The document summarizes a webinar on privacy and security updates. It discusses three main topics: 1) the benefits of self-reporting data breaches to authorities, as companies that cooperate are viewed more favorably, 2) that a risk management approach is better than relying solely on firewalls since sophisticated attackers can breach any system, and 3) new rules under the USA Freedom Act and a court ruling that now require specific, relevant requests for government access to metadata and call for independent review of such requests.
Advantage ppt data breaches km approved - final (djm notes), by Dan Michaluk
Presentation to Canadian in-house counsel on data breach response and crisis communications. Dan Michaluk and Ian Dick of Hicks Morley and Karen Gordon of Squeaky Wheel Communications.
Cybersecurity Legal Issues: What You Really Need to Know, by Shawn Tuma
Presentation delivered at the Cybersecurity for the Board & C-Suite "What You Need to Know" Cyber Security Summit Sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies' Institute for Homeland Security, Cybercrime and International Criminal Justice. Shawn Tuma, Cybersecurity & Data Privacy lawyer at Scheef & Stone, LLP in Frisco and Dallas, Texas.
The presentation date was September 13, 2016.
As a cybersecurity and privacy attorney, Shawn Tuma spends much of his time helping clients proactively prepare for the legal aspects of cybersecurity incidents and respond to incidents when they occur. His work with management, legal and technology departments, together with his focus on the legal aspects of cybersecurity, gives him unique insight into how the non-technical areas of companies understand and evaluate cybersecurity.
In his presentation, Tuma will explain how, in his experience, the traditional fear, uncertainty, and doubt (FUD) that has been used to “sell” cybersecurity has now gone too far: it has created a feeling of hopelessness in many companies and led many to simply quit trying. Instead of always focusing on the fear, he will explain how cybersecurity professionals should help empower companies to do what they can, even if they can’t do everything, so that they can at least improve their cybersecurity posture even if they can’t become “secure.”
Tuma will explain how recent legal and regulatory compliance developments encourage companies to take this approach by doing what is reasonable, and he will provide specific action items that virtually all companies can implement to better themselves in this regard, especially if they find themselves in an incident response situation.
After completing this session, you will:
• Understand why cybersecurity is as much a legal issue as it is a business or technology issue.
• Understand how most legal and regulatory compliance actions support a “take reasonable measures” approach instead of a “strict liability” approach to companies’ pre-breach activities.
• Understand the need to, and how to, focus on the basics of risk and preparation for mitigating such risk.
• Understand the 2 primary legal and regulatory compliance areas that pose the most risk to companies and key action items that can help mitigate that risk.
• Know the 3 pre-breach must-haves for every company to have in place.
• Understand the importance that cybersecurity- and privacy-focused contractual agreements have for companies and how such agreements can be negotiated.
• Understand why selling the FUD impedes all of these objectives and harms companies’ cybersecurity posture more than it helps.
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee..., by Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to SecureWorld Expo Dallas on September 27, 2016.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great a threat as regulatory enforcement by agencies such as the FTC and SEC, or shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then explains why, given this crisis environment, leadership is needed to keep the parties calm and rational and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events, why legal counsel is the natural leader to fulfill this role, and how they can do so. It then discusses the process legal counsel will follow, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from the incident itself and from failing to respond to it properly. This section includes a discussion of the cybersecurity lawsuit landscape, the cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Third-Party Risk Management: How to Identify, Assess & Act, by TrustArc
Risks in today's climate are continuing to evolve with respect to third parties. With so many employees working remotely, we depend day in and day out on third-party technologies, data sources and providers. It’s important for every business to ensure that its privacy program is automated and based on a deep understanding of risk, as well as on management and mitigation plans for the risks that are assumed.
Along with regulatory compliance such as GDPR, CCPA, HIPAA or Privacy Shield, one of the most important components of a privacy and security risk management program is understanding and managing your third-party risk and compliance. At the same time, you’re struggling to keep up with privacy assessments and security audits of your own data handling practices.
Join this webinar to learn how organizations are automating the process of identifying, assessing and acting on internal and third-party privacy risks to create robust and compliant privacy management programs.
This webinar will review:
- Third-party risk considerations every organization needs to be aware of;
- The importance of risk mitigation for inherent and residual risks of business processes, systems, third parties and company entities;
- How the TrustArc Risk Profile helps fully automate both company and third-party risk management for organizations.
