Category Archives: Compliance & Regulation

Wyden’s Consumer Data Protection Act: How to Be Compliant

in C-Level, Compliance & Regulation • Last Updated: 1/8/2019
Wyden’s Consumer Data Protection Act: How to Be Compliant

Will 2019 be the year the US gets its own GDPR-like privacy law? Since my last post in this series, privacy legislation is becoming more certain to pass. Leaders from both parties are now saying they will focus on privacy in 2019. Consider yourself warned! I’ll continue my journey from last time into the Wyden legislation since it’s a good baseline. Sure there are other bills, but they share some common elements. I’ve already discussed Wyden’s…

Wyden’s Consumer Data Protection Act: Preview of US Privacy Law

in C-Level, Compliance & Regulation • Last Updated: 1/8/2019
Wyden’s Consumer Data Protection Act: Preview of US Privacy Law

The General Data Protection Regulation (GDPR) has, for good reason, received enormous coverage in the business and tech press in 2018. But wait, there’s another seismic privacy shift occurring, and it’s happening here in the US. There is now a very good chance that significant data privacy legislation will come to the US soon. I’ll go out on a limb, and say in 2019. But if not next year, then certainly in 2020. Yes, we’ll…

NYDFS Cybersecurity Regulation in Plain English

in Compliance & Regulation • Last Updated: 11/13/2018
nydfs cybersecurity regulation title and logo for

In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. Unusual at the state level, this new regulation includes strict requirements for breach reporting and limiting data retention. Like the GDPR, the New York regulation has rules for basic principles of data security, risk assessments, documentation of security policies, and designating a chief information security officer (CISO) to be responsible for the program. Unlike the…

How Varonis Helps with the California Consumer Privacy Act (CCPA)

in Compliance & Regulation • Last Updated: 10/29/2018
How Varonis Helps with the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is set to go into effect on January 1, 2020. It not only gives ownership and control of personal data back to the consumer but holds companies accountable for protecting that data. The CCPA gives California residents four basic rights in relation to how companies collect and store their personal information: Transparency: the right to know what personal information a company is collecting about them, where that data came…

NIST 800-171: Definition and Tips for Compliance

in Compliance & Regulation • Last Updated: 6/29/2018
security cameras on a white wall

Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information. NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines. NIST itself is a non-regulatory Federal agency responsible…

The Average Reading Level of a Privacy Policy

in Compliance & Regulation • Last Updated: 7/11/2018
privacy policies of tech companies after gdpr

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data. While the regulation pertains to the personal data of EU citizens, the law and fines for misconduct still apply regardless of whether the person is paying for…

EU NIS Directive (NISD) Holds Surprises for US Online Companies

in Compliance & Regulation • Last Updated: 6/21/2018
EU NIS Directive (NISD) Holds Surprises for US Online Companies

Last month, a major data security law went into effect that will impact businesses both in the EU and the US. No, I’m not talking about the General Data Protection Regulation (GDPR), which we’ve mentioned more than a few times on the IOS blog. While more narrowly focused on EU “critical infrastructure”, the NIS Directive or NISD also has some surprising implications for non-EU companies not remotely in the business of running hydroelectric plants or…

[Transcript] Attorney Sara Jodka on the GDPR and HR Data

in Compliance & Regulation • Last Updated: 5/24/2018
[Transcript] Attorney Sara Jodka on the GDPR and HR Data

In reviewing the transcript of my interview with Sara Jodka, I realize again how much great information she freely dispensed. Thanks Sara! The employee-employer relationship under the GDPR is a confusing area. It might be helpful to clarify a few points Sara made in our conversation about the legitimate interest exception to consent, and the threshold for Data Protection Impact Assessments (DPIAs). The core problem is that to process personal data under the GDPR you…

[Podcast] Attorney Sara Jodka on the GDPR and HR Data, Part II

in Compliance & Regulation • Last Updated: 5/9/2018
[Podcast] Attorney Sara Jodka on the GDPR and HR Data, Part II

In the second part of my interview with Dickinson Wright’s Sara Jodka, we go deeper into some of the consequences of internal employee data. Under the GDPR, companies will likely have to take an additional step before they can process this data: employers will have to perform a Data Protection Impact Assessment (DPIA). As Sara explained in the first podcast, internal employee data is covered by the GDPR — all of the new law’s requirements…

NIST 800-53: Definition and Tips for Compliance

in Compliance & Regulation • Last Updated: 5/4/2018
nist 800-53

NIST sets the security standards for agencies and contractors – and given the evolving threat landscape, NIST is influencing data security in the private sector as well. It’s structured as a set of security guidelines, designed to prevent major security issues that are making the headlines nearly every day. The National Institute of Standards and Technology – NIST for short – is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing…

[Podcast] Attorney Sara Jodka on the GDPR and Employee HR Data, Part I

in Compliance & Regulation • Last Updated: 5/3/2018
[Podcast] Attorney Sara Jodka on the GDPR and Employee HR Data, Part I

In this first part of my interview with Dickinson Wright attorney Sara Jodka, we start a discussion of how the EU General Data Protection Regulation (GDPR) treats employee data. Surprisingly, this turns out to be a tricky area of the new law. I can sum up my talk with her, which is based heavily on Jodka’s very readable legal article on this overlooked topic, as follows: darnit, employees are people too! It may come as…