California Privacy Act – What Businesses Need To Do, Now.

After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:

  • Privacy Policy: A business’ privacy policy must inform consumers of their rights under the CCPA and how they can submit requests to know or delete personal information. In addition, the privacy policy should disclose the categories of personal information collected, the categories of personal information disclosed for a business purpose or sold to a third party and provide on a per category basis the categories of third parties to whom the information was disclosed or sold.
  • Required Notices: The final regulations detail the information that should be included in the various notices. They also require business to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. In addition, the AG clarified that the regulations do “not require a cookie banner, but rather leave it to businesses to determine the formats that will best achieve the result in particular environments. In other words, it appears that the use and nature of tracking technologies can be disclosed in the privacy policy assuming that policy is readily available to the public.
  • Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
  • Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
  • User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
  • Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
  • No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.

Privacy Shield Update from the Federal Trade Commission

On July 16, 2020, the European Court of Justice issued a judgment declaring invalid the European Commission’s Decision 2016/1250/EC of July 12, 2016 on the adequacy of the EU-U.S. Privacy Shield Framework. We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers. Updated on July 21st, 2020.

PrivacyCon 2020 | Federal Trade Commission

The FTC will host its fifth annual PrivacyCon on July 21, 2020. For PrivacyCon 2020, the FTC is seeking research presentations on any topic related to consumer privacy and security. However, we will focus in particular on the privacy of health data collected, stored, and transmitted by mobile applications (“apps”). The call for presentations saught empirical research responding to several questions, including:

What are the risks to consumer data, particularly data held by health apps, and how does the risk vary by product and data type?
Which products are transmitting user data to third parties, who are the recipients, what are the data, and what are the apparent purposes for these transmissions?
Has empirical work assessed consumer perception of the privacy and security of products that handle sensitive information? What factors affect that perception (e.g., endorsement by a credible organization, popularity, representations in the privacy policy, claims in a user interface, paid versus non-paid version)? Are consumer perceptions of the privacy and security of products accurate? How do we know?
What are the tradeoffs between product functionality (including the ability to combine data from various devices) and increased security or increased privacy protections?
Are there unique attributes or characteristics of apps that collect, store, or transmit health data that merit special attention or focus?
The deadline for submissions was April 10, 2020.

PrivacyCon is free and open to the public.

This event will be held online.

via PrivacyCon 2020 | Federal Trade Commission

Simplify For Success

There is tremendous value to simplification. To quote Steve jobs, “Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it is worth it in the end because once you get there, you can move mountains.” We wanted to explore how people and companies achieve simplification in this series of posts.

Data is complex but our solution to managing data need not be complex. Can simplifying what we are doing help us to do more with less?

Simplification is a key focus for many companies and everyone understands how eliminating unnecessary complexity can lead to more successful outcomes. But achieving simplicity is hard. So why is simple not easy and obvious?

First, lack of time to simplify. Your processes or products can get more complex over time as new aspects are introduced. Or your first iteration to achieve your objectives might not be the simplest version – but you are in a time crunch to get that first product or prototype out of the door. In either case, you realize there might be simpler ways to achieve what you are doing, but you just do not have the time to step back and possibly disrupt your current state while redesigning and rebuilding a simpler and a more straight forward version. Again to quote Steve Jobs, “When you first start off trying to solve a problem, the first solutions you come up with are very complex, and most people stop there. But if you keep going, and live with the problem and peel more layers of the onion off, you can often times arrive at some very elegant and simple solutions.”

Second, a perception that simple might be inferior. Often detailed and sophisticated problems require complex solutions. A solution might feel basic or inadequate or not good enough. The thinking can be when the problem we are solving is obviously complex, shouldn’t the solution also be complex?

Finally, simplification efforts get held back by lack of clarity. Clarity around exactly what needs to done and clarity around what exactly is being done in each step of the process. Once that clarity is available, it is easier to eliminate processes or steps that are not adding value and only focus on those that are doing what needs to be done. But this is easier said than done.

So what do you think is the best way to simplify? How does your company view simplification? is the right approach to re-configuring processes to streamline and eliminate unnecessary or repeated parts of the process. Or do you see better results when you start from an innovation focused approach to simplification. Are new advances in technology or radical redesign the only way you can simplify?