Privacy Frameworks: The Foundation for Every Privacy Program, by TrustArc
The Nymity Privacy Management Accountability Framework™ and the TrustArc Privacy and Data Governance Framework have come together! During this webinar, you will learn all about the integrated framework and how to use, going forward, the frameworks you have been accustomed to for many years. The integrated framework will soon be publicly available and will be supported by all of TrustArc’s software solutions.
In addition, during this webinar we will discuss the importance of using a privacy framework as the backbone of your privacy program. How does the integrated TrustArc/Nymity framework relate to the new NIST Privacy Framework for example, or to the ISO 27001 and ISO 27701 standards?
Join this webinar to learn about:
- The integrated TrustArc/Nymity Privacy and Governance Framework and how to use it;
- The value of using a privacy framework as the backbone of your privacy program;
- How to use the integrated TrustArc/Nymity Privacy and Governance Framework in combination with international standards like NIST and ISO.
Post US Election Privacy Updates & Implications, by TrustArc
The United States election on November 3rd will impact the future use of personal information for organizations doing business with US citizens. From presidential results to state propositions, there will be many privacy ramifications, and how we move forward to embrace the new changes is a topic that will bring many perspectives.
Join us as we discuss the implications of the US election, including California’s Proposition 24 which would expand the provisions of the CCPA and what the next administration’s role will be in helping shape the new framework for EU-US data transfers.
- Privacy issues that were included or arose in the 2020 election
- Implications of election outcomes on privacy laws or priorities
- What to watch for in 2021
This is a presentation I delivered to lawyers attending the Alberta Law Conference. It was very conceptual in nature, focusing on some of the broader forces affecting employers and employees. The two topics of substance are "information governance" and social media misuse.
How to Manage Vendors and Third Parties to Minimize Privacy Risk, by TrustArc
The scope of vendor or third-party requirements has significantly grown due to the global pandemic we’re living in. Not only are you working to ensure your vendor management efforts will result in compliance with GDPR, CCPA and other privacy regulations, now you must consider privacy risks associated with COVID-19.
Regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Organizations need to be able to collect, maintain and track critical data for ongoing vendor management in order to properly evaluate, monitor and track their status.
This webinar will provide:
- Overview of privacy laws and regulations (e.g., CCPA, GDPR) and corresponding vendor and third-party requirements
- Summary of vendor management processes and how they can be supplemented to specifically address data privacy and security risks
- Best practices for managing data privacy in your vendor network
- Guidance on how to build and manage your vendor privacy management program with practical solutions
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ..., by TrustArc
Watch the webinar on-demand: https://info.trustarc.com/mastering-article-30-compliance-webinar.html
78% of companies need help with conducting a data inventory.
As businesses grapple with the requirements of the GDPR, one of the most challenging is the need to create a comprehensive record of all of your data processing activities, as required under Article 30 of the GDPR. Recent research from Dimensional Research/TrustArc found that 78% of companies said they needed help with conducting a data inventory. With a project of this scale, why reinvent the wheel when you can learn from other privacy professionals who have gone through the process of scoping, communicating, managing and delivering a comprehensive data inventory and mapping project?
Watch this webinar on-demand to hear from in-house privacy professionals and consultants how to:
- build a business case for the data inventory
- involve other departments across the business
- understand the benefits of different methodologies, such as a systems-based or process-based approach
- review the tools and technologies available to help you
- maintain the inventory over time
To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2, by TechSoup Canada
Part 1 of this webinar series provided an overview of cybersecurity and explained the cyber risks and legislation affecting nonprofits. In part 2 of the series, Imran Ahmad of Miller Thomson, LLP returns to answer your questions on cybersecurity and to delve deeper into cybersecurity maintenance and best practices to avoid data breaches. This ranges from implementing measures to prevent data breaches in the pre-attack phase to implementing security best practices in the event of a cyber attack or breach.
What you will learn:
· How to develop key cybersecurity-related documents;
· How to maintain an internal matrix of when to notify affected individuals;
· How to review contracts from a cybersecurity compliance perspective.
How your nonprofit can avoid data breaches and ensure privacy, by TechSoup Canada
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT..., by MIT Startup Exchange
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT CSAIL Decentralized Information Group. Keynote held at MIT Startup Exchange (STEX) Cybersecurity Innovation workshop (5/28) at MIT on Thursday May 28, 2015, 8:30 AM to 11:30 AM, at One Main Street, Cambridge, MA, USA.
