Sign New Hampshire Banking Confidentiality Agreement Later

Industry sign banking new hampshire confidentiality agreement later

uh hi let's see is that working yes audience view 100 okay listen only mode okay i am speaking um let me introduce myself this is navigating data privacy regulations by itg and what we are going to discuss today is all sorts of new laws and things that have happened around the united states or will happen not just the united states but basically the world as well anyway this is what i do um i've been around forever uh i almost i'm a lawyer i also i practiced a whole lot of different types of laws i've written three books uh four books oh yeah there's a new one cosmetology on uh four books on law and economics the most recent one was on the uh cmmc handbook which is uh if you don't know about it that has to do with compliance with uh department of defense contracts when will and the protection of controlled unclassified information is probably going to metastasize over time to just about everything uh and then i also have a bunch of uh i t certifications which are right down there including the comptia casp i am not getting the cissp because i don't speak linux and it's too late now anyway uh what i do for i t i t governance is i do iso training uh implementation and i do the the training for iso lead implementer lead auditor and a lot of the stuff for the uh global uh privacy laws so and that's what i do and so we're going to talk this morning about um this afternoon it depends on where you are on uh cyber security regulations this is the type of stuff that grc does among other things um anyway today's discussion we're going to talk about u.s cyber security laws privacy laws biometric laws and all sorts of the new regulation that is happening and uh who that impacts where when and how um and also we're going to talk about the us regulators which was very expect for me to uh discover and basically how itg can help your firm uh and by the way um spoiler alert uh if your firm if you are doing business these days uh cyber security and privacy laws uh are near you somewhere somehow in some shape or form it's not like that's something that you know it's not like covet 19 uh last march oh that's in china it's never going to come here surpr oh ho and oha yes of course it's going to come here in fact it's already here so these laws are all over the place uh and we're about to get a whole lot more and uh so i'm going to talk about all those all the things that are coming in coming to us okay let's start start with the gdpr you might have heard of the gdpr the fun things to know about the gdpr uh general data protection regulation okay the great thing about the gdpr it's one law for 27 countries and it involves everybody all businesses it involves not just um it involves not just uh you know a large business like google and facebook it involves small businesses it involves the police it involves the government like if you were in france and you were part of the chamber you would have to comply with the gdpr if you're a member of parliament you don't have to fly with gdpr anymore because you're not a member of europe but you have to comply with the uk data protection law so all that it's in it's everywhere it's for all the countries it's really nice because it it's it governs everything and right now it has become the um right now it has become the uh the global norm basically the reason it's become the global norm is because of article 44 which says thou shalt not uh transfer information of eu citizens out of the eu and so as a result since the eu is one of the largest one of the three largest trading blocks all the countries in the world like you know brazil and japan korea and all those other countries that want to export india want to export stuff to the to the eu have said uh oh we have to comply so they're about i don't know at the moment i the last time i looked there were about 20 maybe 25 uh countries that have passed laws that are similar to or quite often they just swallow the gdpr whole like india's new law that they're proposing is almost exactly like the gdpr brazil's new law is like the gdpr uh and so all of this has become basically the global standard now in contrast there is the u.s now what happens unfortunately or fortunately the u.s has all these different types of laws you have you have laws that have that are just for sectors depending on what your business is and then they have laws that are passed by the federal government and those the jurisdiction of those are has to do with stuff that uh is controlled usually by the federal government or or quite often is because of the concept of federal law being arse or as a supremacy concept federal laws are above state laws so they usually go first but there's not that many of them and then of course the problem is because the feds have sort of been um sort of gridlocked for a great period of time uh then the states have gotten into the act and the most famous of the state laws is for example the the california consumer privacy act now the now the callus privacy rights act now the reason for this is because the eu and the us have different regulatory philosophies the eu uh is basically most of those countries were ruled by central authorities since around right after about the 16th century and so they have a feeling their view is that government tends to be sort of all pervasive and it's there and it can sort of help you uh and that's true in the gdpr if you read the gdpr it's not all about whacking you it's about helping your business comply with the law and if you read the uh mitigation the the penalty provisions you'll notice that there are 11 different mitigating provisions so and also those one area if you have to comply with the gdpr that you should check out are the various regulators the they're called supervisory authorities or the old thing was data protection authorities and they have their websites are filled with great information about how to help your company comply with the law and the other thing you have to remember about the gdpr is that it wasn't created in 2018. this it's been the law in europe for over 20 years and i've never read anything from the europeans complaining bitterly about it in fact they're rather they rather they're rather happy about it now it is basically global law now in contrast uh the us government concept of regulation is wants to be very specific we don't like regulation we had a little revolution back in the 18th century against central authority and ever since then we have issues with central authority and one of those issues has to do with regulation so we only like to