Frost Brown Todd Podcast

Episode 57 - Protecting Data Privacy Within Databases

We all value privacy – at least to some extent. But some of us want to be famous, and all of us want to connect with friends and acquaintances. We like the convenience of technology that requires our personal information to operate. So we share our personal details in many ways, and our data flows like water down a stream into lakes and oceans, some of which we’d prefer to avoid. Our information becomes a piece of society’s knowledge base. Databases like the U.S. Census have essential purposes, but they’re only reliable and complete if we are comfortable sharing our data. How to respect individual privacy and achieve reliable databases? That’s a challenge! In this podcast episode Alex Watson, co-founder and CEO of Gretel.ai, explains two essential phrases for understanding how this can be done. Alex founded a security startup called Harvest.ai, which was acquired by Amazon Web Services in 2016, when he became an AWS General Manager and AWS launched its first customer-facing security offering. Gretel.ai is an early-stage startup that offers tools to help developers safely share and collaborate on sensitive data in real time. Alex explains that privacy is a problem rooted in code, not in compliance. With auto-anonymization, the identity of an individual is separated from the underlying data, so that the information reaches the database that needs it without identifying the individual. The essential information is shared without letting anyone know which individual’s information it is. While nothing is hack-proof, auto-anonymization eliminates the link between an individual and data about that individual as it moves to another user. Personal privacy is preserved in the transmission and in further use. The other key phrase to understand is differentially private synthetic data. Data Privacy Detective Podcast 55 offers an introduction to the topic.
This phrase means that information within a database has been changed to eliminate the ability to trace back the data to a particular individual. The information is private and individual to a person, but as pieces of data are shared for a purpose, they are not traceable to a specific person. The database user only needs the provided information, not the identity of individuals who contributed each piece. There is great public benefit in encouraging people to share sensitive data – e.g., public health databases, sociological research, Census Bureau studies. But people will share their private data only if they are comfortable knowing it will not be misused. Database users should ensure that they do not acquire personal data that identifies individuals without the need to have that information. Auto-anonymization and differentially private synthetic data – two phrases one should know. Their proper usage can achieve privacy by design. This will be an important contribution to creating reliable databases humankind needs to advance public health and other social good. If you have ideas for more interviews or stories, please email [email protected].

Dec 4, 2020 · 17 min

Episode 56 - Ransomware and Privacy

Ransomware is a sinister type of cyberattack that installs malware onto a computer system. Once inside a network, the malware encrypts documents, freezing the IT systems of entities and individuals until they pay a ransom to regain access to their data. Recent average cost paid to a ransomware syndicate? $333,000, according to Greg Edwards, founder and CEO of CryptoStopper, a leading anti-ransomware software provider (www.getcryptostopper.com). Ransomware surfaced in the late 1980s, when the AIDS Trojan was distributed on floppy disks. Victims were asked to pay a “license fee” of $189 to a post office box to restore access to their data. Ransomware became ever more sophisticated. Thanks to Bitcoin and other cryptocurrencies that emerged around 2012, thieves could hide their identity, and attacks mushroomed. Most start with a careless employee who gets phished and lets the villain into the enterprise’s system. Malware is unleashed to encrypt data, including back-up copies held within the enterprise. Ransomware attacks in 2020 show continuing growth in number and cost. Fileless ransomware appeared, far more likely to succeed than file-based attacks. Smart ransomware disguises itself as though it were Halloween, but it’s all trick and no treat. Major 2020 targets are healthcare systems, which cannot risk their patients’ health and are pressured to pay substantial ransoms to release a freeze of critical data. Cybercriminals now offer Ransomware-as-a-Service, sold as kits on the dark web that include everything needed to get into the business of kidnapping data. Greg Edwards’ company CryptoStopper uses detection technology that presents itself as bait, tricking the ransomware code into fixing on it and blocking the infection before it spreads; these watcher files defend against attacks. Most clients are B2B, but the company offers a free download to individuals.
When ransomware criminals focused only on encrypting data and decrypting it once they were paid, the privacy of data was relatively untouched. This has changed. Ransomware attackers now profit not only from ransom payments but also from exfiltration. They acquire and package data for sale on the dark web. Exfiltration releases company and personal data for use by criminals who purchase it for sinister purposes. Can law enforcement come to the rescue? Occasionally, but most attackers operate from areas beyond the reach of Interpol and extradition treaties. How can enterprises defend themselves and avoid having data breached and resold? Anti-ransomware products are available. Top tips from Greg Edwards for dealing with the risk of ransomware, beyond an add-on like his company’s offering:
1. Patch management – update all software and operating systems on all devices on a network.
2. Keep anti-virus software up to date.
3. Keep back-ups in off-site locations.
If you have ideas for more interviews or stories, please email [email protected].