If you would like to share your thoughts please let us know.

via Simplify For Success

FTC Releases Agenda for PrivacyCon 2020 | Federal Trade Commission

via FTC Releases Agenda for PrivacyCon 2020 | Federal Trade Commission

The Federal Trade Commission has released the final agenda for its fifth annual PrivacyCon event, which will be held online on July 21, 2020.

PrivacyCon 2020 will bring together a diverse group of stakeholders to discuss the latest research and trends related to consumer privacy and data security.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, will give opening remarks to kick off the event and will be followed by six panel discussions. The three morning sessions will focus on research related to health apps, artificial intelligence, and Internet of Things devices. The three afternoon sessions will feature discussions on research related to the privacy and security of specific technologies such as digital cameras and virtual assistants, international privacy, and miscellaneous privacy and security issues.

Links to the research that will be presented at PrivacyCon 2020 are available on the event page. PrivacyCon will take place online from 9 a.m. ET to 5 p.m ET. A link to view PrivacyCon 2020 will be posted on the event page prior to the start of the event. Registration is not required.

CCPA Proposed Regulations Submitted to the Office of Administrative Law

California Attorney General Xavier Becerra submitted final proposed regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The regulations will provide guidance to businesses on how to comply with the CCPA and will enable consumers to exercise new rights over their personal information. Under Executive Order N-40-20 related to the COVID-19 pandemic, OAL has 30 working days and an additional 60 calendar days to determine whether the regulations satisfy the procedural requirements of the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

A copy of the complete rulemaking package submitted to OAL, including a text of the regulations, can be found at www.oag.ca.gov/ccpa.

The final proposed regulations were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which were taken into consideration when drafting the final regulations.

So, how much is this damn CCPA thing gonna #$@&%* cost me?! – Rafael Moscatel

The short answer? A lot, but not as much as you might have been told…

via So, how much is this damn CCPA thing gonna #$@&%* cost me?! – Rafael Moscatel

ILTA Blackberry and CAPP Presentation

As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.

While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.

Decision makers, consider the following:

  • What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
  • Can we do this all in-house or should we outsource some of it?
  • Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
  • What kind of fundamental changes are we willing to make to our IT infrastructure?
  • Do we fully automate self-service requests through API’s and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
  • How can taking a principle based approach to privacy using concepts like data minimization to insulate us going forward?

Click here for a free CCPA Roadmap from Compliance and Privacy Partners.

Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.

Then what’s my next step?

Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….

Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us? 

The answer to that last question is YES!

Slide4
CAPP’s California Consumer Privacy Act Roadmap

Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.

It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?

The bottom line…

There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.

The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

CCPA Regulations Update

NOTICE OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS AND ADDITION OF DOCUMENTS AND INFORMATION TO RULEMAKING FILE

Update to Proposed Text

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of changes made to the proposed regulations regarding the California Consumer Privacy Act, which were published and noticed for public comment on October 11, 2019.  These changes are in response to comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law.  The originally proposed regulations, this Notice, the text of the proposed regulations as modified, and a comparison of the text as originally proposed with the modifications, are available at www.oag.ca.gov/privacy/ccpa.

Update to Documents and Other Information Relied Upon

Pursuant to the requirements of Government Code sections 11346.8, subdivision (d), 11346.9, subdivision (a)(1), and 11347.1, the Department is also providing notice that documents and other information which the Department has relied upon in adopting the proposed regulations have been added to the rulemaking file and are available for public inspection and comment.

The documents and information added to the rulemaking file are as follows:

Accenture Interactive, See people, not patterns. (2019). Available at https://www.accenture.com/_acnmedia/PDF-110/Accenture-See-People-Not-Patterns.pdf.

Cranor, et al., Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (February 4, 2020).

Douglis, et al., How the CCPA impacts civil litigation (January 28, 2020).  Available at https://iapp.org/news/a/how-the-ccpa-impacts-civil-litigation/#.

Duffy, et al., Retail Loyalty Programs Will Survive Calif. Privacy Law (September 26, 2019), Law360.  Available at https://www.law360.com/articles/1202393/print?section=california.

