To celebrate Privacy Day (Jan. 28), here are updates on selected recent developments in cybersecurity and data privacy, as well as some tips on the use of personal information.
1. Internet of Things - Security by Design
Devices connected to the internet (“IoT devices”) often have access to critical and highly personal information about their users. Security vulnerabilities or deficiencies can cause the unauthorized disclosure or modification of highly sensitive information collected by an IoT device. Recent events have also demonstrated that IoT devices can be turned into a conduit for harmful attacks on other equipment connected to the internet. These deficiencies are receiving attention from consumer protection agencies and class action litigators.
Recent litigation and enforcement actions indicate that IoT device manufacturers are expected to adopt security measures to help protect the data collected and processed by these devices. IoT manufacturers are expected to build security into each device at its creation and use ongoing measures to ensure security throughout the life of the product and service. As part of the security by design process, manufacturers are expected to conduct privacy and security risk assessments, as well as to minimize the amount of data they collect and retain. Manufacturers should also consider testing products’ security measures before launching them, monitoring their products throughout their life cycle, and, to the extent feasible, patching known vulnerabilities.
2. Ransomware
Ransomware is a key threat for enterprises and takes advantage of weak IT safeguards. Taking the following actions may help to prevent and mitigate loss from ransomware:
maintaining the most updated operating system version to help ensure security;
updating firewalls, and antivirus and malware software;
training employees to raise awareness about strong passwords, social engineering, and social media use;
frequently backing up your data off-network or to the cloud;
adding a response plan for ransomware to your company’s written security incident response plan; and
purchasing or updating existing cybersecurity liability insurance that includes coverage for ransomware.
3. EU General Data Protection Regulation
It is well known that the EU General Data Protection Regulation (GDPR) will apply to the processing of personal data for entities established in the EU/EEA, effective May 25, 2018.
It is less known that it also applies to the processing of personal data of EU/EEA residents by an entity that is not established in the EU/EEA, including if the processing relates to the offering of goods or services to these individuals or the monitoring of an individual’s behavior.
The GDPR creates significant obligations for non-EU/EEA entities. For example:
there are stringent rules for what can qualify as “consent” to the processing of personal data of EU/EEA data subjects;
companies must document their data protection and compliance activities in writing and keep detailed records that may be reviewed by the applicable supervisory authority;
companies must designate in writing a representative in the EU/EEA (with exceptions);
companies must promptly respond to a breach of security. They must notify the competent supervisory authority “without undue delay” and, if feasible, no later than 72 hours after the breach occurs;
if the breach is likely to result in a high risk to the rights and freedoms of individuals, the company must also inform the data subjects of the breach without undue delay, unless an exception applies;
there are significant administrative fines attached to violations of the GDPR, and each Member State may define other penalties applicable to infringements of the GDPR. Fines for violations of the basic GDPR principles can reach EUR 20 million or 4 percent of the total worldwide annual turnover of the company for the preceding financial year, whichever is higher.
4. United Kingdom - Brexit
Despite Brexit, UK businesses should continue with (or indeed commence) their General Data Protection Regulation (GDPR) compliance programs. The UK will implement the GDPR, and the GDPR will apply to UK companies that process EU personal data even after the UK has left the EU.
5. China - Cybersecurity Law
China recently adopted a new cybersecurity law. The law, to be effective on June 1, 2017, reiterates and strengthens the existing regime protecting personal information of individual users. Network operators must safeguard the secrecy of personal information collected. The collection and use of personal information must follow the principles of legitimacy, rightfulness, and necessity. Data collectors must disclose their data collection practices and obtain individuals’ consent. In case of a breach of security, network operators must report the breach to the relevant authority and must contact affected users.
Although these requirements and constraints apply to “network operators” only, other business operators who collect consumers’ personal information by other means should consider following the same principles and guidance.
6. Personal Privacy - Social Media
Beware of the potential pitfalls of social media. Explore and understand the privacy settings on your social media accounts to help ensure you are comfortable with how your information is shared.
Think carefully about what you post to your social media account, including who may see it and how it may be perceived now and in the future. Even if you deactivate your social media account, or delete old posts, pictures, and other content, your information still may be retained on social media backup servers, in copies of webpages cached (i.e., saved) by search engines, and by third parties.
7. Personal Electronic Privacy
In terms of maintaining your personal electronic privacy, there are certain measures you can take as well:
cover your laptop’s camera when not in use to prevent hackers from viewing what you are doing without your knowledge;
practice safe browsing;
take advantage of the full-disk encryption that may be already offered on your computer;
use a privacy screen to help prevent others from potentially seeing confidential and/or protected information as they sit next to you on public transportation, or in airports and other public places.