Nov 3, 2020 · 16 min

Episode 55 - Differential Privacy and Academic Research

Science and knowledge advance through information gathered, organized, and analyzed. It is only through databases about people that social scientists, public health experts and academics can study matters important to us all. As never before, vast pools of personal data exist in data lakes controlled by Facebook, Google, Amazon, Acxiom, and other companies. Our personal data becomes information held by others. To what extent can we trust those who hold our personal information not to misuse it or share it in a way we don’t want it shared? And what will lead us to trust that our information will be shared for database purposes that could improve the lives of this and future generations, and not for undesirable and harmful purposes? Dr. Cody Buntain, Assistant Professor at the New Jersey Institute of Technology’s College of Computing and an affiliate of New York University’s Center for Social Media and Politics, discusses in this podcast how privacy and academic research intersect. Facebook, Google, and other holders of vast stores of personal information face daunting privacy challenges. They must guard against unintended consequences of sharing data. They will not generally share with, or sell to, academic researchers access to their databases. However, they will consider and approve collaborative agreements with researchers that give academics access to information for study purposes. This access can be designed to limit the ability to identify individuals through various techniques, including encryption, anonymization, pseudonymization, and “noise” (efforts to block users from identifying the individuals who contributed to a database). “Differential privacy” is an approach to the twin issues of assuring privacy protection and providing database access for legitimate purposes.
It is described by Wikipedia as “a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset.” The concept rests on the point that it is the group’s information that is being measured and analyzed, and any one individual’s particular circumstances are irrelevant to the study. By eliminating the need for access to each individual’s identity, a provider of data through differential privacy seeks to assure data contributors that their privacy is respected, while providing the researcher a statistically valid sample of a population. Differentially private databases and algorithms are designed to resist attacks aimed at tracing data back to individuals. While not foolproof, these efforts aim to reassure those who contribute their personal information to such sources that it will be used only for legitimate study purposes and not to identify them personally, which would risk exposing information the individuals prefer to keep private. “Data donation” is an alternative. It provides a way for individuals to give their own data to researchers for analysis. Some success has been achieved by paying persons to provide their data, or by allowing an entity gathering data for research to collect what it obtains by agreement with a group of persons. Both solutions have limits to the protection they provide, and each can result in selection bias: someone active in an illicit or unsavory activity will be reluctant to share information with any third party. We leave “data traces” through our daily activity and use of digital technology. Information about us becomes 0s and 1s that are beyond erasure. There can be false positives and false negatives. Algorithms can create mismatches, for example a mistaken report from Twitter and Reddit identifying someone as a Russian disinformation agent.
If you have ideas for more interviews or stories, please email [email protected].

Oct 26, 2020 · 23 min

Episode 54 - Contact Tracing Apps and Australia

COVID-19 has changed the world in dramatic ways. Contact tracing emerged as an approach to fight the pandemic’s spread and save lives. The idea is to notify people who have been in close contact with another person who tests positive for the virus. This should allow the contacted individuals to self-quarantine and take measures not to spread the virus before experiencing symptoms or otherwise learning that they are infected. Australia, a country of about 25 million, has an app called CovidSafe, developed and owned by the federal government. By October 1, 2020, it had been downloaded by about 27% of Australians. The government target is 40%. Sign-up is voluntary. To register, a person provides name, mobile number, postcode and age range. The app must be open on a user’s smartphone with Bluetooth enabled. It does not use GPS location technology. Persons in close proximity for at least 15 minutes are identified as app contacts and become eligible for future notices if one of them learns of a positive Covid test – and if that individual consents to notifying others. Results are mixed. In this podcast, Kelly Dickson, a principal lawyer of the Australian law firm Macpherson Kelley (www.mk.com.au), explains the CovidSafe app and discusses how data privacy and healthcare intertwine. How does CovidSafe work? The app recognizes other registered users’ devices and uploads data to cloud-based central storage controlled by the federal government. Notices go to persons who had close contact with someone who posts a positive test. The data is shared with others for 21 days from each contact on a rolling basis, though the Health Ministry may keep the data longer for public health purposes. Encryption and cybersecurity aim to protect the sensitive data and to convince Australians that their personal data is highly secure and shared only for the purpose of public health. Great idea – but how’s it working? Critics say it’s not working as it was conceived.
Limited participation and consent result in an undercount of those infected and so limit the impact of the effort. Having the smartphone app running constantly has resulted in reports of lost functionality and battery drain. When phones lock, the app does not function as intended. There have been inevitable bugs and fixes for the app, which was rushed into a prompt launch. States and territories have their own tracing methodologies (some in traditional hard-copy format), with varying work and other restrictions in force. While workplaces are required to have a CovidSafe plan in place, this requires significant human intervention and is prone to haphazard error. Different states report varying degrees of take-up, support and efficacy. Will sensitive healthcare information be misused? While a targeted federal statute covers the security of data collected and shared by the app, users control whether positive test information will be shared. If a person tests positive, that person may consent – or not – to sharing the data, and without consent the system will not accomplish its purpose of notifying others. There is a CovidSafe Data Store where information is held in the cloud, leaving the possibility of hackers accessing data both in flight to and from the cloud and within the Store. September 2020 polling showed a skeptical public, with 57% concerned about security and only 41% confident the government would protect the privacy of the data collected. This is despite strong support from the Prime Minister and a lack of overly divisive public sentiment akin to the USA’s mask/no-mask divide. Some critics are concerned that Amazon holds the data or that it is otherwise retained or accessed outside Australia. If you have ideas for more interviews or stories, please email [email protected].

Sep 30, 2020 · 24 min

Episode 53 - Brazil’s New Personal Data Privacy Law

Brazil’s General Personal Data Protection Law, or “LGPD,” entered into force on September 18, 2020. In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, www.mattosfilho.com.br, explains the basic approach to personal data privacy of South America’s largest country. Highlights:
• Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD.
• Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person.
• Data mapping and risk assessment are the immediate steps a business should take if it collects or processes personal data of Brazilians.
• Companies must assess whether consent or legitimate interest is the basis for holding particular personal data and decide on a compliant approach thereafter. Brazil’s Code is broader than GDPR in providing various bases to hold and process personal data. Businesses will look to express consent as a last resort rather than the first in complying with the law.
• A privacy-compliant notice should be posted.
• A prevention and emergency plan should be in place for handling breaches.
• If a business is compliant with GDPR (or thinks it is), this does not guarantee Brazilian compliance, as there are differences from GDPR. There is probably more flexibility in Brazil for businesses than exists under GDPR, but until an Authority is in place, there is no regulator with whom to discuss ambiguities or from whom to obtain advance guidance.
• Cross-border transfers take the European approach, with no data localization of the kind required by China, Russia, or India. The data protection authority to be appointed will need to issue standard contractual clauses or otherwise specify what is required. Brazil and the USA are already negotiating about data transfers, with no clear guidance from the Code about what is required of another country’s level of protection by law.
• Data Protection Officers (DPOs) must be appointed for controllers but not processors, with no threshold or de minimis test for this (unlike GDPR). No specific liability is specified for DPOs, except for willful misconduct common to any relationship. DPOs can be internal or outsourced. While there is no requirement that the DPO reside in Brazil, Portuguese language skill is practically essential for a DPO.
• Regulations will follow in time. Individuals will need to be appointed to the Authority and approved by the legislature, with the aim of having an enforcement agency ready to act by August 2021.
Because of Brazil’s prominent position as the giant of South America, one could expect an Iberian approach to personal data privacy throughout South America. Similar but not identical comprehensive codes exist in Chile, Colombia and many other South American countries. If you have ideas for more interviews or stories, please email [email protected].