Paternoster, Leon, Getting round GDPR with dark patters. A case study: Techradar (August 12, 2018).  Available at https://www.leonpaternoster.com/posts/techradar-gdpr/.

Simon, et al., Summary of Key Findings from California Privacy Survey (October 16, 2019), Goodwin Simon Strategic Research.  Available at https://www.caprivacy.org/post/icymi-summary-of-key-findings-from-california-privacy-survey.

World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018).  Available at https://www.w3.org/TR/2018/REC-WCAG21-20180605/.

The Department is also providing notice that it will not be including the following study in the rulemaking file.

Javelin Strategy & Research, 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt (March 6, 2019).

The entire rulemaking file, which includes the documents referenced above, is available for inspection and copying throughout the rulemaking process during business hours at the location listed below.  In addition, some of the documents are available at www.oag.ca.gov/privacy/ccpa.

The Department will accept written comments regarding the proposed changes or materials added to the rulemaking file between Friday, February 7, 2020 and Monday, February 24, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on February 24, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Email: PrivacyRegulations@doj.ca.gov

All timely comments received that pertain to the changes to the proposed regulations or the new materials added will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file.  Please limit written comments to those items.

NSA Releases Guidance on Mitigating Cloud Vulnerabilities

Original release date: January 24, 2020

The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities, and potential mitigation measures.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSA’s guidance on Mitigating Cloud Vulnerabilities and CISA’s page on APTs Targeting IT Service Provider Customers and Analysis Report on Microsoft Office 365 and other Cloud Security Observations for information on implementing a defense-in-depth strategy to protect infrastructure assets.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with California Tech Company Related to Privacy Shield

The Federal Trade Commission has finalized a settlement with a California technology company over allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.

The FTC alleged that Medable, Inc., falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program’s principles. As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.

After receiving no comments on the proposed settlement, the Commission voted 5-0 to give final approval to the settlement.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with Utah Company and its former CEO over Allegations they Failed to Safeguard Consumer Data

The Federal Trade Commission has granted final approval to a settlement with a Utah-based technology company related to allegations that the firm failed to put in place reasonable security safeguards, allowing a hacker to access the personal information of more than a million consumers.

The FTC alleged that InfoTrax Systems, L.C. and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information they maintained on behalf of InfoTrax’s business clients. As a result of the company’s alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. The hacker accessed consumers’ sensitive personal information, including Social Security numbers, according to the FTC’s complaint.

As part of the settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. In addition, the settlement requires the company and Rawlins to obtain third-party assessments of their companies’ information security programs every two years.

After receiving no comments on the settlement, the Commission voted 5-0 to finalize the settlement order with InfoTrax and Rawlins.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data

FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data

The Federal Trade Commission has granted final approval to a settlement with the former CEO of Cambridge Analytica, LLC and an app developer who worked with the company to resolve allegations they used deceptive tactics to collect personal information from tens of millions of Facebook users for voter profiling and targeting.

In its complaint, the FTC alleged that app developer Aleksandr Kogan worked with Cambridge Analytica and its former CEO Alexander Nix to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The FTC alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The Commission recently announced an Opinion that found that Cambridge Analytica, which filed for bankruptcy in 2018, engaged in similar conduct in violation of the FTC Act.

As part of the settlement, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.

The Commission received one comment on the proposed settlement. The Commission voted 5-0 to finalize the order and to send a response to the commenter.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email

The Federal Trade Commission finalized a settlement with an email management company that allegedly deceived some consumers about how it accesses and uses their email.

The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.

In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.

As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.

After receiving two comments, the Commission voted 4-0-1 to approve the settlement with Unrollme as well as responses to the commenters. Commissioner Rohit Chopra abstained from the vote.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

5 Ideas To Kickstart Your Governance, Risk and Compliance Program in the New Year!

We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling next year.

1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!

For example:

  • Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
  • Retention policies can be used as virtual blueprints to justify and destroy, costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
  • Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.

Executives need to make sure they are told what they need to hear, not what they want to hear.

3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is because of a lack of policy organization within their OWN departments.

Lack of procedural consistency, ownership of policy and overlap and confusion over a directives authority in can create even more conflict, risk and uncertainty for an organization. But relying on institutional knowledge and spreadsheets just doesn’t cut it anymore. That’s why every regulated company needs a strong technology backbone in the form of a GRC or governance risk and compliance software.

