Webinar – Cybersecurity and Privacy – A How-To Guide
[Speaker 1 - Elissa Doroff]
Good afternoon and thank you all for joining us today. My name is Elissa Doroff. I'm the cyber technical leader here at NFP. I'm very pleased to have Lisa Sotto from Hunton Andrews Kurth here today to walk us through a How-To on Cybersecurity and Privacy. For those of you who don't know Lisa, she chairs her firm's top global privacy and cybersecurity practice and is the managing partner of its New York office.
I've had the pleasure of working with Lisa over the last decade, and I'm very happy she agreed to be here and share her extensive knowledge and experience with us today. Our format will be a 15-minute session, at which point we'll stop and take your questions. So with that, I'm going to turn it over to Lisa to get started.
[Speaker 2 - Lisa Sotto]
All right. Thank you so much. I am delighted to be here and to speak to you about the incredibly fast-paced landscape that we're seeing now in the cybersecurity and privacy arena. It's honestly hard to keep up, even for those of us who are working in this area 24/7. It used to be that these were really areas of regulatory compliance.
But now, of course, we're finding that there is deep societal relevance on both the cybersecurity side and the privacy side. So I'm aiming to provide you with an overview. It's a high-level overview, but the goal is to allow you to spot issues as they arise. Next slide please.
And let's go one more. Perfect. All right. Just to give you a sense of my perspective, actually back up one if you wouldn't mind. Perfect. Just to tell you where I'm coming from so that you understand my perspective as I'm speaking. We are a law firm. We have lawyers on three continents: the US, Europe and Asia.
And we represent clients across industry sectors, so in virtually every industry sector. If you're very interested in this area, I would commend you to our blog. And also, no policy practice would be complete without a Twitter handle, which is here. Next slide please. Let's start by talking about the difference between privacy and security, because the two concepts are often conflated, but really they are two sides of the same coin.
And we need to think about both of these concepts at the same time. But they are separate concepts. The more subjective issue is data privacy. And data privacy is really defined by the cultural norms of any particular society and by the expectations of individuals with respect to the privacy of their personal information and how their personal information should be collected, used and disclosed.
And then once that cultural norm is reasonably well defined in the society, we see the law, which always lags a little bit behind, coming in to codify those expectations. Security is the more objective factor. It's keeping data safe, making sure that confidentiality applies to data, and also making sure that the integrity of data is secure, meaning that data is not changed in a way that is problematic for individuals, like a changed birth date or a changed address and Social Security number, or, in the non-personal information context, changing the chlorine levels of a water treatment system, or changing data integrity in a way that's particularly harmful to the population at large. Next slide, please. And one more.
All right. So look, cybersecurity, we now know, is a top issue for executives and boards alike. It is at the top of everybody's radar screen. And this issue is absolutely recognized as a fundamental risk issue for companies. It is no longer relegated to the information security lead who sits in the dusty basement.
Now the CSO has a corner office, and deservedly so, given the environment we are seeing, of course. This issue impacts every industry sector, and these are just some of the logos of companies that have been hit. And you can see here technology and banking and retail, health care, across the board.
Really, just about every industry sector has been hit. And the vast majority of companies of any size have been hit with cyber events of some sort or another. Some are small, others are just gigantic. So we're also seeing not only CEOs impacted, and some have resigned in light of breaches, but also board members are threatened with ouster.
And of course, that means that these issues really rise to the fore. And just some numbers to be aware of: the Yahoo breaches, there were a couple of them, affected 3.5 billion user accounts. So that is essentially half the world. And of course that means that nearly all individuals have been hit with some measure of cyberattack.
Next slide please.
So a couple of interesting statistics here. In about half the cases, we are not finding these issues ourselves in our own systems. In just over half the cases we are notified by external parties that we have an issue in our own systems. And that means, for example, the FBI calling to say we saw your data on the dark web, or it might mean a security researcher letting you know that you have a vulnerability in your systems.
Or it could mean customers calling your consumer lines to say, I used my credit card in one place, it was only with you, and I have fraud on the card. And that sort of thing will set off a chain of incident response activities. 31% of victims were reattacked within a year. And that's a really stunning number, because you would think if you're attacked once, you're going to really shore up your systems, you're going to make sure that you've found just about every vulnerability.
The problem, of course, is that today's threat actors are very sophisticated, and they're finding vulnerabilities that we haven't identified ourselves. The other very interesting statistic is this statistic of 51 days, known as dwell time. And that is the time that a threat actor is sitting in our systems unidentified. So think of this, translate this to the physical world, and think about a thief sitting in a basement bathroom
that's rarely used, and sitting there for 56 days before we identify the thief's presence in our house. Next slide please. As I mentioned, the landscape is very, very sophisticated now, and we really can break down the threat actors into three buckets. First, we see traditional hackers. And this mostly can be categorized as organized crime.
These are very well organized groups of criminals, and they have very carefully orchestrated attacks. And their infrastructure is mature. So they're in it for pecuniary gain. They're looking to make money. And it's a very, very good way to make money. It's often a crime that can't be prosecuted, because the criminals are sitting far out of our jurisdiction, out of our reach.
And they're sitting in countries where there is no extradition. We're also seeing quite a bit of activity, of course, by nation states. And on the previous slide I had the DNC listed, and of course we know we're very, very much on guard now, during this election season, because nation states are certainly very active right now.
And of course, we're seeing activity from Russia, from China, from North Korea, from Iran. So, quite a bit of activity by nation states. And then I'll also mention hacktivists. Hacktivists are sort of loose confederations of, really, anarchists who are looking to do enormous damage to systems. And they might, for example, commit a DDoS attack, a distributed denial of service, where they'll throw a couple of terabytes of data at a website to bring down the website.
And we see that happening now more and more. What are they going after? They're going after personal information that they can sell. Social Security numbers are always nice. Payment card numbers that are fresh and have not expired can be sold easily on the dark web. The dark web, by the way, is the unindexed web.
And you generally get to it through Tor. I would not recommend it. But that's where most of the criminal activity takes place. The threat actors are also going after R&D, for example, trade secrets and confidential business information. This is valuable data. And they can certainly monetize some of this data.
We're also seeing them going after cloud environments. You know, a cloud environment is a treasure trove of data, because the cloud environment has everybody's data in it. And so it's really a very significant amount of information and a good way of going after multiple companies at once. How are they doing it? Well, mostly through social engineering, and mostly through phishing.
So phishing is very much a vector to watch out for. A lot of our clients do mock phishing exercises. And unfortunately, we don't do very well in mock phishing exercises, because we as humans, if we're told to press a button, we press a button. If we are asked to do something, we tend to want to please and we do it.
And that's why it's called social engineering, because the threat actors know that we will tend to press that button. And so we see relatively high numbers of failures when we send out mock phishing emails. And so training and awareness is so critical, over and over and over, to push out those training modules and business awareness communications.
We're also seeing credential stuffing. Credential stuffing means recycling of credentials. There are millions and millions of credentials on the dark web. And those credentials, unfortunately, again, we're human, we tend to use our passwords over and over, as well as our usernames. Those are all on the dark web.
They're generally there for the taking. They're not worth very much, because there are so many of them. But if you throw a bunch of credentials at a banking site, for example, some may in fact work. And that's what the threat actors are doing. We're also seeing the threat actors getting through vendors.
We might have a fortress around our systems, but our vendors may not, and they may have authorized access to our systems. And so the threat actors are getting in through the vendor systems into our fortress-like systems. So our moat doesn't really work well, even if it's filled with alligators, because the bridge is down to the vendors and the threat actors walk right over that bridge into our fortress.
And the same is true for insiders, because insiders have authorized credentials. So they're in and they're authorized. It's very, very hard to root out an insider threat. And so what we're seeing now is a huge amount of ransomware. And the ransomware that we're seeing now is really particularly pernicious, because not only are the threat actors locking up systems, but they are also taking data first.
So they're stealing data from our systems, and then locking our systems, and then they send a ransom note. And the ransom note asks for quite a bit, often many millions of dollars. And they tell you in the ransom note that they'll give you the decryptor and they will refrain from publishing your data on their website if you pay them X amount.
And so we're seeing threats from groups like Egregor, which is a new one that we're seeing. It's only a couple of weeks old. And then Maze is a little bit older. It's several months old. So really, there are new variants of ransomware all the time. Cyber extortion, also, we're seeing in droves, where, for example, the CEO might get an email that says, I have 15 million of your records.
If you would like them back, you need to pay me 200 Bitcoin, and here's how you should be in touch. So we're seeing quite a bit of that as well. Then there is business email compromise. We see it. It's rampant. It's wire transfer diversion, where you might be in the middle of a deal and the other party says to you via email, I've just changed my wire transfer instructions.
Send the money here. Well, that's not really your counterparty. That's really a threat actor telling you to send the money to the Bank of Indonesia or wherever, typically a place that is not quite as easy for our law enforcement to get to. Doxing is where cybercriminals will pull a lot of information about a person from the dark web, and they may make a threat like, if you don't stop animal testing by Friday,
we know your daughter is at the Four Seasons, so, these sorts of veiled threats. So that's what we're seeing right now in the threat landscape. Next slide please.
And then the next question is, are there rules to combat this? And the answer is yes, but we have a patchwork quilt. It's very messy. It's very fragmented right now in the United States, and overseas as well, because it's really hard to pass laws around data security when the threat actors are so sophisticated and they're changing their tactics constantly.
And so if we mandate, for example, 128-bit encryption, that will be cracked. So it's very hard to be prescriptive in mandating data security, but we do have a panoply of federal laws. The Federal Trade Commission has what is known as Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.
And they've brought a number of actions against companies under the FTC Act for failure to implement reasonable security. In the health care context, we have HIPAA, as amended by the HITECH Act, which covers both privacy and data security for covered entities in the health care space. The Gramm-Leach-Bliley Act focuses on financial services.
And so banks and others are subject to both the privacy rule and the safeguards rule, which is the security rule, of the Gramm-Leach-Bliley Act. And the SEC has gotten into the act as well. They've been quite active in recent years. They were very inactive in the early years of cyber events, but quite active more recently.
They formed a cyber unit a couple of years ago. And they are going after companies for failure to appropriately disclose threats. On the state side, there are a number of states. I won't go through all of these. I've got some highlights on the state side. There are quite a number of data security laws. Some of them are quite prescriptive, like in Massachusetts, and others are very general.
For example, they say you need to put reasonable security measures in place. So that's why it's quite patchy. But we really have to think about the highest common denominator. Breach laws have worked wonders for really forcing companies to clean up their act on the security side, because no company wants to be the one that stands on the roof and raises a red flag to say, we've suffered a data breach.
Right. And that's what happens when you send, as required by law, breach notification letters to people whose personal information was compromised in your systems. We also have now in California, and I'll talk about this a little bit more on the privacy side, a new law that just started with respect to enforcement on July 1st, the California Consumer Privacy Act.
And while it is mostly a privacy law, there is a portion of it that imposes liability for cybersecurity events, for data breaches. And there is a private right of action under the CCPA. So we have now seen a number of plaintiffs' lawyers going after companies for data breaches under the CCPA. There are other security laws for financial institutions, for insurers.
There is an internet of things, a new body of law, in California and Oregon. And there are three states with biometrics laws: Illinois, Texas and Washington. So if you are capturing biometrics, pay particular heed to these laws, particularly in Illinois, where there's a private right of action and there is a very, very active caseload around cases that have been filed with respect to the Illinois biometrics law.
There are some very important industry standards in this space as well. So it's very important to think about these. The NIST cybersecurity framework is really about creating an incident response framework within the company. The payment card industry data security standard has really changed the landscape with respect to the security of payment cards. The ISO standard in the space is very important as well.
And I'll also point out the Center for Internet Security's top 20 critical security controls, which is very important because in California, when Kamala Harris was the attorney general, she said that any company that does not implement the CIS top 20 will not be deemed to have reasonable security in place. And that would potentially trigger liability in California and elsewhere.
Next slide please. Let's talk about some trends that we're seeing. So we are seeing a risk-based approach being built into laws, because every company differs in terms of risk, the volume of data that you have, the sensitivity of the data that you have, your ability to implement technological modifications. But we're also seeing a move toward more detailed and prescriptive rules, really prescribing what you need to do on the security front.
I've given you some examples here. And I'll also note that the definition of personal information is very, very expansive. So it includes anything you would think of as personal information, like name and address and Social Security number, but also IP addresses that are linked to a particular device. So device identifiers alone could be deemed personal information as well.
The other thing I want to point out, the other very important trend, is we're seeing consent orders and other settlements of actions with governments, whether it's state attorneys general or the Federal Trade Commission at the federal level. We're seeing all of these settlements build in serious oversight mechanisms. So boards and CEOs are now in many cases responsible for reporting to the regulators at the federal and state levels, and signing certifications as to the state of security in their organization.
So that really is changing. You know, this is a top-down approach, and it really is changing the way companies are managing their security. Next slide please. So, as I mentioned earlier, the board is very important in setting the direction of cybersecurity. And the tone from the top really is very critical.
Target was the wake-up call here. The FTC and SEC, sorry, commissioner said at the time, when the Target breach happened, that any company that is not taking cybersecurity seriously is doing so at its own peril. And that really did shake up corporate America. We now, of course, know that cybersecurity is a fundamental risk issue for organizations.
And the board's duties are grounded in its risk management obligations and its responsibility to exercise its fiduciary duties. We have really very little case law. We have some, but very little case law in this space. And the key items that come out of the case law that exists are that, if the board is appropriately supervising the company's cybersecurity program, that will likely defeat a claim brought by shareholders that alleges that they're not taking their fiduciary duty seriously.
And the other takeaway is that the board must be sufficiently informed in order to make appropriate decisions with respect to cybersecurity oversight. If they're not sufficiently informed, they can't possibly make appropriate and well-informed decisions. So it's very important to make sure your board is very continuously updated on cybersecurity.
There is a risk to board members. And there have been several moves to oust board members after serious data breaches. And I've listed some here. So your board has a critical responsibility now, and many directors are nervous. And they're pretty hyped up about cybersecurity. So we've seen a lot of directors who are fairly well educated in this area.
Some have been through breaches of their own with their own companies. So they're asking a lot of questions. So we need to be quite attuned to the role of the board. Next slide please.
So just some best practice principles that I've listed here. And I'll go through some of them. So we need to really understand, as a board member, what the threat environment is for that particular company. It's not the same in every company. So we need to understand our own threat environment and what the ground rules are in our systems.
As a director, we would want to make sure that we're providing appropriate oversight with respect to our information security program, that we oversee the budget. Do you have enough money? That is probably the single question that I hear most often posed by boards to the chief information security officer. Do you have enough money to get done
what you need to get done? So that's a good way of sort of testing the waters there. Management will be held accountable by the board for its cybersecurity strategies and preparedness efforts. And we're seeing boards receiving benchmarking reports, looking at industry peers to figure out where the company falls with respect to industry peers.
Staying informed, of course, about significant events is very important. So you need to keep letting the board know what's going on. And often the board will be briefed by external experts, and that's helpful. It's particularly helpful if there's a derivative suit later and you can point to the number of times the board was briefed on cybersecurity, the number of times that the board was briefed by outsiders, what kind of benchmarking they did.
And it is important also to understand and think about whether cybersecurity needs to be built into the charter of a particular committee. And we're seeing more and more that charters are being revised to include cybersecurity responsibilities. And, of course, a board will always ask, do you have your experts identified in advance of an incident?
Do you know what forensic investigator you're going to use, what law firm you're going to use, what PR experts you're going to use? And those are all very appropriate questions for boards to ask. Next slide please. So preparedness is key. You know, we can't prevent all security incidents. And I think this is an important point to make to senior management: don't fire your information security officer just because a breach happens.
It's really impossible to combat a dedicated and persistent adversary. But we can prepare for these incidents. And when we prepare well, it means that we will most certainly mitigate the harm that comes out of a cyber event. So we need to know what data we have. We need to identify the sensitive data and make sure it's appropriately classified, and thereby appropriate protections are assigned
with respect to that data. We need good, state-of-the-art information security policies. We need to test our systems frequently through pen tests and other kinds of testing. And of course we want to constantly assess the status of our security measures. Patches are being rolled out all the time. And we need to apply those patches.
It is critically important to have a good incident response plan, really a state-of-the-art incident response plan, because (a) you need to follow a good roadmap if you have an event and (b) regulators will ask for it. So it better look good. And then you want to practice that plan through tabletop exercises. I can't stress enough the importance of a tabletop exercise with the executive team, so that they understand what they might be facing in the event of a real attack.
And they are then better prepared to manage a real attack when it happens, because it really is inevitable. We need to understand the risks that our vendors pose, that our employees and insiders pose, and very much need to think about these risks in M&A and other sorts of transactions. We could be buying a huge liability if we don't do our due diligence in advance
in a transaction. Training and awareness is critical, of course, and thinking about your cyber insurance needs is also critical in advance. And Elissa can certainly fill you in on that. All right, let's go to the next slide, please. So just to quickly take you through a timeline and generally what happens in the event of a data breach: once we identify the event, we're going to want to mobilize our incident response team and stabilize our systems.
We may have a live attacker in our system, so we need to make sure that we understand if we have a live attacker and whether we can use our communication systems. For example, can we use our email, or do we need to communicate out in some out-of-band method of communication? When do we want to bring in law enforcement?
Do we need to bring in law enforcement? Very important question. The FBI. I'm quite bullish on bringing in the FBI where we have criminal activity. They're often very helpful in providing indicators of compromise to us so that we can look in our systems for these issues. We conduct a fulsome investigation, typically using a third-party forensic firm.
We always want to hire that firm through counsel to seek to protect the privilege. It's the best way to at least try to protect legal privilege. We are at the same time conducting a legal analysis. What laws do we need to comply with? Do we have personally identifiable information, for example, in our systems that will require notification?
Do we have other information that will require notification to regulators, for example in the critical infrastructure space, in the banking space? And then we'll craft our notifications and push those out. You can bet there's going to be regulatory follow-up, like state agencies will write letters, the FTC might ask you questions, and lawsuits inevitably will follow.
We're seeing just a raft of lawsuits now in the data breach space. And we always want to do a postmortem at the end of the day. What have we done wrong? What can we do better next time? Next slide please. So a quick word on liability and ramifications. We are seeing quite a bit of regulatory enforcement in the space.
Congress is getting into the act. There have been quite a number of congressional hearings on both data breaches and cyber and privacy issues. The payment card fines can be hefty when there's a compromise of payment card information. Litigation generally ensues when there's a breach of any size. And of course reputational damage can be quite problematic.
Generally, companies can bounce back from a reputational hit if the company handles the breach well. And that's why preparation is so critical. Make sure you've practiced your incident response plan so you know what you're doing. Make sure you have at least the rudiments of holding statements in advance, and notifications in advance, so that you're not scrambling at the last minute to put all of this in place.
There could be significant financial loss resulting from the criminal behavior, for example in wire transfer fraud. You've just sent out $2 million or $20 million to the criminals. And that money, if it's not recovered within the first 24 to 48 hours, you can consider gone. It is expensive to investigate. It is expensive to notify individuals.
And then remediation costs could be coming as well. And of course, CEOs are blamed, and board members are often blamed as well. Next slide please. So some lessons learned. Criminals are very sophisticated now. Really sophisticated. They're staying one step ahead of us. We keep fighting yesterday's battle. And that is very challenging. The threat actors are often using anti-forensic tools.
So they're trying to cover their tracks, which makes detection much more complex. And the timing of notification has changed. We used to have the luxury, years ago, of no social media. And so it wasn't so easy for dissemination of knowledge around these events. But now with social media, any information about a cyber event just gets out there so quickly.
So we need to respond fast to these issues. Credit monitoring has become somewhat de rigueur now. It's not critical, and certainly doesn't help in many instances, for example where there's a compromise of a payment card, but it is expected in many circles and in some ways it's required for data such as Social Security numbers.
Individuals are really now much more sensitized to these events. Everybody's gotten a breach notification letter, or many notification letters. So we see real sensitivity, and that's good. But it also is a bit of a pain in the neck when you're trying to deal with an event. And again, focus on this issue must come from the top.
We need direction directly from the top on these issues. Next slide please. All right, let's just dive right into privacy. And I do want to leave some time for questions as well. So why do we care? Why is privacy important? Well, data is everything now. And it's been said that data is the new normal.
It's certainly recognized as a critical asset for most organizations. And we think about various risks, like legal compliance risk, which is just baseline. You need to comply with law, period. But on top of that, you need to think about your ethical obligations, because reputational risk in this space is potentially very high. So we need to sort of layer ethics on top of legal compliance.
And also think about what is colloquially called investment risk and reticence risk. We invest in new companies, we invest in new technologies, we do M&A transactions, for example, and we don't think about privacy issues. And we're going to lose. On the other hand, if we are too afraid to use our data, we're also going to lose, because you can bet that your competitors are using data in robust ways.
And we're going to lose market share. So the key, of course, is to balance all of these risks. And we do that often through privacy by design, where we're building in privacy at the start and not trying to retrofit privacy later on, because, as we all know, consumer trust, employee trust, is everything. And without that, it's a losing proposition.
I'll just note here that there is a real focus now, and this is fairly new over the last couple of years, on data ethics and on discrimination, where algorithms are now found to have built-in biases. So there's a real effort to try to remedy that. Next slide please.
So look, as I said, we're living in the information age. Squarely in the information age, long past the industrial era. So we are grappling with data issues, and we know now that there are privacy laws in so many countries around the world. For example, I'll just note that the United States is the only first-world country to not have a comprehensive data protection law in place.
And by the way, data protection is the same as privacy. It's just a different lexicon in different jurisdictions. And many second-world and third-world countries have comprehensive data protection laws in place. What we have in the United States is a sectoral regime, meaning we regulate industry by industry sector. So we have financial privacy laws and health privacy laws, and privacy laws that manage data provided online by kids.
But we don't have a comprehensive privacy law at the federal level in this country. That will change. We don't know when, but it will change. And I think we're certainly looking at a federal, comprehensive privacy law in the next few years. I just want to note here that a country's approach to privacy is very much based on the historical backdrop.
So, for example, Europe has an extremely stringent data protection regime. And there's a very good reason for that. Data and files and dossiers were used to persecute in World War Two and in other time frames as well. But certainly there's a real reference back to the Holocaust with respect to the use of data to persecute. You know, we think about how we use data in this country.
As we market people to death, in other jurisdictions data was used to put people to death. So we think of data in the United States as a consumer protection interest, whereas in other countries data protection is considered a fundamental human right. Next slide please. This slide just gives you a sense of what the rest of the world thinks of us.
It's dated, so don't count on this as fully accurate, but the white shows countries that are considered to have really no data protection laws in place. And blue is countries that have comprehensive protection in place, and red is where they're working on it. So you can see that the United States is white.
So there are many who consider us to not have appropriate, or, obviously European adequate data protection laws in place. Next slide please. On the federal side, we have a number, as I said, sectoral laws there, we have the FTC act, which is a consumer protection, prohibiting unfair or deceptive trade practices. And the FTC has brought a number of actions, both on the privacy side and the security side.
HIPAA regulates the health care space; Gramm-Leach-Bliley, the financial space. We have the Fair Credit Reporting Act, which regulates privacy and security with respect to consumer reporting agencies. CAN-SPAM is the reason why we have the unsubscribe button at the bottom of marketing emails. We regulate video privacy. This comes from the nomination of a judge to the Supreme Court, and some in Congress sought out his video rental records.
And then as soon as they heard, they passed the Video Privacy Protection Act. The Driver's Privacy Protection Act regulates data from state DMVs. There was a murder committed because of records obtained by a private investigator from a state DMV, and that was the impetus for passing the DPPA, and other laws as well.
The Telecom Consumer Protection Act, where you can register your phone number on the Do Not Call list, and it was for that, some telemarketing. And COPPA, the Children's Online Privacy Protection Act, regulates the collection of data online from children under the age of 13. And the very first privacy law, really in the world, was the Privacy Act of 1974.
You'll recognize that as the time of Watergate. And this is a law that regulates privacy with respect to the use of data from the federal government. Next slide, please. On the state level, there are hundreds of privacy laws. And I'm going to focus us, in just a minute, on the California Consumer Privacy Act.
But I just wanted you to get a sense of the types of privacy laws that we see at the state level. Really, hundreds of them. So it is difficult. It is a very complex environment to try to navigate through when you're thinking about regulatory compliance. Next slide please. Okay. So the CCPA, I mentioned that I was going to talk about the CCPA.
Why? It is the first comprehensive privacy law in the United States. It only applies to California residents. But it is comprehensive in that it spans across industry sectors. So it is not sectoral. It grants California consumers, which are really California residents, rights over their data: they can access their own data, they can delete data, subject to exceptions, and they can opt out of the sale of their data.
And that's why you see on the bottom of some websites now a button that you can push if you're a California resident to opt out of the sale of data. There is also a mandate to have very detailed disclosures and a privacy policy, and also requirements with respect to service providers, companies making sure that their service providers are not using data in untoward ways.
There are training requirements as well. And as I mentioned earlier, the enforcement deadline was July 1st. So we are certainly seeing some activity on the enforcement front, and a failure to comply could result in a really quite sizable penalty amount. Next slide please.
So the stakes have never been higher. Really. You know, I say that on this slide, and that's really true. If we look at Facebook's eye-popping $5 billion settlement with the FTC, that really makes sense, and then there have been other settlements as well: Facebook, Equifax, a $700 million settlement, and some others.
British Airways and Marriott, potential fines by the UK Information Commissioner's Office. Those are not final yet, but you can see that there are some really big numbers here. And these numbers are only going up. Next slide please. Okay. So how do we deal with all of this? We have a nest going globally.
There are different data protection laws in different jurisdictions. And this is really challenging because companies don't operate in a single state or a single country. They operate globally. If nothing else, they have a website that operates globally. So it is very difficult to comply with what is truly a cacophony of data protection laws in different countries.
So you have to think at a higher level. And I think about this as flying high: if you fly at 40,000 feet, you avoid flying into buildings. If you fly low, you are going to hit something, and there's going to be some friction. So you really need to think at a high level about embedding both privacy and security into all of your processes, with a global program that crosses jurisdictions. Complying with law is absolutely baseline.
But we need to think a little bit more broadly than that, and think more about ethical and really appropriate safeguards for your organization. A number of companies that we work with will always say, we put consumers first, we put humans first. And that's the lens through which they look at absolutely everything, whether it's new technologies, new marketing initiatives, or M&A transactions; they will think about the individual first.
And I would say here, it's not just about the customer, it's also about your employees and other individuals whose data you may have. And think about humans first. And this is true as well with respect to data discrimination, which we're now really very focused on. So I will stop there. And I'm very happy.
[Speaker 1 - Elissa Doroff]
Yeah. So thank you so much, Lisa. Okay, we just have one question here. The question is: knowing that there are all sorts of requirements across the board in the US, would following the 20 CIS controls and GDPR be strong enough for being in compliance across the board?
[Speaker 2 - Lisa Sotto]
Great question. So the GDPR, you know, is more about privacy. Although there are quite a number of serious security provisions in the GDPR, it's very heavy on the privacy side, the GDPR. So let me go back a little bit to 1995. The Data Protection Directive came out in 1995 in the EU.
So the EU has had very stringent data protection mandates for many years, and the GDPR was really just a modernization of existing principles. And of course, a lot of new principles were put in place. But this regime has been in place for many, many years. The EU got out ahead, frankly, of everybody else.
And I wish the United States had done so. I wish the US had passed a good, practical, strong, but strategically practical, privacy law ten years ago that would have become the global benchmark. But we didn't; we really failed to do that. And so the GDPR has become that; it's become sort of the benchmark globally that other countries are now focusing their eye on.
And many countries have passed laws that are essentially identical to the GDPR, in part because they want to be considered to have adequate data protection laws in place so that they can freely transfer data back and forth to the EU as a trading partner, but also in part because it's a very, very comprehensive law and it's easy to take something that's been sourced heavily and implement that in your own country.
And Brazil, for example, is a country that has very recently implemented a law that looks very much like the GDPR. The CIS 20 is great, but it's not the be-all, end-all. You need to also think about the cybersecurity framework. Looking at ISO, there are very many U.S. companies that are ISO certified, and it's gaining in popularity.
But a lot of U.S. companies are calling themselves ISO conforming, meaning they'll focus on the ISO security rules and think about what's appropriate for their own organization and put those in place. So unfortunately, we have to think more broadly than just CIS 20. Also, if you take payment cards, you must, yes, this is an absolute mandate, comply with the Payment Card Industry Data Security Standard.
[Speaker 1 - Elissa Doroff]
Great. Thanks so much. So we have another question regarding: does the CCPA require notification, or do California's data breach notification laws still control those obligations?
[Speaker 2 - Lisa Sotto]
Yeah. Good question. The breach notification law still controls, so that's what we need to look at from a California perspective. Of course, there are 54 breach notification laws in the United States. So the 50 states plus Guam, the U.S. Virgin Islands, Puerto Rico and DC have breach notification laws in place.
And this is what I mean by the fragmented approach, and there are real complexities to comply with all of these laws. And this is only one small area, data breach notification. So, California actually is a very important law in the data breach notification space because it requires a particular template for breach notification.
So we see now many organizations just using the California template globally, because it's easier just to put out one form of letter than multiple forms of letters. So yes, look to the California breach notification law. Where the CCPA comes into play is there's a provision in the CCPA that says that to the extent you suffer a data breach, and it is because you didn't have reasonable security in place, then you could be subjected to a private claim.
And there have been a number of plaintiffs' counsel now who have in fact, because of this private right of action, brought lawsuits against companies that have suffered data breaches and had California consumers affected.
[Speaker 1 - Elissa Doroff]
Great. Thanks. So here's another really good question. What are the common mistakes that you're seeing companies make in the privacy space? I know this could be all over, but maybe top three.
[Speaker 2 - Lisa Sotto]
Right. I think one of the biggest mistakes is to not pay attention to consumer demands. And I'll give you a more concrete example of that. So less so in the United States, but very much so overseas, if you get a request by somebody to understand what data you have about them, an access request, it's really important to respond timely to those requests.
Any kinds of individual rights requests. And we're now seeing a real push by individuals to exercise their privacy rights. So I would suggest that companies put in place frameworks in advance of getting a trove of these. And then I think over the next few years we're going to see a spate of rights requests come in to all organizations.
So we need to be prepared in advance to manage those. I will tell you that we've worked with some companies to respond to access requests where the response has been tens of thousands of pages long, because we do need to provide things like browsing history. And when somebody goes on your website, capturing browsing history is really laborious and provides a huge volume of information.
So responding to access requests, deletion requests, opt-out requests and the like is absolutely critical. Other errors that we see are a failure to provide accurate and materially complete privacy representations, typically in the form of a privacy policy or privacy notice on your website. We've seen some privacy notices that are just really astounding in how old they are or how inaccurate they are in representing the information practices of a company.
So it's really important that privacy notices be considered and reconsidered and reconsidered. And actually, the CCPA requires this, because they require that you revisit your privacy notice annually and that you must have an up-to-date privacy notice on your website, or in other areas. For example, we might need a hard copy privacy notice to hand out in certain settings, like a trade show in Europe, for example.
So there, I think it is absolutely critical to continue to understand your data practices and reflect those data practices accurately in a privacy policy. And I'll just name one more. And that is the failure to understand your data flows. So you can't do any of this well unless you know what data you have and what the life cycle of that data is.
So what are you collecting? How are you using it? To whom are you disclosing it? How are you disposing of it? At the end of the day, all of that, sort of the cradle-to-grave management of data, is absolutely critical. And without knowing what data you have and what the lifecycle of that data is, you really can't provide the appropriate privacy protections.
[Speaker 1 - Elissa Doroff]
Right. Thanks so much. So one last question before we close out for today. You know, this is a really long answer and gets a little more interesting, biometric information, but really quickly: do you feel it's safe to use a fingerprint time clock for our employees?
[Speaker 2 - Lisa Sotto]
I wouldn't do it in Illinois without complying with BIPA. So, as I mentioned earlier, Illinois has the only biometrics law that contains a private right of action. And there's been a lot of activity, many, many lawsuits, including lawsuits around employee time clocks using fingerprints. I just hate passwords.
I think passwords needed to go years ago. I think they're really dangerous. And we are not using, for the most part, 16-digit passwords. I just read the statistic yesterday; I'll repeat it to you. It takes an hour to crack an eight-character password, and it takes 7,000 hours to crack a 16-digit password.
So what do we mostly use? Eight-digit passwords or less, you know, fewer than 50 characters. So passwords really need to be replaced. Do we replace passwords with biometrics? Yes. It's a good way to authenticate people, but your biometrics are singular. They're unique. And you cannot replace them.
So it's a little bit, you know, nerve-wracking, while security is very much an issue, to think about providing your retinal scans or facial templates or your fingerprints in order to authenticate you, when you know that those biometrics are immutable and you would never be able to replace them if they were compromised.
So the short answer is, we have a ways to go before we really have a very good, strong method of authenticating people. But I would absolutely push everyone to implement multi-factor authentication, so you're not relying just on one credential. You're relying on multiple factors, like getting a code via your phone and entering the code.
So I'll stop there.
[Speaker 1 - Elissa Doroff]
Great. So thanks so much, Lisa. So I just want to remind everybody on the call that for those companies that do purchase cyber liability insurance, a lot of these preparedness and proactive risk mitigation services that Lisa was talking about, such as social engineering and phishing campaigns, privacy awareness training, tabletop exercises and more, are available for free if you purchase insurance through the cyber insurance carrier.
Independent of insurance, I'd encourage anybody on the call to contact me or your NFP broker to learn how we can partner up with the right law firms, such as Lisa's, and/or a cybersecurity firm to provide the right risk mitigation tools and transfer solutions, and work with you to make sure that those needs are met. So with that being said, I'd like to thank everybody for their time today.
And, by all means, feel free to reach out to us after this if you have any questions. So thanks again and have a great rest of your day.
Some people say “data is as good as gold” or “data is the new oil.”
Regardless of how you phrase it, the fact is data is an immensely valuable asset for any business and should be protected. As companies collect more valuable data, securing sensitive and private information from threats is paramount to business success.
Why Cybersecurity Is Important
An effective cybersecurity strategy is essential for protecting sensitive data, systems and networks, and should include cyber insurance. Emphasis on security can’t be overstated. At this stage, cyber insurance is a necessity, because today’s cyber threats are more sophisticated than ever before. As the adage goes: it’s not “if,” but “when.”
Cybersecurity, Privacy and Incidents
Cybersecurity and privacy address different aspects of data protection. What are the differences, and what is an incident?
- Cybersecurity: Protects systems and data through technical safeguards, ensuring confidentiality, integrity and availability.
- Privacy: Governs the appropriate use of personal information according to cultural norms, user expectations and legal requirements.
- Incident: Any event that threatens the security, integrity or availability of data or systems.
Who’s at Risk of Experiencing an Incident?
Cybersecurity used to be a priority mainly for larger companies, but that notion changed a long time ago. While the type and level of risk varies across businesses, small companies are at risk too, and should look into cyber insurance for small business given their likely limited resources for cyber threat response. Cyber liability insurance can offer financial and legal protection prior to and following a breach.
Businesses need to have a thought-out, legally compliant and practiced incident response plan ready in the event of a breach. The most common cybersecurity threats can lead to significant legal and financial consequences, including:
- Regulatory enforcement: Fines and penalties from authorities.
- Civil litigation: Lawsuits from affected customers or business partners.
- Reputational damage: Loss of customer trust and business opportunities.
Cyberthreats and Social Engineering
There are several cyber threats businesses need to look out for. Each company should understand what type of threats exist and assess their organization’s vulnerabilities.
Attackers often utilize what’s known as “social engineering” to exploit human trust and gain access to sensitive information or other assets. Through carefully crafted messages designed to manipulate recipients, bad actors can take advantage of vulnerabilities for financial, informational or political gain. Bad actors often seek access to personal information, trade secrets, R&D and other confidential business information, as well as critical infrastructures like cloud environments.
Five Most Common Cybersecurity Threats
Phishing: Deceptive emails or messages designed to steal credentials or spread malware.
Malware: Malicious software designed to infiltrate, damage or steal data from computers, networks or devices.
Ransomware: Malicious software that encrypts data and demands payment for its release.
Deepfake: AI-generated videos or audio that impersonate individuals to manipulate or deceive targets.
Doxing: Exposing someone's private information online without consent.
Many of these threats (and the info brokering that enables them) are coordinated on the dark web — a hidden part of the internet accessible only through special software, often used for anonymous communication and illegal activities.
What to Look Out For
Common indicators of cybersecurity threats include:
- Suspicious login attempts or access from unusual locations.
- Unexpected email attachments or links.
- Slow system performance or unauthorized software installations.
- Suspicious or incorrect email addresses.
- Incorrect branding, logos and information in email or text messages.
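The first indicator on that list, suspicious login attempts and access from unusual locations, is the one an organization can actually surface from its own authentication logs. The following is an added example, not code from NFP or from the webinar, that scans a few constructed log lines and raises an alert when a user's successful login comes from a country never seen for that user before, or when a success follows a burst of failures for the same account. The log format, field names and thresholds (three failures inside ten minutes) are assumptions chosen for the example; a real deployment would read them from the identity provider's export.

```python
"""Flag unusual logins from a constructed authentication log.

Added example (not the page's or NFP's code). The line format, the field
names and the thresholds are assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, newest last. Not from any real system.
SAMPLE_LOG = """\
2024-03-04T09:01:10Z SUCCESS user=alice ip=203.0.113.5 country=US
2024-03-04T09:15:42Z SUCCESS user=alice ip=203.0.113.5 country=US
2024-03-04T11:40:00Z SUCCESS user=alice ip=198.51.100.9 country=BR
2024-03-04T14:00:00Z SUCCESS user=carol ip=203.0.113.77 country=DE
2024-03-04T22:07:03Z FAIL user=bob ip=192.0.2.44 country=US
2024-03-04T22:07:09Z FAIL user=bob ip=192.0.2.44 country=US
2024-03-04T22:07:15Z FAIL user=bob ip=192.0.2.44 country=US
2024-03-04T22:08:01Z SUCCESS user=bob ip=192.0.2.44 country=US
"""

# Assumed line layout: "<ISO timestamp> <SUCCESS|FAIL> user=<name> ip=<addr> country=<CC>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAIL) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) country=(?P<cc>[A-Z]{2})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, fail_threshold=3, window=timedelta(minutes=10)):
    """Return a list of alerts, each a dict with kind/user/ip/country/ts.

    new_country:            a success from a country not previously seen for that user
                            (only once the user has at least one earlier success).
    success_after_failures: a success preceded by >= fail_threshold failures for the
                            same user inside `window`.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # tolerate out-of-order export

    alerts = []
    known_countries = defaultdict(set)   # user -> countries seen on successful logins
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures

    for ev in events:
        user = ev["user"]
        if ev["result"] == "FAIL":
            recent_failures[user].append(ev["ts"])
            # drop failures that have aged out of the window
            recent_failures[user] = [t for t in recent_failures[user] if ev["ts"] - t <= window]
            continue

        # successful login: compare against the user's own baseline
        if known_countries[user] and ev["cc"] not in known_countries[user]:
            alerts.append({"kind": "new_country", "user": user, "ip": ev["ip"],
                           "country": ev["cc"], "ts": ev["ts"]})
        known_countries[user].add(ev["cc"])

        fails_in_window = [t for t in recent_failures[user] if ev["ts"] - t <= window]
        if len(fails_in_window) >= fail_threshold:
            alerts.append({"kind": "success_after_failures", "user": user, "ip": ev["ip"],
                           "country": ev["cc"], "ts": ev["ts"]})
        recent_failures[user].clear()

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['kind']:<24} user={a['user']} ip={a['ip']} country={a['country']}")
```

Run as written, the sample produces two alerts: alice's login from BR (her baseline is US only) and bob's success at 22:08 after three failures in the preceding minute. carol's first login from DE raises nothing, because a user with no history has no baseline to deviate from; that is the design choice to make deliberately, since a first-ever login is where a per-user baseline is weakest and a second signal (device, MFA result) should be consulted.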
Staying Compliant: The Privacy Protection Landscape
Adhering to cybersecurity and privacy regulations with regular audits, cybersecurity assessments, employee training and incident response planning helps ensure ongoing compliance and minimizes legal risks.
In the United States, privacy laws follow a sector-specific approach, with key regulations including:
- Healthcare: HIPAA and HITECH Act
- Financial Services: Gramm-Leach-Bliley Act
- Consumer Protection: FTC Act and CAN-SPAM Act
- EU Data Protection regulation: GDPR
To strengthen cybersecurity, organizations should implement the following practices:
- Identify sensitive data: Classify and protect critical information.
- Update systems regularly: Patch software and firmware to close vulnerabilities.
- Implement incident response plans: Prepare for potential breaches.
- Conduct employee training: Educate staff about phishing and other threats.
- Manage third-party risks: Ensure vendors follow cybersecurity best practices.
- Conduct a cyber insurance risk assessment: Compare different coverage options.
How We Can Help
NFP helps businesses stay secure by providing comprehensive cybersecurity risk management and tailored insurance solutions. We act as your cyber insurance guide to help you understand the benefits of cyber insurance. Additionally, we support businesses with incident response planning and employee training to reduce exposure to cyber threats.
Stay proactive, prepared and protect your information, because your data is truly as good as gold.