Sep 24, 2020 · 23 min

Episode 52 - Data Brokers: How our Personal Information is Sold

Robo-calls, phishing, identity theft, ads we didn’t ask for – and worse. How does this happen? How does our personal data get collected, used and sold without our knowing approval? Data brokers are a primary answer. They are businesses that collect, use, and sell blocks of personal information to a wide variety of buyers. This is not per se a shady business, though it may seem that way to those of us overwhelmed by constant interference by phone, email, pop-ups, and attacks aiming to disrupt our day or steal our assets or identity. Rob Shavell, CEO and co-founder of Abine, a 10-year-old privacy company, gives us a tour of data brokerage. Our personal data is collected in many ways. Some is virtually public – postal address, registered voter information, and other ways in which details about us become publicly available. A lot of information about ourselves we contribute to the world – through social media posts, publicity, items we publish. There’s a tension between our instinct for privacy and the desire to be known, even famous if only for a day or two. Sensitive information is held by financial institutions, healthcare providers and others, who are generally restricted by federal and state law from sharing it with others but are themselves at times the victims of data breaches. Information once disclosed becomes available to data brokers, who organize, package and sell the data to others interested in advertising to customers, monitoring behavior, analyzing groups or otherwise seeking data for their legitimate purposes (and otherwise). If you have ideas for more interviews or stories, please email [email protected].

Sep 1, 2020 · 25 min

Episode 51 - Non-Personal Data - India Stakes A Claim On Owning and Regulating NPD

A July 2020 Indian Government Report calls for regulation of Non-Personal Data. Most data privacy laws aim to protect (or not) the personal data of people. This Report raises the question whether the world is about to see an explosion of regulation of non-personal data, which could change the business of data and how information flows within and across national borders. Stephen Mathias, head of the Bangalore/Bengaluru office of Kochhar & Co., one of India’s largest law firms, first updates us on two ongoing data privacy topics and then explains a novel approach to non-personal data being considered by the world’s largest democracy. The Personal Data Protection Bill is advancing toward adoption by the Indian Parliament. Patterned on EU principles, the Bill, if adopted in its current form, would align India generally with GDPR concepts, though with a data localization approach different from EU rules for data sharing across borders. In August 2020 the Modi Government decreed, as an emergency measure, a ban on certain Chinese apps, grounded in concerns about how the personal data of Indian residents could be shared by those businesses with Chinese authorities. India joins the U.S. in using data and technology as a geopolitical tool against PRC actions that transcend data concerns. Since Indian consumers and businesses represent a large market for Chinese companies, whose services are used by many Indian residents, the ban has raised a backlash from many users of Chinese-sourced apps and concern from businesses about retaliation. Will trade wars be supplemented by data wars? Stay tuned. If you have ideas for more interviews or stories, please email [email protected].

Aug 20, 2020 · 27 min

Episode 50 - Intersection Of Cloud Computing And Data Privacy

Cloud computing offers a business the prospect of efficiency and savings by improving data storage capabilities and outsourcing computing resources that a business need not build for itself. But when data moves to the cloud, does this raise new troubles and make legal compliance more difficult? Or can it minimize risk and increase compliance with a dizzying array of global data privacy laws? How do cloud computing and data privacy compliance intersect? Lowell Thompson of Genity, a US-based company, discusses in this podcast how a cloud computing service can address this challenge and opportunity. Using encryption technology, Genity offers what it describes as data security by default that aims to bypass data privacy laws of Europe, California, Canada, and other countries. Major data breaches such as Equifax (2017) revealed weaknesses in internal business systems, in that case exposing sensitive personal information of 147 million people from several countries. As a business focused on data, a cloud provider must be attentive to cybersecurity and differing data privacy rules and so may be able to provide greater security and compliance than many businesses can expect of their own personnel and system. When a business contracts with a cloud computing services provider, it should consider several key issues: consent of data subjects, security, control and supervision, and server location. If a server resides in a jurisdiction that requires data localization or requires sharing data with government authorities, this can complicate a business’ data issues. The contract between a business and cloud services provider merits careful review to determine whether proceeding minimizes or increases the risk of data breach and inadvertent violations of differing state and national data privacy rules. Cloud computing has its benefits. But you don’t want a cloud to turn dark with thunder and lightning. Explore the intersection of cloud computing and data privacy in this podcast. 
If you have ideas for more interviews or stories, please email [email protected].

Aug 6, 2020 · 13 min

Episode 49 - Hong Kong: What Impact Of The National Security Law

On June 30, 2020 China enacted a National Security Law applicable in Hong Kong. The UK and USA governments reacted negatively, stoking fears that this could mean the end of the one-country-two systems concept. Front-page news abounds about the meaning, the reach, and the political implications. But what about business and normal life, about Hong Kong’s role as a global financial and technology center? How does one understand the impact on data privacy? Does this mean a replacement of Hong Kong law or will it be Hong Kong business as usual? In this podcast Pádraig Walsh of Tanner De Witt Solicitors, a leading Hong Kong law firm, guides us. If you have ideas for more interviews or stories, please email [email protected].