regulate um stuff when we feel is absolutely necessary so we get very very specific when we want to regulate stuff and what happens with that is that it results in this plethora of different types of cyber security and privacy laws which are sometimes difficult to navigate in fact they're sometimes impossible to navigate frankly but uh they also the us government is not so is not so in their regulators not so into helping people uh that is if you go through the entire revenue code internal revenue code and i used to be a tax lawyer i would uh question whether you can find any provision that's that's uh where the irs is supposed to make nicey nicey and tell you how to comply there's not a lot of mitigating provisions in the internal revenue code it just basically says it's your old testament is saying the government is an angry god and will come out and smite you if you don't comply so it's more detrimental and punitive but the difference is that it doesn't if they don't the good news is they don't uh work on this now there are four different types of cyber security laws and you have to know the difference because remember all the laws in the u.s tend to be very specific the first type of cyber security law is um is uh actually there's this is cyber security laws are these only deal with cyber security what they're there to do is to um make sure that you have good cyber security again a good example of that is the new york department of financial services or ny dfs law which only remember how specific these things are this only concerns uh businesses in new york that are subject to the regulation by the new york department of financial services uh they have expanded that now into new york shield and the new york nydfs has something like 17 controls and new york shield for businesses over three million dollars has like 15 controls so that that's how they do it but it's only very specific on these new york uh companies i was just reading last night about massachusetts has a regulation uh 202 mass regulations and that has something very similar and it's for all companies that are doing business in massachusetts those are cyber security laws now sort of in this category are the breach laws and those laws state that if you have a cyber security breach and you've all had one or will have one uh you have to report it to somebody and use the these exist in all 50 states so it does not matter where you do business in the united states there is some law for you uh and it's something that you have to consider when you especially if something happens to you or you get a breach it's always better to have a plan for these things all right then there are these things called privacy laws what are privacy laws well privacy in the united states actually goes back we think oh gosh this is a 20th 21st century dealing no no no it was first proposed by louis brandeis later justice brandeis in 1898 law review where he pointed out that privacy laws are a right so these exist and they can cause major damages and if you don't believe me look at the case of boleo versus gawker you might know mr baleo's name as hulk hogan where he was managed to win a loss win a small lawsuit against the gawker for a mere 114 million dollars anyway so these causes of action do exist one is the sec rules sp which is for companies that are public companies which means your shares are sold on a stock exchange and then of course there's coppa we have to get protect the little kitties children online uh privacy protection act that what that stand for and again we're talking about something very specific uh that's children so but it only has to do with with dealing with children and then there is the recent addition uh now changed the ccpa the california consumer protection act went into effect as of january 1 2020 and so now as of november 4th it's been replaced by the um california um the california privacy rights act which will go into effect uh in um on january 1st 2023 one thing i'll say about california is they like change anyway uh the ccpa which is generally known um and that's not confused with the canadian law which had its first reading uh last november has to go through three readings before parliament then all becomes law and that is something like the canadian uh rights protection act so that has its own set of acronyms but that's coming down the pike just so you're warned if you trade with canada and canada is actually our largest trading partner so the odds are that your company does so so the ccpa noted by the ccpa is that it's a privacy law weirdly enough the cyber security aspect of it is interesting in a different set of laws that's in the california con consumer records act which states you know it's a standard privacy provision that states thou shalt have cyber security appropriate to the data you collect which is and the gdpr same as article 32 if you want to look that one up anyway um interestingly enough that is a different provision than ccpa which is a privacy law and then there are laws which someone got the bright idea of mushing them all together and that is what the gdpr and oddly enough as hipaa is hipaa has three parts to it it's all all of them are 45 164 cfr uh code of of federal register uh which are regulations and that is 164. there's the 300 which is called the um security rule and then the 400 which is the instant response and 500 which is called the privacy rule and by the way there's been a proposed change on that in terms of uh patient access and then of course the gdpr and the gdpr remember the gdpr is goes back to the data protection directive which was passed in 1995 saying that it wasn't there wasn't a lot of change between that and the gdpr but that includes uh privacy and that's for a good chunk of it which is chapter two three uh four uh and then then there's the the security bit which is article 32 uh and then there is the instant response which is 33 and 34. so this it does include it includes all it mushes everything together privacy uh cyber security and everything else and remember their privacy laws are a subset of cyber security laws why because cyber security as we all know is the preservation of uh integrity confidentiality and availability it you can't have privacy unless you protect confidentiality so you can't you need cyber security to get a privacy laws the real question is which law applies to your organization and that's very very very difficult so one way we find out is to find out is to determine um you have to look at first of all you have to consider all the state laws what laws do your states about 25 have specific requirements for cyber security a whole all 50 of them have breach