On this week's episode of Serious Privacy, Paul Breitbarth, Ralph O'Brien of Reinbo Consulting, and Dr. K Royal discuss the controversy over executive changes at the U.S. Federal Trade Commission (#FTC), the UK #adequacy extension, and the Norwegian decision on Data Protection Officer (#DPO) conflicts of interest. Please subscribe in your favorite podcast app; sharing is caring!

Powered by TrustArc. Seamlessly manage your privacy program, assess risks, and stay up to date on laws across the globe. With TrustArc's Privacy Studio and Governance Suite, you can automate cookie compliance, streamline data subject rights, and centralize your privacy tasks, all while reducing compliance costs. Visit TrustArc.com/serious-privacy.

If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and by email at podcast@seriousprivacy.eu. Rate and review us! From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with voiceover by Tim Foley.
AWS executive Giancarlo Casella explains how organizations can navigate global privacy regulations and achieve compliant international expansion using AWS's privacy reference architecture.

Topics include:
Welcome to the executive forum on security and generative AI
Introduction of Giancarlo Casella from AWS Security Assurance Services
AWS helps organizations with compliance and audit readiness
Global expansion requires understanding local privacy laws
Germany and France interpret GDPR differently
Germany has the Federal Data Protection Act (BDSG)
France focuses on consumer privacy through the CNIL
Risks of non-compliance include fines and reputational damage
Privacy laws existed in only 10 countries in 2000
The EU Data Protection Directive of 1995 was prominent
By 2010, forty countries had privacy laws
HIPAA and GLBA introduced in the United States
Now over 150 countries have privacy regulations
75% of the world's population will soon be under privacy laws
Regulations are vague and open to interpretation
GDPR example: encryption requirements lack specificity
Need the right stakeholders for privacy compliance
Legal team must lead privacy interpretation
Engineering implements the technical privacy aspects
Risk and compliance teams coordinate evidence gathering
Data Protection Officer oversees the entire program
CIO, CTO, CISO alignment creates a strong foundation
Security transforms from bureaucratic function to revenue enabler
AWS develops a cloud-specific privacy reference architecture
Industry standards provide guidance frameworks
AWS privacy reference architecture focuses on cloud specifics
Data minimization and individual autonomy are key
Case study: Middle Eastern AI company expands to Canada
Company used CCTV at gas stations
Created a privacy baseline and roadmap
Data flow documentation is essential for compliance
Continuous compliance strategy helps enable success
Aligning stakeholders across different organizational lines
Future of US federal privacy regulation discussed
Discussion of responsible AI usage requirements

Participants: Giancarlo Casella - Head of Business Development and Growth Strategies, AWS Security Assurance Services

See how Amazon Web Services gives you the freedom to migrate, innovate, and scale your software company at https://aws.amazon/isv/
Liliana Acosta (DPO, Utah State University) is a lawyer specializing in data protection, governance and risk management, trained in Colombia and having also worked in Guatemala. With her we analyzed the particularities of structuring and managing a data protection program in the United States, including marketing activities in the university setting and important differences regarding overlapping regulations and the management of processors and sub-processors.

References:
Liliana Acosta Santacruz on LinkedIn
FERPA: Family Educational Rights and Privacy Act
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
COPPA: Children's Online Privacy Protection Act
Utah Consumer Privacy Act
Utah Government Data Privacy Act
NIST Privacy Framework
John Martin is an accomplished cybersecurity leader with over 30 years of experience driving strategic initiatives, optimizing IT operations, and mitigating risks for complex organizations across on-premises and cloud infrastructures. He has a proven track record in building high-performing teams, implementing robust security frameworks, and delivering innovative solutions. Skilled in navigating complex regulatory environments such as HIPAA, GLBA, and the NIST frameworks, he collaborates seamlessly with C-suite executives, board members, and technical teams to achieve business objectives while maintaining a strong security posture.
Today Laura and Kevin speak with cybersecurity expert Craig Petronella, founder of the Petronella Technology Group. They talk about cybersecurity and disaster recovery after events such as Hurricanes Milton and Helene, and how you should test your cyber practice with tabletop exercises. Craig shares some scary ransomware stories and gives tips on how to get into cybersecurity in 2024. We also get into some overlooked compliance risks and new regulations. Craig is a true expert!

Craig and the Petronella Technology Group have helped 5,000+ businesses stay safe from network attacks and fully comply with their industries' regulations, including CMMC and NIST for defense industrial base contractors, HIPAA and HITECH for medical practices, GLBA for banking and finance, FTC compliance, Sarbanes-Oxley and more. Craig is also the author of 8 cybersecurity and compliance books, including the Amazon #1 bestseller How HIPAA Can Crush Your Medical Practice.

With 30+ years of experience, Craig is well known and highly regarded in the U.S. cybersecurity industry. He has served as a compliance consultant and conducted onsite risk assessments for over 500 medical practices, hospitals, and business associates across the country, protecting them from hackers halfway around the world in places like Ukraine, Russia, and China. Craig holds MIT certifications in AI, blockchain, cybersecurity, and compliance.
E&I Host: David Manz, Business Partnerships Manager, Facilities & Interiors
Guest: Brian Kirk, Vice President, Cybersecurity Services, Strata Information Group (SIG)

Join Brian Kirk from Strata Information Group (SIG) to discuss the crucial elements of incident response planning in higher education. Discover the essentials of crafting an effective Incident Response Plan (IRP) and how compliance with GLBA requirements can protect student data. Brian also highlights the importance of proactive cybersecurity measures and the benefits of tabletop exercises in preparing your institution for potential threats. Tune in for expert insights on strengthening your cybersecurity strategy.

Relevant Links:
E&I SIG Contract
SIG Cyber Solutions
SIG Website

Cooperatively Speaking is hosted by E&I Cooperative Services, the only member-owned, non-profit procurement cooperative exclusively focused on serving the needs of education. Visit our website at www.eandi.org/podcast.

Contact Us: Have questions, comments, or ideas for a future episode? We'd love to hear from you! Contact Cooperatively Speaking at podcast@eandi.org. This podcast is for informational purposes only. The views expressed in this podcast may not be those of the host(s) or E&I Cooperative Services.
Episode Description: In this episode of Tim Talks, we dive deep into the complexities of privacy laws impacting the automotive industry with our special guests, privacy attorney Nicole Newman from L2 Partners and senior attorney Joshua Talcovitz from Kurkin, Forehand, and Brandes. Learn about the challenges dealerships face with outdated privacy laws, such as the Florida Security of Communications Act, and how these laws are being leveraged in lawsuits that could affect your dealership. Nicole and Joshua provide invaluable insights on how to protect your dealership from these legal pitfalls and the proactive measures you can take to stay compliant.