Jul 31, 2020 · 13 min

Episode 48 - Colombia and Data Privacy

Colombia made personal privacy a fundamental right in its 1991 Constitution. A 2008 law protected personal financial information, and in 2012 Colombia adopted Law 1581, a broad code across all sectors, modeled generally on the European/Iberian approach. Angela María Noguera Moreno, of counsel with the Colombian law firm of Vanegas Morales Consultores and an IAPP-certified Information Privacy Professional/Europe, explains in this podcast the Colombian approach to protecting personal data. Colombia requires all businesses to protect personal data. Consent of the data subject, the individual, is the keystone requirement. All controllers and processors of personal data must comply with the requirements of Law 1581 and decrees that function as regulations implementing the code. Responsible parties are both controllers and processors of personal data. Personal data categories include not only sensitive (financial, medical, religious, political) and non-sensitive (business or email address) types of data, but what Colombia calls “semi-private” data, such as information about an individual’s credit history. The data protection authority is the Superintendence of Industry & Commerce, which can levy fines and even close a business for violating data privacy laws. Colombia is now in a transition from formalistic compliance (posting website notices and policies) to a compliant society that protects personal data in practice. Superintendence officials expect compliance beyond simply posting policies. This is an approach under way generally in South America, though some countries like Ecuador and Panama did not adopt a general law until 2019. Listen to this podcast for an overview of how this important South American country aims to protect personal data privacy. If you have ideas for more interviews or stories, please email [email protected].

Jul 5, 2020 · 20 min

Episode 47 - Cookies and California, Businesses Beware

Cookies, in the internet sense, are packets of data that a person’s computer receives when visiting a website. Without a cookie sent by an online retailer, every time one moved to a different page on a site the visitor would need to supply account data and other information all over again – a terrible burden! But cookies also represent a potential threat, as disguised cookies can install viruses or malware on our computers, and supercookies and zombie cookies pose other threats to personal privacy. Because a cookie can represent a third party that is accessing personal information of someone visiting a website, website owners and operators must consider whether the data streams arising from this use, and the sharing with cookie senders, amount to activity governed by the CCPA (or the laws of other states with similar or evolving data protection rules). William Morriss, an attorney with Frost Brown Todd, LLC who advises numerous tech and other companies about software and internet matters and is himself a former computer programmer, explains in this podcast the link between cookies and California and discusses what a business can do to determine its cookie status and comply with the CCPA if required to do so. Make it a New Year’s resolution for 2020 to get ahead of the cookie compliance curve so that cookies don’t become commercial indigestion!

Dec 23, 2019 · 8 min

Episode 46 - Finland Leads The Way In The Secondary Use Of Health And Social Care Data

Medical data are considered particularly sensitive personal information. Laws and regulations in most countries, including the USA and throughout Europe, generally aim to restrict sharing such information, with the goal of building privacy walls around each person’s data. But making such health data available more broadly is key to improved medical care, research and the advance of health science. Finland is the first country known to have adopted an approach that allows third parties to access health data for the purposes of scientific research, drug and health technology development, and knowledge-based management in social and health care. Researchers, service developers and other legitimate data users will be able to collect, combine and process data from Finnish registries smoothly and securely. While most data will be anonymized, for particular applications individual identities can be shared. Those seeking access to such information will apply to a central authority that will screen applications to approve legitimate uses of Finland’s substantial database. It will accept applications for access starting in early 2020. Helsinki attorney Markus Myhrberg, a member of Lexia, explains how this will work in this podcast with the Data Privacy Detective. Markus heads Lexia’s IPR, data protection and marketing practices. The Finnish Act on the Secondary Use of Health and Social Data was adopted on March 13, 2019 and became effective on May 1, 2019. The text of the Act is available in Finnish, in Swedish and in English. If you have ideas for more interviews or stories, please email [email protected].

Nov 17, 2019 · 5 min

Episode 45 - Will the "Right To Be Forgotten" Rewrite History?

The California Consumer Privacy Act (CCPA) and the so-called European "right to be forgotten" are hot topics as summer turns to autumn. With the CCPA coming into effect on January 1, 2020, amendments to modify it abound in the legislature. Stay tuned for a final Act! Even so, the driving force behind the Act’s passage, Alistair Mactaggart, is not trusting the legislature. Watch for voters to decide directly what California’s law will be in 2020 at the same time they vote on America’s president. Then there is the EU’s "right to be forgotten". Media announced a victory for Google from the European Court of Justice (ECJ), claiming that the "right to be forgotten" under GDPR cannot be enforced outside the European Union and its 28 (soon to be 27?) countries. The ECJ’s September 24 ruling was on Google’s request for a preliminary ruling on appeal from the French Government’s 2014 order that Google delink globally its search engine from sites containing embarrassing or out-of-date information. The "right to be forgotten" still raises some questions. Where will the lines be drawn? Could governments order a business to remove truthful but embarrassing information about an individual gained from a police report? If the story was published in a book, do those pages need to be torn out of history? Where will the balance between freedom of the press and individual privacy land? This is a task now for courts and a risk for website and media businesses. If you have ideas for more interviews or stories, please email [email protected].

Oct 14, 2019 · 10 min

Episode 44 - First Week Of Fall 2019 Data Privacy News Rundown

What do Ecuador, San Diego, the FBI and Bayfront HMA Medical Center have in common? They’re all in data privacy news this first week of fall 2019. This podcast episode checks the data privacy temperature around the world this week. If you have ideas for more interviews or stories, please email [email protected].

