Category: FCPA Compliance Report

FCPA Compliance Report: DOJ on AI and Data/Intellectual Property Protection

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this special edition, Tom welcomes Jessica Nall, a partner at Baker McKenzie who leads the firm’s West Coast investigations and compliance practice, and Maria Piontkovska, a Senior Associate in the same practice group.

We take a deep dive into their article on the recent speeches by Department of Justice representatives at the ABA White Collar Conference, covering the new DOJ whistleblower program, AI, data protection, and intellectual property protection.

Jessica Nall and Maria Piontkovska are prominent legal professionals specializing in white-collar defense and corporate investigations. Jessica, a seasoned attorney with over 20 years of experience, leads Baker McKenzie’s white-collar practice in California, and Maria is a skilled US white-collar attorney originally from Ukraine.

Both regard the ABA White Collar Conference as an essential platform for the defense bar, government investigators, and compliance leaders to gather for discussions and networking. Nall sees the conference as vital for disseminating new compliance expectations and enforcement trends announced by government officials. At the same time, Piontkovska highlights the importance of the direct line of communication with these officials, providing insights straight from the source.

Their perspectives on the conference are shaped by their extensive experiences in the field and drive their contributions to the discussions and policies related to white-collar defense and compliance.

Topics Covered in This Episode:

  • Key Figures Discussing Trends in Compliance
  • Corporate Transparency Incentive Initiative
  • Financial Incentives for Anti-Corruption Self-Disclosure
  • Navigating Risks: AI in Corporate Compliance
  • Data Mapping for International Data Security

Resources:

Jessica Nall on LinkedIn

Maria Piontkovska on LinkedIn

Compliance Steps After ABA White Collar Crime Conference

United States: Department of Justice announces new corporate compliance directives for AI along with increased penalties for AI-related misconduct

Baker McKenzie

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Category: Regulatory Ramblings

Regulatory Ramblings: Episode 42 – The Intersection of Digital Assets and Data Protection with Jonathan Crompton

Jonathan Crompton is a partner at the law firm Reynolds, Porter & Chamberlain (RPC), based in Hong Kong. There, he helps companies and individuals navigate complex cross-border disputes and investigations involving their Asian operations. He specializes in commercial matters (particularly for the retail industry), financial services, technology-related disputes, and cyber incidents.

As the lead for RPC’s ‘ReSecure’ cyber incident response service in Asia, he advises local and multinational clients on cyber-attacks, data privacy, and law enforcement investigations. He also helps clients worldwide recover money transferred to Hong Kong bank accounts as a result of cyber and other frauds.

Jonathan advises on all forms of disputes, including litigation before national courts and arbitral tribunals operating under various rules (in particular, the HKIAC, ICC, and UNCITRAL) and on investigations by regulators (notably financial services regulators such as the Securities and Futures Commission). His clients include senior individuals, asset managers, and leading multinational corporations and brands. As a result of RPC’s predominantly ‘conflict-free’ model for financial services disputes, Jonathan represents senior individuals and companies in claims brought by or against leading banks where other firms are often unable to act.

He is also a founding member of the Hong Kong chapter of the Crypto Fraud and Asset Recovery (CFAAR) network, the first global association for such professionals. The London chapter launched in 2021, and the Hong Kong chapter was formed in August 2022.

In this episode of Regulatory Ramblings, Jonathan chats with host Ajay Shamdasani about his background, upbringing, and how he ended up in the legal profession. The bulk of the conversation, however, is devoted to data protection and digital assets, specifically the February raid on the offices of WorldCoin by the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD). They discuss the PCPD’s expressed concern about WorldCoin’s collection and storage of iris scans in exchange for its WorldCoin token (WLD).

As Jonathan points out, the case is a clear example of the growing intersection between personal data protection principles and digital assets. The conversation also covers his recent LinkedIn post, in which he argued that Privacy Commissioner Ada Chung’s action was further proof that she is flexing her existing powers, even before the anticipated amendments to the territory’s Personal Data (Privacy) Ordinance, expected to be enacted within the next year, come into force.