Guests and Contact Information:
Connect with Joshua Talcovitz on LinkedIn and contact him at jtalcovitz@kfb-law.com
Contact Nicole Newman at nnewman@l2partners.net

Show Notes:
[00:00] Introduction: Tim Cox introduces the focus of the episode: the importance of leadership in the automotive industry and the growing concern over compliance with privacy laws.
[00:17] Industry Challenges: Tim Cox highlights the need for the automotive industry to stay compliant with laws like GLBA and TCPA, with a focus on protecting dealerships.
[01:19] Guest Introduction: Tim Cox introduces privacy attorney Nicole Newman and senior attorney Joshua Talcovitz.
[02:07] The Florida Security of Communications Act: Nicole Newman and Joshua Talcovitz discuss the law being used to file lawsuits against dealerships over their chat features.
[03:13] Understanding Consent: Nicole Newman explains the lawsuits stemming from improper consent in dealership online chats and how CarNow is helping dealers protect themselves.
[05:14] Wiretap Law Application: Joshua Talcovitz expands on the outdated wiretap laws and how they are misapplied to modern chat features on dealership websites.
[07:49] Who's Behind the Lawsuits: Joshua Talcovitz reveals how digital privacy advocates, or individuals looking to profit from lawsuits, are targeting dealerships.
[10:18] Court Cases & Outcomes: Joshua Talcovitz details the legal landscape, including small claims courts, and the potential for these cases to escalate to class-action lawsuits.
[14:53] How Dealerships Can Protect Themselves: Nicole Newman and Joshua Talcovitz share proactive steps dealerships can take, such as adding cookie banners and updating privacy policies.
[18:09] Two-Party Consent States: Nicole Newman lists states with two-party consent laws and explains why dealerships must be extra vigilant in those areas.
[20:12] Practical Solutions: Tim and his guests discuss practical steps dealerships can take to avoid lawsuits, including working closely with their web providers.
[24:07] Final Thoughts: Joshua Talcovitz and Nicole Newman encourage dealerships to fight these lawsuits rather than settle, in order to prevent a flood of future legal actions.
[27:00] Call to Action: Tim Cox wraps up with a call for dealerships to be proactive, protect themselves, and reach out to CarNow or legal experts for guidance.
In this eye-opening episode of "Facts Not Feelings," we delve deep into the complexities of data privacy and compliance in the automotive industry under the Gramm-Leach-Bliley Act (GLBA). Join our expert panel, including industry leaders Brian Pasch, April Simmons, and Tom Kline, as they unravel the challenges and strategies for navigating GLBA compliance. Discover the impact of data handling in auto retail, the role of vendors, and the essential steps dealerships must take to safeguard consumer data. This episode is a must-watch for automotive professionals committed to data security and legal compliance. Stay ahead of the curve with our actionable insights and expert advice!

3 Main Takeaways
The Gramm-Leach-Bliley (GLB) Act has clear obligations for dealers when it comes to customer data privacy and security, but many vendors have been slow to comply. This puts dealers at risk of fines if their vendors are not securing customer data properly.
Dealers should be taking steps to comply and protect themselves, such as sending letters to vendors requesting compliance confirmation, documenting communications, and considering customer data platforms to better control data flow. Having cyber insurance can also help mitigate risks.
Data breaches and fines are inevitable in the industry. When they happen, they will force vendors and dealers to take GLB Act compliance much more seriously. Being proactive now is important to limit risks and liabilities.
Last week, the FTC announced that it had finalized its rulemaking to add data breach notification provisions to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. As expected, the new provisions require non-bank financial institutions to notify the FTC of data incidents meeting certain thresholds, and they detail the trigger for, and the content and timing of, the notice. The FTC's proposal elicited only 49 comments, perhaps because most stakeholders thought the new requirements were inevitable and would be fairly routine. After all, the federal banking agencies have long required data breach notification under GLBA, every state in the country has a data breach law, and the Commission was only proposing that notice be given to the FTC, not to consumers.

https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/safeguards-snafu-the-anomalous-new-provision-in-the-ftcs-gramm-leach-bliley-safeguards-rule

Jessica Rich
jrich@kelleydrye.com
(202) 342-8580
www.kelleydrye.com/Our-People/Jessica-L-Rich

Subscribe to the Ad Law Access blog - www.kelleydrye.com/subscribe
Subscribe to the Ad Law News Newsletter - www.kelleydrye.com/subscribe
View the Advertising and Privacy Law Resource Center - www.kelleydrye.com/advertising-and-privacy-law
Find all of our links here: linktr.ee/KelleyDryeAdLaw

Hosted by Simone Roach
In this episode of Business Ninjas, Terri Delfino, CMO at FormAssembly, joins Kelsey to talk about how FormAssembly helps collect, connect, and protect data digitally.

FormAssembly is a secure data collection platform that enables organizations to gather and automate data. With FormAssembly, organizations can improve efficiency using the drag-and-drop form builder, which can be up and running in minutes. Dedicated to helping organizations become better stewards of the data entrusted to them, FormAssembly provides governance and visibility into data collection processes, while giving end users a powerful, easy-to-use solution for collecting and leveraging data. The FormAssembly platform offers robust integration with Salesforce and advanced security, compliance, and privacy capabilities covering HIPAA, GDPR, GLBA, and more. Learn more: https://www.formassembly.com/

-----
Do you want to be interviewed for your business? Schedule time with us, and we'll create a podcast like this for your business: https://www.WriteForMe.io/
-----
https://www.facebook.com/writeforme.io
https://www.instagram.com/writeforme.io/
https://twitter.com/writeformeio
https://www.linkedin.com/company/writeforme/
https://www.pinterest.com/andysteuer/

Want to be interviewed on our Business Ninjas podcast? Schedule time with us now, and we'll make it happen right away! Check out WriteForMe, more than just a content agency! See the faces behind the voices on our YouTube channel!
Join us in our latest episode as we delve into the intricacies of the GLBA Safeguards Rule with expert guest Nanci McKenzie. We'll break down the pivotal mandates of the GLBA Safeguards Rule and discuss its significance in ensuring the privacy and security of information for organizations. Plus, get insights into the roles of federal agencies such as the Federal Reserve, NCUA, OCC, SEC, and FDIC in upholding and enforcing these standards. Don't miss this comprehensive look into the world of data privacy and regulation!
The recent hack of MOVEit has serious implications for higher education. MOVEit, a managed file transfer application used by the National Student Clearinghouse and many other institutions to move large files, directly affects numerous higher ed institutions and solution providers. This, coupled with the June 9, 2023 compliance deadline for the FTC's revised Gramm-Leach-Bliley Act Safeguards Rule, has (or should have) put cybersecurity at the top of mind for college and university decision-makers.

In his latest podcast episode, Dr. Drumm McNaughton once again speaks with virtual chief information security officer Brian Kelly, who returns to Changing Higher Ed to discuss the ramifications of the MOVEit compromise, tools that can help higher ed institutions protect themselves, all nine elements of the GLBA Safeguards Rule that colleges and universities must comply with to receive federal financial aid, what GLBA enforcement could look like, and an online hub that states and higher ed can emulate to bring students into the cybersecurity field.

Highlights

§ MOVEit, a third-party tool used by the National Student Clearinghouse and others to move large data sets, was recently compromised, exposing institutional data. This is having a downstream impact on higher ed since many institutions exchange data with the NSC.

§ In addition to performing triage and internal assessments, higher ed institutions must reach out to all of their vendors and contractors, ask whether they use MOVEit and, if they do, what they are doing to protect the institution's data.

