Cyber (Data Privacy)
-
Data privacy is a sub-function of data security that governs the proper handling of data so as to protect the privacy of the individual or entity to whom the data belongs, including after a third party has been granted authorized access to that data. Data security controls (such as encryption, identity management software platforms – IMSPs, key management, multi-device management, multi-factor authentication and passwords) protect the data itself and decide who may reach it; data privacy governs what those authorized parties may then do with it.
-
Drafted and negotiated privacy-compliant agreements for all components of the enterprise privacy infrastructure, affiliates, audit services, cloud computing as a service (CCaaS), cross-border technology development, data sharing, data transfer, general data protection, hardware as a service (HaaS), indemnification, intellectual property rights protection, licensing, limitation of liability, security services, service level agreements (SLAs), software-as-a-service (SaaS), outsourcing, technology services, vendor contracts that require vendors to maintain data-privacy procedures, websites (disclaimers, end user license agreements – EULAs – privacy policies, terms of service, terms of use).
-
Drafted and implemented bring your own device (BYOD) corporate policies, and managed software and hardware vendors to segregate access of such BYOD users to personal and sensitive enterprise data.
-
Typical crisis management activities, such as: liaison with government investigators and regulators; management of forensic SMEs and related services providers; preparing legal responses to global multijurisdictional privacy breaches; public relations with shareholder representatives.
-
Typical data governance activities, such as: conducting internal cybersecurity governance and due diligence legal assessments; design and implementation of a data governance architecture that ranks and stores information by personally-identifiable characteristics and types; design and implementation of data governance systems (such as the ethical stewardship of data); risk mitigation assessments for artificial intelligence (AI) use in applications and smart devices; training for management and personnel on cybersecurity issues.
-
Typical data privacy activities, such as: compliance reporting obligations; court actions seeking removal of search results from Google through injunctions; data collection; data exfiltration (a form of data theft that occurs when malware or a malicious person carries out an unauthorized data transfer from a device, also commonly called data extrusion or data exportation); data storage; data theft; data use; identity theft; governmental investigations; litigation; network intrusions; ransomware attacks; state breach notification requirements; unauthorized system access.
-
Typical data privacy areas of concern, such as: advertising; artificial intelligence (AI); augmented reality (AR); behavioral engineering; blockchain; copyright infringement and rights; crowdfunding privacy; cyber-attacks and piracy; cybercrime and espionage; cybersecurity; data scraping; domain name squatting and hijacking; ecommerce privacy; e-discovery; employee hacking; fraud; internet of things (IoT); mobile applications; online defamation and harassment; patents; smart contracts; strategic network disruptions; tracking (cookies); trade libel; trade secrets; trademarks; virtual reality (VR).
-
Typical incident preparedness and response activities, such as: contracts with mitigation providers, such as credit monitoring, data recovery, forensics, public relations and reputation management SMEs; contracts with prevention providers, such as cyber auditors, encryption services, penetration ("pen") testers, and "white hat" hackers; design and implementation of incident response plans, handbooks, play books.
-
Typical litigation activities, such as: conducting internal audits and investigations; management of all domestic and international litigation.
-
Typical tabletop testing (focused meetings to discuss a simulated emergency situation, discussing concrete plans to manage the operational details of the simulated emergency and aftermath) activities, such as: conducting on-site simulated emergency scenarios, working directly with those stakeholders who might be affected, to assess decision structures; developing custom scenarios based on the perceived vulnerabilities of the enterprise infrastructure; debriefing sessions with the stakeholders and management to discuss the perceived efficacy of the simulated emergency situation; partnering with forensic SMEs to provide a high level of realism for the simulated emergency situation.
-
Implemented enterprise-wide data protection and privacy corporate policies, directives, documentation, playbooks, protocols and procedures related to privacy.
-
Legal support for completing the privacy threshold analysis (PTA) form (which must include: a detailed enumeration and description of the IT system and the type, origin and collection method used to capture personally-identifiable information – PII; a statement indicating whether such IT system and data collection method is intended to be a privacy sensitive system, as defined under Department of Homeland Security – DHS – guidelines; and, a disclosure statement, indicating whether additional privacy documentation, such as a privacy impact assessment – PIA – to assess whether the PII was being properly isolated and maintained, or a systems of records notice – SORN – may be required), used when certifying various information technology (IT) systems that are undergoing the certification and accreditation (C&A) process pursuant to the Federal Information Security Management Act (FISMA), to determine if such IT systems properly isolate and maintain PII.
-
Legal support for developing a privacy information map (PIM) to identify PII and controlled unclassified information (CUI) – information processed within the Federal government that requires compartmentalizing or dissemination controls pursuant to government policies, laws or regulations, but which is not classified under Executive Order 13526 or the Atomic Energy Act – that may have been processed or stored in enterprise IT applications and databases to ensure that such identified CUI and PII are classified properly, reclassifying or redacting all non-CUI and non-PII, to reduce such CUI and PII to the minimum required for the proper performance of a documented agency function.
-
Implemented an enterprise-wide corporate policy to search for any privacy-related information in all applications, to verify that the existing data flow diagrams were current, and if not, to make the necessary corrections.
-
Participated in cross-functional privacy committee meetings.
-
Implemented enterprise-wide corporate policies and procedures to manage, mitigate and remediate CUI and PII breaches.
-
Managed the legal aspects of privacy baseline requirements (PBRs), for compliance with the European Union (EU) General Data Protection Regulation (GDPR) guidelines, including program-level and project-level privacy controls.
-
Reviewed and updated all enterprise-wide privacy documentation regularly, pursuant to the ever-changing domestic, international and global privacy legal landscape.
-
Legal support for front-line and non-front-line licensing of foreign security operatives pursuant to the Security Industry Authority (SIA) under the United Kingdom (UK) Private Security Industry Act 2001.
-
Compliance with the privacy requirements of the Bank Secrecy Act (BSA) (as amended by the USA PATRIOT Act), Brazil Law 13.709 Lei Geral de Proteção de Dados Pessoais (LGPD), California Confidentiality of Medical Information Act (CMIA), California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA), Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Children’s Online Privacy Protection Act (COPPA), China Cybersecurity Law (CSL), Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Communications Decency Act (CDA), Computer Fraud and Abuse Act (CFAA), Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), Digital Advertising Alliance (DAA), Digital Millennium Copyright Act (DMCA), Do-Not-Call Implementation Act (D-N-C), Electronic Communications Privacy Act (ECPA), Electronic Fund Transfer Act (EFTA), Electronic Signatures in Global and National Commerce Act (e-SIGN Act), Equal Credit Opportunity Act (ECOA), European Union (EU) Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), EU General Data Protection Regulation (GDPR), EU Market Abuse Regulations, EU Payment Services Directive Two (PSD2), Fair and Accurate Credit Transactions Act (FACTA), Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA), Financial Industry Regulatory Authority (FINRA) Rule 3230, Customer Information Protection (CIP) rules, Gramm-Leach-Bliley Act (GLBA) Financial Privacy Rule (FPR), Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability and Accountability Act (HIPAA), Illinois Biometric Information Privacy Act (BIPA), International Organization for Standardization (ISO) 27000, Maine Privacy Act, Massachusetts Data Protection Act (MDPA), National Institute of Standards and Technology (NIST) 800-53 and 800-171, Network Advertising Initiative (NAI), New York State SHIELD Act, Payment Card Industry Data Security Standard (PCI DSS), Pen Registers and Trap and Trace Devices Statute (Pen-Trap Statute), Right to Financial Privacy Act (RFPA), Sarbanes-Oxley Act (SOx), Securities and Exchange Commission (SEC) Privacy of Consumer Financial Information (Regulation S-P), SEC’s Office of Compliance Inspections and Examinations (OCIE), Statement on Auditing Standards (SAS) 70, Stored Communications Act (SCA), Student Online Personal Information Protection Act (SOPIPA), Swiss Federal Data Protection Act (DPA), Systems and Organizational Controls (SOC) 1-3 reports, Telephone Consumer Protection Act (TCPA), Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), United Kingdom (UK) Financial Conduct Authority (FCA), UK Financial Services Authority (FSA), UK Takeover Code, Vermont Data Broker Law (DBL), Video Privacy Protection Act (VPPA), Wiretap Act (WA).
-
The stringent requirements of the privacy-related laws noted above, for keeping personal and sensitive data private and secure, have made data mapping a necessity (the practice of inventorying what personal and sensitive data the enterprise holds, classifying each data element as personal, sensitive, or neither, and recording where it is stored, how it flows between systems and who has access to it, so that every such data element can be located and retrieved anywhere within the enterprise infrastructure at any moment upon demand).
-
In particular, under the CCPA, any individual or consumer dealing with any entity that either has annual gross revenue greater than $25M, or buys or sells the personal information of more than 50,000 consumers or households, or earns more than half its annual revenue from selling consumer information, and that handles any personal data relating to individuals or consumers which passes through any personal computer, phone application, server, smart device or other device collecting or logging such personal data within the state of California, has the right to: know what personal data is being collected about them; have access to such data upon request; know whether such data is being sold to anyone; know exactly to whom such data is being sold; opt out of having such data sold to anyone; and, request that any or all of such data be deleted.
-
Legal support for budget initiatives regarding planning for privacy mitigation actions.
-
Risk analysis for planning required programming and infrastructure support.
-
Collaboration with hardware and software subject matter experts (SMEs) to map safe paths for importing and exporting PII and sensitive data from and to other domestic and international jurisdictions.
-
Developed and implemented corporate policies in the United States (US) and Binding Corporate Rules in the European Economic Area (EEA), EU and related jurisdictions.
-
Drafted corporate policies and controls to mitigate data privacy issues (such as the handling of tracking cookies) resulting from outsourced and shared services and various information technology (IT) platforms.
-
Developed and implemented ethical violations reporting hotlines and staff monitoring tools for email, internet and telecommunications, throughout the enterprise.
-
Conducted data privacy audits for all PII and sensitive data in connection with joint ventures, mergers, acquisitions and dispositions (collectively, M&A) and other major transactions.
-
Consultation regarding the contrasts between the Freedom of Information Act (FOIA) and domestic and international privacy laws.
-
Developed and implemented Electronic Discovery Reference Model (EDRM)-compliant privacy corporate policies, protocols and procedures for discovery, e-discovery and electronic document retention throughout the enterprise.
-
Management of complaints, injunctions, subpoenas and requests from domestic and international governmental agencies, courts, individuals, investigators, partners, regulatory bodies and stakeholders.
-
Collaboration with software and hardware SMEs to address all practical PII and sensitive data issues within the enterprise infrastructure, such as any cloud-computing issues, cookies, online behavioral trackers and web-based processing of data.
-
Legal support for the management of data privacy and security breach reporting.
-
Filing of any required legal notices with the relevant governmental authorities.
-
Authored data privacy handbooks and playbooks, and conducted privacy training for management and personnel.
-
Experience with the Vermont Data Broker Law (DBL), which regulates businesses categorized and identified under the DBL as "data brokers" (such as Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future): entities engaged in the business of knowingly collecting and selling to other companies the PII of consumers with whom the data broker has no direct relationship (such as the consumer's address, biometric data – such as fingerprints or retina scans – date of birth, mother's maiden name, name, personal information about family members, place of birth, Social Security Number, and any other type of information that, if shared, would identify the subject with relative ease), except where such data broker is only selling proprietary information it has gleaned through its own fully-disclosed activities directly with those consumers.
-
Experience with dark data (PII consumer information that businesses collect without having any current use for such data, but store in the hope of being able to monetize it in a transaction with some third party – such as a data broker – for some purpose at some future time), which is dangerous to the consumer because the businesses that collect such dark data generally do not employ data mapping technologies to classify such dark data as PII or not, generally do not inform the consumer that such dark data is being collected, and generally do not take robust steps to protect and secure such dark data.
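A minimal data-mapping scan of the kind the data mapping paragraph above calls for, and whose absence is exactly what makes dark data dangerous, as an added example that is not the page's own tooling: it runs PII detectors (e-mail address, US SSN, US phone number, Luhn-valid payment card) over every field of every record in several stores, builds a map of which store and field holds which kind of PII, and can locate every record holding a given identifier, which is the lookup behind a DSAR or a deletion request. The store names, records and identifiers are constructed for illustration.

```python
"""PII discovery scan producing a data map (store -> field -> PII types).

Added example; not the page's own tooling. Stores, records and identifiers
below are constructed for illustration.
"""
import re
from collections import defaultdict

# Detectors for a few common PII types. The SSN pattern excludes invalid
# area/group/serial ranges; card candidates are confirmed with Luhn.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of PII types detected in one text value."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card":
                digits = re.sub(r"\D", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # numeric but not a card (order refs, timestamps)
            found.add(kind)
    return found


# Constructed sample stores: a structured HR table, free-text support
# tickets, and an application log. Each record carries an "id" key.
STORES = {
    "hr_db.employees": [
        {"id": "1", "name": "A. Example", "email": "a.example@corp.example", "ssn": "123-45-6789"},
        {"id": "2", "name": "B. Example", "email": "b.example@corp.example", "ssn": "456-78-9012"},
    ],
    "helpdesk.tickets": [
        {"id": "T-1", "body": "Customer a.example@corp.example says card 4111 1111 1111 1111 was declined"},
        {"id": "T-2", "body": "Caller at 555-123-4567 asked for a printer reset"},
    ],
    "app.log": [
        {"id": "L-1", "line": "2024-01-01T00:00:00Z login ok user=b.example@corp.example ip=10.0.0.5"},
        {"id": "L-2", "line": "2024-01-01T00:00:01Z order 42 total=19.99 order_ref=1234567890123"},
    ],
}


def build_data_map(stores: dict) -> dict:
    """Return {store: {field: {pii_type: record_count}}}; fields with no PII are omitted."""
    data_map = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                for kind in classify(str(value)):
                    data_map[store][field][kind] += 1
    return {s: {f: dict(kinds) for f, kinds in fields.items()} for s, fields in data_map.items()}


def locate_subject(stores: dict, identifier: str) -> list:
    """Every (store, record id, field) holding `identifier`: the lookup behind a DSAR or deletion request."""
    hits = []
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                if identifier in str(value):
                    hits.append((store, record["id"], field))
    return hits


if __name__ == "__main__":
    for store, fields in build_data_map(STORES).items():
        print(store, fields)
    print(locate_subject(STORES, "a.example@corp.example"))
```

The map it produces is the point: the HR table's PII lives in named columns and is easy to govern, but the same e-mail address and a full card number also turn up in a free-text ticket body and an application log, stores nobody labelled as holding PII. Those are the locations a deletion request would miss and a breach notification would have to disclose. In a real scan the detectors would be tuned per jurisdiction (national ID formats, IBANs) and the output fed into the data flow diagrams the page describes keeping current.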
-
Familiarity with privacy issues related to cyberbullying, cyberstalking, dogpiling (a coordinated pile-on in which many accounts harass a single target at once), online pornography harassment of individuals (such as "revenge porn" and "sextortion") and online harassment of pornography actors, and what steps may be taken to remedy or mitigate the situation.
-
Procurement and management of cyber liability and related insurance lines.
-
Familiarity with the seven foundational principles of privacy by design (building privacy protections into the design of systems, devices and business practices from the outset rather than adding them after the fact, with the privacy-protective setting as the default rather than a control the user must find and activate), a concept Ann Cavoukian, Ph.D. developed in the 1990s and later codified as seven principles, which should be adopted voluntarily by all device manufacturers: proactive not reactive (preventative not remedial); privacy as the default setting; privacy embedded into design; full functionality (positive-sum, not zero-sum); end-to-end security (full lifecycle protection); visibility and transparency; and, respect for user privacy (keep it user-centric).
-
Performed jurisdictional research on all the domestic jurisdictions and 121 international jurisdictions, to create a matrix comparing privacy laws.
-
Data subject access requests (DSARs) (requests by individuals to an organization, wherever it is located, for a copy of the personal information it holds about them, together with the purposes of the processing and the recipients with whom it has been shared) pursuant to international privacy laws, such as the Canadian PIPEDA and the EU GDPR.
-
Identity management software platforms (IMSPs) (also known as identity and access management – IAM – applications) maintain a single record of each user's identity, credentials and entitlements, and use it to authenticate the user and authorize their access to the various other platforms within the enterprise.
-
At a minimum, IMSPs should provide: access control (authorizing or restricting which individuals may access which information throughout the enterprise); directory and user repository management (RM) applications to track which users may access which areas of the enterprise software system; identity federation (delegating the authentication responsibility for logins to a trusted external party, where each federation partner acts as either an identity provider – IdP – or a service provider – SP); multi-factor authentication (MFA) (the use of two or more independent factors: something the user knows, such as a strong password; something the user has, such as a cell phone that receives a short-lived randomly-generated pass code by text message, an authenticator app, or a hardware security key; and something the user is, such as a fingerprint or retina scan; note that text-message codes are the weakest of these, since they can be phished or captured through SIM-swap fraud, whereas hardware keys using FIDO2/WebAuthn resist phishing); password management options and self-help options for resetting passwords; security analytics (SA) for auditing and compliance management; and, single sign-on (SSO) capability (the ability to log in to the entire enterprise information system only once, subject to any restrictions placed on the individual by the system administrators, without any further need to log in to each application or database individually).
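The federation and MFA pieces listed above, as an added example that is not code from the original page or from any of the platforms it names: a toy identity provider (IdP) that checks a password and a TOTP second factor (RFC 6238, the algorithm authenticator apps use), then issues a short-lived signed assertion bound to one service provider, and a service provider (SP) that accepts the assertion only if the signature, issuer, audience and expiry all check out. The user, password, signing key, issuer and audience URLs are constructed; the TOTP secret is the RFC 6238 test-vector secret. A real IdP would sign with a private key (SAML or OIDC) rather than the shared HMAC key used here, so that no SP holds a key that could mint assertions.

```python
"""Toy IdP/SP federation exchange with a password + TOTP second factor.

Added example; not code from the original page or from any platform it
lists. Users, password, signing key, issuer and audience URLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import struct

# --- Second factor: HOTP (RFC 4226) / TOTP (RFC 6238), HMAC-SHA1, 30 s steps ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def match_totp_counter(secret: bytes, code: str, at: int, window: int = 1, step: int = 30):
    """Time-step counter whose code matches, or None. window=1 tolerates one step of clock skew."""
    base = at // step
    for counter in range(max(base - window, 0), base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


# --- Identity provider (IdP) ---

IDP_ISSUER = "https://idp.example"          # constructed
IDP_SIGNING_KEY = b"constructed-demo-key"   # shared HMAC key for the demo; real IdPs sign with a private key
ASSERTION_TTL = 300                         # seconds an assertion stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
        "last_otp_counter": -1,                 # replay guard: a time step is accepted once
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    return _b64url(hmac.new(IDP_SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest())


def idp_authenticate(username: str, password: str, otp: str, audience: str, now: int):
    """Check password and TOTP; on success return a signed assertion bound to `audience`, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"])):
        return None
    counter = match_totp_counter(user["totp_secret"], otp, now)
    if counter is None or counter <= user["last_otp_counter"]:
        return None                               # wrong code, or replay of an already-used code
    user["last_otp_counter"] = counter
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + ASSERTION_TTL, "amr": ["pwd", "otp"]}
    payload_b64 = _b64url(json.dumps(claims, sort_keys=True).encode())
    return payload_b64 + "." + _sign(payload_b64)


# --- Service provider (SP) ---

def sp_verify_assertion(token: str, expected_audience: str, now: int):
    """Return the claims only if signature, issuer, audience and expiry all check out; else None."""
    try:
        payload_b64, signature = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload_b64), signature):
        return None                               # forged or tampered
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None                               # assertion meant for another SP
    if now >= claims.get("exp", 0):
        return None                               # expired
    return claims


if __name__ == "__main__":
    t = 59
    code = totp(USERS["alice"]["totp_secret"], t)             # "287082" per RFC 6238
    token = idp_authenticate("alice", "correct horse battery staple", code, "https://sp.example", t)
    print(sp_verify_assertion(token, "https://sp.example", t + 1))
```

Three checks in this exchange are the ones that go missing in real deployments: the SP compares the audience claim against its own identifier (an assertion issued for one application must not log the user into another), it refuses expired assertions rather than trusting them indefinitely, and the IdP records the last accepted TOTP step so that a code captured in transit cannot be replayed within the validity window.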
-
Research, testing, use, recommendation, specification and procurement of various identity management software platforms (IMSPs), such as 1Password, ADAudit Plus, Amazon Cognito, Auth0, Avatier Identity Anywhere, Azure Active Directory, BeyondTrust Endpoint Privilege Management, Bitium, Broadcom Layer7 Identity Management, Centrify Identity Service, CyberArk Privileged Account, EmpowerID Security, IBM Cloud App ID, IBM Security Verify Access, Idaptive Next-Gen Access, Identity Automation, IdentityIQ, Imprivata OneSign, Intermedia AppID Enterprise, JumpCloud Directory-as-a-Service, Kaseya AuthAnvil, Keeper for Business, LastPass for Business, ManageEngine ADManager Plus, Micro Focus, miniOrange, My1Login, NetIQ IDM, Omada Identity Suite (OIS), One Identity, OneLogin, OnSemble, Optimal IdM, Oracle Identity Governance, Oracle Identity Management, Ping Identity Platform, PortalGuard, Radiant Logic, RingCaptcha, RingLead, Rippling, RSA SecurID Suite, SailPoint Identity as a Service (IDaaS), Salesforce, SAP Customer Data Cloud, Saviynt, SolarWinds Access Rights Manager (ARM), SecureAuth, SecZetta, Simeio, Symantec VIP, TeamsID, The Okta Identity Cloud, Tools4ever, Ubisecure, Varonis Data Security Platform, VMware Workspace One, WatchGuard AuthPoint, WSO2 Identity Server, Zoho Vault.
Last updated 201119_2348