4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.

Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organizations external data, whether it’s private in nature or otherwise.

5. Finally, risk is not a one size fits all problem. Investment needs to be proportional to the exposure. That’s why it’s important to spend enough time planning your long-term strategy rather diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders

ICRM will not only conduct their spring Board and Business meetings at the MER Conference next May in Chicago, but will also facilitate a panel discussion  “Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders.” 

The panel of experts include: John Isaza, Esq, FAI, Rafael Moscatel, CRM, IGP, CIPM, and Wendy McLain, MLIS, CRM.  The panel of Academic Partners include: Patricia Franks, Ph.D, CRM, CA, IGP – San Jose State University; Gregory S. Hunter, Ph.D, CA, CRM, FSAA – Long Island University, Palmer School of Library and Information Science, and Tao Jin, Ph.D – Louisiana State University, School of Library and Information Science.

The desired outcome is to expand and nurture an ongoing and productive dialogue between our profession and academic institutions to ensure graduates are well prepared to fill current and future positions in key areas of Records and Information Management (RIM) and Information Governance (IG).  If interested in joining us at the MER Conference – go to their website and register for conference.  https://www.merconference.com/

FTC Extends Deadline for Comments on COPPA Rule until December 11

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses

From the US Justice Department

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware

Reward of up to $5 Million Offered for Information Leading to Arrest or Conviction

The United States of America, through its Departments of Justice and State, and the United Kingdom, through its National Crime Agency (NCA), today announced the unsealing of criminal charges in Pittsburgh, Pennsylvania, and Lincoln, Nebraska, against Maksim V. Yakubets, aka online moniker, “aqua,” 32, of Moscow, Russia, related to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present.  A second individual, Igor Turashev, 38, from Yoshkar-Ola, Russia, was also indicted in Pittsburgh for his role related to the “Bugat” malware conspiracy. The State Department, in partnership with the FBI, announced today a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets.  This represents the largest such reward offer for a cyber criminal to date.

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Scott W. Brady for the Western District of Pennsylvania, U.S. Attorney Joseph P. Kelly for the District of Nebraska, FBI Deputy Director David Bowdich, Principal Deputy Assistant Secretary James A. Walsh of the State Department’s Bureau of International Narcotics and Law Enforcement Affairs (INL), and Director Rob Jones of the Cyber Crime Unit  at the United Kingdom’s National Crime Agency (NCA) made the announcement.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Assistant Attorney General Benczkowski.  “These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks.  The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.”

“For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world,” said U.S. Attorney Brady. “Deploying ‘Bugat’ malware, also known as ‘Cridex’ and ‘Dridex,’ these cybercriminals targeted individuals and companies in western Pennsylvania and across the globe in one of the most widespread malware campaigns we have ever encountered.  International cybercriminals who target Pennsylvania citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.”

“The Zeus scheme was one of the most outrageous cybercrimes in history,” said U.S. Attorney Kelly.  “Our identification of Yakubets as the actor who used the moniker ‘aqua’ in that scheme, as alleged in the complaint unsealed today, is a prime example of how we will pursue cyber criminals to the ends of justice no matter how long it takes, by tracking their activity both online and off and working with our international partners to expose their crimes.”

“Today’s announcement involved a long running investigation of a sophisticated organized cybercrime syndicate,” said FBI Deputy Director Bowdich. “The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft. By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted today, which represent a continuing trend of cyber-criminal activity emanating from Russian actors, were particularly damaging as they targeted U.S. entities across all sectors and walks of life. The FBI, with the assistance of private industry and our international and U.S. government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”

“Combatting cybercrime remains a top national security priority for to the United States,” said INL Principal Deputy Assistant Secretary of State Walsh. “The announcements today represent a coordinated interagency effort to bring Maksim Yakubets to justice and to address cybercrime globally.”