§ It is important to have a process in place for vetting third-party risk. EDUCAUSE's HECVAT can help address this and future problems. It is a standard set of questions that institutions can ask third-party vendors about security and privacy. Over 150 colleges and universities use the HECVAT version 3.0 questionnaire in their procurement process, and large vendors like Microsoft and Google have completed it.

§ HECVAT makes life easier for vendors since they don't have to answer bespoke questionnaires from numerous institutions, each with its own nuances. It also allows the community of CISOs and cybersecurity and privacy practitioners in higher ed to have a conversation around a grounded, standardized set of questions.

§ The Federal Trade Commission's amended Safeguards Rule, which changed the standards for safeguarding customer information, was published on December 9, 2021, and the compliance deadline for most of its new requirements was June 9, 2023. Because institutions that administer federal student aid are treated as financial institutions under GLBA, they must meet the rule's nine elements.

§ The first element is designating a CISO or other qualified individual responsible for protecting customer information, which for a college or university includes student financial aid data. The second is performing a written risk assessment, at least annually, either internally or by a third party.

§ The third is implementing safeguards to control the risks identified. Institutions must periodically review who has been granted access to customer information and ensure that access has not spread beyond the people who need it. They must know where all customer data resides and identify all incoming data. They must encrypt customer information at rest and in transit, follow secure development practices for any software that interacts with Department of Education data, securely dispose of data that has aged out or that the institution should no longer hold, and implement change management. They must also log the activity of authorized users, detect unauthorized access, and review those logs.

§ The fourth is regularly testing and monitoring to validate that these controls are in place and working as intended. The fifth is ensuring that the people who interact with the Department of Education and use customer information are appropriately trained and aware of the risks involved.

§ The sixth is having a program and process to assess and test for third-party (service provider) risk. The seventh is a written, prescriptive incident response plan, regularly tested and validated to see whether it is working, with lessons learned captured. The eighth element, not summarized in these notes, requires the institution to evaluate and adjust its program in light of testing results and changes to its operations (16 CFR 314.4(g)). The ninth requires the CISO or qualified individual to report annually, in writing, to the board or president.

Read the podcast transcript →

About Our Podcast Guest
Brian Kelly supports the safeguarding of information assets across multiple verticals against unauthorized use, disclosure, modification, damage, or loss by developing, implementing, and maintaining methods to provide a secure and stable environment for clients' data and related systems. Before joining Compass, Brian was the CISO at Quinnipiac University and, most recently, the Cybersecurity Program Director at EDUCAUSE. Brian is also an Adjunct Professor at Naugatuck Valley Community College, where he has developed and teaches cybersecurity courses. Brian has diverse experience in information security policy development, awareness training, and regulatory compliance. He provides thought leadership on information security issues across industries and is a recognized leader in his field. Brian holds a bachelor's degree from the University of Connecticut and a master's degree from Norwich University. He has served in various leadership roles on the local boards of the ISSA, InfraGard, and HTCIA chapters. Brian is also a retired Air Force Cyber Operations Officer.

About the Host
Dr. Drumm McNaughton, the host of Changing Higher Ed®, is a consultant to higher ed institutions in governance, accreditation, strategy and change, and mergers. To learn more about his services and other thought leadership pieces, visit his firm's website, https://changinghighered.com/.

The Change Leader's Social Media Links
LinkedIn: https://www.linkedin.com/in/drdrumm/
Twitter: @thechangeldr
Email: podcast@changinghighered.com
#HigherEducation #HigherEdCybersecurity #MOVEitHack
¡Aprende SecTY! EP3.27: The Safeguards Rule and its 9 elements you must comply with (FTC and GLBA), part 2

Following some questions that came up after the previous episode, I clarify some important points that can help you better understand what you must comply with under the FTC Safeguards Rule when your business does not reach 5,000 customers.

This episode is presented by AeroNet, a 100% Puerto Rican technology company and leader in connectivity solutions for businesses and residences in Puerto Rico. Go Faster, Go Save. AeroNet Wireless - Reliable High Speed Internet (aeronetpr.com)

Recommended episodes: Ep 2: Regulations that apply to your business: https://aprendesecty.libsyn.com/ep-2-regulaciones-que-aplican-a-tu-negocio

Sign up for the waiting list for the next cybersecurity workshop, "Know your information and manage it securely", HERE -> https://aprendesecty.com/listaparataller

If you want guidance or a cybersecurity assessment for your business, or want to train your employees on information security, write to me at itsec@sectycs.com; we offer security training for groups of users at small businesses.

Remember: follow us on Facebook, Instagram, Twitter and LinkedIn as @SecTYCS. SUBSCRIBE to our YouTube channel Aprende SecTY: https://www.youtube.com/channel/UC1E9yilgLf5HZMQVDf_ViRw. Send me your questions or recommendations at itsec@sectycs.com. Leave your review on iTunes/Apple Podcasts and share it with people who need to improve security in their business and in their life. You can also listen to us on iTunes/Apple Podcasts, Spotify, Stitcher, Google Podcasts, Amazon Music and iHeartRadio.
¡Aprende SecTY! EP3.26: The Safeguards Rule and its 9 elements you must comply with (FTC and GLBA)

An information security program is like a detailed plan that an organization or company uses to keep its valuable information secure. Institutions subject to the current FTC (Federal Trade Commission) regulations under GLBA (Gramm-Leach-Bliley Act) must have information security programs in place as of June 9, 2023.

This episode is presented by AeroNet.
Today Kevin and Laura talk with Chris Roberts, Boom Supersonic's CISO, about aviation technology, the Concorde, hacking all the things (including the Mars Rover!), building planes, epic beards, DEF CON, Back to the Future, hoverboards and flying cars! Chris also casually confessed to breaking into a prison, money laundering and robbing banks.

Chris is the CISO for Boom Supersonic and works as an advisor for several entities and organizations around the globe. His most recent projects are focused within the aerospace, deception, identity, cryptography, artificial intelligence, and services sectors. Over the years he has founded or worked with several firms specializing in OSINT/SIGINT/HUMINT research, intelligence gathering, cryptography, and deception technologies. These days he's working on spreading the word about risk, maturity, collaboration, and communication across the industry.

Since the late 90s Chris has been deeply involved with security R&D, consulting, and advisory services in his quest to protect and defend businesses and individuals against various types of attack. Prior to that he jumped out of planes for a living, visiting all sorts of interesting countries and cultures while doing his best to avoid getting shot at too often. He's considered one of the world's foremost experts on counter threat intelligence and vulnerability research within the information security industry. He's also made a name for himself in the transportation arena: basically anything with wings, wheels, tracks, tyres, fins, props or paddles has been a target of his research for the last 15 years.

Chris has led or been involved in information security assessments and engagements for the better part of 25 years and has a wealth of experience with regulations such as GLBA, GDPR, HIPAA, HITECH, FISMA, and NERC/FERC. He has also worked with government, state, and federal authorities on standards such as CMS, ISO, CMMC, and NIST. Chris has been credentialed in many of the top IT and information security disciplines and, as a cybersecurity advocate and passionate industry voice, is regularly featured in national newspapers, television news, industry publications and several documentaries. And, to jog the memory, Chris was the researcher who gained global attention in 2015 for demonstrating the linkage between various aviation systems, both on the ground and in the air, that could allow attacks against flight control systems.
Sean was joined by Elliot Golding of McDermott Will & Emery to discuss all things HIPAA privacy and security, information blocking, and a few more critical aspects of cybersecurity. This episode is a must for all medical practices, hospitals and health systems that want to ensure compliance with the ever-changing landscape. Elliot is Sean's go-to when it comes to data privacy and cybersecurity!