COVID-19: What are the Potential Impacts on Data Privacy?, by TrustArc
What few expected to happen in these modern times of continuous global travel and interconnectedness did happen after all. COVID-19, or the Coronavirus, has caused governments to close national borders, issue ‘shelter at home’ warnings, and cancel public and private group gatherings and events.
Many companies have adopted policies and remote work practices requiring or allowing their employees to work from home in situations where their responsibilities can be managed off-premise. In this webinar, we address the most common challenges organizations currently face.
Watch this webinar to learn about:
- The privacy implications of the COVID-19 pandemic
- What employers can do to control the spread and mitigate the effects of the virus, and what additional data they can process about their employees
- How employers can ensure good data protection and governance practices for employees working from home
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk, by TrustArc
In today’s uncertain environment, organizations are regularly confronting new and evolving risks. Data-related risks can stand alone or converge with other enterprise risks, such as third-party risk, regulatory compliance risk (such as CCPA and GDPR), security risk, and operational and financial risks.
Identifying, understanding, managing, and reporting on data risks across the organization is a critical part of an integrated data governance strategy and essential to enterprise risk management. Organizations that have continuous insights into their evolving risks are able to focus resources on the highest areas of risk and prioritize risk mitigation strategies and plans.
This webinar will review: risk management and privacy; third-party vendor risks in today’s climate; top considerations for focusing resources on the highest areas of risk; risk reporting to management and the board; and the tools and best practices to manage, automate and continuously monitor both company and third-party risk.
Cyber Security for Your Clients: Business Lawyers Advising Business Clients, by Shawn Tuma
This presentation focused on cyber security protections for businesses and other law firm clients. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at TexasBarCLE's 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Cybersecurity for Your Law Firm: Data Security and Data Encryption, by Shawn Tuma
This presentation focused on cybersecurity protections for law firms and attorneys' ethical obligation to protect client information. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at TexasBarCLE's 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Cyber Liability Insurance Counseling and Breach Response, by Shawn Tuma
This presentation focused on teaching attorneys how to counsel their clients on cyber insurance and guide them through the data breach incident response process. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at TexasBarCLE's 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
5 Signs Your Privacy Management Program is Not Working for You, by TrustArc
GDPR, CCPA, and other privacy regulations have forced companies over the last five years to focus on building out a privacy management program regardless of their size or maturity. Privacy management can range from ad hoc decentralized spreadsheets to fully optimized, technology-backed solutions, depending on the resources and support provided.
Whether you pulled together the bare minimum compliance requirements or built out an end-to-end privacy management program, the goal is to provide your internal stakeholders with actionable insights to make strategic data-driven decisions.
Join this webinar to learn the five signs that signal your privacy management program isn’t built to last and find out how you can get on the road to recovery.
Key takeaways:
- The five signs that signal your privacy management program isn’t built to last
- What a privacy management program should include to provide actionable insights to make strategic data-driven decisions
The concept of marketplace is to provide a common platform for buyers and sellers to connect with each other for business purpose. The seller/vendor can open their store to list products which they want to sell under defined categories which are defined by admin.
Post US Election Privacy Updates & ImplicationsTrustArc
The United States election on November 3rd will impact the future use of personal information for organizations doing business with US citizens. From presidential results to state propositions, there will be many privacy ramifications, and how we move forward to embrace the new changes is a topic that will bring many perspectives.
Join us as we discuss the implications of the US election, including California’s Proposition 24 which would expand the provisions of the CCPA and what the next administration’s role will be in helping shape the new framework for EU-US data transfers.
-Privacy issues that were included or arose in the 2020 election
-Implications of election outcomes on privacy laws or priorities
-What to watch for in 2021
This is a presentation I delivered to lawyers attending the Alberta Law Conference. It's was very conceptual in nature, focusing on some of the broader forces affecting employers and employees. The two topics of substance are "information governance" and social media misuse.
How to Manage Vendors and Third Parties to Minimize Privacy RiskTrustArc
The scope of vendor or third-party requirements has significantly grown due to the global pandemic we’re living in. Not only are you working to ensure your vendor management efforts will result in compliance with GDPR, CCPA and other privacy regulations, now you must consider privacy risks associated with COVID-19.
Regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Organizations need to be able to collect, maintain and track critical data for ongoing vendor management in order to properly evaluate, monitor and track their status.
This webinar will provide:
-Overview of privacy laws and regulations (i.e., CCPA, GDPR) and corresponding vendor and third-party requirements
-Summary of vendor management processes and how they can be supplemented to specifically address data privacy and security risks
-Best practices for managing data privacy in your vendor network
-Guidance on how to build & manage your vendor privacy management program with practical solutions
Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your ...TrustArc
Watch the webinar on-demand: https://info.trustarc.com/mastering-article-30-compliance-webinar.html
78% of companies need help with conducting a data inventory.
As businesses grapple with the requirements of the GDPR one of the most challenging is the need to create a comprehensive record of all of your data processing activities as required under Article 30 of the GDPR. Recent research from Dimensional Research/TrustArc found that 78% of companies said they needed help with conducting a data inventory. With a project of this scale why re-invent the wheel when you can learn from other privacy professionals who have gone through the process of scoping, communicating, managing and delivering a comprehensive data inventory and mapping project.
Watch this webinar on-demand to hear from in-house privacy professionals and consultants how to:
- build a business case for the data inventory
- involve other departments across the business
- understand benefits of different methodologies – such as a systems or process-based approach
- review the tools and technologies available to help for you
- maintain the inventory over time
To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2TechSoup Canada
Part 1 of this webinar series provided an overview of cybersecurity and explained the cyber risks and legislation affecting nonprofits. In part 2 of the series, Imran Ahmad of Miller Thomson, LLP returns to answer your questions on cybersecurity and to delve deeper into cybersecurity maintenance and best practices to avoid data breaches. This includes the implementation of measures to prevent data breaches in the pre-attack phase, to the implementation of security best practices in the event of a cyber attack or breach.
What you will learn:
· How to develop key cybersecurity-related documents;
· How to maintain an internal matrix of when to notify affected individuals;
· How to review contracts from a cybersecurity compliance perspective.
How your nonprofit can avoid data breaches and ensure privacy (TechSoup Canada)
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT... (MIT Startup Exchange)
Building Trust in a Tense Information Society, Daniel Weitzner, Director, MIT CSAIL Decentralized Information Group. Keynote held at MIT Startup Exchange (STEX) Cybersecurity Innovation workshop (5/28) at MIT on Thursday May 28, 2015, 8:30 AM to 11:30 AM, at One Main Street, Cambridge, MA, USA.
COVID-19: What are the Potential Impacts on Data Privacy? (TrustArc)
What few expected to happen in these modern times of continuous global travel and interconnectedness did happen after all. COVID-19, or the Coronavirus, has caused governments to close national borders, issue ‘shelter at home’ warnings, and cancel public and private group gatherings and events.
Many companies have adopted policies and remote work practices requiring or allowing their employees to work from home in situations where their responsibilities can be managed off-premise. In this webinar, we address the most common challenges organizations currently face.
Watch this webinar to learn about:
-The privacy implications of the COVID-19 pandemic
-What employers can do to control the spread and mitigate the effects of the virus, and what additional data they can process about their employees
-How employers ensure good data protection and governance practices for employees working from home
Assessing Risk: How Organizations Can Proactively Manage Privacy Risk (TrustArc)
In today’s uncertain environment, organizations are regularly confronting new and evolving risks. Data-related risks can stand alone or converge with other enterprise risks, such as third party risk, regulatory compliance risk - such as CCPA and GDPR, security risk, operational and financial risks.
Identifying, understanding, managing, and reporting on data risks across the organization is a critical part of an integrated data governance strategy and essential to enterprise risk management. Organizations that have continuous insights into their evolving risks are able to focus resources on the highest areas of risk and prioritize risk mitigation strategies and plans.
This webinar will review: risk management & privacy, 3rd party vendor risks in today’s climate, top considerations to focus resources on highest areas of risk, risk reporting to management and the board; and the tools & best practices to manage, automate and continuously monitor both company and third-party risk.