response laws then there are a lot of them have data disposal laws so you have to be very careful about how you dispose of data that's in almost all states public companies remember those are the ones that sell securities they have they have specific privacy requirements that are in part of the securities exchange commission uh laws and regulations and then of course there are financial companies that have their own types of laws if you do business in new york and it's not just banks or brokerage uh that they include uh stuff like uh car dealerships because they often loan money so they're part of that and then there is the outsourced financial regulations called finra and they have their own regulations and then of course there's healthcare under hipaa if you are either if you deal with healthcare data if you're a healthcare service provider or if you handle uh basically healthcare information any of that information you're under these type of laws now these are these those are the state laws these are the federal laws i talked about copa hipaa and then there's one that uh never comes up which is graham leech bluely that and then if you're involved in education you have to worry about ferpa and then there is the fair if you're if your work for equifax or something like that there is the fair credit that regulates credit use uh and then there is uh s can spam uh the robocall one which is the tcpa and the electronic wiretap now most of these were passed over the last 50 years and you'd say well well what so what what how do these apply to us today well oh ho and aha they do because uh what's happened is the regulators have gotten enormously creative in how they use these laws we'll see that a little later on in the lecture now uh for data security laws uh these this is a a recent map it is it is a map that was is is basically 2018 so it's not something that um that is it's been updated since then and we'll see a more recent map but this is how fast this stuff changes and it literally changes uh overnight so you can you know you'll be thinking well this is one law and then like we put together a ccpa thing and then and then now they passed the uh the california privacy rights act and or the gdpr was fairly stable until they they started working on on the on the transfer document aka shrams2 so all this will change and it'll change even more radically coming up pretty soon the reason for that is we're getting a lot of state laws there's a lot of action in the states because the federal feds really haven't been able to do very much so what has happened is the states have jumped into it now last year because of covet most of the state legislators begin their terms in um on january 1st now the length of those terms depends on your state and they're all over the place some states have a legislative session every other year in uh my state where i live in rhode island it goes through sort of junish uh in california it sort of goes to july but then there's sort of hiccups that go through november uh nd it's it's really very difficult to keep up with this thing but right now is sort of the silly season so expect a whole bunch of laws that at least will be introduced i'm not sure if they'll pass we won't know until the fall but um you'll see a whole bunch of new laws the big ones now that actually have been passed are the ccpa the new york shield act which has about 15 controls for companies over 3 million and if you're under 3 million then you get something like five controls but you're not left out so don't worry and then there's massachusetts they have a they have a privacy law now uh or they're coming up they also have a very nice i looked at it last night it has 16 controls for cyber security and then there's nevada and maine most of these are those nevada and maine are really very specific the main is only for uh telephone companies and nevada is mostly for companies that collect information but it depends where you work so these are the general provisions that you start seeing in most of these laws there is a lot of consistency with these things so i believe that it's possible to if you look at this list you can sort of and consider all the things on the list you will get an idea of what you need in your in your privacy framework and your policies procedures when you put that in the first thing you'll need what's really important is to understand um that you need a notice and getting your privacy notice correct is very important now most american companies started in putting in privacy notices in uh the late 90s the reason uh they they reason is they thought this would help them with customers uh it didn't uh the app with a very very few exceptions with financial and hipaa um you are or you know certain states like new york california you don't have to have a privacy notice you don't have to have anything so and the real problem is with these things that if you're going to do it if you're going to put one of these things in um make sure you get it right because uh uh facebook got fined five billion dollars for a violation of privacy no for violation of it of a 1905 act the unfair business practices law of 1905 and all states have these laws they're called udap statutes unfair deceptive practice so if you put something in your privacy notice that says you do one thing and you do another that's an unfair deceptive practice so be very careful about how you draft these things and be very careful just you know to walk the walk and and talk the talk if it's in the notice you better be doing it uh and it's very a lot of these a lot of these privacy laws do have these things now in the united states we like opt out which is opposed to an opt-in the difference is that let's say i have a piece of of information private information that you know um let's say i'm left-handed uh that is piece of private information it's identifiable to me and it could i may be interesting for me under the gdpr if you want to use that piece of information you have to have you have to get a lawful basis it's like if you wanted to use my car you can't come along and just say oh i want to use this car i'm going to jump in and drive away that's that's the facebook view of data uh you have to have a contract you have we have to have a rental agreement i have to say okay i will allow use my car and you know we sign something that's what all this consent business is all about now in the united states opt out is you do have rights but they only pop up if after you claim them so you can use anybody's information until they say wait a minute that's mine stop it uh then then you have to then you have to say hands up oh sorry and so do you want