Sep 22, 2019 · 8 min

Episode 43 - What You Need To Know About Maine’s New Privacy Law

Sometimes it seems the United States is more a loose federation than a national government. States have a major role in law-making. Data privacy is no exception. A recent law adopted by the State of Maine differs greatly from the California act that will come into force on January 1, 2020. Maine’s law will be effective on July 1, 2020. This podcast hits the highlights of it. Melissa Kern, Co-Chair of Frost Brown Todd LLC’s Privacy and Data Security Team, explains that the Maine law applies to broadband internet access services – the folks who bring us access to the internet – not website hosts, not everyone holding personal data, but providers like AT&T and Spectrum as well as regional internet access providers. If a provider has even one customer in Maine that is billed for service there, the Maine law applies. There’s no safe-harbor threshold. If you have ideas for more interviews or stories, please email [email protected].

Aug 28, 2019 · 9 min

Episode 42 - Encryption: When Data Privacy Best Practices Are Not

Encryption is often thought of as the basic and best cybersecurity approach to protecting data in transit or in flight. As guest Ken Morris, CEO and founder of KnectIQ, argues, it’s not. Encrypting data is an essential practice, but it’s really neither the problem nor the solution. Instead, any organization must consider its keys. Best practices in cybersecurity in 2019 require new technologies that address the role of, and threats to, keys. Once a hacker gets access to a key, the data are there to be taken, even without the data controller or processor knowing that the thief has entered the storeroom. As the day of quantum computing approaches, it will become ever more certain that encryption alone is inadequate to protect data in flight. This is becoming known to the authorities, and that is not an idle thought. Article 32 of the EU’s General Data Protection Regulation, GDPR, forces possessors of personal data to consider the “state of the art” in deploying systems to protect personal data. And the increased sophistication of corporate espionage demands new thinking on how to prevent data break-ins. This podcast is a primer on how to think differently about cybersecurity and how the best practices of yesterday are no longer those of today. If you have ideas for more interviews or stories, please email [email protected].

Aug 15, 2019 · 11 min

Episode 41 - Hong Kong and Data Privacy

One country, two systems – that’s the 50-year agreement that led to Hong Kong’s becoming part of China in 1997. This remains an evolution in progress. Hong Kong retains many of its systems independent of the PRC and yet is part of China. What does this mean for data privacy and the rules that apply to business in this powerhouse commercial center? Padraig Walsh, a privacy leader at the prominent Hong Kong law firm of Tanner De Witt, provides insight into how multinational firms should view Hong Kong for digital services. Hong Kong’s 1996 data privacy law was a pioneer at the time in establishing a legal framework for protecting personal data and regulating companies that handle data flows as controllers or processors. If one asks whether it resembles China’s, the EU’s or the USA’s approach to data privacy, the answer is that it is much more like the EU or USA approach than China’s. It was adopted in the final months of British sovereignty. If you have ideas for more interviews or stories, please email [email protected].

Aug 5, 2019 · 12 min

Episode 40 - Avoiding Cyber-Disasters: The Human Element

No business or individual wants to be the victim of a disaster. Cyber-attacks can cause exactly that. Individuals are the first line of defense for personal privacy and cybersecurity. For businesses, it’s essential to train everyone associated with data systems to avoid letting hackers and other criminals into the network that holds data. Dr. Gleb Tsipursky explains in this podcast how disaster avoidance requires an approach based on emotional intelligence and training based on human psychology. While firewalls, policies and procedures are essential for protecting a company’s data flows, so is effective training of personnel – of employees, contractors and others who hold the keys to accessing a company’s computer systems. Freezes of entire company systems caused by ransomware, thefts of financial and intellectual property by hackers, improper releases of personal data of customers – these and other crimes of the digital age are often caused by one individual’s careless acts in letting a thief enter a business’s digital gateway. If you have ideas for more interviews or stories, please email [email protected].

Jul 9, 2019 · 12 min

Episode 39 - GDPR One-Year In: The UK Experience

The EU’s General Data Protection Regulation (GDPR) turned one year old on May 25, 2019. What’s been the experience? Kim Walker, Co-Chair of the Privacy Team of Shakespeare Martineau, a premier UK law firm, provides insight into how this comprehensive law of personal data privacy has unfolded in the United Kingdom. If you have ideas for more interviews or stories, please email [email protected].

Jun 28, 2019 · 15 min

Episode 38 - India and Data Privacy, Get Ready!

India is about to enact a comprehensive data privacy law that will force global and Indian businesses to revise their approach. Stephen Mathias, Co-Chair of the Tech Team at Kochhar & Co., one of India’s premier law firms, explains how India will shift from relatively lax regulation of data privacy to one of the world’s most protective regimens once the new bill is enacted. If you have ideas for more interviews or stories, please email [email protected].

Jun 20, 2019 · 13 min

Episode 37 - Catching Serial Killers, Employee Biometrics, Tracking and Personal Data Privacy

What do serial killers, employees who don’t want their fingerprints shared and a U.S. Senator have in common? Data privacy. In this podcast, Victoria Beckman, Co-Chair of Frost Brown Todd’s Privacy and Data Security Team, discusses this and other news. If you have ideas for more interviews or stories, please email [email protected].

Jun 8, 2019 · 12 min

Episode 36 - Five Hot U.S. Data Privacy Developments

The Data Privacy Detective turns the spotlight on five American data privacy developments in a conversation with Melissa Kern, Co-Chair of Frost Brown Todd’s Privacy and Data Security Team.

1. California’s data privacy law, CCPA, comes into force in 2020. It’s occupied attention because of California’s size and its potential extraterritorial application. It provides limited rights for individuals to sue companies that violate CCPA, restricted to certain cases of data breach. Privacy advocates were disappointed when the California State Senate rejected a bill to empower individuals to sue companies that violate any part of CCPA, a big win for the tech sector in America’s largest state.

2. In the absence of an overarching U.S. law, the statutory action in data privacy has been on a state level, as in California. But the Network Advertising Initiative foresees the need for national standards and intends to fill that role as a Self-Regulatory Organization (SRO) rather than have a national law that could be less friendly to business interests. It issued a revised Code of Conduct 2020. A key upgrade requires opt-in consent of persons whose location data will be collected from various devices.

