FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Smart Cities Face Hacking Threat

Posted on: August 15th, 2018

By: Ze’eva Kushner

As you sit in traffic, frustrated and wondering why the city or municipality cannot do something to ease congestion, know that a city’s use of internet-connected technology to make your commute better may also invite hackers to wreak havoc on your city.

Traffic is just one of many problems that “smart cities” use internet-connected technology to address.  A smart city can set up an array of sensors and integrate their data to monitor things like air quality, water levels, radiation, and the electrical grid.  That data then can be used to automatically inform fundamental services like traffic and street lights and emergency alerts.

Smart city technology provides many benefits to city management, including connectivity and ease of management.  However, these very same features make the technology an attractive target for hackers.  In a recently released white paper, IBM revealed 17 vulnerabilities in smart city systems around the world.  Some of these risks were as simple as failing to change default passwords that could be guessed easily; others were bugs that could allow an attacker to inject malicious software commands, and still others would allow an attacker to sidestep authentication checks.  Additionally, use of the open internet rather than an internal city network to connect sensors or relay data to the cloud presents an opportunity for hackers.

Atlanta is an example of a smart city that is attempting to improve its efficiency by employing smart city technology, with its focus being mobility, public safety, environment, city operations efficiency, and public and business engagement.  Atlanta knows all too well how crippling a hack can be, as it suffered from a ransomware attack in the spring that kept residents from services such as paying their water bills or traffic tickets online.  The hacking threat to smart cities is real and significant.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

The CCPA: Precursor To American GDPR Or Undue Burden On American Businesses

Posted on: July 30th, 2018

By: Jonathan Romvary

As we recently posted, California recently passed the landmark California Consumer Privacy Act of 2018 (“CCPA”) that goes into effect on January 1, 2020 and grants California residents new expansive privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.

Unknown Final Requirements

Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated but the current draft contains a number of errors that will need to be addressed before its effective date on January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive in terms of compliance may be throwing darts in the dark.

Attorney General Regulations

Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective date in a number of areas to further the purposes of the CCPA. While it's arguable whether this will provide greater protections to consumers, it will undoubtedly come as a burden on those businesses covered by the CCPA. At this time these specific AG regulations are unknown and, with an upcoming election, there is no guarantee we will know what these regulations will be until late next year before implementation.

Compliance Burn Out

As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, mapping, and regulatory compliance in order to come into compliance prior to the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the necessary technology that those companies need to comply.

Unfortunately, companies that spent the last 12 to 18 months traversing GDPR compliance will not automatically be complying with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR and, in many cases, the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.

The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompass all retail and commercial activity that includes the collection of data relating to a resident of California which is retained, sold or transferred by the business. While the CCPA contains numerous exemptions of data use and functionality, these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at [email protected].

California Passes New Comprehensive Data Privacy Law

Posted on: July 16th, 2018

By: Kacie Manisco

California has passed a sweeping data privacy law that will result in dramatic changes to how businesses in the state handle consumer data. AB 375, which will take effect on January 1, 2020, grants consumers more control over and insight into the dissemination of personal information, but imposes significant obligations on certain businesses in order to achieve those goals.

The law will apply to any California business that: (1) has an annual gross revenue over $25 million; or (2) alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.

The new legislation is similar in nature to the European Union’s General Data Protection Regulation (GDPR) and is intended to provide residents of California the most comprehensive consumer privacy rights in the country. To that end, AB 375 requires covered businesses to give California residents:

  • The right to seek disclosure of any personal information collected by the business, up to twice a year;
  • The right to be informed of what categories of data will be collected, prior to its collection, and to be informed of any changes to this collection;
  • The right to request deletion of information collected by the business;
  • The right to opt-out of the sale of personal information;
  • Mandated opt-in before the sale of a minor’s information;
  • Protection of consumer data through reasonable security procedures and practices.

Additionally, one of the most significant aspects of the law creates a private right of action for any consumer for data breaches, without the requirement that the consumer prove injury before being awarded damages. The law provides that “any consumer whose nonencrypted or nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may bring a civil lawsuit. A consumer would be entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater), plus injunctive or declaratory or other relief.

While AB 375 does not take effect until 2020, California businesses should begin the process of reviewing these complex new requirements and evaluating the applicability of the regulations to their operations. Specifically, businesses should begin to assess the types and scope of data they currently collect (and have collected and stored in the past) that may be covered by the law. Moreover, organizations should minimize their exposure in handling personal data, keeping only the data directly necessary for business and legal needs.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Cyberrisks to Contractors and Securing Proper Coverage

Posted on: June 29th, 2018

By: Barry Brownstein

Increasingly sophisticated hackers have targeted personal and business data held by companies like Target Corp., Sony Corp., Equifax Inc. and Yahoo Inc. during the past decade. The construction industry is just as susceptible to these risks as any other industry.  As construction projects increase in size and there is more sharing of data related to buildings and projects, and as more of that sharing becomes electronic, cyberrisks increase as well.

Contractors and their business partners hold personal information about their clients and employees, and they are increasingly using more electronic means to exchange data and survey construction projects. A significant threat for companies in the construction industry comes from the open and increasingly connected network between those in charge of a project and their various subcontractors and business partners, who need swift and seamless access to plans and other sensitive data to do their part of the work.

Many companies in the construction industry assume that since they have policies that cover losses stemming from physical and property damage, any infiltration into their systems that results in the loss of access to sensitive information is covered by such insurance.  However, most commercial general liability policies carve out cyberthreats from coverage.  While contractors can still make claims under more traditional policies and may find that some of their losses are covered, relying solely on these protections may be dangerous and result in uncovered losses.

Specialized cyberinsurance can fill in the gaps left by commercial general liability policies that do not account for losses caused by damage to virtual information systems, and ensure that any damages, injuries or delay caused by downstream contractors or business partners are covered as well. Once policies are in place, contractors need to revisit them regularly to account for changes in the cyberthreat landscape as they relate to the construction industry.

If you have any questions or would like more information, please contact Barry Brownstein at [email protected].