About Elliot Golding: Elliot Golding (CIPP/US) is a partner in McDermott Will & Emery's Data Privacy and Cybersecurity Practice. Elliot provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a focus on health care/life sciences, technology (including "digital health"), ecommerce, financial, and other sectors that frequently handle personal information. His practical approach helps clients balance legal risk with business needs, particularly on innovative issues such as "digital health" technologies, the Internet of Things, data monetization, online advertising technology, big data and artificial intelligence/machine learning tools (particularly in the health research context). He has extensive experience helping clients navigate the patchwork of evolving legal standards and best practices, including:
--Federal laws, such as HIPAA/HITECH, the Information Blocking and Interoperability Rules, 42 CFR Part 2, GLBA, COPPA, health research rules, and marketing rules (TCPA, CAN-SPAM, etc.)
--US state laws, such as the CCPA (and the laws coming into force in CA, CO, VA, CT, and UT), CMIA, CalFIPA, laws governing sensitive health and financial information, and state laws governing security and breach notification
--Industry standards, such as the DAA/NAI self-regulatory principles, PCI DSS, and security standards such as NIST and ISO

Elliot has also handled hundreds of breaches and security incidents through all aspects of investigation, notification, remediation and engagement with regulators. He has received awards for his expertise from numerous publications, including Bloomberg and Global Data Review. Elliot also chairs several American Bar Association committees, including the Privacy, Security and Emerging Technology Division; the E-Privacy Law Committee; and the Biotechnology, Healthcare Technology, and Medical Device Committee.
Please join Troutman Pepper Partner Chris Willis and his colleagues Mark Furletti, Joe Reilly, and Christine Emello for the last installment of a special three-part series about the Consumer Financial Protection Bureau's (CFPB) new small business lending data collection and reporting final rule, the Section 1071 rule. Part 3 focuses on specific areas, including those we worry will be especially troublesome for small business lenders.

CFS Partner Mark Furletti focuses his practice on federal and state consumer and small business lending and payments laws, including those that apply to payment cards, buy-now-pay-later transactions, vehicle-secured loans, lines of credit, unsecured loans, and deposit products. He counsels consumer and small business financial services providers, including banks, on regulatory compliance, and defends them in class-action litigation and government supervisory and enforcement matters. He also advises merchant receivables purchasers, companies that specialize in online small business lending, and companies that interact with their customers electronically or set up recurring billing arrangements with their customers.

CFS Partner Joe Reilly regularly represents lenders, fintech startups, neobanks, and mortgage servicers in enforcement matters, including informal investigations and examinations by the CFPB, OCC, Federal Reserve, FDIC, SEC, numerous state agencies, and mortgage government-sponsored enterprises such as Fannie Mae. His compliance counseling work covers the entire range of consumer and business lending laws and rules under TILA/Reg. Z, ECOA/Reg. B, UDAAP, EFTA/Reg. E, the Fair Credit Reporting Act, debt-collection laws, GLBA privacy provisions, state licensing regimes, and others.

CFS Associate Christine Emello focuses her practice on consumer financial services matters, with an emphasis on disputes, litigation, investigations, and examinations. She has worked on both federal and state court cases in jurisdictions across the U.S. She also represents banks, fintechs, and financial services companies in regulatory examinations and investigations brought by state and federal regulators, including the CFPB, the DOJ, and state attorneys general.
This week on Privacy Please, we revisit an oldie but a goodie: the FTC extends the deadline to comply with the GLBA Safeguards Rule until June 9, 2023.
By Adam Turteltaub

The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires providers of consumer financial products to explain how they share information and how they protect sensitive data. It's not, however, only banks that fall under GLBA's umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid, and others as well, explains Kayne McGladrey, Field CISO for Hyperproof.

The FTC has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:
Have a qualified individual to implement and enforce an information security program
Conduct a periodic cybersecurity risk assessment
Implement cybersecurity controls to manage those risks
Document who has access to customer data
Assess the risks of applications that can access the data
Securely destroy old data
Periodically test the controls to verify their effectiveness