3. WhatsApp users were stunned to learn that spyware could be implanted on their phones without their knowledge. WhatsApp promptly issued an upgrade to be downloaded at no charge that was said to fix this stealth attack, permitted by exploitation of a buffer-overflow vulnerability. Another privacy embarrassment for Google, though one promptly addressed.

4. San Francisco became the first city known to prohibit use by city agencies of facial recognition technology. Other cities are considering similar bans. Unlike local laws banning cameras to catch drivers going through red lights, this ban restricts the use of analytical technology without barring devices that take photos without our express okay.

5. Google is rolling out settings on its Chrome browser that will enable users to delete third-party cookies. This will be optional, as some individuals may want to go to their grocery store and have their device tell them about a discount on their favorite foods and beverages without being asked. Others find it creepy that our whereabouts are not only being monitored by third parties but are used to stay in touch with us without our asking them to come along for the ride.

If you have ideas for more interviews or stories, please email [email protected].

May 24, 2019 · 10 min

Episode 35 - Hot Topics In Data Privacy - From The US Front

The May 2-3, 2019 International Association of Privacy Professionals Conference featured leading U.S. officials and participants in the data privacy field. Mike Nitardy, a certified Privacy Professional (U.S.) and data privacy attorney at Frost Brown Todd LLC shares highlights from the conference. If you have ideas for more interviews or stories, please email [email protected].

May 13, 2019 · 12 min

Episode 34 - When Employees Cooperate With Law Enforcement And Expose Personal Data

Picture frontline employees – like those at a motel’s front desk. In come ICE agents with gold badges asking to see guest logs, aiming to identify and track down undocumented aliens. What’s the desk attendant to do? Most likely, cooperate without thinking it through. This led to costly problems for Motel 6 – a $12 million settlement in the State of Washington alone. The lesson is this – don’t let frontline employees decide whether to turn over personal data of guests or customers. That’s a big decision that should be made at a higher level, in sync with the company’s privacy policy. This podcast explores what happened to Motel 6 and draws lessons for what a business should do to safeguard the privacy of customer data. If you have ideas for more interviews or stories, please email [email protected].

Apr 30, 2019 · 10 min

Episode 33 - Streaming Data Flows: Key Findings From An Important 2019 Data Privacy Maturity Study

Businesses have far more personal data than they think they have, and information expands by the hour. This is a key finding from an April 2019 Data Privacy Maturity Study from Integris Software – www.integris.io. Data flows change daily, and yet many businesses rely on spreadsheets and annual surveys to learn what data they house, resulting in inaccurate information that risks reputation and non-compliance. Kristina Bergman, Integris’ founder and CEO, offers important insights in this podcast about how business can deal more effectively with avalanches of data and blizzards of national and state data privacy regulation through an automated approach to the inventory of data. If you have ideas for more interviews or stories, please email [email protected].

Apr 19, 2019 · 19 min

Episode 32 - Discovering Personal Data: How The Unknown Becomes Known

Businesses hold vast amounts of digital and hard copy data. Much is personal data regulated by differing country and state laws and rules. The first step towards personal data privacy compliance is to know what personal data are held by a company. But traditional means of inventorying personal data undercount and are almost always behind the curve of time. Network analytics is the answer to this challenge. In this episode, the Data Privacy Detective has a conversation with 1touch’s CCO Mark Wellins, and they explore how to discover, map and track the flow of data in a more comprehensive and timely way than traditional methods allow. If you have ideas for more interviews or stories, please email [email protected].

Mar 14, 2019 · 16 min

Episode 31 - Data Incidents And Breaches: What Mid-Sized Companies Do When One Hits

Data incidents arise regularly for businesses. The perpetrators range from sophisticated scoundrels seeking a quick ransom payment, to foreign governments conducting industrial espionage, to thieves seeking inside information, to distant hackers seeking personal data to sell on the dark web. When an incident arises, companies turn to legal counsel as part of the response team. In this podcast, Bob Dibert, a Frost Brown Todd attorney with 30 years’ experience and a veteran of data incidents, discusses how incidents arise and how they’re handled. There’s a three-step approach when an incident arises:

1. Contain: Immediately aim to stop further leakage and prevent additional harm from arising.

2. Counsel and Plan: Promptly analyze the scope and nature of the incident, and what needs to be done to address it both immediately and longer term.

3. Remediate: Solve the problems, remedy the damage, notify those affected if required.

If you have ideas for more interviews or stories, please email [email protected].

Mar 3, 2019 · 15 min

Episode 30 - Good news for 2019 from Europe for US firms handling European personal data

The European Commission issued its second review of how the EU Privacy Shield is working in late December 2018. Over 4,000 U.S. firms have signed up so far for this method of dealing with the GDPR (General Data Protection Regulation) of the European Union that protects personal data of its residents. The Commission’s report approves U.S. efforts to support the bilateral agreement that supports the Privacy Shield, with one important matter to be addressed in February 2019. If you have ideas for more interviews or stories, please email [email protected].

Jan 3, 2019 · 12 min

Episode 29 - China’s Social Behavior Measurement: The future or end of privacy?

China should never be viewed through a foreign lens. And yet, what other lens do we have from the USA or most of the world but to do just that? Bloomberg News reported two statistics on November 21, 2018 that will shock most non-Chinese citizens – “By the end of May, people with bad credit in China have been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.” If you have ideas for more interviews or stories, please email [email protected].

Nov 28, 2018 · 5 min

Episode 28 - Russian Data Privacy And Protection: Basics For Global Business

Russia governs personal data of its residents based on a generally applicable law. As a federal country, Russia has rules below the federal law, but they conform to standards set by statute throughout the nation. Though not as comprehensive as Europe’s broadly extensive General Data Protection Regulation (GDPR), Russia’s statute aims to protect the personal data of Russians in a manner similar to the GDPR’s approach. Concepts of consent of persons to use their data, privacy by design, data minimization, cybersecurity minimum standards and other principles are augmented by a data localization focus different from the GDPR.