it back what do you want me to do with it that type of thing that's the difference once once you object you say that's mine then you get the sort of property rights remember what the gdpr is it's a property law it defines your property rights in your data okay all these the other thing these things have in common is an access request remember i mentioned hipaa and what they do is they say you have the right to get your data back uh occasionally you have the right to have it erased you have a right to find out how much data people have it varies from statute to statute but all these laws have statements about what you can see some laws have under certain circumstances have a right of erasure you just take out all my information under california law it's absolute under the gdpr it's it's it's relative uh some laws you have the right to prevent sales you cannot sell my information anybody all the laws require you protect the information remember it's not yours uh you got from somebody else and they have rights in it uh whether they know it or not but you should be able to protect it and also you have um the causes of action are different the big one what in the united states we have an administrative enforcement and the right of private action the right of private action can be devastating and we'll see like that there are also a whole bunch of proposed state laws these are potential ones that are coming down the pipe we won't know until the fall but we arizona has a couple washington wants to adopt the gdpr illinois is is going crazy they have the biometric act but there are these laws that be considered as we speak all over the country now how many are going to be enacted i have no idea but it you know it depends on how many people show up in a covent environment but this is going to be a hot topic for the foreseeable future until we get a federal law and i don't know that may be happening soon um the big thing these days remember we're very specific in the united states we don't have these big you know big laws like the gdpr we have to only um regulate what happens to your big toes on on the third sunday in lent so this is one of those things so everybody's loves the biometric privacy acts so there's a whole bunch of them as you see right here there's a several proposed some exist independently some are part of bigger laws uh and their or their aspects like arkansas has thrown biomedical information into its breach law uh the new york has a proposed biometric information act that just came in and the big one is the illinois bible the bpia and they're also that's caused all sorts of litigation now remember the enforcement there are two types of enforcement there's the regulator enforcement and unless your name is mark zuckerberg that's not your problem or there is the right of private action and a right of private action means that plaintiff's attorneys and as one person appropriately referred to them feral hogs um will come in and they'll get a class together and if you know it doesn't matter because if each member of the class gets a dollar there you quite often are millions of members of this class and that and because of contingency that could be mean really big money for whoever's whoever the lawyer is so if there's a right or private action that gives a right of every individual to enforce the law and that makes everybody into their own attorney general now these are the privacy laws right now and you've noticed that they there are a whole bunch of them that exist they're signed like maine nevada and then there's a whole bunch that are being considered or there's a task force or they're in committee or whatever but they're all over the place and uh they will get will get more and more of them as time goes on unless there's a federal law which is i don't have the faintest idea whether or not that is that is you know coming our direction okay so we don't know whether or not we will have a federal law but it's it's it's definitely possible all right now as i've said earlier oh this is the ccpa the real issue with uh litigation in the united states has to do with the concept of negligence 50 of the actions in the united states go off on negligence now negligence like every other cause of action has elements with negligence it's a duty failure to to do that duty uh approximate cause and damages so if i'm driving down the road i have the duty to protect drive safely if i'm tapping on my iphone uh and not being aware of where i am i am failing on that duty if i run into you then that's approximate cause i caused the accident but then i have to have damages like i total your car and and made you so you can't walk those are major damages the problem with with um uh negligence in terms of breach is damages because quite often if somebody steals a a credit card the losses are covered by someone else so the actual claimant has no damages so a lot of those have been thrown out under a supreme court case by the name of spokayo but ccpa came in with something special they have legislative damages they say if you've had a security breach your damages equal 100 what whatever they are we're going to just say the equal hundred dollars and that's a hell of an incentive for a private action so you'll come in with a private action on underneath just say okay i get each of my each of my uh clients in the class action which have similar cases because there was one breach have get a hundred dollars well how many are how many records were lost oh uh you know a million so you know that works out to be a hundred million dollars and a contingency fee on that would be about 30 million dollars and there's not a plaintiff's lawyer in on the planet who wouldn't salivate and try to get a chunk of that action so this is these are all the uh litigation that are going on as we speak and they're all if you notice a couple things they're all in california because the ccpa except for this one in minnesota they're all in federal court uh for a variety of reasons uh and but so we're gonna see probably more and more litigation uh coming out of these things and these things can be life-changing uh in other words there will not be any anything left um because that you know if a hundred million dollars or put you out of business and if you don't know that ask gawker um so they got they lost 114 million and of course now are out of business so that's a big chunk of change there um now the other weird thing is are these are these um uh federal regulators now what with what the federal regulators are doing it's it's off the charts it's weird like remember i told you the ftc sue got five billion dollars out of facebook by enforcing a 1905 law