They also discuss the shape Jonathan envisages those amendments taking, the recent cases he has seen in his practice involving virtual assets, digital contracts, and cybersecurity, and related emerging methodologies, trends, and themes.

Podcast Discussion:

  • 3:01  Journey from Military Roots to Legal Frontiers
  • 11:00  Perspectives on Legal Specialization in the Virtual Asset Sphere
  • 20:52  Understanding Cryptocurrency Fraud and Legal Challenges in Recovery
  • 29:16  Assessing the Efficacy of Asset Tracing Rules in Cryptocurrency Fraud Cases
  • 38:12  Money Mules, Cybercrime, and the Evolution of Financial Fraud
  • 42:48  Complexities of Cybercrime and Deepfake Deception in Financial Fraud
  • 45:29  Insights into Crypto Regulation and Risk Management from CFAAR
  • 59:34  Intersection of Personal Data and Digital Assets: Insights from WorldCoin and NFTs
  • 1:05:52  Personal Data Privacy: Insights into Legislative Amendments and Regulatory Enforcement in Hong Kong
  • 1:17:01  Adapting Legal Careers to Emerging Technologies, Change and Uncertainty

Connect with RR Podcast at:

LinkedIn: https://hk.linkedin.com/company/hkufintech
Facebook: https://www.facebook.com/hkufintech.fb/
Instagram: https://www.instagram.com/hkufintech/
Twitter: https://twitter.com/HKUFinTech
Threads: https://www.threads.net/@hkufintech
Website: https://www.hkufintech.com/regulatoryramblings

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net/

Category: Innovation in Compliance

Innovation in Compliance – Igor Volovich on Moving Towards Data – Driven, Risk – Based Compliance

Innovation comes in many areas, and compliance professionals need not only to be ready for it but to embrace it. My guest in this episode is Igor Volovich, Vice President of Compliance Strategy at Qmulos. This podcast is sponsored by Qmulos.

Igor Volovich brings a unique perspective to the table regarding the importance of executive accountability and proactive risk governance in cybersecurity. Volovich emphasizes the crucial role that executives play in ensuring compliance, controls, and security posture decisions, and criticizes the current model of firing and hiring Chief Information Security Officers as ineffective. He believes that risk governance should be a holistic business function, rather than separate departments handling different types of risks, and encourages boards of directors to question and challenge reports on compliance and risk posture. Drawing from his extensive experience and deep understanding of the field, Volovich advocates for a real-time convergence of compliance, security, and risk management. Join Tom Fox and Igor Volovich on this episode of the Innovation in Compliance podcast to delve deeper into these insights.

Key Highlights:

  • Maintaining Compliance Integrity through Executive Accountability
  • Misrepresentation of Compliance in Penn State
  • Moving Towards Data-Driven, Risk-Based Compliance
  • Data-Driven Risk Management for True Compliance
  • Incentivized Whistleblowing and Cybersecurity Accountability
  • Elevating Risk Governance for Effective Cybersecurity
  • Real-Time Compliance and Data-Driven Automation

Resources:

Igor Volovich on LinkedIn

Qmulos

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: Life with GDPR

Life With GDPR: WhatsApp Breach: Hospital’s GDPR Failures Exposed

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, Tom and Jonathan discuss a data breach at a Scottish hospital during the COVID-19 pandemic.

The breach occurred when hospital staff shared patient details on WhatsApp, raising concerns about GDPR compliance. The hospital informed the ICO about the breach but chose not to notify affected patients, highlighting the need for appropriate advice and support when making such decisions. The conversation also explores communication challenges in internal investigations and the privacy and security risks of platforms like WhatsApp. It emphasizes the importance of organizations adapting to the preferences of digital native employees and conducting data protection impact assessments. The podcast also highlights the importance of effective policies, training, and proactive phishing training to prevent cyber-attacks and protect sensitive information.

