founder of Geeks 2 You, and co-host Roger LaFaye of LaFaye Processing.

The Marketing Corner is proudly sponsored by:
David Bradley Insurance, Medicare A to Z
C Eaton Photography
LaFaye Processing dba MiCamp
Last Bridge Media
Mark Weiss | Sales Performance Strategies

In this episode, we'll dive deep into why marketing and cybersecurity are essential for small businesses, how they intersect, and what strategies you can implement to protect and grow your business in the digital age.

Why Marketing Matters for Small Businesses

Marketing is the lifeblood of any small business. It's the key to building brand awareness, attracting new customers, retaining loyal clients, and driving sales. For many small businesses, particularly those that don't have the luxury of a massive advertising budget, marketing can be the most efficient way to reach target audiences and stand out in the marketplace.

1. Building Brand Awareness
One of the most significant benefits of marketing is that it helps establish brand awareness. In a world where consumers are bombarded with options, making your business known is critical. Through consistent branding, targeted content, and customer engagement, small businesses can build a reputation and gain recognition within their industries.

2. Connecting with Customers
Effective marketing enables businesses to connect with their audience on a personal level. With the right strategies, small businesses can create a sense of community, respond to customer needs, and build trust. Personalized marketing messages, customer reviews, and interactive social media campaigns help foster relationships that are the backbone of small business success.

3. Driving Sales and Growth
At the end of the day, every small business needs marketing to drive sales. Whether it's through online ads, content marketing, or direct outreach, a smart marketing plan ensures you reach potential customers where they are, increasing the likelihood of conversions. The more visibility your business has, the more opportunities you create for growth. The use of tools like Google Analytics, Facebook Insights, and email marketing software helps small businesses track the effectiveness of their marketing campaigns. By understanding what works and what doesn't, businesses can make data-driven decisions that maximize return on investment (ROI).

The Growing Threat of Cybersecurity Risks for Small Businesses

While marketing helps businesses grow, cybersecurity ensures that growth is not derailed by digital threats. Cybersecurity has become a critical concern for small businesses, as they are increasingly targeted by cybercriminals. The misconception that small businesses are too small to be attacked is one of the main reasons they fall victim to cyber threats. In fact, small businesses often have weaker security controls, making them an easier target for attackers.

1. Data Protection
Small businesses often handle sensitive customer information, including payment details, personal data, and confidential communications. Protecting this data is paramount, not only for maintaining trust but also for complying with regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). A data breach can have devastating effects, leading to financial losses, reputational damage, and even legal repercussions. Implementing strong cybersecurity measures, such as encryption, secure payment gateways, and firewalls, is critical to ensure customer data is safe from cybercriminals. Educating employees about phishing attacks and password security can also greatly reduce the risk of breaches.
Welcome to another edition of Brand Stories, part of our On Location coverage of Black Hat Conference 2024 in Las Vegas. In this episode, Sean Martin and Marco Ciappelli chat with Jeswin Mathai, Chief Architect at SquareX, one of our esteemed sponsors for this year's coverage. Jeswin brings his in-depth knowledge and experience in cybersecurity to discuss the innovative solutions SquareX is bringing to the table and what to expect at this year's event.

Getting Ready for Black Hat 2024

The conversation kicks off with Marco and Sean sharing their excitement about the upcoming Black Hat USA 2024 in Las Vegas. They fondly recall their past experiences and the anticipation that comes with one of the most significant cybersecurity events of the year. Both hosts highlight the significance of the event for ITSP Magazine, marking ten years since its inception at Black Hat.

Introducing Jeswin Mathai and SquareX

Jeswin Mathai introduces himself as the Chief Architect at SquareX. He oversees the backend infrastructure and is responsible for the product's efficiency and security, particularly as a browser extension designed to be non-intrusive and highly effective. With six years of experience in the security industry, Jeswin has made significant contributions through his work published at various conferences and the development of open-source tools like AWS Goat and Azure Goat.

The Birth of SquareX

Sean and Marco delve deeper into the origins of SquareX. Jeswin shares the story of how SquareX was founded by Vivek Ramachandran, who previously founded Pentester Academy, a cybersecurity education company. Seeing the persistent issues in consumer security and the inefficacy of existing antivirus solutions, Vivek decided to shift focus to consumer security, particularly the visibility gap in browser-level security.

Addressing Security Gaps

Jeswin explains how traditional security solutions, like endpoint security and secure web gateways, often lack visibility at the browser level. Attacks originating from browsers go unnoticed, creating significant vulnerabilities. SquareX aims to fill this gap by providing comprehensive browser security, detecting and mitigating threats in real time without hampering user productivity.

Innovative Security Solutions

SquareX started as a consumer-based product and later expanded to enterprise solutions. The core principles are privacy, productivity, and scalability. Jeswin elaborates on how SquareX leverages advanced web technologies like WebAssembly to perform extensive computations directly in the browser, ensuring minimal dependency on cloud resources and optimizing user experience.

A Scalable and Privacy-Safe Solution

Marco raises the question of data privacy regulations like GDPR in Europe and the California Consumer Privacy Act (CCPA). Jeswin reassures that SquareX is designed to be highly configurable, allowing administrators to adjust data privacy settings based on regional regulations. This flexibility ensures that user data remains secure and compliant with local laws.

Real-World Use Cases

To illustrate SquareX's capabilities, Jeswin discusses common use cases like phishing attacks and how SquareX protects users. Attackers often exploit legitimate platforms like SharePoint and GitHub to bypass traditional security measures. With SquareX, administrators can enforce policies to block unauthorized credential entry, perform live analysis, and categorize content to prevent phishing scams and other threats.

Looking Ahead to Black Hat and DEF CON

The discussion wraps up with a look at what attendees can expect from SquareX at Black Hat and DEF CON. SquareX will have a booth at both events, and Jeswin previews some of the talks on breaking secure web gateways and the dangers of malicious browser extensions. He encourages everyone to visit their booths and attend the talks to gain deeper insights into today's cybersecurity challenges and solutions.

Conclusion

In conclusion, the conversation with Jeswin Mathai offers a comprehensive look at how SquareX is revolutionizing browser security. Their innovative solutions address critical gaps in traditional security measures, ensuring both consumer and enterprise users are protected against sophisticated threats. Join us at Black Hat Conference 2024 to learn more and engage with the experts at SquareX.

Learn more about SquareX: https://itspm.ag/sqrx-l91

Note: This story contains promotional content.

Guest: Jeswin Mathai, Chief Architect, SquareX [@getsquarex]
On LinkedIn | https://www.linkedin.com/in/jeswinmathai/

Resources
Learn more and catch more stories from SquareX: https://www.itspmagazine.com/directory/squarex
View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story
On this episode of Ropes & Gray's California Law for Asset Managers podcast series, asset management partner Catherine Skulan is joined by data, privacy & cybersecurity partner Ed McNicholas to discuss recent developments in California privacy law. California's privacy laws can implicate a wide range of managers, from those based in the state to those that simply have California investors. Catherine and Ed delve into the implications for asset managers of the California Consumer Privacy Act (CCPA), which took effect in 2020, and its amending legislation, the California Privacy Rights Act (CPRA), which became enforceable for violations occurring after July 1, 2023.
By Adam Turteltaub There's no General Data Protection Regulation (GDPR) in the US. Absent a comprehensive, national privacy law, states have stepped in to fill the gap. As Adam Greene (LinkedIn), Partner at Davis Wright Tremaine explains in this podcast, that's creating some complications. The California Consumer Privacy Act (CCPA) already differs from subsequent laws in several states which use language reminiscent of the GDPR. And while there are many similarities, some differences are substantial. For example, some state laws are targeted at businesses, not non-profits. That's an important distinction for healthcare with so many non-profit institutions. Perhaps the greatest challenge for organizations is figuring out which standard to follow, if any. Do they take a state-by-state approach, or one national approach based on the toughest state laws? Whatever the choice, it's important to determine what data you have since there may be limits on collection and a requirement to share that data with consumers who want to see it. Listen in to learn more about what the states are requiring and what you need to do to meet their expectations.
Welcome to Health-e Law, Sheppard Mullin's podcast exploring the fascinating health-tech topics and trends of the day. In this episode, Sheppard Mullin partners Carolyn Metnick and Michael Orlando join Phil Kim to discuss the firm's experience at HIMSS Global Health Conference 2024 in Orlando. The conference is one of the leading health IT educational gatherings and draws visionary CIOs, top-level executives, dedicated healthcare providers, and health IT professionals to cover the latest trends in digital health, including AI and cybersecurity. What We Discussed in this Episode: Were there any noticeable shifts in vendors from HIMSS 2024? What sort of role did AI play in this year's conference? How were conversations around AI different this year versus last year? How can AI help with healthcare equity and patient disparities? What was the discussion around cybersecurity? How can ocular imaging technology change the business model for healthcare delivery and patient care? About Carolyn Metnick Carolyn Metnick is a partner in Sheppard Mullin's Corporate Practice Group in the firm's Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams. Carolyn represents a range of healthcare industry clients, including hospitals and health systems, physician organizations and digital health companies. She advises on healthcare regulatory and transactional matters, focusing on health information privacy and security. Carolyn advises clients on a range of privacy and security laws, including HIPAA and the California Consumer Privacy Act (CCPA). She also counsels businesses in data breach investigations and compliance with federal and state breach notification laws. Carolyn is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E). 
Carolyn also represents healthcare industry clients in transactional matters, guiding clients through joint ventures, mergers and acquisitions, and advising on healthcare regulatory issues. Her background as a former litigator helps inform her transactional work. About Michael Orlando Michael Orlando is a corporate and intellectual property transactions partner in the firm's San Diego (Del Mar) office. He is Co-Team Leader of the firm's Technology Transactions Team, and a member of the Life Sciences and Digital Health teams. He founded a software-as-a-service (SaaS) business prior to attending law school, and worked at a publicly-traded biotechnology company on an in-house secondment, and uses that experience in bringing a practical, business-oriented approach to his engagements. For over 20 years he has been assisting innovators, cutting-edge technology companies and other organizations develop, acquire, sell, and commercialize intellectual property assets, including technology licensing, commercial agreements, strategic partnerships, research, development and collaboration contracts, manufacturing and supply arrangements, outsourcing, and corporate transactions. About Phil Kim A partner in the Corporate and Securities Practice Group in Sheppard Mullin's Dallas office and co-lead of its Digital Health Team, Phil Kim has a number of clients in digital health. He has assisted multinational technology companies entering the digital health space with various service and collaboration agreements for their wearable technology, along with global digital health companies bolstering their platform in the behavioral health space. He also assists public medical device, biotechnology, and pharmaceutical companies, as well as the investment banks that serve as underwriters in public securities offerings for those companies. Phil also assists various healthcare companies on transactional and regulatory matters. 
He counsels healthcare systems, hospitals, ambulatory surgery centers, physician groups, home health providers, and other healthcare companies on the buy- and sell-side of mergers and acquisitions, joint ventures, and operational matters, which include regulatory, licensure, contractual, and administrative issues. Phil regularly advises clients on matters related to healthcare compliance, including liability exposure, the Stark law, anti-kickback statutes, and HIPAA/HITECH privacy issues. He also provides counsel on state and federal laws, business structuring and formation, employment issues, and matters involving state and federal government agencies.
Contact Information: Carolyn Metnick, Michael Orlando, Phil Kim
Thank you for listening! Don't forget to SUBSCRIBE to the show to receive new episodes delivered straight to your podcast player every month. If you enjoyed this episode, please help us get the word out about this podcast. Rate and Review this show on Apple Podcasts, Amazon Music, or Spotify. It helps other listeners find this show. This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.
In this episode of State of Identity, host Cameron D'Ambrosi welcomes Greg Leighton, Vice Chair of the Privacy and Incident Response Team at Polsinelli, for a deep dive into the evolving landscape of data privacy and security. Discover how technology's rapid advancement outpaces legal frameworks, prompting novel challenges for businesses and legal professionals, and how Polsinelli navigates this dynamic terrain. Find out how changes in laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) impact businesses, leading to innovative compliance and risk management strategies. From the implications of web-tracking lawsuits to the regulatory focus on AI and automated decision-making, this conversation sheds light on the key issues keeping clients at night and the complex interplay between technology, law, and privacy. Gain insights into Greg's thoughts on data governance and the future of digital identity, as well as the intriguing potential of generative AI in enhancing and complicating the privacy landscape.
Welcome to Health-e Law, Sheppard Mullin's podcast exploring the fascinating health-tech topics and trends of the day. Our digital health legal team, alongside brilliant experts and thought leaders, share how innovations can solve some of healthcare's (and maybe the world's) biggest problems if properly navigated. In this special episode, partners Sara Shanti and Carolyn Metnick join Phil Kim to discuss Sheppard Mullin's recent attendance at ViVE 2024, the premier conference for digital health innovators, primarily focusing on optimizing patient care and improving the patient user experience.
What We Discussed in this Episode:
- What were some notable takeaways from ViVE 2024?
- How is AI poised to improve healthcare delivery?
- How might virtual care models help reduce burnout among clinicians and improve access to care?
- How were the perils of AI addressed, particularly its potential to perpetuate healthcare bias, including automating bias?
- Why is ethical AI governance critical in healthcare?
- How is data driving both opportunity and risk in the healthcare sector, and how do stakeholders struggle with data fragmentation and data as a valued asset?
About Carolyn Metnick: Carolyn Metnick is a partner in Sheppard Mullin's Corporate Practice Group in the firm's Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams. Carolyn represents a range of healthcare industry clients, including hospitals and health systems, physician organizations and digital health companies. She advises on healthcare regulatory and transactional matters, focusing on health information privacy and security. Carolyn advises clients on a range of privacy and security laws, including HIPAA and the California Consumer Privacy Act (CCPA). She also counsels businesses in data breach investigations and compliance with federal and state breach notification laws.
Carolyn is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E). Carolyn also represents healthcare industry clients in transactional matters, guiding clients through joint ventures, mergers and acquisitions, and advising on healthcare regulatory issues. Her background as a former litigator helps inform her transactional work. About Sara Shanti A partner in the Corporate Practice Group in the Sheppard Mullin's Chicago office and co-lead of its Digital Health Team, Sara Shanti's practice sits at the forefront of healthcare technology by providing practical counsel on novel innovation and complex data privacy matters. Using her medical research background and HHS experience, Sara advises providers, payors, start-ups, technology companies, and their investors and stakeholders on digital healthcare and regulatory compliance matters, including artificial intelligence (AI), augmented and virtual reality (AR/VR), gamification, implantable and wearable devices, and telehealth. At the cutting edge of advising on "data as an asset" programming, Sara's practice supports investment in innovation and access to care initiatives, including mergers and acquisitions involving crucial, high-stakes and sensitive data, medical and wellness devices, and web-based applications and care. About Phil Kim A partner in the Corporate and Securities Practice Group in Sheppard Mullin's Dallas office and co-lead of its Digital Health Team, Phil Kim has a number of clients in digital health. He has assisted multinational technology companies entering the digital health space with various service and collaboration agreements for their wearable technology, along with global digital health companies bolstering their platform in the behavioral health space. 
He also assists public medical device, biotechnology, and pharmaceutical companies, as well as the investment banks that serve as underwriters in public securities offerings for those companies. Phil also assists various healthcare companies on transactional and regulatory matters. He counsels healthcare systems, hospitals, ambulatory surgery centers, physician groups, home health providers, and other healthcare companies on the buy- and sell-side of mergers and acquisitions, joint ventures, and operational matters, which include regulatory, licensure, contractual, and administrative issues. Phil regularly advises clients on matters related to healthcare compliance, including liability exposure, the Stark law, anti-kickback statutes, and HIPAA/HITECH privacy issues. He also provides counsel on state and federal laws, business structuring and formation, employment issues, and matters involving state and federal government agencies.
Contact Information: Carolyn Metnick, Sara Shanti, Phil Kim
Thank you for listening! Don't forget to SUBSCRIBE to the show to receive new episodes delivered straight to your podcast player every month. If you enjoyed this episode, please help us get the word out about this podcast. Rate and Review this show on Apple Podcasts, Google Podcasts, Amazon Music, or Spotify. It helps other listeners find this show. This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.
In this episode of GovTech Today, hosts Russell Lowery and Jennifer Saha delve into the complex topic of privacy and regulatory frameworks in California. They discuss European regulations influencing California legislation, such as the General Data Protection Regulation (GDPR), and discuss local laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The hosts evaluate the roles of the CCPA and CPRA, especially pertaining to consumer rights, data brokers, and the wider implications for businesses and internet companies. They also outline the role of the California Privacy Protection Agency (CPPA) in enforcing these laws. The discussion concludes with reflections on the rapid pace of tech innovations like AI, the importance of understanding and managing these technologies' impact, and the necessity for businesses and individuals to keep abreast of regulatory changes.
00:05 Introduction to the Episode
00:26 Understanding Privacy Laws in California
00:52 Exploring the California Consumer Privacy Act
03:06 The Impact of CCPA on Data Brokers
03:34 Introduction to the California Privacy Rights Act
03:46 Understanding the Role of the California Privacy Protection Agency
04:41 The Regulatory Process and Challenges
06:54 The Impact of Privacy Laws on Businesses
08:14 The Future of Privacy Regulations and AI
12:33 The Importance of Compliance and Collaboration
15:18 Looking Forward: Upcoming Legislation
16:05 Conclusion and Final Thoughts
How are US companies managing privacy? What steps are they taking to comply with privacy laws? What challenges do companies face? How are AI and ChatGPT creating new challenges? Odia Kagan and Punit Bhatia discuss this and more in this episode.
KEY CONVERSATION POINTS
- What is GDPR in one word?
- How do US companies view GDPR?
- What triggers a privacy conversation?
- How do you see US federal law when it comes to AI regulation?
- How organizations deal with legislation
ABOUT THE GUEST: Odia Kagan is a Partner and Chair of the GDPR Compliance & International Privacy Practice at Fox Rothschild LLP, a US national law firm. Odia has advised more than 200 companies of varying industries and sizes on compliance with data-related regulation, including AI and biometrics regulation, GDPR, the California Consumer Privacy Act (CCPA) and other US data protection laws. With an emphasis on assessing future trends and a pragmatic, risk-based approach, Odia provides clients with practical advice on how to design and implement their products and services in a compliant manner. Odia holds 3 law degrees, 5 bar admissions and 7 privacy certifications (CIPP/US/E, CIPM, CDPO, C-GDPR/P, FIP, PLS). You can follow her on https://www.linkedin.com/in/odiakagan/ or X at @odiakagan.
ABOUT THE HOST: Punit Bhatia is one of the leading privacy experts, who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing an AI & privacy strategy and policy. Punit is the author of the books “Be Ready for GDPR”, which was rated as the best GDPR book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst the top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed a philosophy named ‘ABC for joy of life', which he passionately shares. Punit is based out of Belgium, the heart of Europe.
RESOURCES
Websites: www.fit4privacy.com , www.punitbhatia.com , https://www.linkedin.com/in/odiakagan/
Podcast: https://www.fit4privacy.com/podcast
Blog: https://www.fit4privacy.com/blog
YouTube: http://youtube.com/fit4privacy
California's data privacy regulations, primarily embodied in the California Consumer Privacy Act (CCPA) and its extension through the California Privacy Rights Act (CPRA), constitute a pioneering and influential framework. The CCPA was enacted in 2018 and took effect in 2020; the CPRA, approved by voters in 2020, strengthened it further. Together they set a standard for data protection not only within the state but also across the national and global economy. In this episode of Corruption, Crime and Compliance, Michael Volkov explores the nuances of the CCPA and CPRA, and the evolving data privacy landscape.
You'll hear Michael talk about:
- The lack of a federal data privacy law in the United States has led to a complex patchwork of state laws. Businesses are faced with the challenge of navigating these varied regulations, which contributes to compliance complexities.
- California, through the CCPA and CPRA, is a leader in data privacy regulation in the United States, with implications for both the national and global economy. The CPRA, enacted in 2020, establishes the California Privacy Protection Agency (CPPA) to enforce the law robustly.
- The CPRA introduces critical changes, including: protection of employee and business-to-business personal information, which is now subject to the same privacy protections as consumer personal information; enhanced consumer rights, such as the right to access, delete, and correct their personal information, and the right to opt out of the sale of their personal information.
- Companies are now obligated to implement reasonable security precautions and undergo annual cybersecurity audits and risk assessments.
- In addition to California, other states such as Virginia, Colorado, Utah, Iowa, and Connecticut have also enacted data privacy laws that echo the GDPR. Businesses must stay up-to-date on evolving compliance requirements and adapt their systems accordingly.
- Compliance issues comprise risk assessments, impact assessments, adherence to data breach requirements, and compliance with notification standards. Companies are developing systems based on the most stringent set of laws to guarantee compliance.
KEY QUOTES
“We have a patchwork of laws that apply in the United States. Unfortunately, we continue to suffer from the absence of a federal data privacy and breach notification law. Congress has tried for years to broker a deal here, but it has never been able to overcome strong lobbying forces. Whether it's high tech trial lawyers, law enforcement, or other gadflies, the public continues to suffer.” - Michael Volkov
“Many commentators have suggested that California's data privacy laws and regulations are starting to look closer and closer to the EU's GDPR regime.” - Michael Volkov
“To me, we're getting into a more strict regulation. We already have, under the California Consumer Privacy Act, a requirement to have on your website: an ‘opt out' in terms of any information that you may provide to a website, that it can't be used by the entity for sharing or selling or whatever consumer products purposes. So keep tabs on the California events.” - Michael Volkov
Resources: Michael Volkov on LinkedIn | Twitter; The Volkov Law Group
Brandon Wiebe, General Counsel and Head of Privacy at Transcend, offers tips about implementing data governance frameworks and how to utilize software in the process. Brandon's company is a privacy platform that helps legal and compliance teams automate data compliance tasks. Brandon explains that most data privacy laws, like the General Data Protection Regulation (GDPR) in the EU and U.S. state laws like the California Consumer Privacy Act (CCPA), generally require similar things of companies:
- notice at the time of customer data collection
- implementation of data security obligations
- that companies have a lawful basis for collecting information and that use of the information is consistent with the company's stated purpose for collecting it
- that individuals have the right to opt out of data sale or sharing
Despite the many data privacy laws already enacted and new ones on the horizon, Brandon is quick to emphasize that data privacy teams should not let perfect be the enemy of good. They must get started somewhere in their data privacy policy journey. He says the best place to start is an organizational data map detailing all the places in a company's tech stack holding data subject to privacy regulations. Once a company has its data mapped, it can more easily comply with customer requests for information as permitted under data privacy laws and can also ensure it is not keeping more data than needed. Brandon also touches on why AI can complicate data privacy efforts, but also notes that artificial intelligence can assist with data privacy efforts.
Startup Privacy Policies
Welcome to Barclay Damon Live: Cyber Sip™ episode 42, “‘California Emissions': Is the CCPA a Bellwether for the Rest of Us?” Michelle Merola, leader of Hodgson Russ's Cybersecurity & Privacy Practice, returns to talk with host Kevin Szczepanski about the changing landscape of privacy laws and specifically how California leads the way with its recently revised California Consumer Privacy Act (CCPA). Kevin and Michelle review the changes, which make the law even more consumer friendly, and touch on how other states across the country may follow suit (or not). Topics include the new regulatory agency the state has established as well as how even businesses based outside California may need to comply with the law. Listen now for this vital information.
The California Privacy Protection Agency (CPPA) and California Office of the Attorney General (OAG) are publicly pressing ahead with enforcement now that they have the authority to enforce the California Consumer Privacy Act (CCPA) as of July 1, 2023. While the agencies did not announce headline-grabbing enforcement decisions at the start of the month, there were some notable developments. https://www.adlawaccess.com/2023/07/articles/ccpa-update-agencies-push-ahead-with-enforcement-as-superior-court-delays-new-regulations/
Alysa Hutnik ahutnik@kelleydrye.com (202) 342-8603 https://www.kelleydrye.com/Our-People/Alysa-Z-Hutnik
Alexander Schneider aschneider@kelleydrye.com (202) 342-8634 https://www.kelleydrye.com/Our-People/Alexander-I-Schneider
Subscribe to the Ad Law Access blog - www.adlawaccess.com/subscribe/
Subscribe to the Ad Law News Newsletter - https://www.kelleydrye.com/News-Events/Publications/Newsletters/Ad-Law-News-and-Views?dlg=1
View the Advertising and Privacy Law Resource Center - https://www.kelleydrye.com/Advertising-and-Privacy-Law-Resource-Center
Find all of our links here linktr.ee/KelleyDryeAdLaw
Hosted by Simone Roach
Please join Troutman Pepper Partner Chris Willis and his colleague Kim Phan as they discuss the new California Privacy Rights Act (CPRA) and the creation of the California Privacy Protection Agency (CPPA), California's first state agency focused exclusively on privacy. They also dive into the CPPA's recent amendments to the California Consumer Privacy Act (CCPA) regulations, discussing the timeline, an overview, and technical guidance for companies. With 23 topical areas of regulation still to come, they consider what we can expect from the CPRA's next set of rules.
We are pleased to introduce a new Ropes & Gray podcast series, California Law for Asset Managers, which explores California state laws of importance to asset managers. This series will examine California state privacy, lobbying, fee disclosure and other laws that are relevant to asset managers that are, or are thinking about becoming, active in the state. California's privacy laws can implicate a wide range of managers, from those based in the state to those that simply have California investors. And given the importance to many sponsors of partnerships with state and local pension plans, two episodes will focus on lobbying and fee disclosure issues that asset managers must grapple with when dealing with these plans. We will look to provide updates on these matters and insights into other relevant California law matters for asset managers in later podcasts.
On this opening episode, asset management counsel Catherine Skulan is joined by data, privacy & cybersecurity counsel Kevin Angle to discuss recent developments in California privacy law. Catherine and Kevin delve into the implications for asset managers of the California Consumer Privacy Act (CCPA), in force since January 1, 2020, and its amending legislation, the California Privacy Rights Act (CPRA), which becomes enforceable for violations on or after July 1, 2023.
How to manage the challenge of multiple privacy laws, with Nia Castelly and Punit Bhatia in The FIT4Privacy Podcast E087 (trailer)
Firstly, startups must understand the privacy laws and regulations that apply to them. For a startup in the United States, for example, two important regulations to be aware of are the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR), which reaches US companies that offer goods or services to, or monitor, people in the EU. Startups must ensure that they are complying with the requirements of these regulations, such as providing clear and concise privacy notices, obtaining appropriate consent for data collection and processing, and implementing adequate data security measures.
Secondly, startups should consider adopting privacy best practices. This could include conducting regular privacy impact assessments, implementing privacy by design principles, appointing a data protection officer, and providing privacy training to staff. Startups should also regularly review and update their privacy policies and procedures to ensure they are keeping pace with changes in the regulatory landscape and their own data processing activities.
Finally, startups must be transparent with their customers about their data collection and processing practices. This means being clear about what data is being collected, how it will be used, who it will be shared with, and how long it will be retained. Startups must also provide customers with options for controlling their data, such as the ability to opt out of marketing communications or to request deletion of their personal information.
Overall, privacy compliance is a critical consideration for startups, and should be integrated into all aspects of the business from the outset. By taking a proactive approach to privacy, startups can build trust with their customers, avoid legal and financial risks, and differentiate themselves from competitors. This is an extract from the full episode of The FIT4PRIVACY Podcast. If you like this, you will enjoy the full episode.
RESOURCES
Websites: www.fit4privacy.com , www.punitbhatia.com , https://checks.google.com/
Take advantage of our Free GDPR training: https://www.fit4privacy.com/course/free
Blog: www.fit4privacy.com/blog
Podcast: www.fit4privacy.com/podcast
YouTube: http://youtube.com/fit4privacy
Email: hello@fit4privacy.com
Talk Python To Me - Python conversations for passionate developers
We all know that privacy regulations are getting stricter, and that many of our users no longer believe that "privacy is dead". But for even medium-sized organizations, actually tracking how we are using personal info across our myriad applications and services is very tricky and error-prone. On this episode, we have Thomas La Piana from the Fides project to discuss privacy in our applications and how Fides can enforce and track privacy requirements in your Python apps.
Links from the show:
- California Consumer Privacy Act (CCPA): oag.ca.gov
- 30 Biggest GDPR Fines So Far: tessian.com
- Website fined for Google Fonts: theregister.com
- Fides on Github: github.com
- Fides: ethyca.com
- Bunny.net Fonts: fonts.bunny.net
- DBT: getdbt.com
- eBPF Kernel tools: ebpf.io
- nox: nox.thea.codes
- rich-click: github.com
- Watch this episode on YouTube: youtube.com
- Episode transcripts: talkpython.fm
Stay in touch with us: Subscribe to us on YouTube: youtube.com; Follow Talk Python on Mastodon: talkpython; Follow Michael on Mastodon: mkennedy
Sponsors: Microsoft Founders Hub 2023; Sentry Error Monitoring, Code TALKPYTHON; Talk Python Training
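Two of the episodes above describe the same practical starting point: build a data map of every place personal data lives (the Transcend episode) and then check declared data uses against privacy requirements in code (the Fides episode). The block below is an added illustration of that idea in plain Python; it is not the Fides project's code or API, and the systems, the dotted category taxonomy, the "opt-out wired" set and the three rules are constructed assumptions that loosely track CCPA/CPRA obligations (opt-out of sale or sharing, restrictions on sensitive personal information, disclosed retention periods), not a statement of the law.

```python
"""Toy CCPA data-map checker: a data inventory plus a handful of policy rules.

Added illustration only. Not the Fides project's code; every system name,
category and rule here is a constructed assumption for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataUse:
    """One place a category of personal data is held and the purpose it serves."""
    system: str                           # hypothetical system in the tech stack
    category: str                         # dotted taxonomy, e.g. "user.contact.email"
    purpose: str                          # "service", "analytics" or "advertising"
    shared_with: Tuple[str, ...] = ()     # third parties that receive the data
    sold: bool = False                    # exchanged for consideration ("sale")
    retention_days: Optional[int] = None  # None = no retention period defined


# Constructed sample data map (hypothetical systems and flows).
DATA_MAP: Tuple[DataUse, ...] = (
    DataUse("crm", "user.contact.email", "service", retention_days=730),
    DataUse("crm", "user.contact.name", "service", retention_days=730),
    DataUse("analytics", "user.device.ip_address", "analytics",
            shared_with=("analytics_vendor",), retention_days=90),
    DataUse("ad_pixel", "user.device.cookie_id", "advertising",
            shared_with=("ad_network",), retention_days=365),
    DataUse("ad_pixel", "user.health.condition", "advertising",
            shared_with=("ad_network",), retention_days=365),
    DataUse("billing", "user.financial.card_number", "service"),  # no retention set
)

# Categories treated as sensitive personal information (assumption; the real
# CPRA list is longer and includes e.g. precise geolocation and SSNs).
SENSITIVE_PREFIXES = ("user.financial", "user.health", "user.biometric")


def in_category(category: str, prefix: str) -> bool:
    """True if `category` is `prefix` itself or anywhere under it in the taxonomy."""
    return category == prefix or category.startswith(prefix + ".")


def find_violations(data_map: Iterable[DataUse],
                    opt_out_wired: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (system, category, rule) for every failed check.

    R1: a sale, or sharing for advertising, must go through a system that
        honours the consumer's opt-out (e.g. a Global Privacy Control signal).
    R2: sensitive categories must not feed advertising at all.
    R3: every data use needs a defined retention period (disclosure and
        minimisation both depend on it).
    """
    findings: List[Tuple[str, str, str]] = []
    for use in data_map:
        sharing_for_ads = bool(use.shared_with) and use.purpose == "advertising"
        if (use.sold or sharing_for_ads) and use.system not in opt_out_wired:
            findings.append((use.system, use.category, "R1-opt-out"))
        if use.purpose == "advertising" and any(
                in_category(use.category, p) for p in SENSITIVE_PREFIXES):
            findings.append((use.system, use.category, "R2-sensitive"))
        if use.retention_days is None:
            findings.append((use.system, use.category, "R3-retention"))
    return findings


def systems_holding(data_map: Iterable[DataUse], prefix: str) -> Set[str]:
    """Systems that must be queried to answer an access or deletion request
    for one category (or a whole subtree) of personal data."""
    return {u.system for u in data_map if in_category(u.category, prefix)}


if __name__ == "__main__":
    # Assumption: only the analytics pipeline currently honours the opt-out signal.
    for finding in find_violations(DATA_MAP, {"analytics"}):
        print("VIOLATION", *finding)
    print("access request for user.contact ->",
          sorted(systems_holding(DATA_MAP, "user.contact")))
```

Run as a script it lists four findings against the constructed map: the ad pixel shares a cookie identifier and a health category with an ad network without being wired to the opt-out, the health category is additionally sensitive, and the billing system has no retention period recorded. The same inventory answers the access-request question from the Transcend episode: `systems_holding(DATA_MAP, "user.contact")` returns only the CRM, so that is the one system a request for contact data has to reach.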
Dr. Eric Cole from Theon Technology discusses how the rollout of the California Consumer Privacy Act (CCPA) could impact businesses, the latest developments, and what this means for future data breaches. Ben's story covers a case of an overbroad warrant for Ring Doorbell data. Dave looks at software liability and whether it may see increased scrutiny from the Biden administration. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Links: The privacy loophole in your doorbell; Cybersecurity's Third Rail: Software Liability
Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Tune in to the second episode of Ropes & Gray's podcast series The Data Day, brought to you by the firm's data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and will feature a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Ropes & Gray's Washington, D.C. office, and Edward Machin, a London-based associate, are joined by special guest Kevin Angle, a Boston-based counsel. Join us as we discuss recent enforcement by the California Attorney General, including a new round of enforcement sweeps, actions by the California Privacy Protection Agency, and the relationship between the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Today on That Tech Pod, Laura and Kevin speak with CCPA & CPRA co-author Rick Arney and Boltive CEO Dan Frechtling. Dan Frechtling is CEO of Boltive, providing publishers and ad exchanges the tools they need to monitor and audit their programmatic ads, with the added benefit of identifying the source and blocking the bad ones, setting a new standard for accountability and protection that the industry desperately needs. Frechtling has led B2B SaaS businesses since 1999. Prior to Ad Lightning, he was President of G2 Web Services, acquired by Verisk, where he expanded G2's cyber security solutions to detect brand-damaging activity and transaction laundering. He was also GM/VP at Hibu, VP at Stamps.com and Sr. Associate for McKinsey. He has an MBA with Distinction from Harvard Business School and a BS with High Honors from Northwestern University. Follow Boltive on LinkedIn and Twitter.
Rick Arney is a board member of Californians for Consumer Privacy and a co-author of the California Consumer Privacy Act (CCPA) and Proposition 24, the California Privacy Rights Act (CPRA), the most comprehensive and groundbreaking consumer privacy laws in the United States. In addition to co-authoring both laws, Rick participated in all aspects of campaigning including signature gathering, media (both TV and radio), finance and campaign strategy. He has an Economics BA with honors from Stanford and an MBA from Harvard and is a Fulbright Scholar.
Stacey Schesser of the California Attorney General's Office will be speaking on the topic of “Enforcing & Implementing California's Landmark Privacy Laws.” In this panel discussion, Ms. Schesser will provide an insider's perspective on the enforcement of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). She will discuss the various tools at the office's disposal for ensuring compliance, as well as the challenges and opportunities presented by these laws to businesses. Ms. Schesser will also offer practical advice for compliance, and an update on the latest developments in California's privacy landscape.
In August, California Attorney General Bonta announced the first-ever California Consumer Privacy Act (CCPA) enforcement action, a $1.2M settlement with Sephora. While the CCPA gives consumers a wide range of rights, it also creates a series of obligations for businesses. This groundbreaking Sephora case involved an overlap in marketing and privacy that many brands are now assessing: targeted advertising data collection and opt-out policies.
By Adam Turteltaub The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires providers of consumer financial products to explain how they share information and protect sensitive data. It's not, however, only banks that fall under GLBA's umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid, and others as well, explains Kayne McGladrey, Field CISO for Hyperproof. The FTC has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:
- Have a qualified individual to implement and enforce an information security plan
- Conduct a periodic cybersecurity risk assessment
- Implement cybersecurity controls to manage those risks
- Document who has access to customer data
- Assess the risks of applications that can access the data
- Securely destroy old data
- Periodically test the controls to verify their effectiveness
In addition, staff needs to be trained, there must be a written incident response plan, and there must be ongoing testing. It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place. Even so, it's important to conduct a gap analysis, he advises, to ensure all the requirements are being met. Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.
By Adam Turteltaub

With enhanced concerns and vigilance over cybersecurity has come an increasing number of yardsticks that organizations must measure themselves against. As Troy Fine, Director, Risk and Compliance at Drata, explains, in addition to legal requirements such as the European General Data Protection Regulation (GDPR), HIPAA and the California Consumer Privacy Act (CCPA), two key standards have emerged:

- SOC2: This standard was developed by the accounting body ISACA and is primarily of import to US-based technology companies and startups. Audits are performed by CPA firms on internal controls related to security.
- ISO27001: More popular in Europe, it is a certification on information security management systems, examining how risks are identified and mediated and what control plans are in place.

To prepare for an audit he recommends first getting a good understanding of the relevant standard so you understand all the elements it requires and what it will take to meet those requirements. Next, determine when you will need the certification in hand and build a timeline backwards to determine when you need to start. Calculate, too, what it will cost in terms of time, people and everything else, including the price of the audit.

How you work with the auditor will depend largely on which audit you pursue. He explains that SOC2 audits allow for more consultation than ISO27001 does. When hiring an auditor, it can be tempting to use the one with the lowest price. He recommends, though, being careful before going down that route, since the auditor is likely to have less time to give. Be sure also that the auditor has the necessary expertise to evaluate your technology. Some may not be as well versed on various elements, including cloud services, as they should be. Once the audit begins, compliance teams can be helpful by ensuring that all the data and people the auditor needs are available.
And, he advises, be transparent, even about your gaps. Listen in to learn more about having a successful data security standard audit.
In this episode of Data Basement, we're discussing the crucial role that product managers play in ensuring data privacy for their companies and users. With the increasing importance of data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), product managers must understand how to handle and protect sensitive customer information. Here we discuss the importance of incorporating privacy by design into product development, creating clear and concise privacy policies, and managing user consent. Whether you're new to the field of product management or a seasoned pro, this episode will provide valuable insights on how to tackle the challenges of data privacy. Tune in to learn more!
To anyone hoping that California's updated privacy law would help to simplify privacy compliance in the U.S., sorry. That doesn't seem to be the case. Instead, the California Privacy Rights Act (CPRA), which takes effect on Jan. 1, seems set to muddy the privacy landscape even more. “CPRA is this unique kind of beast that has complicated privacy significantly for organizations in the U.S.,” said Sarah Bruno, a partner at the law firm Reed Smith, on the latest Digiday Podcast. One aspect of the CPRA needing clarification is the difference between the law's “contractor” and “service provider” labels. “A contractor is a company that you make data available to, and a service provider's a company that processes the data on your behalf. That's not super clear, is it? We need more clarity on that,” Bruno said. The CPRA does clarify some aspects of California's existing privacy law, the California Consumer Privacy Act (CCPA), which took effect in 2020. It covers the sharing of data for cross-contextual behavioral advertising purposes, which helps to resolve the CCPA's Rorschach-esque definition of sale that caught Sephora in the crosshairs of California's attorney general. The CPRA's addition of sharing data has “eliminated the question that we had with [the CCPA's definition of] sale,” said Bruno. Besides, for as much as the CPRA may mix up the U.S. privacy picture for companies, the more prominent complicating factor remains the absence of a comprehensive federal privacy law. “We're still going to have these nuances until there's a federal law that addresses this,” Bruno said.
In this episode of Commitment Matters, Mary speaks with Sylvia Smith Turk, Division President at Stewart Title Company, and co-chair of ALTA's State Legislative and Regulatory Action Committee. During their conversation, Sylvia or Mary mentioned:

As co-chair of ALTA's State Legislative and Regulatory Action Committee (SLRAC), Sylvia gave a great update on its work, including how it has evolved in the past few years and recent speakers like PRIA and UNC.

The subject of Redaction is complex, as Sylvia explains, highlighting concerns from both the business and consumer perspective. Learn more about Data Redaction in Government Documents in this primer. ALTA also offers a number of resources on their Redaction and Record Shielding page.

Discriminatory Covenants also remain a topic at the forefront in our industry. Sylvia talks about how these illegal and unenforceable restrictions can still do harm, and this CLTA article offers a look at questions you may be asking. Sylvia reports that the Uniform Law Commission is drafting language around restrictive covenants, which is a great way to get involved in the discussions. Here's a link to the Restrictive Covenants in Deeds Committee.

Mary and Sylvia tag team to offer a brief 101 on the topic of Data Privacy, and ALTA provides a number of educational tools to help you get up to speed on the subject. California passed the California Consumer Privacy Act (CCPA) back in 2020, with the basic posture that a consumer's data is their own, but both Sylvia and Mary talk about how much more in-depth this legislation, and its implementation, truly is, and how it has added pressure for a Federal bill. The Gramm-Leach-Bliley Act already requires the title and settlement industry to ensure privacy of consumer data, and Data Privacy statements have been provided for years because of this.

Wire Fraud continues to increase in our industry.
Check out this helpful document from TLTA on how to avoid and respond. As Sylvia mentions, ALTA provides a number of resources as well.

HELOC transactions are back in Sylvia's world, and HousingWire recently posted an article noting they are "raging back." Read that here. Foreclosures are slowly increasing as well, but Sylvia notes they are nowhere near what had been the norm in the 2010s. ATTOM reports on the first six months of 2022's Foreclosure Activity here. As Sylvia mentioned, Cash Buys are still a thing, too. This article estimates almost a third of U.S. home purchases are this type of transaction right now.

Mary and Sylvia recount their experiences with advocacy and legislation. The ALTA Advocacy Summit is a great way to dip your toe in these waters, and both host and guest encourage you to get involved!

Got a topic or guest idea you want featured? Leave a voice message at 214.377.1807 or email podcasts@ramquest.com. Don't forget to subscribe, rate, and review this podcast on Apple Podcasts, Spotify, or wherever you listen to podcasts, or visit RamQuest.com/podcast to download the latest episode. Lastly, we love to see when and how you're listening. Share our posts, or create your own and tag them: #CommitmentMattersPodcast
How a California statute works in practice

In August 2022, California's Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws to give their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora's website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires. Sephora promptly changed its website. But how? This podcast discusses how, in this CCPA example, the consumer's ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word "sell" itself has no settled definition. Sephora argued that it was merely "sharing" rather than "selling" its customers' personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA), effective in 2023, will address the "sharing" of personal information, a much broader reach than "selling." Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.
In this episode of The Workplace podcast, CalChamber employment law expert Matthew Roberts and CalChamber policy advocate Ashley Hoffman discuss the current state of the California Consumer Privacy Act (CCPA) and how it will affect employers starting January 1, 2023.
Dan Frechtling, CEO of Boltive, joins David and Deb to share how his Privacy Guard service helps media companies, technology companies, and consumer brands find, block, and replace invasive advertising, including those with malware, data leakage, and other potential California Consumer Privacy Act (CCPA) or EU General Data Protection Regulation (GDPR) violations. Dan tells a compelling story about his migration to data security and provides background on how advertising algorithms work. He also describes why advertising is so enmeshed in our web experience and what that means for the future of data protection. During the discussion, Dan gives a shout-out to our own CCPA Litigation Tracker, which helps companies stay abreast of litigation involving the CCPA.
Show Notes

Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team. What should you talk about? How do you give high-level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer?

Story about Kim Jones at Vantiv – things have changed

Let's first talk about how you make someone satisfied, in this case your executives. Frederick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general. What a hygiene factor basically means is that people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in the employee bathroom. Or, said more concisely, satisfaction and dissatisfaction are not opposites. The opposite of Satisfaction is No Satisfaction. The opposite of Dissatisfaction is No Dissatisfaction. According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction." For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied. So, what makes someone satisfied or dissatisfied?
Factors for Satisfaction:
- Achievement
- Recognition
- The work itself
- Responsibility
- Advancement
- Growth

Factors for Dissatisfaction:
- Company policies
- Supervision
- Relationship with supervisor and peers
- Work conditions
- Salary
- Status
- Security

So, what will make a board member satisfied? Today, cyber security IS a board-level concern. In the past, IT really was only an issue if something didn't work right, a hygiene problem. If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied. Hopefully you now have context for what might otherwise be considered splitting hairs on terminology; essentially, we want our executive audience to not think negatively of your IT security program and how you lead it.

Remember, boards of directors generally come from non-IT backgrounds. According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams. And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny. So, there is essentially a mismatch between a board member's background and a CISO's background. That extends to your choice of language and terminology as well. Never go geeky with your executives, unless you have the rare situation where your entire leadership team is IT savvy. Otherwise, you will tune them out by talking about bits and bytes and packets and statistics. Instead, communicate by telling stories: show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully). Show how your cybersecurity initiatives and efforts reduce multiple forms of risk: financial risk, reputational risk, regulatory risk, legal risk, operational risk, and strategic risk.
You can show that the threat landscape has changed: nation states and organized crime have supplanted lone hackers and disgruntled employees as the major threats. Regulatory environment changes such as the California Consumer Privacy Act (CCPA) and ultimately the follow-on legislation from 49 other states will impact strategic business planning. Show your board how to avoid running afoul of these emerging requirements. And, of course, there is the ever-present threat of ransomware, which has evolved from denial-of-access attacks to loss of customer and internal data confidentiality. That threat requires top-level policy and response plans in advance of an incident; it's too late to be making things up as you go along.

Now, before we go into the Four Major Topics executives need to hear (after all, that's what I promised at the beginning of the show), let's ask, "Why are we briefing executives on our cyber program?" Any company that is publicly traded falls under the scope of the Securities and Exchange Commission or SEC. The SEC has published Cybersecurity Guidance that offers suggestions for investment companies and investment advisors. They recommend investment firms "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats". The creation of a security strategy and education of employees on the strategy is at the core of what CISOs do. So, a translation of the SEC's guidance is to hire a CISO and have that individual create and execute a cybersecurity strategy. In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework, which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover.

Our second question is, how often should we be updating the Executive leadership team?
Since the SEC requires companies to disclose risks in their 10-K statements on a yearly basis, you should be briefing cyber updates to the Executive Leadership team at least on an annual basis. We recommend quarterly or semi-annual updates to give more touch points on important topics. You can draw parallels to quarterly financial statements. Let's say the Risk Committee chaired by the CEO has agreed to hear the status of the Cyber Program twice a year. What should we brief to the executive leadership team? Let's look at what's required by law.

The State of New York requires financial services organizations to follow New York Department of Financial Services (NYDFS) regulations. Section 500.04 provides additional information about CISOs. It states: Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO"). The regulations also state: The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks.

These types of requirements aren't confined to Wall Street. The Bermuda Monetary Authority requires insurance companies to follow their Cyber Risk Management Code of Conduct. It states that: The board of directors and senior management team must have oversight of cyber risks. The board of directors must approve a cyber risk policy document at least on an annual basis.
So, both the State of New York and the Bermuda Monetary Authority want CISOs to provide risk management and perform at least yearly reporting on material cyber security risks. Many more regulatory bodies do; these are just offered as examples. If you are going to function effectively as a leader, you should find some way to create a win-win from most any situation. You likely have a regulatory requirement to brief your board or leadership on a periodic basis. That's fine. But have you ever asked yourself, what do I want in return? Hmm. What you want is for your board to set the security culture from the top. Boards hold senior leadership (think C-level executives) accountable, and you want the board to ensure the CEO makes cybersecurity a priority for the organization. ISO 27001 has a nice tool – the Information Security Management System (ISMS) Policy Statement – which is senior leadership's declaration of the importance of cybersecurity within the organization. One example I found is that of GS1 India, a standards organization that helps Indian industry align with global best practices. Their ISMS Policy statement begins with: The Management of GS1 India recognizes the importance of developing and implementing an Information Security Management System (ISMS) and considers security of information and related assets as fundamental for the successful business operation. Therefore, GS1 India is committed towards securing the Confidentiality, Integrity, and availability of information for the day-to-day business and operations. If you can get a formal declaration of support from the top, your job is going to be a whole lot better. Otherwise, you might just end up being the Chief Scapegoat Officer. Now let's define the four things that an executive leadership team should hear from their security leader that will convey the message that you have a handle on your scope of authority and are executing your responsibilities correctly. 
Those four focuses are:

- Cyber Risks and Responses
- Cyber Metrics
- A Cyber Roadmap that Identifies High Profile Programs and Projects
- Cyber Maturity Assessment

Let's dig in. With respect to "cyber risks and responses," create a slide for executives that shows the top cyber risks. Examples may include things like ransomware, business email compromise, phishing attacks, supply chain attacks, third party compromise, and data privacy issues. As a practical matter when briefing cyber risks, never just share a risk and walk away. Executives hate that. Be sure to talk about what you are doing as a CISO to mitigate this risk. Usually in Risk Meetings executives look for a few things about any risk: What is it? How likely is it to occur? What is the impact if it does occur? What are we doing about it? How much does it cost to fix? However, this isn't a risk approval meeting where we need to go into that level of detail. So, let's keep our cyber risk reporting at an executive level by identifying our top three to five material risks and showing our cyber responses to each risk. For example, if you believe phishing is your number one cyber risk, then highlight it and talk about how you have created a phishing education program that lowers click rates and increases phishing reporting to the Cyber Incident Response Team. When phishing attacks are reported, your team has a Service Level Agreement (SLA) to respond to phishing reports within four hours to minimize any potential harm. You can also highlight that your organization has email protection tools in place, such as Proofpoint, that stopped thousands of phishing attacks during the last quarter. In summary, you are acknowledging that your company has Cyber Risks which can harm the organization, and that you are protecting the organization the best you can given the resources available to your team.
If someone doesn't like your four-hour SLA, then you might offer up that you could decrease the response time to a one-hour SLA if you had one additional headcount. This creates a business decision to give you additional headcount, which is a great discussion to have.

Once you have talked about the top three to five risks your organization faces, we recommend talking about key metrics to measure the Cyber Program. You could call these the metrics that matter. Essentially, they are tactical metrics that you measure month to month because they show risks that could result in major cyber-attacks. Our favorite place for metrics that matter is the OWASP Threat and Safeguard Matrix or TaSM (pronounced like Tasmanian Devil). Please note we have a link to it in our show notes. Please, please, please read about the OWASP Threat and Safeguard Matrix. It's a short five-minute read, and you will be glad that you did.

What does the Threat and Safeguard Matrix teach us about cyber metrics? It says all good metrics show a status, a trend, and a goal.

- Status shows where we are right now
- Trends show if the project, program, or company is getting better or worse
- Goals show the end state so we know when we are done and if we should be happy with our current progress

The OWASP Threat and Safeguard Matrix then categorizes cyber metrics into four major areas: technology, people, process, and environment. Technology-based metrics show things like how fast we are patching devices and how well our servers and laptops are configured. Think about it: if you have servers that are internet-facing which are not patched, then it's just a matter of time until bad actors cause your company (and you) a really bad day. This isn't something that you can wait on. So, your organization needs to continually track progress and burn these numbers down as quickly as possible. So, let's do something about it.
Start by looking at your company's security policy that defines the patch timelines for high and critical vulnerabilities. It might say something such as: we require critical vulnerabilities to be patched in 15 days and high vulnerabilities to be patched in 30 days. From that security policy you create a Service Level Agreement for the IT department to meet. So, you measure the percentage of your servers that have zero high and critical vulnerabilities older than that 15- or 30-day window. Yeah, it's going to look terrible in the beginning when your IT department shows that only 30% of its servers are patched according to the enterprise service level agreements. But transparency brings reform. When the CIO sees that these metrics are routinely being briefed to the CEO and executive leadership team, then things will change. The CIO will say "not on my watch" and usually lead the IT team to make the changes needed to improve patching.

Another metric category we see from the OWASP TaSM is People. When we think about cyber threats to people we usually think about phishing. So, during your monthly phishing exercises record your click rates and your reporting rates. Since each phishing exercise is different, you should benchmark your organization against other organizations who took the same phishing exercise. You can say we had 5% click-through compared to our industry vertical that scored 7%. If you are doing better than your peers, then you can show you are following best practices and meeting the legal term of due care. These metrics might lower your cyber insurance costs. These metrics could also be extremely helpful if your company were sued as a result of a data breach that began with a successful phishing attack. So, measure them each month and make good progress.

The third metric category is Process-based metrics.
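The patch-SLA metric described above, worked through as status, trend and goal in the way the TaSM discussion recommends. This is an added Python example, not code from the show or from OWASP; the host names, finding dates and the 95% goal are constructed for illustration, while the 15-day critical and 30-day high windows come from the policy example in the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy windows from the example policy: critical within 15 days, high within 30.
SLA_DAYS = {"critical": 15, "high": 30}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from a scanner export (constructed sample shape)."""
    host: str
    severity: str                    # "critical", "high", "medium", ...
    first_seen: date                 # date the scanner first reported it
    fixed_on: Optional[date] = None  # None means still open


def is_overdue(f: Finding, as_of: date) -> bool:
    """True if the finding was open on `as_of` and had already exceeded its SLA window."""
    window = SLA_DAYS.get(f.severity)
    if window is None:
        return False  # only high and critical count toward this SLA
    if f.first_seen > as_of:
        return False  # not yet discovered at that snapshot
    if f.fixed_on is not None and f.fixed_on <= as_of:
        return False  # remediated on or before the snapshot date
    return (as_of - f.first_seen).days > window


def sla_compliance(hosts: List[str], findings: List[Finding], as_of: date):
    """Percentage of hosts with zero overdue high/critical findings, plus the offenders."""
    overdue = sorted({f.host for f in findings if is_overdue(f, as_of)})
    compliant = [h for h in hosts if h not in overdue]
    return round(100.0 * len(compliant) / len(hosts), 1), overdue


def metric_report(hosts: List[str], findings: List[Finding],
                  snapshots: List[date], goal_pct: float) -> Dict[str, object]:
    """Status (latest value), trend (change since the first snapshot) and goal."""
    series = [sla_compliance(hosts, findings, d)[0] for d in snapshots]
    status = series[-1]
    return {
        "status": status,
        "trend": round(status - series[0], 1),
        "goal": goal_pct,
        "goal_met": status >= goal_pct,
        "series": series,
    }


# Constructed sample inventory and findings (hypothetical hosts, not real data).
HOSTS = ["web-01", "web-02", "db-01", "app-01", "app-02"]
FINDINGS = [
    Finding("web-01", "critical", date(2022, 1, 20), date(2022, 3, 10)),
    Finding("web-02", "high", date(2022, 2, 15), date(2022, 3, 5)),
    Finding("db-01", "high", date(2022, 1, 5)),            # still open
    Finding("app-01", "critical", date(2022, 3, 20), date(2022, 3, 28)),
    Finding("app-02", "medium", date(2022, 1, 1)),         # outside the SLA scope
    Finding("app-01", "high", date(2022, 4, 10)),          # open, but inside its window
]
SNAPSHOTS = [date(2022, 3, 1), date(2022, 4, 1), date(2022, 5, 1)]

if __name__ == "__main__":
    for d in SNAPSHOTS:
        pct, offenders = sla_compliance(HOSTS, FINDINGS, d)
        print(f"{d}: {pct}% of hosts within SLA; overdue: {offenders}")
    print(metric_report(HOSTS, FINDINGS, SNAPSHOTS, goal_pct=95.0))
```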
Here you can monitor things like your third-party risks by looking at your processes that track how many of your third parties pass a review, have active ISO 27001 or SOC 2 Type 2 reports, and have recently passed penetration tests. Another process you might look at is what percentage of your critical applications performed adequately during both a Disaster Recovery exercise and a Business Continuity Plan exercise. These metrics are helpful during Sarbanes-Oxley (SOX) attestations and other regulatory reviews.

The fourth and last metric category defined by the OWASP TaSM is Environment-based metrics. This refers to things outside of your organization that you don't control. Even though you don't control them, they can have a substantial impact on your organization. You can think of countries passing new cyber or data privacy laws, regulators asking for new information and compliance activities, and malicious actors and fraudsters taking interest in your company all as examples of environment-based factors. Please don't confuse environmental factors with saving the Earth. This is not the context you are looking for. Environment metrics could be used to show how many legitimate phishing attacks your organization stopped when someone reported a phishing attack and the Incident Response Team confirmed it wasn't a false positive. Note these are actual phishing attacks, not phishing exercises. This is an important metric because it shows that despite the email protection tools in place, things got past them. If you notice a 500% increase in confirmed phishing attacks, you might need to buy additional tooling to interdict them. Another metric you might look at is how many reported help-desk tickets your organization responded to that were caused by a cyber incident. These types of metrics can help inform management just how big the malicious attacker threat is and can be used by you to justify additional resources.
Well, that's a good overview on Cyber Metrics that you can look at each month, but we still have two more categories to go over in our cyber update. Remember if you want to learn more on cyber metrics, please look at the OWASP Threat and Safeguard Matrix. The third broad category of slides to include in your board deck is A Cyber Roadmap that Identifies High Profile Programs and Projects. Executives want to see the big picture on how you are evolving the program. So, show them a roadmap that says over the next three years here is the big picture. For example, in 2022 we are focusing on improving ransomware defenses by enhancing our backup and data recovery process. We will also improve our ability to prevent malware execution in our environment by adding new Windows group policies. In 2023, we will shift our focus towards improving our website security. We will be launching a bug bounty program that allows smart and ethical hackers to find vulnerabilities in our websites before malicious actors do. We will be upgrading our Web Application Firewall after we finish our three-year contract with our current vendor. We will also be adding a botnet protection tool to our internet-facing websites given the recent attacks we have been experiencing. In 2024, we will then shift our focus to improving our software development process. We will be purchasing a tool to gamify secure software development amongst developers. This should lower the cost of vulnerability management. We will also be building custom courses in house that teach developers our company's requirements to build, test, and retire applications correctly. When you present this type of Cyber Roadmap you might show a single slide with a Gantt chart view of when high profile projects occur with the executive summary of the points previously mentioned. The last major category is a Cyber Maturity Assessment. Essentially you want something that independently measures the effectiveness of the entire Cyber Program. 
For example, many organizations use the NIST Cybersecurity Framework, ISO 27001, the FFIEC Cyber Assessment Tool, or HiTrust to benchmark their program. Consider hiring an independent auditing company to measure your organization's security maturity. You will get something that says: here are the top fifteen domains of cyber security; today, on a scale of one to five, your organization measures between a two and four on most of the domains; most companies in your industry benchmark at a level three, so you are currently underperforming versus your peers in four domains. You can take that independent assessment and say we really want to improve all level-two scores to be at least a three. This can be something you show in a spider graph or radar chart. You can show the top five activities needed to improve these measurements and provide timelines for when those will be fixed. This shows the executive leadership team that security is never perfect, how you benchmark against your peers, and provides them with the same confidence that they would get from an audit to confirm you are working effectively.

So, let's summarize. We talked about Herzberg's hygiene factors, things that aren't perceived as satisfactory when present but are dissatisfactory when absent. Remember, satisfaction and dissatisfaction are not opposites. The opposite of dissatisfaction is no dissatisfaction. That helps us understand that when briefing management, we will not be able to delight them with the overall state of our cybersecurity program, but we can cause them not to worry about it. Focus on risk reduction, and how your program is helping your organization work toward that goal. We talked about why we need to brief management and how often. Different regulations require executive teams to articulate a cybersecurity strategy and empower the appropriate individuals to execute it.
In addition, most rules require at least annual security briefings; you may want to strive for more frequent meetings to keep your leadership team well-informed. Your goal is to have your board set the security culture from the top and hold C-level executives accountable for funding and maintaining cybersecurity initiatives. We covered the four things you should include in your executive briefings: cyber risks and responses, cyber metrics, a cyber roadmap that identifies high-profile programs and projects, and a cyber maturity assessment. By addressing risk in multiple forms, showing that you can measure and track your progress toward your security goals, that you have a solid plan for the next couple of years, and that you can demonstrate your maturity relative to peer companies, you will go a long way toward keeping your board happy, or more precisely, not unhappy. Lastly, don't forget to look up the OWASP TaSM model. It's a really useful tool for mapping threat categories to the NIST cybersecurity framework and showing where you may have gaps in your program (represented by blank cells in the matrix.) The link to that is in our show notes. Well, we hope that you have enjoyed today's episode on Updating the Executive Leadership team on the Cyber Program and we thank you again for listening to us at CISO Tradecraft. Please leave us a review (hopefully five stars) if you enjoyed this podcast and share us with your peers on LinkedIn. We would love to help others with their cyber tradecraft. Thanks again and until next time, stay safe. 
References
https://www.mindtools.com/pages/article/herzberg-motivators-hygiene-factors.htm
https://threataware.com/a-cisos-guide-to-cybersecurity-briefings-to-the-board/
https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf
https://www.spencerstuart.com/research-and-insight/cybersecurity-and-the-board
https://www.sec.gov/investment/im-guidance-2015-02.pdf
https://piregcompliance.com/ciso-as-a-service/what-regulations-require-the-designation-of-a-chief-information-security-officer-ciso/
https://proteuscyber.com/privacy-database/ny-dfs-section-50004-chief-information-security-officer
https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-Insurance-Sector-Cyber-Risk-Management-Code-of-Conduct.pdf
https://www.gs1india.org/media/isms-policy-statement.pdf
https://owasp.org/www-project-threat-and-safeguard-matrix/
32% of firms in Ireland say they are “not prepared at all” for a future that will preclude them from using third-party cookies.

In March 2021, Google Chrome, the world's biggest browser, announced the phasing out of third-party cookies, which are a key component of online advertising and enable a company to target particular audiences for its products or services. By late 2023, third-party cookies will no longer be supported on the search engine. The EU's General Data Protection Regulation (GDPR), alongside other international regulations such as the California Consumer Privacy Act (CCPA), is likely to make them obsolete within the next few years.

A bane on businesses, a boon for internet users

The average person has their internet usage tracked and monitored every day through the use of cookies. The new GDPR guidance will put power back in the hands of ordinary internet users, making it easier for them to avoid being tracked online. However, many businesses, which have not operated without tracking consumers' internet usage in years, have their complaints, with only 10% of companies surveyed feeling fully prepared for a future without cookies. The Compliance Institute, which surveyed 144 compliance professionals within Irish organisations nationwide, says the results speak to a severe lack of communication between the two departments that will play the most crucial roles in ensuring that businesses successfully adapt to the new changes, namely the compliance and marketing departments.

The stats

The lack of collaboration between the two could very well prevent an organisation from fulfilling its regulatory duties and meeting the requirements of data protection legislation.

How prepared is your business for a cookie-less future?
Very prepared: 12%
Somewhat prepared: 56%
Not prepared at all: 32%

In your view, do compliance and DPO teams have a clear understanding of what personal data is obtained and processed by your company via third-party cookies?
Yes: 42%
No: 58%

How great a role does the compliance function within your organisation have in aspects of marketing such as first- and third-party cookies and data capture?
Very involved: 23%
Somewhat involved: 31%
Not involved much: 23%
Not involved at all: 23%

Further highlights from the Compliance Institute Cookie Survey reveal:
- 6 in 10 say compliance and data protection teams within their organisation do not have a clear understanding of how third-party cookies are used within the organisation
- 46% say the compliance function within their organisation has little to no involvement in aspects of marketing such as first- and third-party cookies and data capture

Cookies: the next dinosaur?

Speaking of the findings, Michael Kavanagh, CEO of the Compliance Institute, said: “The findings highlight a sharp knowledge gap that exists within compliance and data protection departments of Irish organisations, and it seems that this is largely due to a communication blockage with the people in the business who are at the forefront of this type of data collection and utilisation, i.e. those whose expertise and responsibility lie in marketing.”

“Major changes are coming down the tracks and there will be no getting around this. All organisations will be forced to change their practices and find other ways to collect the information needed to research the market and target key audiences while keeping within the boundaries of data protection laws.”

“But it is very hard to see how the GDPR requirement for data protection by design and default is being effectively implemented if nearly 6 in 10 respondents have little or no involvement in first- and third-party data strategies and data capture, and 32% have no involvement at all in the development of alternative strategies.”

“There is no way that these organisations can effectively prepare for the changes unless they change their strategy and allow for and enable much clearer lines of communication. Marketers need to do more to engage with the...
Looking back even just five years ago, the privacy landscape looked nothing like it does today: there was no General Data Protection Regulation (GDPR), no California Consumer Privacy Act (CCPA), and the demands on businesses were much different. In the first episode of Privacy Abbreviated, “The State of Privacy: How Did We Get Here?”, hosts Catherine Dawson and Dona Fraser are joined by …
About Gordon G. Summers and ECMRMIG: Privacy solutions and technology strategies. Product owner and product development strategies. Workgroup director for enterprise architecture governance strategies. Company cybersecurity architectural strategies. Leads and directs the preparation of governing principles to guide decision-making pertinent to infrastructure architecture. Produces all architectural strategies and BPM processes for the organization, including the following: the Zachman Framework for Enterprise Architecture for development; The Open Group Architecture Framework (TOGAF) for accurately defining processes for government clients; the Federal Enterprise Architecture for all federal client work; the Gartner methodology as part of the ECMRMIG enterprise architecture practice; and an Earned Value Management System (EVMS) for managing all of the company's resources, costs and budgets. Services and product marketing strategies. A privacy-through-technology company. ECMRMIG is an advocate for achieving total General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance, and for future author-ownership policies.

Engaging New Audiences Through a Smart Approach

Headquartered in Laurel, MD, ECMRMIG is a privacy information governance organization with technology packages including privacy best-practice standards, security best-practice standards, EVM (Earned Value Management) and the SAFe (Scaled Agile) development methodology. At ECMRMIG, our focus is to provide data privacy governance.
Privacy laws in different countries

Privacy laws apply to both public and private sector actors.

United States

The Constitution of the United States and the United States Bill of Rights do not explicitly include a right to privacy. Currently no federal law takes a holistic approach to privacy regulation. In the US, privacy and associated rights have been determined via court cases, and the protections have been established through laws. The Supreme Court in Griswold v. Connecticut (1965) found that the Constitution guarantees a right to privacy against governmental intrusion via penumbras located in the founding text. In 1890, Warren and Brandeis drafted an article published in the Harvard Law Review titled "The Right To Privacy" that is often cited as the first implicit finding of a U.S. stance on the right to privacy. The right to privacy has been the justification for decisions involving a wide range of civil liberties cases, including Pierce v. Society of Sisters, which invalidated a successful 1922 Oregon initiative requiring compulsory public education; Roe v. Wade, which struck down an abortion law from Texas and thus restricted state powers to enforce laws against abortion; and Lawrence v. Texas, which struck down a Texas sodomy law and thus eliminated state powers to enforce laws against sodomy.

Legally, the right of privacy is a basic law which includes:
1. The right of persons to be free from unwarranted publicity
2. Unwarranted appropriation of one's personality
3. Publicizing one's private affairs without a legitimate public concern
4. Wrongful intrusion into one's private activities

In 2018, California set out to create a policy promoting data protection, the first state in the United States to pursue such protection. The resulting effort is the California Consumer Privacy Act (CCPA), regarded as a critical juncture in defining, from California lawmakers' perspective, what privacy legally entails.
The California Consumer Protection Act is a privacy law protecting the residents of California and their personally identifying information. The law enacts regulation over all companies, regardless of operational geography, protecting the six Intentional Acts included in the law.
Connecticut became the fifth state to pass comprehensive privacy legislation when Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” into law. Connecticut joins California, Virginia, Colorado, and Utah in enacting new privacy laws that take effect in 2023. Out of fifty states in the U.S., ten percent have now passed a comprehensive privacy law. Effective July 1, 2023, the Connecticut law adopts a general framework of definitions, consumer rights, and compliance obligations based on the concepts of data controller and data processor from the EU's General Data Protection Regulation (GDPR), and the right to opt out of the “sale” of personal data as first articulated in the California Consumer Privacy Act (CCPA). Overall, the Connecticut law mirrors Colorado's privacy law but borrows select concepts from the California, Virginia, and Utah laws. The result is a hybrid of the pre-existing state laws, but not a law that introduces significant contradictions or unique compliance challenges. The following are highlights of the Connecticut law

Blog:
Contacts: Alysa Z. Hutnik, Alexander I. Schneider
Hosted by Simone Roach
Produced by Jeff Scurry
The increasing number of states enacting privacy laws means more privacy litigation. From the webinar of the same name, on this podcast the two co-chairs of Kelley Drye's Consumer Class Action Defense practice discuss:
- California Consumer Privacy Act (CCPA) and related laws covering privacy
- California Invasion of Privacy Act (CIPA) (Cal. Penal Code §§ 631, 632)
- Telephone Consumer Protection Act (TCPA) (47 U.S.C. 227)
- Video Privacy Protection Act (VPPA) (18 U.S.C. 2710)
- Illinois Biometric Information Privacy Act (BIPA)

Webinar link:

Contacts
Lauri Mazzuchetti, Partner, lmazzuchetti@KelleyDrye.com, (973) 503-5910. Bio: https://www.kelleydrye.com/Our-People/Lauri-A-Mazzuchetti
Becca Wahlquist, Partner, bwahlquist@kelleydrye.com, (213) 547-4916. Bio: https://www.kelleydrye.com/Our-People/Becca-J-Wahlquist
In this episode of Commitment Matters, Mary speaks with Steve Tjaden, Senior Vice President and Chief Privacy Officer at Old Republic Title Insurance Company. View Steve's LinkedIn profile here. Learn more at oldrepublictitle.com.

During their conversation, Steve or Mary mentioned:
- Steve points out that consumer privacy and data is constantly evolving. Protecting personal data is just as important as protecting title data.
- California was the first to enact privacy laws at the state level. Steve says ideally there should be more federal laws.
- Now Virginia and Colorado have privacy laws, which Steve says are critical to the title industry. Utah also recently passed new privacy legislation.
- Steve mentions the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to disclose how they use customer information.
- Within the last month, 30 states have introduced some type of privacy legislation.
- The California Consumer Privacy Act (CCPA) requires businesses to provide several different privacy notices; this could include a preliminary privacy report or certain privacy notices on their website.
- When issuing a title policy, it's important for lenders to be thoughtful about the consumer's data. Steve says to use the “Common Sense” data sharing rule: the idea that people should manage others' data the same way they would want their own data handled.
- Encryption is a basic tool critical for keeping your data, and the data of those you correspond with, safe.
- Steve says to be mindful when working with third parties. Watch their data procedures and read through their data agreements, noticing how they are using your data.
- Review your company's GLBA privacy notice every year. Note changes in how and with whom you share information.
- If your website doesn't have a privacy notice, Steve says you need one!
- ALTA provides a number of resources that outline various states' data privacy legislation.

If you'd like to contact the Commitment Matters podcast, email podcasts@ramquest.com. Don't forget to subscribe, rate, and review this podcast on Apple Podcasts, Spotify, or wherever you listen to podcasts, or visit RamQuest.com/podcast to download the latest episode. Lastly, we love to see when and how you're listening. Share our posts, or create your own and tag them: #CommitmentMattersPodcast
Do you want to become a credible and authoritative Privacy Pro? Odia Kagan unearths the secrets! In this value-packed episode, we reveal why investing in training can make the difference between a mediocre career and a truly fulfilling one. Odia shares the strategies that have really helped her build a successful career and how you too can achieve the career you've always dreamed of.

Discover:
- Why you can't rely on a template privacy notice
- How the world is going to be different after the end of third-party cookies
- How US states are using GDPR as the benchmark for new privacy laws
- Why being passionate about privacy will lead you to success
- And so much more…

Odia Kagan is a Partner and Chair of the GDPR Compliance & International Privacy Practice at Fox Rothschild LLP. Odia has advised more than 200 companies of varying industries and sizes on compliance with GDPR, the California Consumer Privacy Act (CCPA) and other US data protection laws. With an emphasis on a pragmatic, risk-based approach, Odia provides clients with practical advice on how to design and implement their products and services in a compliant manner. Odia holds 3 law degrees, 5 bar admissions and 5 privacy certifications (FIP, CIPP/US/E, CIPM, CDPO).

If you want to make it as a successful Privacy Pro and take your career to a new level, you can't afford to miss out on this episode. Listen now...

Connect with Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Connect with Odia on LinkedIn: https://www.linkedin.com/in/odiakagan/

Join the Privacy Pros Academy Private Facebook Group for:
• Free Weekly LIVE Training
• Free Data Privacy ‘How To' Guides
• Latest Data Protection Updates
• Reports on GDPR Enforcement Action
• Have Your Questions Answered by The King of Data Protection

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro
In this episode of Supply Chain Now, Scott & Greg welcome Tim Quinn of Candid and Kevin Coy of AGG to the podcast.

Kevin Coy is Co-Chair of Arnall Golden Gregory's Privacy Practice. Kevin focuses his practice on advising privacy-sensitive organizations on domestic and international privacy law and policy matters concerning a wide range of personal data. He also represents clients before the Federal Trade Commission and other agencies on privacy, data breach and data security law issues. Kevin advises clients on state privacy laws, including state consumer reporting laws and the California Consumer Privacy Act (CCPA), as well as international data protection laws including the European Union's General Data Protection Regulation (GDPR). He also advises clients on privacy policies, online privacy issues, the conduct of privacy impact assessments and privacy best practices.

Tim Quinn is a decisive and results-oriented technology executive, entrepreneur and leader with over 25 years of diversified experience in supply chain, transportation, and IoT. Tim has extensive experience leading start-ups, high-growth tech companies, and professional services consulting firms. He has proven success in driving digital transformation, building and leading effective teams, and executing strategic plans to gain market share, market new products, and develop new products by combining pragmatic and hands-on tactical efforts. Tim is a solutions-oriented architect known for uncovering hidden opportunities, directing groundbreaking strategies, and forming strategic alliances with C-suite business leaders.
Upcoming Events & Resources Mentioned in this Episode:
Subscribe to Supply Chain Now and ALL Supply Chain Now Programming Here: https://supplychainnowradio.com/subscribe
Leave a review for Supply Chain Now: https://ratethispodcast.com/supplychainnow
Connect with Scott on LinkedIn: www.linkedin.com/in/scottwindonluton/
Connect with Greg on LinkedIn: www.linkedin.com/in/gswhite/
Connect with Kevin on LinkedIn: https://www.linkedin.com/in/kevinlcoy/
Connect with Tim on LinkedIn: https://www.linkedin.com/in/timquinn42/
Supply Chain Now Ranked #3 Supply Chain YouTube Channel: https://tinyurl.com/yazfegov
Download the Q3 2020 U.S. Bank Freight Payment Index: freight.usbank.com/?es=a229&a=20
Listen to the Replay of The Connected IoT Supply Chain: https://supplychainnow.com/the-iot-connected-supply-chain

Check Out News From Our Sponsors:
U.S. Bank: www.usbpayment.com/transportation-solutions
Capgemini: www.capgemini.com/us-en/
Vector Global Logistics: vectorgl.com/
Verusen: www.verusen.com/

This episode was hosted by Greg White and Scott Luton. For additional information, please visit our dedicated show page at: https://supplychainnow.com/episode-519.