In addition, staff must be trained, and there must be a written incident response plan and ongoing testing. It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place. Even so, it's important to conduct a gap analysis, he advises, to ensure all the requirements are being met. Listen in to learn more about what Gramm-Leach-Bliley now requires of your organization.
The Burr Cybersecurity and Data Privacy Podcast is dedicated to keeping businesses and industry professionals in the know about Cybersecurity and Data Privacy issues. The team covers topics, trends, and developments in Cybersecurity and Data Privacy, while also discussing the fundamentals of the law. In this episode, Associate Brenton Thompson discusses the Gramm-Leach-Bliley Act, which is typically referred to as GLBA, and the new rules from the Federal Trade Commission, or the FTC, that amend GLBA privacy rules.
There are few things you need to know about me. I'm a Sneakerhead. I have a very eclectic range of music, & believe R&B, true R&B, may be the best genre ever. Next to Js, my only other addiction is Diet Dr. Pepper. The other thing you must understand about me is I'm loyal to a fault. I'll protect my friends & loved ones at all costs. This same loyalty extends to my clients. You all know at this point, I tell it like it is. I can be politically correct when needed. Today is not one of those days. Buckle in folks.How much do you truly own as a business? Perhaps the better question is: do you know how much you should own? Would you be able to ask the right questions in order to obtain this mystical answer? In a world where GA4 & GLBA are creeping closer to whatever date Google chooses to make & re-make, owning your data becomes a necessity. As I sit in meetings, I'm constantly amazed at how many times dealers ask for their OWN data & X company refuses to provide it. Why? The data belongs to them, not to advertising, CRM, websites, or insert X's data. Stop the madness! Numerous times, the dealer doesn't know what to ask, resulting in a hostage situation. Liam Neeson shouldn't need to intervene to find all the ransomed data. When it comes to your data, remember the words of J Holiday, Mya, & about every R&B singer “Baby, It's Yours!”As a business partner, you demonstrate full transparency & integrate everything. This allows the dealer to see what is truly happening. When a vendor chooses to not follow this protocol, there's a lack of transparency & trust is lost. Dealers shouldn't rely on a report that is 100% one-sided & without any way to verify any of the data presented to them. 
Why do we have to keep having this conversation? An overview of some tools that are constantly under the thumb of certain companies when the DEALER should be the owner:
Google Analytics/GA4 Account
Search Console
Access to all views
Ad Words, Search Console & Connected
Google Business Profile
All GBP 360 Tours
GBP Chat
Facebook & Business Managers
Social Accounts
Reputation Management Tools
CRM & CRM Reporting
As long as the information is securely administered to the appropriate party, it's the dealer's decision on where information is delivered, NOT the CRM Company
Website
Remember you own certain assets even if you part ways. Think about this: blogs, photos, videos, everything that was created.
Chat
All Third Party Providers
Let BZ Consultants Inspect What Should Be Expected
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
Deep dive into new CISA Cybersecurity Performance Goals (CPGs) for healthcare and critical infrastructure
NSA releases new "hacker's playbook" for operational technology (OT) cyberattacks
American Hospital Association (AHA) endorses the Healthcare Cybersecurity Act draft bill
Gramm-Leach-Bliley Act (GLBA) amendments become effective this December and may bring healthcare into scope for GLBA security requirements and enforcement
Massive ransomware outage for CommonSpirit Health impacting over 142 hospitals and the Epic MyChart EHR platform
Advances in quantum computing and the potential for "Q-day" events that could expose data protected by today's public-key encryption to unauthorized decryption
HHS warns that common security and system administration tools are being abused by attackers
CISA alert about Daixin Team ransomware gang targeting healthcare PACS environments via VPN and RDP attacks
New stats and guidance on public cloud security trends and recommendations
Subscribe to Higher Ed Advisor: https://connect.bakertilly.com/higher-ed-advisor-podcastFollow Baker Tilly on LinkedIn: https://www.linkedin.com/company/bakertillyus/Learn more about The University of Southern Mississippi: https://www.usm.edu/
It's Monday and we are on our way to Viva Las Vegas, baby, for Digital Dealer! Can't wait to see you all there. Before we hop on a plane, let's chat about Friday and our chat with Better Vantage Point's Tom Kline. What did you learn? What insights did you gain? What was your takeaway? This week I am so excited to meet and see so many of you in person. Launching Leaders' first annual kickoff is this year and I'm so stoked to see so many incredible females crush this industry!
Follow Tom: https://qrco.de/bdN0mC
Youtube: https://bit.ly/3rGunPp
Apple: https://apple.co/3yslvAs
Spotify: https://spoti.fi/3SWMkW0
Let BZ Consultants Inspect What Should Be Expected: https://qrco.de/bcqqFo
More on Gramm-Leach-Bliley Act (GLBA): https://bit.ly/3C8qk30
How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act: https://bit.ly/3M269bw
FTC's Privacy Rule and Auto Dealers: https://bit.ly/3dXETyB
Follow, subscribe, rate, and never miss a show!
Chapters
0:00 Start
0:52 Viva Las Vegas: So excited to finally attend Digital Dealer, be at a conference live and in person, and see you all!
3:25 Tom Kline: Wow, Wow, Wow! What an incredible conversation we had on Friday with him. What was your biggest takeaway from the GLBA chat? For me there were so many! I loved Tom's point that without inspecting what you expect, you do not have a compliance program. You must audit everything.
#FactsNotFeelings #MovingAutomotiveForward #GLBA #GrammLeachBlileyAct #GLBASafeguardsRule #Compliance #FTC #TomKline #BetterVantagePoint #ADF #XML #DigitalDealer #Consultant #Podcast #Automotive #CarConsultant #AutomotiveConsultant #CarTalk #CarDealership #WomenInAutomotive #LaunchingLeaders #WomenInBusiness #AutomotiveMarketing
Tom Kline from Better Vantage Point & I've been speaking about GLBA for a bit. Last week I dove into the Facts Not Feelings archives where Chris Tragesz, a cyber security forensics specialist, sat down with me at the first of the year in "What's the Biggest Risk?" Following up from "We're Gonna Need A Bigger Megaphone," Tom & I are diving into GLBA & ripping off the Band-Aid. What happens when you rip off the Band-Aid? It stings at first. The pain's instantaneous, but gets better a lot quicker than a slow painful death! What makes this episode different? How can we bring more value? Tom Kline! Tom recently gave a GLBA presentation to the NIADA National Policy Conference. He has 30 years of dealership ownership experience. He now excels in dealership disputes, compliance, risk mitigation, & consulting with his company Better Vantage Point. Next, simplify the talking points. A lot of acronyms & scary terms are used. We want to make this easy, breezy, Cover Girl!
Gramm-Leach-Bliley Act (GLBA): https://bit.ly/3C8qk30
The Privacy of Consumer Financial Information Rule of the GLBA: https://bit.ly/3M269bw
FTC's Privacy Rule & Auto Dealer FAQ: https://bit.ly/3dXETyB
Follow Tom: https://qrco.de/bdN0mC
Let BZ Consultants Inspect What Should Be Expected: https://qrco.de/bcqqFo
Follow, subscribe, rate, & never miss a show!
Chapters
0:00 Start
2:24 GLBA: What? Why? How do ADF/XML forms fit into the Gramm-Leach-Bliley Act?
3:58 Gramm-Leach-Bliley Act history. When's the deadline for dealers?
4:32 What's the first, biggest, & most complicated component of the GLBA in Tom's mind?
6:12 Quick ADF/XML leads tutorial
7:32 Do you know that the definition of PII (Personal Identified Information) is changing?
8:57 To reiterate the last few minutes, there is no one solution that can make you 100% GLBA compliant.
11:07 What's "First Party Data"?
12:14 What's a Compliance Management System (CMS)? Do dealerships need one?
15:15 What are the penalties for violating GLBA? GLBA fines?
16:25 What are the main bullet points of GLBA and FTC Privacy Rules that Dealers should be implementing right now? #1 Securing Data #2 MFA: What is MFA (Multi-Factor Authentication)? Which product does Tom recommend? #3 Education: Did you know that you need to train all of your employees? Are you having all employees sign a policy?
19:40 Dealers can use GLBA software to handle about 30% of the heavy lifting when managing vendors.
21:35 Phishing Tests: Will this truly be implemented in house? It'll take a massive culture shift in some stores.