well they are now using all sorts of weird laws like the treasury they're using a law designed to uh deal with with uh people laundering money offices of foreign asset control and they're using that against firms that pay ransom so if you pay ransom and bitcoins to get out of you know to get your information back to get the key to get it unencrypted you are might be violating something and you might hear from from who the treasury department why because you violated the foreign asset control act for by paying ransom i mean it's it's or another big one is you sing in the newspaper a lot and a lot of people are are saying that you know we should use antitrust class actions against facebook and google and the thing about anti-trust class action is you get travel damages so this isn't we're not we're back to the you know the trust busting that occurred in you know under the under the first roosevelt in like 1907. the okay there is privacy regulation in the american disability act so you're gonna get you're they're using that one i mean it's okay right we don't have a gdpr but it don't mean that the other laws aren't out there and all these you know and all these uh regulators are using these to to deal with privacy like the the consumer financial protection bureau you haven't heard very much of that because that wasn't looked on on with favor by the previous administration however that is elizabeth warren's baby uh and now that biden's in that is going to they just have teeth they the the new head of it was one of the more active members of the fcc so that's got a whole new you know ball game there and that's going to be and that they have the ability to regulate privacy notices also under the new uh california or i believe it's called that california privacy rights act they've established a new regulator a regulator it's sort of like a european supervisory authority it's called the california protection protection agency the uh the new canadian law has one of these too so we're going to see new regulators with new laws coming up with new cause of action if you don't get your privacy act together so it's going to be all sorts of fun and games so just just because you know you thought you thought you were out of it oh no no no no just because the gdpr doesn't apply to you does not mean that something won't apply to you i mean the foreign asset control come on that's clever i like it um okay i would talk about the gdpr the this is a list of all the countries um that have laws right now similar to the gdpr this is a partial list i mean there's there's malaysia i know is in there vietnam is in there uh so there's all sorts of countries all over the world there's i know kenya um uh qatar uh aided whole um there are even privacy laws under sharia law in saudi arabia apparently um muhammad when he wrote that felt that it's very commercially oriented and he felt that you had to be you know respect privacy and contract so it's part of sharia law so this is it's part of doing business everywhere it's not like uh well we can ignore it because it's where you know we don't do anything with europe if you do business anywhere outside the united states uh you you're probably going to have to deal with some aspect of it or some aspect of some privacy law japan for example does not have the gdpr but it has uh changed its laws so they adapt to the gdpr so it's similar okay now what are you going to do about it so what you do there's five steps this is you know basically out i think as a lawyer uh and as a cyber security guy i prefer the cyber security guy um is you know the you have to ask certain questions to find out what how you if first first question is if this a law applies to you the next question is how do you you know how what do you do to compliance so the first question is which laws apply and remember in the united states we're all about we don't we only want to regulate certain companies and not all companies so what we have done is we've come up with definitions and the definitions tend to be very specific you know we will regulate you if you have black cats that walk around the black on walk on sunday so and that always that always comes up is the question is well is that cat black you own it do you actually own it is that a question does it walk around on sunday or maybe that sunday night or maybe what's the law really mean does that mean a time when we can see the cat you know and so you know the litigation is is can be incredible these definitions are meant to narrow the view of the law but they can they can actually expand it i mean yeah you've got this picture of a black cat on your wall that means it applies to you uh and this is the very same thing it's very important to data and analysis is very important what's really important there is data mapping now a lot of these things sound automatic well okay fine but i get it the data mapping is does the data get go through a state or jurisdiction that it has privacy we don't want to do that to paint a butt well you might want to do it if you want implement your zero trust because part of your cyber security architecture now will depend on where your data is and what your data is doing what what what are the various assets on your platform and that gets you to your next one inventory risk assessment what is inventory risk assessment besides being enormous nasty thing to do the whole point of risk assessment is to determine what what your crown jewels are don't you don't need to protect everything uh you do need to protect your good stuff but how do i know which is my good stuff well you take a look at it you make a list of what stuff you have and of course the most important stuff you have is your data remember in the girl days in the century i'm from um you know the real expensive stuff was the hardware not anymore what we're doing now is all businesses data is not you know accessories it's not something n the side it is your business it's central to everything you do don't worry about your your physical supply chain worry about your digital supply chain because that's that's where your real issues are going to come in okay policies and procedures what you mean i got to write this down well yeah if you don't write it down how are you going to know what you're doing if you don't know what you're doing how do you know if you're going to do it right how do you know how do you change it and how do you teach somebody else how to do it so and then the real problem is how you do you demonstrate it to a regulator that's why you need all that oh it's that paper it's because you've got to demonstrate it you got to teach somebody and hopefully you've got to improve