“This is a landmark for the NCA, FBI and U.S. authorities and a day of reckoning for those who commit cybercrime,” said NCA Director Jones. “Following years of online pursuit, I am pleased to see the real world identity of Yakubets and his associate Turashev revealed.  Yakubets and his associates have allegedly been responsible for losses and attempted losses totalling hundreds of millions of dollars. This is not a victimless crime, those losses were once people’s life savings, now emptied from their bank accounts.  Today the process of bringing Yakubets and his criminal associates to justice begins.  This is not the end of our investigation, and we will continue to work closely with international partners to present a united front against criminality that threatens our prosperity and security.”

Yakubets and Turashev Indicted in Relation to “Bugat” Malware

A federal grand jury in Pittsburgh returned a 10-count indictment, which was unsealed today, against Yakubets and Turashev, charging them with conspiracy, computer hacking, wire fraud, and bank fraud, in connection with the distribution of “Bugat,” a multifunction malware package designed to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers.  Later versions of the malware were designed with the added function of assisting in the installation of ransomware.

According to the indictment, Bugat is a malware specifically crafted to defeat antivirus and other protective measures employed by victims.  As the individuals behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called “Cridex,” and later “Dridex,” according to the indictment.  Bugat malware was allegedly designed to automate the theft of confidential personal and financial information, such as online banking credentials, and facilitated the theft of confidential personal and financial information by a number of methods.  For example, the indictment alleges that the Bugat malware allowed computer intruders to hijack a computer session and present a fake online banking webpage to trick a user into entering personal and financial information.

The indictment further alleges that Yakubets and Turashev used captured banking credentials to cause banks to make unauthorized electronic funds transfers from the victims’ bank accounts, without the knowledge or consent of the account holders.  They then allegedly used persons, known as “money mules,” to receive stolen funds into their bank accounts, and then move the money to other accounts or withdraw the funds and transport the funds overseas as smuggled bulk cash.  According to the indictment, they also used a powerful online tool known as a botnet in furtherance of the scheme.

Yakubets was the leader of the group of conspirators involved with the Bugat malware and botnet, according to the indictment.  As the leader, he oversaw and managed the development, maintenance, distribution, and infection of Bugat as well as the financial theft and the use of money mules.  Turashev allegedly handled a variety of functions for the Bugat conspiracy, including system administration, management of the internal control panel, and oversight of botnet operations.

According to the indictment, Yakubets and Turashev victimized multiple entities, including two banks, a school district, and four companies including a petroleum business, building materials supply company, vacuum and thin film deposition technology company and metal manufacturer in the Western District of Pennsylvania and a firearm manufacturer.  The indictment alleges that these attacks resulted in the theft of millions of dollars, and occurred as recently as March 19, 2019.

Yakubets Charged in Relation to “Zeus” Malware

A criminal complaint was also unsealed in Lincoln today charging Yakubets with conspiracy to commit bank fraud in connection with the “Zeus” malware.  Beginning in May 2009, Yakubets and multiple co-conspirators are alleged to have a long-running conspiracy to employ widespread computer intrusions, malicious software, and fraud to steal millions of dollars from numerous bank accounts in the United States and elsewhere.  Yakubets and his co-conspirators allegedly infected thousands of business computers with malicious software that captured passwords, account numbers, and other information necessary to log into online banking accounts, and then used the captured information to steal money from victims’ bank accounts.  As with Bugat, the actors involved with the Zeus scheme were alleged to have employed the use of money mules and a botnet.

Yakubets and his co-conspirators are alleged to have victimized 21 specific municipalities, banks, companies, and non-profit organizations in California, Illinois, Iowa, Kentucky, Maine, Massachusetts, New Mexico, North Carolina, Ohio, Texas, and Washington, identified in the complaint, including multiple entities in Nebraska and a religious congregation.  According to the complaint, the deployment of the Zeus malware resulted overall in the attempted theft of an estimated $220 million USD, with actual losses of an estimated $70 million USD from victims’ bank accounts.  According to the complaint, Yakubets’ role in the Zeus scheme was to provide money mules and their associated banking credentials in order to facilitate the movement of money, which was withdrawn from victim accounts by fraudulent means.

An individual charged as John Doe #2, also known as “aqua,” was indicted in District of Nebraska in case number 4:11-CR-3074.  The indictment in that case charges that individual and others with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud related to the Zeus scheme.  As alleged, the complaint unsealed today associates use of the moniker “aqua” in the Zeus scheme to Yakubets.