23:46 Unless you have an audit function behind your compliance program you don't have a compliance program!
24:51 How much insurance do I need? What's Risk Appetite?
31:02 Are Reputation Management companies sufficient?
39:52 Dealers need to audit their websites to ensure compliance with advertising laws.
44:43 Lightning Round
#FactsNotFeelings #MovingAutomotiveForward #GLBA #GrammLeachBlileyAct #GLBASafeguardsRule #FTC #TomKline #BetterVantagePoint #ADF #XML #Podcast #Automotive #CarConsultant #AutomotiveConsultant #CarDealership #WomenInAutomotive #WomenInBusiness
End of month, bring it! After Friday's episode "Outsourced BDC: The Good, The Bad, The Ugly" with Robin Wilson, I think we are all ready to take on the world! I love how she knows who she is, knows the importance of being a trailblazer and leans into it, and does everything possible to move this industry forward. Robin will be the first to lend a helping hand to whomever needs it. Robin's and my conversation is live anywhere you get your podcasts and will be on Youtube tomorrow (Thursday).
Apple: https://apple.co/3dF9W21
Spotify: https://spoti.fi/3C8S20T
Youtube: https://bit.ly/3dNUeS2
Connect with Robin Wilson: https://qrco.de/bdIeyg
Sometimes our singular voice isn't enough and we need that extra assistance. Sometimes we need a bigger megaphone. Maybe you are promoting an event. If people only hear your voice alone, it will eventually fall on deaf ears. There need to be other voices to validate this event, conference, or whatever the "thing" is to legitimize it. I will take this a step further. Since June I have been diving into GLBA and the fact that no one seems to be working towards the resolution of the ADF/XML portion. There are companies left and right charging dealerships a lot of money to be "GLBA Compliant." HOWEVER, when pushed about this ginormous other portion, they all fall short. My voice is not enough. My voice is not loud enough. It is going to take a MUCH bigger and louder megaphone. Enter Brian Pasch. Who is listening now? Who is paying attention now? It takes all of us to move this industry forward. It takes all of us collaborating and rowing the boat in the same direction to accomplish the bigger goal.
Connect with Brooke and BZ Consultants Group: https://qrco.de/bcqqFo
Chapters
0:00 Start
1:39 What Were Your Key Takeaways from Robin's and My Conversation
4:11 There are times when our singular voice isn't enough and we need a little extra help. Sometimes we need a bigger megaphone. Maybe you are promoting an event. It will eventually fall on deaf ears if people only hear your voice. Other voices are needed to legitimize this event, conference, or whatever this "thing" is.
5:09 Furthering this thought. GLBA and the lack of progress on the ADF/XML section have been on my mind since June. It is common to see companies charging dealerships to be "GLBA Compliant"; however, when confronted with the ginormous other portion, none of them rise to the occasion. My voice is not enough to make a difference. My voice is not loud enough. It is going to take a MUCH bigger and louder megaphone. Enter Brian Pasch. Who is listening now? Who is paying attention now?
7:48 In order for this industry to progress, we all need to work together. Our bigger goal can be achieved only when we work together and row the boat in the same direction.
Follow, subscribe, rate, and never miss a show!
#FactsNotFeelings #MovingAutomotiveForward #TakesAllOfUs #BiggerMicrophone #GLBA #ADF #XML #Collaboration #BrianPasch #LouderMicrophone #OutsourcedBDC #BDC #RobinWilson #ProsAndConsOfExternalBDC #BenefitsofOutsourcingBDC #InHouseBDCVsOutsourceBDC #ShouldIHaveAnOutsourcedBDCCompany #BZConsultants #BZConsultantsGroup #FactsNotFeelingsFriday #EpicBDC #HowToRunASuccessfulBDC #WhenToOutsourceYourDealershipBDC #CustomerJourney #CustomerExperience #Consultant #Podcast #Automotive #CarConsultant #AutomotiveConsultant #CarTalk #CarDealership #WomenInAutomotive #WomenInBusiness #AutomotiveMarketing
Tim Cox is joined by John Acosta, CEO at VTech Dealer I.T., and Paul Jensen, Operations Manager at Qvale Auto Group, for an exciting and informative conversation. They discuss the new safeguards put out by the FTC, how dealerships can remain compliant with recent updates to the Gramm-Leach-Bliley Act (GLBA), and other ways to ensure your dealership operations are secure.
What a weekend! I am still trying to check my pulse after the UNC/Duke game! UNC handed Coach K his first ever loss, his final loss at Cameron Indoor, and then defeated him in his final game as Duke's head coach...assuming he doesn't pull a Tom Brady! We have one helluva game tonight! Huge congrats to South Carolina as they cut down the nets in the Women's Tourney! A big thanks to Chris Tragasz for being on the show Friday and kicking the weekend off right as we dove into the simple security "hacks" for dealerships and a brief overview of the Gramm-Leach-Bliley Act (GLBA). Check out Tim Cox's Tim Talks for more info on the GLBA. To keep the security theme going, this week we have Privacy4Cars Founder Andrea Amico on the show. I will be chatting with him about his company and how he is moving the industry forward by keeping our data secure. It really is not that difficult to not be a dick, so don't be one. Dealerships: please own your own data. Please. If a vendor, yes a vendor, as a business partner would NEVER tell you otherwise, tells you that you don't need to own it, it doesn't concern you, they will handle it, RUN like Forrest!! As a business, you should always be the Admin/Owner of your data/systems.
Privacy4Cars
Follow Andrea
Follow Chris on LinkedIn
More on Gramm-Leach-Bliley Act (GLBA)
How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act
FTC's Privacy Rule and Auto Dealers
BZ Consultants
Enjoy and don't forget to subscribe, share, comment, and rate the show. Listen wherever you get your Podcasts!
Spotify
Apple
Amazon Podcast
CastBox
Google Podcast
Stitcher
#BZConsultantsGroup #BZConsultants #BZ #FactsNotFeelings #FactsNotFeelingsFriday #MondayRecap #DigitalMarketing #OwnYourData #AndreaAmico #Privacy4Cars #PrivacyPolicy #ChrisTragasz #CyberSecurity #DigitalForensics #Security #RiskManagement #EmailSecurity #GrammLeachBlileyAct #GLBA #GLBACompliance #GLBAPrivacyRule #Automotive #MobilityOptions #CarMobilityOptions #SubscriptionServices #CustomerExperience #Consultant #BrookeFurniss #UNCDuke #NCAAChampionship
Is your business “significantly engaged” in providing financial products or services of any kind? Then you need to know about the updates to the Safeguards Rule. Let's see what they are with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates. Join us for our next CLE at noon Pacific time on Wednesday, March 30th where we'll explore the impact of the Pandora Papers on the legal industry and the practical, cybersecurity lessons for attorneys and their clients. https://www.eventbrite.com/e/anatomy-of-a-hack-pandora-papers-tickets-255528421387
The FTC's recently updated rule implementing GLB standards for safeguarding customer information replaces the flexibility previously given to financial institutions in developing an information security program with new prescriptive requirements. Our discussion topics include what these new requirements mean for specific aspects of such programs, assigning employee responsibility, conducting risk assessments, installing access controls, using encryption, and who is covered by the rule. We also offer suggestions for what issues financial institutions should consider in preparing to implement the new requirements and our expectations for enforcement. Alan Kaplinsky, Ballard Spahr Senior Counsel, hosts the conversation, joined by Kim Phan, a partner in the firm's Consumer Financial Services Group, and Doris Yuen, an associate in the Group.
Episode 108: Welcome to this week's episode. If you have attended an investigator conference, there is a good chance you know our guest today. We are welcoming Judy Shea from JT Palmer and Associates. Our topic today is Bank searches and the G.L.B.A. We attack this tough topic and try and shed some light on permissible purposes for Bank searches. Let's jump right in with Judy Shea and your host, Private Investigator, Matt Spaier Links: Matt's email: MatthewS@Satellitepi.com Linkedin: Matthew Spaier www.investigators-toolbox.com Judy on linkedin: Judy Shea Judy Email: judy@jtpalmerassociates.com Judy Phone number: 817-894-3539 PI-Perspectives Youtube link: https://www.youtube.com/channel/UCYB3MaUg8k5w3k7UuvT6s0g Sponsors: https://apps.crosstrax.co/signup/index/refcd/LY3R7VUW69 https://merlinlocate.com/ https://siisinsurance.com/ https://irbfocus.com/Rosa/apply?UTM_SOURCE=PI_Perspectives&UTM_MEDIUM=Podcast&UTM_CAMPAIGN=Investigtive&UTM_CONTENT=Evergreen_Leads https://piinstitute.com/