Key Takeaways:

  • Data breach in Scottish hospital
  • The Challenges of Communication in Internal Investigations
  • Importance of Policies and Training
  • Phishing Training Effectiveness

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

Connect with Tom Fox

Connect with Jonathan Armstrong

Category: Blog

The Importance of Effective Policies and Training in Data Protection: Lessons from a Scottish Hospital Breach

I recently spoke with Jonathan Armstrong about a data breach at the health service provider NHS Lanarkshire (Scotland) during the COVID-19 pandemic. The breach is a stark reminder of the challenges organizations face in maintaining data protection and compliance, especially where messaging platforms like WhatsApp are concerned. In this blog post we explore the lessons learned from this incident and offer practical advice for organizations seeking robust data protection measures.

Background

According to the Cordery Compliance Client Alert on the matter, over a two-year period between 2020 and 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group containing at least 533 entries that included patient names. The information included 215 phone numbers, 96 entries with dates of birth and 28 with addresses. 15 images, 3 videos, and 4 screenshots were also shared, containing personal data of patients and clinical information, which is “special category” health data under both EU and UK law. Other data was also added to the WhatsApp group in error, and further communications were identified in which the staff in question had used WhatsApp.

WhatsApp was not approved by NHS Lanarkshire for processing patients’ personal data. The staff adopted it apparently without organizational knowledge, as a substitute for conversations that would previously have taken place in the clinical office before office attendance was reduced during the COVID-19 pandemic. Because WhatsApp was not an approved channel for sharing patient data, no Data Protection Impact Assessment was in place and no risk assessment of the personal data processing it involved had been completed. NHS Lanarkshire undertook an internal investigation and reported the matter to the ICO.

ICO Holding

The UK ICO determined that NHS Lanarkshire did not have appropriate policies, clear guidance and processes in place when WhatsApp was made available to download. It also found a number of infringements of UK GDPR, not least the failure to implement appropriate technical and organizational measures (TOMs) to ensure the security of the personal data involved, as a consequence of which personal data was shared via an unauthorized means and an inappropriate disclosure occurred. There was also a failure to report the matter to the ICO as a data breach within the required time.

Armstrong noted that ICO recommended that NHS Lanarkshire should take action to ensure their compliance with data protection law, including:

  1. Considering implementing a secure clinical image transfer system, as part of NHS Lanarkshire’s exploration regarding the storage of images and videos within a care setting;
  2. Before deploying new apps, consideration of the risks relating to personal data and including the requirement to assess and mitigate these risks in any approval process;
  3. Ensuring that explicit communications, instructions or guidance are issued to employees on their data protection responsibilities when new apps are deployed;
  4. Reviewing all organizational policies and procedures relevant to this matter and amending them where appropriate; and,
  5. Ensuring that all staff are aware of their responsibilities to report personal data breaches internally without delay to the relevant team.

Armstrong concluded that “In light of the remedial steps and mitigating factors the ICO issued an official reprimand – a fine has not yet been imposed. The ICO also asked NHS Lanarkshire to provide an update of actions taken within six months of the reprimand being issued.”

Discussion

This case highlights the challenges organizations face around communication during internal investigations. In many instances, the most interesting documents are not found in email. Employees often turn to alternative platforms like WhatsApp to avoid leaving a paper trail, but these platforms may not provide the privacy and security users expect.

While platforms like WhatsApp may seem secure, end-to-end encryption protects only the message content in transit: account and usage metadata is still shared with the platform’s parent company, and the messages themselves sit on employees’ personal devices, outside the organization’s retention, access-control and monitoring regimes. Organizations must adapt to the preferences of digital-native employees who may find email restrictive and opt for alternative communication methods, but that adaptation should be done consciously, with policies and procedures in place to protect sensitive information. Armstrong emphasizes the importance of revisiting emergency measures implemented during the pandemic. As remote work continues, organizations must conduct thorough data protection impact assessments to ensure compliance across all communication platforms and measures.

As with all types of compliance, setting policies and procedures is just the first step. It is essential to communicate and educate employees on these policies to ensure their understanding and compliance. Annual online training sessions are not enough; organizations should provide engaging training that goes beyond passive learning, backed by ongoing communication to employees. Armstrong also remarked on the ineffectiveness of off-the-shelf online phishing training. Waiting for an incident to occur and then providing training does not stop people clicking on malicious links; organizations should invest in better training before incidents happen rather than trying to enhance it afterwards.