In case number 4:11-CR-3074, two of the co-conspirators of “aqua,” Ukrainian nationals Yuriy Konovaleko and Yevhen Kulibaba, were extradited from the United Kingdom to the United States.  Konovalenko and Kulibaba both pleaded guilty in 2015 to conspiracy to participate in racketeering activity and have completed prison sentences that were imposed.  Konovalenko and Kulibaba were previously convicted in the United Kingdom, after an investigation conducted by the Metropolitan Police Service, for their role in laundering £3 million GBP on behalf of the group responsible for the Zeus malware.

State Department $5 million USD Reward

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering a reward of up to $5 million for information on Yakubets.  Cyber threats are a top national security threat to the United States, and the Department of State’s TOC Rewards Program is one of the many tools used by U.S. authorities to bring significant cybercriminals to justice.  Congress established the TOC Rewards Program in 2013 to support law enforcement efforts to dismantle transnational criminal organizations and bring their leaders and members to justice.  The U.S. Department of State’s Bureau of International Narcotics and Law Enforcement Affairs manages the program in coordination with other U.S. federal agencies.

In addition to NCA, the law enforcement actions taken related to these two prosecutions were assisted by the efforts of law enforcement counterparts from The Netherlands, Germany, Belarus, Ukraine, and the Russian Federation.

The FBI’s Pittsburgh and Omaha Field Offices led the investigations of Yakubets and Turashev with assistance by the FBI’s Major Cyber Crimes Unit and Global Operations and Targeting Unit.  The prosecution in Pittsburgh is being handled by Assistant U.S. Attorney Shardul S. Desai of the Western District of Pennsylvania, and the prosecution in Lincoln is being handled by Senior Counsel William A. Hall, Jr., of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Steven A. Russell of the District of Nebraska.  The Criminal Division’s Office of International Affairs provided significant assistance throughout the criminal investigations.  The Department’s National Security Division also provided investigative assistance.

The details contained in the indictment, criminal complaint and related pleadings are merely accusations, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Continue reading

FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield

The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The Opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework.

In an administrative complaint filed in July, FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint filed by FTC staff, or a motion submitted for summary judgment of the allegations.

The FTC staff’s administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

In its Opinion, the Commission found that Cambridge Analytica violated the FTC Act through the deceptive conduct alleged in the complaint. The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.

The Commission voted 5-0 to issue the Opinion and Final Order.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

We’ve Won! 1st place in our 2019 Information Management Today MVP Awards

The people have spoken and our article, “7 Ways to Prepare Data in the Age of Privacy and Information Governance,” has won 1st place in the 2019 Information Management Today MVP Awards Other category! Thank you to all of our subscribers!

Article reprinted below!

Content may still be king, but now the rights to some of it may belong to the people! In response to the EU’s General Data Protection Requirement (GDPR) and recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size but each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.

Notably, while many companies are already familiar with records retention laws, these latest controls also introduce a duty to destroy data once no longer required for a legitimate business purpose. For entities that have grown accustomed to leveraging cheap digital storage, this new responsibility presents a number of logistical hurdles.

However, directives on how you may use your customer’s data or any other information you store doesn’t necessarily have to be burdensome. In fact, these new guardrails present numerous opportunities to implement better governance, monetize the lifecycle of information assets and foster trustworthy relationships that can actually enhance the customer experience.

These 7 tips can help prepare your data to support an IG strategy:

  1. Automate Retention Schedules – Legal and compliance requirements are the cornerstones of corporate governance programs. Yet tracking the multitude of historical and emerging state, federal and international laws and regulations that affect your data decisions can be a monumental task that even the most robust law departments aren’t prepared for. Consider leveraging SaaS software to keep your Risk, Compliance and Legal staff current on the latest citation changes to these nuanced instructions. These tools empower you to defensibly destroy and cleanse costly data no longer useful to your organization.
  2. Cover Your Assets – Satisfying new compliance requirements like GDPR and CCPA means it’s not enough to simply know what kinds of records you keep, you need to know what systems they’re kept in and how that data flows between them. That’s why Chief Data Officers and Enterprise Architects are increasingly embracing asset management tools that not only perform diagnostics on their application stack but allow them to inventory their attributes and map related processes that inform long-term strategic roadmap planning. Tools like these also help support application rationalization projects which in turn aid in classification and disposal of unneeded data.
  3. Introduce Big Buckets – The biggest challenges with enforcing retention across an enterprise are “event triggers” that complicate how long sets of records must be retained. For example, an employee file might be held X years following a termination “event.” Big Bucket strategies allow you to simplify and group “like” records together to support more efficient destruction actions while assuming some risk. Work with your governance partners to determine reasonable standards for a Big Bucket policy and quantifying the acceptable amount of risk your company is willing to assume to achieve cost and efficiency benefits.
  4. Enforce Legal Holds – Cleansing your data lakes and silos to save costs and minimize risk is an exercise in defensible destruction but requires awareness of outstanding legal holds. A company that spoliates evidence subject to a legal hold, even without malice, can be fined and suffer adverse inference litigation rulings resulting in unfavorable judgments. Additionally, healthy oversight of records under a preservation hold doesn’t just make good legal sense, it can also help better identify opportunities for even more defensible destruction, cost reduction and risk mitigation.
  5. Activate File Analysis – The tricky thing about new laws like the CCPA is that they require companies to find and produce data for the consumer wherever it exists. That can be a cumbersome test for many entities that have hundreds or thousands of repositories. Luckily, advanced File Analysis tools can plug directly into your network and help quickly identify sensitive and personally identifiable information (PII). They can also help you deduplicate records and find redundant, obsolete and trivial data clogging your systems, also known as ROT. These tools produce a tangible ROI that management can point to as a prime example of why IG works.
  6. Embrace Content Migrations – Unless you’ve only lived in one home your entire life, you’ve probably experienced the cathartic process of cleansing your old wares in preparation for a move. Bringing in a new content management system is not much different and it’s a unique opportunity to apply retention to your data, discard ROT and provide employees with more accurate knowledge resources.
  7. Bake-in Best Practices – Information Governance is not a “one and done” proposition, it’s a rinse and repeat discipline that only works when management sees to it that organizational culture is along for the ride. These days a basic understanding about data handling is vital for every new hire. Concepts like records retention, data protection and privacy should be part of any overall corporate training plan.

By complementing policy frameworks and toolsets with the types of Information Governance approaches noted here we can better enable our workforce to hone their knowledge skills, achieve defensible destruction and improve audit outcomes. In effect, we are future proofing ourselves for a business world destined to face increased scrutiny and under siege from data breaches and privacy issues with seemingly no end in sight. IG is the bright light at the end of that tunnel.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Announces Settlements with Four Companies Related to Allegations they Deceived Consumers over Participation in the EU-U.S. Privacy Shield

The Federal Trade Commission has reached settlements with four companies that allegedly misrepresented their participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States. The FTC also alleged that two of the companies failed to comply with Privacy Shield requirements.

In separate actions, the FTC settled Privacy Shield cases against:

In addition to allegations that each company falsely claimed to participate in the EU-U.S. Privacy Shield framework, the FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law.

In its cases against Global Data and TDARX, the FTC further alleged that the companies continued to claim participation in EU-U.S. Privacy Shield after allowing their certifications to lapse, and that those companies failed to comply with the framework. The companies allegedly failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.

“The Privacy Shield Framework is critical to facilitating transatlantic commerce and assuring our European partners of our commitment to data protection,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Enforcement of the Privacy Shield framework is a priority of the FTC, and we will hold companies accountable where, as here, they fail to keep their Privacy Shield promises.”

The Department of Commerce administers both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, while the FTC enforces the promises companies make when joining the programs. With today’s announcement, the FTC has now brought a total of 21 enforcement actions related to the EU-U.S. Privacy Shield framework since it was established in 2016.

Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government, or any self-regulatory or standard-setting organization. As part of their settlements, Global Data Vault and TDARX also are required to continue to apply the Privacy Shield protections to personal information they collected while participating in the program, or return or delete the information.