it and all this stuff of course requires training because we don't want people doing stupid things like let's say you're the uh dean uh and former president of the american bar association of a large law school in uh let's say a south carolina and you just happen to violate privacy by uh emailing to all members to of your of the graduating class to point out that they just failed the bar whoops if that you know that fortunately that happened south carolina so all what's his name has hubbard has to do is make an apology but he was just not train dropped properly he didn't think about it and so and it's not all we're gonna train you know the the custodian we're you gotta train the top guys because those are the people are gonna get who mess up you know that's a good question okay which laws what do you do that's very important what do you do where do you do it uh you have to find out what data do you collect some data is some of that is more important than others i mean do you collect health care data financial data that's uh like under the gdpr there's all sorts of laws in the united states not not europe in the united states that deal with something called sensitive data driver's license social security numbers all that good stuff that's sensitive debt that makes a difference uh wants to see there um okay where do you collect it you the great thing is about data is you have to remember that um is that laws are limited by borders data isn't that didn't go anywhere so that means but if if the law is the data is in the jurisdiction then the jurisdiction has power to regulate it or decide anything about it where do you transfer it i mean this is the big thing in europe because they basically said thou shalt not uh with the end of privacy shield they said the we don't really want you transferring stuff to the united states and we're going to make it really really difficult for you until there is probably a new regulation a new agreement which will probably come on later this year one hopes but it's really difficult how do you translate who are you customers partners who's in your data supply chain because remember all those big hacks target marriott british airways anthem all those big things that was through their supply chain they had pretty good cyber security but they just their their partners were weren't all that good so and you have to figure out what your jurisdiction is and where this stuff is determine all these things okay what type of data do you have we looked a little bit about that we looked at health care data financial of course payment card you take credit card then of course you're under pci dss regulations category 9 data that's that's the sensitive stuff in the gdpr the weird thing about category 9 it depends where you are so like category 9 include health care of course political religious beliefs racial sexual orientation uh and weird things like union membership which is really uh eu-oriented political opinions if you get into different countries that's going to change like in india they're very sensitive about caste so that becomes an article nine that potentially comes article mine now in the united states under the new uh uh california law they have a new definition called sensitive data and sensitive data something else that's usually the definition of stuff that you have to report if you've been breached in a lot of the 50 state laws so it's very important to know what data you've got and you got to know where it is i mean is it in the united states is the non-united states is up the cloud is it on-prem it's a server in the back room is it on hilda's presence whatever is it's really important to understand that where did you get that data i mean who gave it to you did he get it from a partner did you buy it did you someone get on your law on your website and sign up um did you get it from an employee it's you know it's very important to determine where you got that data and that also remember it ain't yours just because it's data doesn't necessarily mean that it's that it's it's you know it's it belongs to you i mean in the old days we used to have stuff called phone books and you know you wanted your name and a phone book because it proved you weren't living with your parents anymore so that was important have your own phone number did you care about that no you wanted everybody to know that is that information you know valuable can you monetize it on the dark web no so who cares but if it's you know your health care information or your financial information or your password or something like that that's a that's a whole different you know kettle of fish there so you have to be very careful about understanding whose data you actually have how do you intend to process it and you have to remember that process means oh i'm just going to crunch it no that means storage that means transfer that means move it anywhere in flight you need to encrypt it are you what are you going to do with it i mean and that makes a big difference and then the big thing is what rights do you have in the data i mean is it something you created um they always talked about well that is the new oil well that's great but the oil doesn't belong to you it's the real issue with that little statement and no one really thought about that wait a minute wait a minute that i i just want to get it's like the company that went out and scraped the web for a bunch of facial issues of pictures that they want to use for creating a biorecognition a facial recognition program well that was a nice idea except the pictures they scraped didn't belong to them and of course they're in big litigation now there yeah yeah think about this um what sort of data is it remember all these things have little little uh acronyms associated with the credit card information is electronic protect health care information is it personally identifiable information remember that isn't defined uh but the the definite these definitions tend to over a lot of these laws you tend to if you read enough of them and god knows i do um you see the definitions get very sort of repetitive because these guys copy each other controlled unclassified information that's the real sleeper uh that puppy because remember the department of defense cmmc only control only is departmental controlled unclassified information there are 70 categories of cui out there hmm what does that tell you that tells you the cmmc might metastasize intellectual property of course biggie uh also think about the applications in terms of where your uh data is going uh also think your about your assets your hardware especially iot iot is i mean that's um missed ir i want to say 8223 