The next step is monitoring: compliance with policies and procedures should be actively monitored. Technical solutions are available to help companies track compliance, but it is crucial to involve individuals at all levels of the organization when designing these policies. A balanced approach is also needed, in which employees are recognized for their service but also held accountable for policy breaches. The days of relying solely on punishment for enforcement are gone.

The data breach at the Scottish hospital is a wake-up call for organizations to prioritize data protection and compliance. Communication challenges during internal investigations, privacy concerns associated with alternative platforms, and the need for effective policies and training are crucial areas to address. By conducting regular data protection impact assessments, providing engaging training, and ensuring buy-in from employees, organizations can strengthen their defense against cyber threats and protect sensitive information. Remember that compliance is an ongoing process, and continuous evaluation and improvement are necessary to adapt to the evolving digital landscape. Finally, stay vigilant and proactive in safeguarding data privacy and protection.

Category: Data Driven Compliance

Data Driven Compliance: Jason Patel on Go-to-Market Security, Compliance, and Data Privacy: Safeguarding Business and Customers

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast, hosted by Tom Fox, which features an in-depth conversation around the uses of data and data analytics in compliance programs. Data-Driven Compliance is back with another exciting episode. The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions.

In this podcast episode, Tom Fox and Jason Patel delve into the critical aspects of go-to-market security, market intelligence security, and customer privacy enforcement in today’s digital world. They discuss the importance of protecting businesses and customers’ experiences, leveraging data for security and marketing strategies, and ensuring compliance with privacy legislation like GDPR and CCPA. They highlight the services offered by Cheq, a company specializing in go-to-market security, and stress the need for real-time compliance and a transparent approach involving various stakeholders. The conversation also explores the risks of relying solely on vendors for compliance and the impact of opt-in and opt-out strategies on data privacy. Looking ahead, they predict data privacy to be a leading issue, emphasizing the need for clear and explicit internet regulations to protect businesses and consumers.

Key Highlights:

  • Cheq: Go-to-Market Security and Customer Privacy Enforcement
  • Designing GDPR-compliant controls
  • Real-time compliance in data tracking
  • The Impact of Opt-In vs. Opt-Out Strategies
  • The Future of Internet Regulations

Resources:

Cheq

Tom Fox

Connect with me on the following sites:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: The ESG Report

Data Privacy and ESG with Dan Frechtling

Tom’s guest in this episode of the ESG Report is Dan Frechtling of Boltive, a company that helps keep the Internet safe from invasive media and enforces data privacy. Data privacy and cybersecurity are ESG issues because they are significant drivers of business risk and a growing concern among investors and CEOs. The public costs of poor corporate cybersecurity management are increasingly viewed as market failures.

Dan is the CEO of Boltive. His career began as a marketer, and he has spent years learning the power of marketing. Having experienced a significant event that changed his perspective about hyper-targeting and information sharing, he transitioned to cybersecurity where he learned about data privacy issues. 

Here are some key points Dan and Tom talk about:

  • Dan talks about his professional journey and background and his role at Boltive.
  • Dan defines invasive media and describes the protection his company provides against it. 
  • Dan explains how Boltive’s solution for invasive media protects the audience from malware, redirects, and other malicious behaviors by replacing them with revenue-generating ads.
  • Compliance with terms of service and user experience is key in order for these solutions to work, Dan tells Tom.
  • In cybersecurity, the intermediaries and third parties are often creating noncompliant and bad user experiences. Boltive solves this by creating a synthetic user experience so each step is recorded and traceable to see what went wrong.
  • Knowing and identifying if your inventory is sensitive and understanding the flow of data makes complying with ever-changing privacy regulations easier. 
  • Dan explains why the digital ad ecosystem is so convoluted and the potentially harmful effects on customers.
  • Dan highlights some of the compliance issues with online marketing.
  • GDPR is the gold standard when it comes to privacy and data protection, but state laws should also be followed when they are more stringent than GDPR.