Nov 19, 2018 · 16 min

Episode 27 - Digital Authoritarianism: An Increasingly Dark Side Of The Internet

The internet was once viewed as an instrument of freedom. It freed communications across borders, aided the ability of people to rally against repressive governments, and dramatically lowered entry barriers to sellers of goods and services across borders. But like many good things, the internet has been increasingly harnessed to repress – or, more neutrally, to assist those in control of government to keep their power and a watchful eye and long arm over those who threaten their view of public order. The Freedom House report is a disturbing compilation of the rise of digital authoritarianism. The study of 65 countries that hold 87% of the world’s internet users found a decline in freedom from June 2017 to May 2018 in 26 nations compared to gains in 19. If you have ideas for more interviews or stories, please email [email protected].

Nov 4, 2018 · 12 min

Episode 26 - How Safe Is The Personal Data You Provide To State Governments?

Because U.S. states employ over 16 million people and hold the data of almost all American residents, state governments are major targets for data villains seeking to obtain data about us. How safe is our personal information in the hands of state governments and what security challenges must states address to better protect personal data? Podcast guest Trey Grayson is a veteran of these issues, having served as Kentucky’s Secretary of State for eight years and later as director of Harvard’s Kennedy School of Government’s Institute of Politics and member of the President’s Commission on Election Administration, which reviewed the 2012 election. Trey is now a principal of the public policy firm CivicPoint and an attorney with Frost Brown Todd LLC. As an attorney and public policy expert, Trey offers guidance on the state of cybersecurity and state-held data in episode 26 of the Data Privacy Detective podcast.

Aug 13, 2018 · 10 min

Episode 25 - Europe’s GDPR - Representatives And Data Protection Officers

The EU’s GDPR requires businesses outside the EU to appoint a “representative” in a member state and a Data Protection Officer in the EU to consult on and monitor data privacy matters. In this episode, Alessandro Di Mattia joins us to explore the definitions and requirements surrounding these positions and the roles they play in protecting consumer personal data according to the GDPR.

Jul 29, 2018 · 12 min

Episode 24 - Internet Review Sites And Free Expression

The California Supreme Court faced a challenge that may have been the first stone cast in a global debate about free expression on the internet. The case centered on a San Francisco law firm that got a one-star YELP review from an unhappy former client. When the firm’s YELP rating dipped from 5.0 to 4.5 the law firm successfully sued the reviewer for a defamation claim. YELP was not originally a party to the case, but when the judgment ordered YELP to remove the information, YELP refused. If you have ideas for more interviews or stories, please email [email protected].

Jul 23, 2018 · 13 min

Episode 23 - California’s New Data Privacy Law

“California enacts the strictest online privacy law in the country!” trumpeted CNN/Tech. A statute passed unanimously in the legislature and immediately signed by Governor Brown, AB 375, had the support of large tech firms and privacy advocates. It moves California in the direction of the European Union, granting rights to California consumers concerning personal information they share online. The Data Privacy Detective turns his magnifying glass on this statute. It will have an impact. If California were a country, it would boast the world’s fifth largest economy. California has citizen initiative rights that let people propose laws enacted by a popular vote, bypassing the legislature. Enraged by the Cambridge Analytica scandal of data shared by Facebook that ended up sold without consumers’ direct knowledge for political campaign purposes, a wealthy Californian tired of waiting for the legislature to act. He promoted an initiative aimed at creating tough consumer data privacy protections. Alarmed by the proposal, California’s large tech community backed a quick legislative response that is a compromise compared to the initiative language. It was drafted, enacted, approved and signed into law in about a week, and the initiative leader withdrew his effort and supported the outcome. See www.caprivacy.org. If you have ideas for more interviews or stories, please email [email protected].

Jul 4, 2018 · 19 min

Episode 22 - GDPR And Non-EU Businesses

Businesses not located in the European Union have tried to understand whether the General Data Protection Regulation (GDPR) applies to them. And if it does, or if it might, one of the puzzles has been whether a non-EU business needs to appoint a natural person or legal entity to be its “representative” or a natural person to be its “Data Protection Officer” for dealing with the EU and its Member States’ Data Protection Authorities (DPAs). This podcast focuses on that question. If you have ideas for more interviews or stories, please email [email protected].

Jun 16, 2018 · 10 min

Episode 21 - GDPR Is Here

How did U.S. businesses deal with the launch of GDPR? And what’s its immediate impact on how U.S. businesses address personal information they have? The Data Privacy Detective turns the magnifying glass to this question, focusing on small and mid-sized (SME) U.S. businesses that hold personal data of Europeans. Most coverage about GDPR is about titanic battles of tech giants whose business models are based on monetizing customer data. My spyglass turns to a different subject: How did SMEs in the United States deal with GDPR? The clear majority of them do not sell personal data of Europeans, but instead collect and use it for ordinary business purposes, such as marketing goods and services, employing personnel, collecting payment and other processing that has nothing to do with surreptitious use of such personal information beyond the obvious. If you have ideas for more interviews or stories, please email [email protected].

May 31, 2018 · 18 min

Episode 20 - China's New Data Privacy Standards

GDPR, the European Union’s effort to protect personal data, has dominated the efforts of businesses to deal with personal data across borders. Less noticed is China’s evolving system of controlling, regulating and protecting the personal information of its people. On May 1, 2018, China issued standards for personal information protection.

May 14, 2018 · 16 min

Episode 19 - The EU / U.S. and Swiss Privacy Shield

In this podcast episode, the Data Privacy Detective discusses the background to the EU / U.S. and Swiss Privacy Shield and how it relates to the new requirements of the EU General Data Protection Regulation (GDPR) that will take effect on May 25, 2018. If you have ideas for more interviews or stories, please email [email protected].