The term Chinese wall, as it is used in the business world, describes a virtual barrier intended to block the exchange of information between departments if it might result in business activities that are ethically or legally questionable. In the United States, corporations, brokerage firms, investment banks, and retail banks have used Chinese walls to describe situations where there is a need to maintain confidentiality in order to prevent conflicts of interest.Over the years, large financial institutions have used Chinese wall policies as a means to self-regulate their business dealings by creating ethical boundaries between departments. However, these efforts have not always been effective. Thus, the Securities and Exchange Commission (SEC) has enacted regulations governing how financial institutions share information. The SEC has implemented fines, penalties, and legal consequences for companies that break these regulations.The need for a Chinese wall in the financial industry became more critical after the enactment of the Gramm-Leach-Bliley Act of 1999. The law repealed federal regulations prohibiting companies from providing any combination of banking, investing, and insurance services. The GLBA reversed restrictions on such combinations that had been in place since the Great Depression. The GLBA also enabled the creation of today's financial giants such as Citigroup and JPMorgan Chase.
GLBA Audits can be confusing and extremely overwhelming. In this episode, our GLBA Guru & Security Strategist, Daniel Gibson, takes us through how to prepare for an audit, what you need to know, and who you need to involve in order to ace your audit. Including what an auditor expects you to have prepared! Find out more in this detail-filled episode full of GLBA tools and guidance.
All about the Gramm-Leach-Bliley Act and the Do-Not-Call Registry! --- Support this podcast: https://anchor.fm/mortgagelenderdiary/support
Brian Murphy, a security specialist at GreyCastle Security, is a technology, information security, and risk management professional. He assists with the development and implementation of cybersecurity solutions for a variety of industries. Brian has knowledge of PCI, SOX, and GLBA compliance requirements, as well as ISO and NIST standards and regulations. On this episode we talk about:
How we are constantly doing risk assessments in our everyday life. At least, we should be.
How using analogies and stories helps people connect with something new, like cybersecurity.
Shifting the mindset to ensure the cybersecurity team's goals tie back to the business' goals.
The importance of culture and providing an environment where employees and the cybersecurity team are constantly learning.
Learn SecTY! Check which industry regulations apply to your business. Each one applies to companies depending on the information they handle. It is important to know which ones apply to you so that you can comply with them and avoid fines.
SOX: https://www.ucipfg.com/Repositorio/MAES/MAES-04/BLOQUE-ACADEMICO/Unidad-3/lecturas/Caso_Enron_2.pdf https://www.soxlaw.com/
GLBA: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
PCI-DSS: https://www.pcihispano.com/que-es-pci-dss/#:~:text=El%20est%C3%A1ndar%20PCI%20DSS%20se,Comerciantes%20(merchants)&text=Entidades%20emisoras%20(issuers) https://www.pcisecuritystandards.org/
HIPAA: https://www.hhs.gov/hipaa/for-professionals/security/index.html https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
GDPR: https://gdpr-info.eu/
FISMA: https://csrc.nist.gov/projects/risk-management
We teach you how to improve information security in your business and in your life. Follow us on Facebook, Instagram, Twitter and LinkedIn as @SecTYCS. Send me your questions or recommendations at: itsec@sectycs.com. Leave your review on iTunes/Apple Podcast and share it with people who need to improve security in their business and in their life. You can listen to us on: iTunes/Apple Podcast, Spotify, Stitcher and Google Podcast.
The California Consumer Privacy Act, which took effect at the beginning of 2020 and has had both regulatory and statutory amendments since then, has been described as “GDPR for California,” and it has effects far beyond the Golden State as it applies to companies that collect the personal information of California residents, wherever they are headquartered. On the ABA Banking Journal Podcast, ABA VP Kitty Ryan discusses: Circumstances in which CCPA may apply to banks apart from exemptions for data covered by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act The extent of CCPA’s application outside of California Different compliance approaches banks might take based on their market footprints, business activities and the applicability of exemptions New consumer rights added to CCPA in a successful November 2020 ballot initiative, as well as a newly created California privacy regulator Additional resources: ABA staff analysis of CCPA ABA staff analysis of August 2020 CCPA rules ABA staff analysis of the California Privacy Rights Act, the November 2020 initiative ABA Frontline Compliance Training course on consumer privacy that includes CCPA
On the heels of recent significant Office for Civil Rights (OCR) breach settlements, one related to the Protected Health Information of 6 million individuals and an allegation related to systemic noncompliance with HIPAA rules, Foley Partner Jennifer Rathburn talks with Brian Resler, a Vice President for Engagement for Stroz Friedberg, an Aon company, to discuss practical and approachable steps you need to take to tweak your cybersecurity program to be better prepared for any potential attacks. Jennifer Rathburn focuses her practice on helping clients prepare for and respond to data breaches, as well as complying with HIPAA, 42 CFR Part 2, GDPR, GLBA, FERPA, and other federal and state privacy laws. She is also co-founder of the Midwest Cyber Security Alliance, a nonprofit, nonpartisan collaboration of stakeholders focused on promoting awareness of hot cybersecurity and privacy issues as well as advocating for more effective solutions. Brian Resler manages teams assisting clients in responding to data breach and cybersecurity incidents, developing and implementing information security programs, and conducting digital forensics for litigation. Prior to Stroz Friedberg, Brian spent about 25 years as a State and Federal Prosecutor, most recently as a litigation supervisor for the U.S. Department of Justice Computer Crime and Intellectual Property Section, supervising and advising on cyber and intellectual property prosecutions around the country.
Khadija Gbla is a feminist and human rights activist from Sierra Leone. She works as a cultural consultant, a keynote speaker and an anti-FGM campaigner, and is Director of Khadija Gbla Cultural Consultancy & Desert Flower Centre Australia. She is an award-winning Human Rights Activist.
__________________________
We really value reviews and feedback, so if you could leave us a review on iTunes or my website at jennawatts.com.au/podcast that would be fab! If you have a friend you would like to nominate, a topic you would like to hear about or an individual you would like to hear from, then I would love to hear from you. You can email me at jenna@jennawatts.com.au. Thank you for the support of 21st Century Women, designed to celebrate and support women (YOU!).
We discuss the modifications with Lauren Valenzuela, Corporate Counsel for Performant Financial, a provider of technology-based solutions to assist debt recovery. Our topics relevant to the debt industry include the potential impact for debt collectors/other service providers indirectly collecting consumer data; changes for processing household requests; availability of GLBA/other exemptions; issues for users of artificial intelligence; relationship of CCPA opt-outs and FDCPA C&D requests; areas needing more clarification.
In episode 95 of our monthly show we’re joined by special guest Rebecca Herold, the “Privacy Professor”. Rebecca is a well known expert in the privacy and cybersecurity community and gives us an update on what she’s been working on, what her thoughts are on the current state of privacy regulations (CCPA, GLBA, etc), and […] The post Rebecca Herold “The Privacy Professor” appeared first on The Shared Security Show.