KEY QUOTE:

“Invasive advertising can really be many different forms and we see our role to protect brands and publishers and technology platforms so those ads don’t get inadvertently served, because the world of programmatic advertising is very lawless and algorithm-driven.” – Dan Frechtling

Resources 

Dan Frechtling LinkedIn | Twitter 

Boltive

Category: Uncovering Hidden Risks

Ep 4 – How Compliance, Data Protection, and Privacy Come Together

Alym Rayani, general manager for compliance and privacy marketing at Microsoft, joins host Erica Toelle and guest host Hammad Rajjoub on this week’s episode of Uncovering Hidden Risks. Alym works closely with engineering leadership to drive product strategy and roadmap while overseeing the product value proposition, marketing efforts, and customer experience. Changing regulations and increased cybersecurity risk are pushing compliance, data protection, and privacy requirements to converge. Erica, Hammad, and Alym take a closer look at this top industry trend and discuss what it means for Chief Information Security Officers.

In This Episode You Will Learn:

  • What areas create quick wins for organizations that create momentum for larger initiatives
  • What the answer is for CISOs to stay in compliance with regulations
  • Risks CISOs will face focusing on data protection without considering compliance and privacy

Some Questions We Ask:

  • What challenges are CISOs, privacy officers, and CCOs seeing from this convergence?
  • How are data protection and privacy changing the way CISOs approach new problems?
  • What should CISOs look for in a data protection technology solution?

Resources:

View Alym Rayani on LinkedIn

View Hammad Rajjoub on LinkedIn

View Erica Toelle on LinkedIn

Related Microsoft Podcasts:

Listen to: Afternoon Cyber Tea with Ann Johnson 

Listen to: Security Unlocked

Listen to: Security Unlocked: CISO Series with Bret Arsenault

Category: Blog

The Uncovering Hidden Risks Podcast Returns to the Compliance Podcast Network

The risk landscape for organizations has changed significantly in the past few years. Traditional ways of identifying and mitigating risks simply do not work. They focus primarily on external threats when risks from within the organization are just as prevalent and harmful. Additionally, regulations change frequently, and it is difficult for security and compliance leaders to keep up on these changes.

The Compliance Podcast Network is therefore thrilled to welcome back, for a limited series, the Microsoft podcast Uncovering Hidden Risks, which explores the need for enterprises to move quickly to a more holistic approach to data protection and reduce their overall risk. The show covers an array of topics across data governance, risk management, and compliance, and addresses industry trends and customer pain points.

In each episode Erica Toelle, Sr. Product Marketing Manager for Microsoft Purview, partners with a Microsoft guest host to interview a guest leader in the data governance and compliance industry. These experts have a unique and deep understanding of the challenges organizations face, and the people, processes, and technology used to address them.

We are excited to have this podcast made available to the listeners of the Compliance Podcast Network so that they may listen in to these conversations as Erica and her Microsoft colleagues discuss a range of interesting topics, ranging from trends, best practices, and real-life strategies for developing a holistic data governance and risk management program.

The Uncovering Hidden Risks podcast will launch on Wednesday, September 28th with the first episode in the series.

Listen to the Uncovering Hidden Risks podcast trailer and subscribe at https://www.uncoveringhiddenrisks.com

Here is a preview of the first episode, posting on Wednesday, September 28th:

Transitioning to a holistic approach to data protection

Guest Bret Arsenault, CVP, CISO at Microsoft joins us on this week’s episode of Uncovering Hidden Risks to discuss how a holistic approach to data protection can deliver better results across your organization and the three steps that can get you there. Erica Toelle and Talhah Mir host this week’s episode to chat with Bret about current trends in the data protection space, what data protection issues are top of mind, and how teams should start on their data protection strategy.

Category: Compliance Into the Weeds

CFPB on Data Protection Minimums

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, we explore the recent CFPB circular, which states that a company’s failure to implement adequate data protection measures can qualify as an unfair practice prohibited under the Consumer Financial Protection Act. Highlights include:

  • The CFPB is going to start bringing charges against more companies for sloppy data protection programs.
  • Three key data protection security controls.
  • Why CISOs and IT need to talk to compliance.
  • The role of auditing and monitoring.
  • How and where to get started.

Resources

Matt in Radical Compliance