there is another standard out there which has so much control iot is these things can be a major disaster area because you know they're hard to update they're hard to patch sometimes they're even hard to control their physical environments because they're out out the wild somewhere where other people with bad guys can get to them medical equipment these things weren't designed with security so one of the ways into the network could be your cat scan i mean it's just you always have to think about these you also have to consider about the services these what it inventory and risk asset where do i get daas is that privacy law no that's for implementation of zero trust so these things these things uh have all sorts of have all sorts of stuff that are going on in terms of uh the various ways you deal with them and it's not just privacy it's how you consider it's how you consider your uh it's how you consider your in total security uh architecture the other way we help is through basically training in terms of instant response and uh iso 27000 and talking about cyber security in terms of various types of uh of methodology in terms of training for to help you cope with all these various types of problems okay now that's what we're doing we're doing we're doing a privacy as a service which is basically sort of me at this point uh and that is to answer your questions in terms of all these laws that are going to change and i promise you in 40 years of doing this i have never seen laws change like this uh and the reason is quite simple is because we need to have a uh is because we have um is because we have a major problem this it's one of the largest it is probably the largest criminal activity by far you know it's larger than every other criminal activity in the world you know beats out drugs and everything else you know hands down and so what are you going to do you're going to pass laws okay 10 minutes to spare we are into the question area so let's see we want questions okay okay uh okay beyond usd okay that's the problem with stamping beyond the u.s state laws there are uh six territory laws and a district you know okay what's the best what's the best law uh beyond that well what i would do is uh first of all you have to figure out where your in information is to start off with um and then you have to figure out you know what your territories are where your information what your information's what your information is and where it's going there are certain really basic things that are sort of consistent with all these laws one is is um transparency so that goes back to 1905 uh as the audience of the game is to make sure that you tell people um what you are doing with all their with their wither information what you intend to do with it uh and do not i have this wonderful chart of using my courses and some of these privacy notices are longer than books i've written they're you know literally five thousand six thousand words uh and if you've got a privacy notice that's that's long it's done wrong i'll tell you why these things get like that is because um you send them to out the lawyers lawyers steal the privacy notice from somebody else's throw and then say oh that's not enough i better throw something else in there and then there's this i better put something else in there like that and then there's that and then the marketing department gets a really cool idea and says oh we ought to start doing this and they don't and the marketing department never talks to the lawyers so the other while the lawyer is saying well we don't do that the marketing department department is doing that and it's a real issue with your privacy notice so you've got to be very careful with those because they're out there anybody can read them they they're you know you want to stay below the radar with these things you don't want to go out there the second issue which are consistent with all these things are subject access requests if you get a a request from somebody to get rid of their information do so however be very very careful because these things are being used for fraud and for it's called discovery in the law if people are using it to find out information so let's usually it happens it happens a lot in divorces so uh an estranged and very angry spouse will they have they know that there's other spouses password stuff like that and they have all their identity information so they write a letter with the social security number the passwords and all that stuff and say please give me all the information and of course the information includes all sorts of romantic emails to somebody else which can be very embarrassing so be very careful about who you get information to because if you give it to the wrong person that's a breach the last thing and most important of course the more most difficult thing that you have to deal with in terms of compliance with these global laws is um cyber security now uh at itg uh we do the iso 27000 thing why that so i have drunk the kool-aid on that the reason you do iso 27000 is because it's not like pci or dss and i think it's really important it's a management system it's an information security management system it's a quality control it's like six sigma or you know uh there's no there's a couple of them out there but the whole point about cyber security the best way to get cyber security is to manage the process and try to continually improve is this going to you know make sure you you don't get hacked of course not but uh what it will do is hopefully limit the damages uh from if you do and also make you aware of the obligations that you owe to your to your uh to your customers and clients remember don't worry about actually don't worry about the regulators the real thing is if you get breached your real damages are going to be you know the damages to your brand you're going to start paying more interest a moody's will downgrade you in a s in a mana second if they find out you've got bad cybersecurity you're going to go from an a plus to a b minus overnight and that's going to increase the amount of money that your your debt is going to have to pay uh you won't be able to get cyber insurance because you know the insurance companies don't want you so it's it's very very important and all these things are sort of below the line and then of course the worst thing you're going to lose is the trust of your customers and partners so yes you should comply with all the laws but if you have issues with these areas that's not that's not what's going to cost you money what's going to cost you money is the fact that you're going to you know you're going to blow your business uh and that and that is the