GDPR, NYDFS, CCPA and other State, Federal and supra-regional regulations are coming online quickly. Governments are driving Security, Privacy & Compliance throughout the world. Since there is no overarching set of Federal privacy laws beyond sector-specific ones such as GLBA, many organizations in the US are unprepared for the upcoming deluge of regulations. Gain an understanding of what is coming, learn ways that you can help future organizations cope with and plan for a "50 States" strategy in an uncertain future, and prepare yourself for that future. About the speaker: Leon Ravenna, CISO - KAR Auction Services - Leon has over 25 years' experience in Healthcare, Financial Services and Technology companies. He leads Global Security Strategy, Execution, Privacy and Compliance services. Leon is currently CISO of a $2.4B multi-national company in the auto auction, salvage and financial services space, providing Security, Privacy & Compliance expertise for over 17,000 employees. Leon has led nationwide support, Web & CRM development efforts, data center builds, and heavy infrastructure for SaaS companies in the medical and financial space. Leon has extensive experience in Regulatory, Compliance & Privacy, having managed ISO 27001, HIPAA, SSAE-16, PCI and NIST system builds and audits. In addition to holding a PMP, Leon is one of a very small group worldwide to hold 6 major Global Privacy certifications including CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US and FIP.
The CCPA takes effect on Jan. 1, 2020. In this podcast, we take a close look at the CCPA's coverage and unique features, the scope of its "GLBA exemption," third party issues, private actions and enforcement remedies, federal privacy law initiatives and the CCPA's influence on state initiatives, and steps for companies facing CCPA compliance.
We explore the effect of the FTC's proposed amendments to the GLBA Privacy Rule, which affects only motor vehicle dealers, and the broader GLBA Safeguards Rule, which applies to all non-bank financial institutions under FTC jurisdiction. The FTC has shifted from a flexible approach to data security to a more prescriptive one that mandates specific elements for information security programs. We will discuss the potential impact of this shift and opportunities for companies to influence the final rules.
New Mexico passed a new data breach notification law in March. Once it is signed, only 2 states will lack their own notification rules: Alabama and South Dakota. What do all the state laws mean when you are also required to do HIPAA notifications? Most of them say that if you are subject to GLBA or HIPAA, the state notification law does not apply to you. But it is always best to be sure you know what your state requires. HIPAA preempts contrary state law only where the state law is less stringent, and states are now enacting stronger legislation in some areas. California and Texas developed some pretty extensive requirements that apply to CEs and BAs in their states. Massachusetts also added their own twist beyond HIPAA. More info at HelpMeWithHIPAA.com/98
The finance industry is increasingly being held accountable for the security, confidentiality and integrity of non-public customer information. By protecting nonpublic personal information (NPI) and personally identifiable information (PII), businesses in the banking and financial services industry can protect private information including customer financial records, social security numbers, income, and account numbers. Organizations that experience a data breach where unencrypted data is lost can suffer fines reaching into the millions of dollars, as well as face indirect costs like brand damage and customer loss. Download this podcast to learn about:
Meeting data security compliance requirements (GLBA, FFIEC, PCI DSS, etc.)
Examples of NPI and PII that need to be encrypted
Encryption and key management
How to take advantage of the GLBA's "safe harbor" protection for privacy notices
While designing computer systems and their underlying protocols, architects impose functionality, security, and privacy requirements or policies with which the designed systems and protocols should comply. These requirements and policies are generally written in natural language, and more often than not the implementations do not comply with them, due to ambiguity, misinterpretation of the requirements, or developer errors. Non-compliance with the requirements can have not only security, privacy, and utility consequences but also safety implications. One possible solution is to express the requirements in a formal language. In addition to eliminating ambiguities and misinterpretations of the requirements, this enables the application of formal verification techniques to check the implementation for compliance against the desired requirements or policies. Formal verification techniques can be applied to compliance checking in three different settings. In the first setting, compliance checking is performed statically, before a system or protocol is deployed. In the second setting, a runtime monitor is deployed alongside the system or protocol, and the monitor provably prevents the system or protocol from taking non-compliant actions. Finally, compliance can be checked post hoc by capturing all the relevant runtime events in an audit log, which is then scrutinized for non-compliance. In this talk, I will present demonstrative examples of using formal verification techniques for compliance checking in each of these settings. About the speaker: Omar Chowdhury is a Post-Doctoral Research Associate at the Department of Computer Science at Purdue University. Before joining Purdue, he was a Post-Doctoral Research Associate at CyLab, Carnegie Mellon University. He received his Ph.D. in Computer Science from the University of Texas at San Antonio.
His research interest broadly lies in the field of Computer Security and Privacy. He is specifically interested in applying formal verification techniques to develop efficient compliance checking mechanisms for computer information systems with respect to applicable privacy regulations such as HIPAA and GLBA. He has won the best paper award at The ACM Symposium on Access Control Models and Technologies (SACMAT). He has also served as a program committee member for ACM SACMAT and ACM CCS.
Individuals have the privacy expectation that organizations (e.g., banks, hospitals) that collect personal information from them will not share this personal information with mischievous parties. To prevent unauthorized disclosure of personal information by organizations, the US federal government has put forward privacy legislation such as HIPAA and GLBA. Violation of these privacy regulations can bring heavy financial penalties down on the organization. To maintain compliance with all the relevant privacy regulations, organizations record day-to-day privacy events in an audit log, which is periodically checked for compliance. The audit logs capturing privacy-sensitive events tend to be large, and due to the cost-effectiveness of cloud infrastructure, outsourcing audit log storage to a third-party cloud service provider is now a viable option for organizations. As the audit logs may contain customers' sensitive personal information, protecting the confidentiality of the audit log data from the cloud service provider and other malicious parties should be a major objective for the organization. One possibility is to encrypt the audit logs before uploading them to cloud storage. However, encrypting the audit log with any semantically secure encryption scheme might prevent the organization from automatically checking the audit log for compliance. Theoretical solutions such as fully homomorphic encryption are not practically viable in this scenario. In this talk, I will present two very simple audit log encryption schemes that reveal just enough information for the organization to run an automatic compliance checking algorithm over the encrypted log. With empirical evaluation we demonstrate that our enhanced compliance checking algorithm incurs low to moderate overheads for our cryptographic schemes, relative to a baseline without encryption.
About the speaker: Omar Chowdhury is a Post-Doctoral Research Associate in the Department of Computer Science at Purdue University. Prior to joining Purdue University, he was a Post-Doctoral Research Associate in CyLab, Carnegie Mellon University. He received his B.Sc. in Computer Science & Engineering from Bangladesh University of Engineering & Technology and his Ph.D. in Computer Science from the University of Texas at San Antonio. His research interest lies in investigating fundamental issues in Computer Security and Privacy. He is interested in developing novel access control features and technologies. His current research focuses on using formal verification techniques to design efficient security and privacy policy analysis and enforcement mechanisms. Specifically, he is interested in developing efficient algorithms for checking compliance with practical privacy policies such as HIPAA and GLBA. He has won the best paper award at The ACM Symposium on Access Control Models and Technologies (SACMAT). He has also served as a program committee member for The ACM Symposium on Access Control Models and Technologies (SACMAT).
Organizations need to comply with a growing number of data privacy regulations. Patrick discusses the various regulations, such as PCI, HIPAA/HITECH, and state privacy laws, as well as how to meet them and what it is like to undergo an audit.