Apr 25, 2018 · 20 min

Episode 18 - How Businesses Outside The EU Can Comply With The GDPR

In this podcast, the Data Privacy Detective turns a magnifying glass to how businesses located outside the EU can gather and use personal data that originates in the EU without violating the GDPR. Businesses inside the EU are actively working to bring their policies and procedures in line with the GDPR, with the benefit of many years of practice under the 1995 EU Directive that required EU countries to adopt laws based on a common background and similar principles to what becomes a directly binding regulation on May 25, 2018. For businesses beyond EU borders, how do they determine if GDPR’s extraterritorial reach affects them and what should they do about it?

Apr 19, 2018 · 15 min

Episode 17 - Consent: The Meaning Of It Under GDPR

The Data Privacy Detective explored in prior podcasts the broad scope of personal data, the differences between controllers and processors and other matters, including how processing can be lawful. That includes several specific, limited instances when acquisition and use of personal data can be legitimate in the absence of express consent of the persons whose data are held.

Apr 18, 2018 · 15 min

Episode 16 - Lawful Processing Of Personal Data Under The GDPR

The EU’s GDPR – the General Data Protection Regulation – becomes law on May 25, 2018. This podcast explores what processing of personal data as defined by the GDPR is considered lawful. “Processing” is defined very broadly by Article 4.2 to encompass a wide variety of ways in which personal data are held or used. Article 6 describes what constitutes “Lawfulness of Processing.” It lists six alternatives for when processing is lawful. The first and most basic is if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Express consent is at the heart of the European approach to personal data protection. But consent is not the sole basis for lawful processing of personal data.

Apr 10, 2018 · 11 min

Episode 15 - Personal Data And The GDPR: What’s Covered And What’s Not

The GDPR defines personal data very broadly. But it is not an all-encompassing effort to protect all personal data from every conceivable use or misuse. “Personal data” is defined by Article 4.1 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This defines personal data to include relatively non-sensitive information such as a phone number or email address, as well as more sensitive information such as biometric, genetic and other information about a person. The GDPR does not protect the data of legal entities. Only personal data of natural persons are addressed. Business, non-profit organization and government data are not covered. (Recital 14). Only data that relate to an identified or identifiable natural person are regulated by the GDPR. (Article 4.1)

Apr 9, 2018 · 12 min

Episode 14 - Controllers And Processors – The Differences And Why It Matters For GDPR

Businesses collect, use and store personal data. It’s unavoidable. An email address, phone number, birthdate, postal address – these are all personal data that allow someone to identify or contact an individual. Other information is far more sensitive, such as health information, religious preference, political beliefs, race or ethnic origin, sexual preference, and financial details. The European Union’s General Data Protection Regulation (GDPR) classifies businesses that hold personal data as controllers or processors. The GDPR applies directly to both controllers and processors, but in different ways. This podcast explores the meaning of controller and processor and how cross-border businesses can meet the differing requirements imposed by the GDPR.

Apr 2, 2018 · 10 min

Episode 13 - Does The GDPR Apply To A Business Outside The EU? How And When?

How does a non-EU business know if it must comply with the GDPR? And what specific things are required if the answer is yes? This podcast explores these questions, detailing the specific activities that require a non-EU business to comply with this EU regulation. Merely having a website is not enough. But if a company aims to sell goods or services to Europeans or to monitor the behavior of EU citizens or residents, compliance is expected. Conducting a data inventory and creating a data map are first steps to determine how a cross-border business can deal with the GDPR and comply with its requirements.

Mar 29, 2018 · 10 min

Episode 12 - The GDPR Is Coming

On May 25, 2018 the European Union’s General Data Protection Regulation becomes law – not just within the EU but everywhere in the world in some respects. It is deliberately extraterritorial. The EU is serious about compliance with the GDPR. Fines can be as high as 4% of a company’s gross revenues or 20 million Euros. The Data Privacy Detective launches a thorough exploration of the GDPR with this podcast, starting with the history, the context and the GDPR’s basic aim of protecting the personal data of its citizens and residents.

Mar 26, 2018 · 9 min

Episode 11 - Tech Support Scams: How to avoid them and what to do if you fall for one

In this podcast, the Data Privacy Detective talks about tech support scams with Michael Severini, Director of Information Security for one of America’s large law firms, Frost Brown Todd LLC. A tech support scam can start with a phone call claiming to provide computer support and security. But increasingly this scam pops up when you click on a website and your screen freezes, with a warning page that your PC is infected and you need to call a toll-free number immediately for help. If you have ideas for more interviews or stories, please email [email protected].

Aug 24, 2017 · 6 min

Episode 10 - Cybersecurity & IoT

The risk of the Internet of Things (IoT) is far more than a stolen credit card number or a banking loss. The risk could be mortal and pervasive if a critical device is hacked and a malicious command is issued through the IoT.

Aug 9, 2017 · 6 min

Episode 9 - Phishing - How To Avoid Being Hooked

Phishing is an effort by cybercriminals to use bait in the guise of a familiar email address to hook you into revealing your sensitive information. This podcast tells a real story of two college professors who were initial victims of a clever evolution of a phishing scam.

Aug 3, 2017 · 4 min

Episode 8 - FBI CyberAlert about massive attack – so what do we do?

On July 25, 2017, the FBI issued a TLP:AMBER alert on its Cyber Watch system about an elaborate cyber-criminal attack underway by sources believed to originate from Iran. The Alert lists about 200 domain names and IP addresses that individuals and businesses should avoid. The Alert lists four actions that all persons and businesses should take to avoid being harmed, not only by this attack, but to address the burgeoning rise of malware and other attacks against our data privacy and use of the internet.

Jul 28, 2017 · 3 min