real reason for that we want to do all this stuff okay let's see okay so the best way yeah the best way to comply with all these things is you really have to get get all that stuff straight if you can possibly do that is um is try to get first of all get get your privacy notice correct um if you need help with that the best way to do that is to go on to look at the gdpr examples i was i checked out the uh the senior which is the french supervisory authority of data protections because the problem is now the british are out of the eu we can't use the ico information commissioner's office website to help us but i was looking at which is the committee nacional informatics and uh interestingly enough it you can read it in english they have you know so you can read anything in english if you go to their website they're they're a wonderful source i mean there are tons of wonderful sources out there i mean it's the great thing about tech is that we there there's just enormous amounts of people who are happy to help and a lot of the information is totally free um but there's tons of information out there to help you get your privacy notices notices correct but in order to do that you got to know where your information is and what it's doing and where did you get it and that comes into importance in terms of your security architecture especially if you're going to try to implement zero trust which is is something all this you know it's not these things are not separate issues that one i want to get to they are all part of the same process of managing uh how we deal with information okay number one number two get your um subject access request right make sure you have a methodology for dealing with that uh and make sure that doesn't you don't get lost with that type of stuff uh and the last thing of course is get your cyber security and it's really important to um make the point about doc about cyber security is it's also important to be able to demonstrate all this that's where the policies and procedures come in uh the other great thing about iso is i think it's a bulletproof protection against a negligence action in the uni ed states for a breach because one of the elements of negligence is failure to um is negligent are you negligent i mean are you instead of driving or you're playing with your phone so you're not following best practices of safe driving if you're playing with your phone but if you are following iso 27000 you are following the best international practices for cyber security protection did you get a breach yes i did but i was using my the best practices it's like uh you know with medical malpractice was the doctor using the best practices in the area yeah the patient died but it's not his fault because they were following the best practice of that particular of that particular area at that particular time now you're not if you're a surgeon in uh dubuque you're not required to have the same set of skills and training as the head surgeon at mass general uh but the great thing about about the iso is that it's an international standard and it's recognized the world and you also don't have to prove it i mean this cyber security standard cmmc they're all great but the problem is that if there's no certification body they lose one of the most important aspects of any of these cyber security and that is audit and audit is deals with an old issue having to do with principal and agents which is basically agent cheat and so what you have to do is you have to watch the little buggers and the way you do that is to audit or buy or you have in or you have an independent audit and that and if you look at the cmmc uh creation is basically they come around to that and said that's what we're going to do we're going to certify everybody because no one was complying with the law they were just saying yeah we'll get around to it so they just said well we're not going to play that anymore we're going to audit you and you have to make sure that people are doing the right thing and the great thing is with iso when the neglect actually just whip out your certificate wave in front of the judge and there's your motion to dismiss right there so yeah i mean you might somebody's gonna have to bring it for something else god knows what that's gonna be there are a lot of uh and what you're gonna see now is that's the fight i believe in congress is the question of whether or not this gets enforced with a right of private action and like the the bipa that's a right or private action and they've had a plethora of lawsuits there so and it's being fought out in new york they want a right private action and they just introduced a law it's it's another biometric law a right of private action they the canadian law i believe has something like that so it really comes down to about enforcement they don't quite do it that way in europe but the odds of having a regulator show up especially if you have a breach if you come above the radar then you know you could have issues in this area okay i don't see any more questions okay uh let's see we'll discussion that they've got that okay uh where else uh in the case of these laws are being legislated across the u.s do any of these laws deal the same way uh as special category of yes they do yeah i mean special yeah they it they do there's of course because they're so segmented there are laws for biometric information the laws for health care information there's laws for financial information but they they sort of get down the list we don't have any laws you can't really do it for religious and political things because of the first amendment that doesn't exist in europe but there are areas that are are sensitive and that it's it's in it's now in the california privacy rights act i don't know if it'll make its way there will be something about sensitive information in the federal law i don't know how they'll define it so it'll be i'm sure it'll be social security number healthcare uh biometric information don't use that um don't use that for two-factor authentication use something else uh bad idea because you you'd also want to have the other way thing is you have to have a a retention policy oh it is looks like it's two o'clock and or you know two o'clock 201 actually so i have to leave um and thank you all for coming if you want more information i believe that the slides will be sent to everybody who gets registered if not feel free to contact us or feel free to send me any questions uh uh the uh have any doing anything okay uh let's see we have to stop sharing okay uh thank you very much and um we'll be giving these over time i'll be giving some more and feel free to sign up thank you you