Cyber Security for Your Clients: Business Lawyers Advising Business Clients (Shawn Tuma)
This presentation focused on cyber security protections for businesses and other law firm clients. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at the TexasBarCLE 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Cybersecurity for Your Law Firm: Data Security and Data Encryption (Shawn Tuma)
This presentation focused on cybersecurity protections for law firms and attorneys' ethical obligation to protect client information. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at the TexasBarCLE 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Cyber Liability Insurance Counseling and Breach Response (Shawn Tuma)
This presentation focused on teaching attorneys how to counsel their clients on cyber insurance and guide them through the data breach incident response process. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at the TexasBarCLE 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
5 Signs Your Privacy Management Program is Not Working for You (TrustArc)
GDPR, CCPA, and other privacy regulations have forced companies over the last five years to focus on building out a privacy management program regardless of their size or maturity. Privacy management can range from ad hoc decentralized spreadsheets to fully optimized, technology-backed solutions, depending on the resources and support provided.
Whether you pulled together the bare minimum compliance requirements or built out an end-to-end privacy management program, the goal is to provide your internal stakeholders actionable insights to make strategic data-driven decisions.
Join this webinar to learn the five signs that signal your privacy management program isn’t built to last and find out how you can get on the road to recovery.
Key takeaways:
- The five signs that signal your privacy management program isn’t built to last
- What a privacy management program should include to provide actionable insights to make strategic data-driven decisions
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
This presentation focuses on the rising prominence of insurance considerations and, more particularly, on the legal aspects of insurance as it relates to cybersecurity and privacy.
The presentation defines "Cyber and Privacy Insurance” and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions, the presentation then gives a snapshot of how the cyber insurance market is maturing, its participants, costs, and related attributes.
Consideration is given to the importance of defined terms, before launching into the difficulties that providers and users have in measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate the associated risk/cost analyses and cost structures.
Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together in a cohesive manner.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
Part of the webinar series: CORPORATE & REGULATORY COMPLIANCE BOOTCAMP 2022 - PART I
See more at https://www.financialpoise.com/webinars/
There's a Crippling Cyber Attack Coming Your Way! Are we prepared to stop it? (Brian K. Dickard)
How many of you think that the US power grid can be taken out for an extended time period by a cyberattack? The threat is real and sophisticated, and our ability to mount a coordinated response at both the government and private industry level is limited. This presentation explores the critical issues involved in making meaningful progress to detect and defend against this threat.
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G... (Shawn Tuma)
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to the meeting of Women's In-House Network - DFW on April 27, 2017.
This presentation included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies and the EU's General Data Protection Regulation (GDPR).
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help minimize the likelihood of such a breach becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then turns to the need, created by that crisis environment, for leadership in keeping the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events, why legal counsel is the natural leader to fill this role, and how they can do so. It then discusses the process legal counsel will follow, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from the incident and from failing to respond to it properly. This section includes a discussion of the cybersecurity lawsuit landscape, the cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Are cybersecurity concerns keeping you up at night? Join Paige Boshell and Amy Leopard who lead our Privacy and Information Security Team for a discussion on developing and updating your cybersecurity plan, incorporating industry standards and regulatory guidance from the Financial Institution and Healthcare industries.
Cyber security legal and regulatory environment - Executive Discussion (Joe Nathans)
What will you do when a breach occurs, and critical, confidential information has been publicly disclosed?
• FBI, Law Enforcement or Reporter Calls
• You become the Top News Story
• Investors need answers
• Regulatory Agencies are asking questions
• Your Customers, Suppliers, and Employees are affected, concerned, and need information
• The Breach becomes your only priority and you don’t know:
o What happened and what was disclosed?
o Who is responsible for resolution and who is on our team?
o What are our legal responsibilities?
o How will we manage the surge volume of communications, discovery and analysis?
o Who will pay?
The following presentation begins to address some of the legal and regulatory issues that are involved. The presentation is for discussion purposes only and should not be considered legal advice.
June 16 2015 P&S Update Webinar
1. Privacy & Security Update
June 16, 2015 Webinar
Mike Geske
GESKE COUNSEL, LLC
Washington, DC
202.904.1077
Michael.Geske@GeskeCounsel.com
2. Privacy & Security Update
1. Benefits from Self-Reporting Data Breaches to DOJ, FTC
2. Operating Securely: Risk Management v. Firewalls
3. New rules about NSA bulk collection and use of metadata
• USA Freedom Act; and
• ACLU v. Clapper, No. 14-42-cv (2d Cir. May 7, 2015)
3. Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
Ass’t AG Caldwell Speech (May 20, 2015): Remarks at the Georgetown Cybersecurity Law Institute
4. Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): An FTC data-breach or security investigation asks: despite breaches or data security problems, were the company’s data security practices, including its response, on balance, reasonable?
5. Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
Company’s response is an essential element of FTC’s inquiry
• Help affected consumers
• Cooperate with criminal, law-enforcement agencies against hackers
“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. … It’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
6. Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
FTC data-security investigations are non-public
Can request information and documents, including from
• Consumers
• Vendors and banks
• Other companies
• Employees
7. Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
• Information security plan
• Employee handbooks; training
• Cost effectiveness of available defenses
• Audits, risk assessments
• Privacy policies; security promises to consumers
• Compliance v. policy
• Circumstances of breach
o What happened
o What protections were in place
o What consumer harm is likely; any consumer complaints
o How company responded
8. Benefits from Self-Reporting Data Breaches to DOJ, FTC
Ass’t AG Caldwell Speech (May 20, 2015): Joint Announcement of FTC Statement
• General View: Hacked companies are victims
• Recounts cooperative take-downs of attacks, capture of hackers
o Private sector
o DOJ, FBI, DHS, Secret Service, Dep’t of State, Foreign Law Enforcers
• Cybersecurity Unit in CCIPS (Cyber Crime and Intellectual Property Section)
• Self-reporters gain Unit’s expertise, forensic tools, legal authority for warrants
9. Operating Securely: Risk Management v. Firewalls
“One of the defining characteristics of these attacks is that they can penetrate virtually all of a company’s perimeter defense systems, such as firewalls or intrusion detection systems: Intruders … exploit all layers of security vulnerabilities until they achieve their goal. In other words, if a sophisticated attacker targets a company’s system, they will almost certainly breach them.”*
*NACD Cyber-Risk Oversight Handbook (2014) at 4. You can download a copy of the Handbook at the NACD website.
10. Operating Securely: Risk Management v. Firewalls
All risks are not the same; all data are not crown jewels.
NACD Handbook Principle 5: “Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance as well as specific plans associated with each approach.”*
*Principle 5 is discussed on pp. 4 & 14 of the NACD Cyber-Risk Oversight Handbook. The NACD Handbook is expressly consistent with CKS guidance to avoid “siloed” thinking. See pp. 7, 13.
11. Operating Securely: Risk Management v. Firewalls
• DOJ White Paper, Best Practices for Victim Response and Reporting of Cyber Incidents (Apr. 29, 2015).
• NIST, Computer Incident Handling Guide, Special Publication 800-61 Rev. 2 (Aug. 2012).
• NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
• CSIS/DOJ Active Cyber Defense Experts Roundtable, Summary of Topics and Views (Mar. 10, 2015).
12. Operating Securely: Risk Management v. Firewalls
Have a Response Plan
• Actionable: personnel, procedure, equipment
• Identify and protect cyber assets
• Collect, preserve data about incident
• How to continue operations while responding to attack
Make contacts/relationships prior to breach with
• Local FBI field office, DHS (NCCIC), state law enforcement
• Consultants, lawyers
Do NOT “hack back”
• Generally unlawful under U.S. statutes
• Risks warfare with an unknown adversary
• Unlikely to succeed
13. Operating Securely: Risk Management v. Firewalls
ORDER OF CYBER-RISK MANAGEMENT DECISIONS
1. Data, assets, services meriting most protection
o Who must have access
o Under what conditions
2. Appropriate protections and limits for each rank
3. Test, review, learn, amend
o Before and after next hack
14. USA Freedom Act and ACLU v. Clapper
ACLU v. Clapper (2d Cir. May 7, 2015)
• Specific, relevant request required for government access
USA Freedom Act (June 2, 2015)
• Metadata still collected
• Held by companies not NSA
• Specific, relevant request required for government access
• Independent amici at FISC, FISC-R
15. USA Freedom Act and ACLU v. Clapper
Wise Agnostics
Will USA Freedom Act be effective?
Executive Order No. 12333
Director Clapper admittedly and demonstrably lied under oath to Congress
Mandated reports will not be under oath, just statutorily mandated
How long will communication providers keep the data?
Where and under what conditions
Integrity matters
Data-wealthiest man of all history is now a data-beggar
16. MICHAEL R. GESKE
Leader, CKS Privacy & Security
GESKE COUNSEL, LLC
202.904.1077
Washington, DC
GeskeCounsel@Outlook.com
Editor's Notes
FTC in particular realizes that companies may be reluctant to share information with government (particularly an agency with as broad a mandate as Section 5 of FTC Act) when not compelled to do so, because the same agency can use that same information in a consumer protection action.