The Commission voted 5-0 to issue the proposed administrative complaints and to accept the consent agreements with the four companies. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

CCPA Rulemaking Activities – Upcoming Hearings

CPA Rulemaking Activities – Upcoming Hearings

On October 10, 2018, the Attorney General released proposed regulations for the California Consumer Privacy Act of 2018 (CCPA).  The California Department of Justice (DOJ) will hold four public hearings to provide all interested persons the opportunity to present statements or comments on the proposed regulations, as detailed below.  The hearings will begin promptly at 10:00 a.m. and will conclude when the last speaker has finished their presentation.  Please note that attendees may be required to go through building security before entering each venue.  For more information about the public hearings, and to RSVP, please visit: https://www.oag.ca.gov/privacy/ccpa/rsvp.

The deadline to submit written comments is December 6, 2019 at 5:00 p.m. (PST).  Comments may be submitted via email (PrivacyRegulations@doj.ca.gov), mail (Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013), or at the public hearings.

Please visit www.oag.ca.gov/privacy/ccpa for information about the DOJ’s CCPA rulemaking process, including the following newly added pdfs:  Tips on Submitting Effective Comments and Information about the Rulemaking Process.

PUBLIC HEARING DATES

Sacramento
December 2, 2019; 10:00 a.m.
CalEPA Building
Coastal Room, 2nd Floor
1001 I Street
Sacramento, CA 95814

Los Angeles
December 3, 2019; 10:00 a.m.
Ronald Reagan Building
Auditorium, 1st Floor
300 S. Spring Street
Los Angeles, CA 90013

San Francisco
December 4, 2019; 10:00 a.m.
Milton Marks Conference Center
Lower Level
455 Golden Gate Ave.
San Francisco, CA 94102

Fresno
December 5, 2019; 10:00 a.m.
Fresno Hugh Burns Building
Assembly Room #1036
2550 Mariposa Mall
Fresno, CA 93721

Say Hello To Pika, The Privacy Pup!

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Click here to take charge of your data challenges by contacting us today for a free consultation. We offer free 1-hour IG and CCPA workshops for interested companies.

California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield

California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield

A California company has agreed to settle Federal Trade Commission allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.

In its complaint, the FTC alleged that Medable, Inc.—which provides technology solutions to business customers operating in pharmaceutical, biotechnology, and research industries—falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program’s principles. While the company initiated an application with the Department of Commerce in December 2017, it did not complete the steps necessary to participate in the framework.

The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program. With today’s announcement, the FTC has now brought a total of 17 enforcement actions related to the Privacy Shield framework since it was established in 2016.

As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.

The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with Medable was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

Google pushes out important updates about the California Consumer Privacy Act (CCPA)

On Monday, November 18th, Google AdSense pushed out the following updates regarding the California Consumer Privacy Act:

from Google:

The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect personal information from California residents. The new law goes into effect on January 1, 2020.
Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.
These service provider terms will be made available alongside new tools for partners to enable restricted data processing. Restricted data processing is intended to help partners prepare for CCPA. Some partners may decide to send a restricted data processing signal for users who click a CCPA opt-out link. Other partners may decide to enable restricted data processing for all users in California via a control in our products. Subject to the service provider terms, we will act as your CCPA service provider with respect to data processed while restricted data processing is enabled. You can refer to this article for more information on restricted data processing and to determine whether restricted data processing meets your CCPA compliance needs. Please also refer to our Help Center articles for Ad ManagerAdMobAdSense for more information on enabling restricted data processing.
Please see privacy.google.com/businesses for more information about Google’s data privacy policies.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

FTC Slaps InfoTrax and its CEO with Severe Cybersecurity Order

Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data

As a result, hacker gained access to personal information of a million consumers, agency says

via FTC Press Release

A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.

InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.

In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:

  • inventory and delete personal information it no longer needed;
  • conduct code review of its software and testing of its network;
  • detect malicious file uploads;
  • adequately segment its network; and
  • implement cybersecurity safeguards to detect unusual activity on its network.

In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.

“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”

As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.

InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges.

The personal information that the intruder obtained can be used to commit identity theft and fraud. The FTC alleges that InfoTrax’s failure to provide reasonable security for personal data in its care violated the FTC’s prohibition against unfair practices.

As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.

In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with InfoTrax and Rawlins was 5-0. Commissioner Christine S. Wilson released a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.