This statement is a slight paraphrase. But what the FTC Statement from May 20 does is unpack it so that a company knows what the FTC does in a breach investigation and how it does that.
Non-public means the FTC can’t disclose whether a company is under investigation prior to taking some additional official action, e.g., an administrative action or lawsuit. That generally suggests it’s in an investigated entity’s interest to cooperate in the first instance.
But for all its protestations about “looking for cooperation” on investigating hacks, FTC is still a prosecutorial entity.
There are two warnings here, too, though they are never stated expressly.
If you don’t give FTC cooperation in the form of providing the information it needs, it can get that information elsewhere and will do so. Putting FTC to that trouble removes FTC’s incentive not to cause the company any trouble.
If necessary, the FTC has broad powers to fact check what you tell the FTC to ensure its accuracy. So don’t play games here.
Audits, risk assessments:
1. Keep legal advice and work product, and the legal assessment of potential claims, separate.
2. Audits imply testing of the plan.
Employee handbooks and training: It’s one thing to have a plan, quite another to have people internalize that plan in their everyday business practices.
Particularly IT folks. It’s one thing to say employees can’t bring their own devices, but IT folks are constantly allowed to take stuff home for work on thumb drives. That’s Edward Snowden: despite a classic no-BYOD rule for classified information, he took it all out.
FTC Section 5.
CCIPS is in DOJ Criminal Division
Why? Users, customers, and even IT staff are individually and collectively the source of most breaches.
On June 10, 2015, BBC.com reported “Kaspersky Lab cybersecurity firm is hacked” (Kaspersky is a leading supplier of anti-virus software). The malware was spread through MS Software Installer files, which even sophisticated IT staff routinely use to install programs on remote computers.
Insurance that covers cybersecurity losses is much better than even a couple of years ago, but you must still expressly ask about and understand any exclusions.
Subcontracting certain tasks to vendors or other non-employees
DOJ Best Practices white paper provides an outline of how to start preparing a plan. Written with small to medium sized companies in mind.
Surveys (by, e.g., PwC; Cisco 2015 Annual Security Report) show that fewer than half of large firms, and a much smaller percentage of small and medium firms, have a plan.
DHS (Nat’l Cybersecurity & Communications Integration Center) is 24/7: share and receive info about an ongoing incident to/from gov’t, other victims
Incident data is not just computer logs or other IT databases or reports: breaches are often accompanied by emails, phone calls, and other communications.
All 56 FBI Field Offices have a Cyber Task Force or InfraGard chapter. They hold regular outreach sessions with the private sector. Call them.
One size does not fit all; but the government documents I have referenced so far provide a conceptual framework for how to go about generating, executing and revising a cyber-risk management plan, and explain why it’s better to consider certain questions before others when assembling or revising a cyber-risk response plan.
First, ask question 1. We need to unpack three important insights buried there.
A. Some companies generate profit by mining data that they have collected on their customers and selling the insights from that mining; retail banks, on the other hand, make money by making the confidential, sensitive, traditionally private data they hold about their customers freely and easily available to those customers. How the company makes money will guide your ranking. This process must be revisited and revised.
And let us recall that cyber attacks are not just data hacks. Even bricks & mortar assets are more often than not wired to communicate through networks, the so-called Internet of Things. Services, e.g., legal advice and representation, are now entirely dependent on the successful operation and security of private and public networks.
The results of identifying and ranking the value of the data, assets, and services cannot be carved in stone.
The value of each to the company’s mission may change over time, which means that the level of protection each deserves will change, too.
The ability to protect each item changes over time as cyber attacks morph.
The cost of protection changes constantly, too. The title of this section is a prime example: not long ago, and still today for most companies, having a good firewall was the best protection on offer. So great cost and effort was devoted to that; but as hackers have found ever more successful ways of penetrating firewalls, we have switched to a risk management model because firewalls are routinely breached.
Only after identification and ranking of assets at risk can a company decide what protections would be reasonable, i.e., cost-effective, for each type. Otherwise, you’ll just be chasing the latest fashion. That’s how we got to everyone thinking a firewall is enough; suddenly that is not true, yet the majority of companies have no plan for finding an additional, alternative approach. No one is suggesting that every company will get it right.