The European Union Commission (“Commission”) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to ensure the continued functioning of Privacy Shield, including time limits for re-certifications and encouraging US authorities to expand their substantive review of Privacy Shield compliance spot-checks.

By way of brief background, the EU General Data Protection Regulation (“GDPR”) restricts the transfer of personal data to third countries unless such countries provide an adequate level of protection for personal data or an exception/derogation applies. The Commission may determine that a third country ensures an adequate level of protection by its domestic law or international commitments on data protection. On July 12, 2016, the Commission adopted a decision finding Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the US.1 The Commission’s 2016 adequacy decision also requires an annual review of Privacy Shield to evaluate the functioning of the framework. Currently, over 5,000 companies participate in the Privacy Shield program.

A press statement from the Commission on the third annual review noted that, “the review focused on the lessons learnt from [Privacy Shield’s] practical implementation and day-to-day functionality.” Participating in the review were US government departments overseeing enforcement of Privacy Shield, including the US Department of Commerce (“Commerce”), the US Federal Trade Commission (“FTC”), and newly appointed Privacy Shield Ombudsperson, Keith Krach.

In concluding that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU, the Commission noted the following next step action items to ensure the continued functioning of Privacy Shield:

  • Re-certification. To increase the transparency and reliability of the Privacy Shield list for both businesses and individuals, grace periods for companies that have not completed their re-certifications should be limited to 30 days. If these companies have not completed their re-certification at the end of this period, Commerce should send them a warning letter.
  • Spot-checking. In April 2019, Commerce introduced a system for checking 30 companies per month for Privacy Shield violations. While the Commission encourages such compliance checks, the review found that Commerce’s spot-checks focused on formal requirements, such as unresponsive points of contact at companies participating in the program or inaccessibility of the companies’ privacy policies. As a next step, the Commission encourages Commerce to review more substantive obligations, including the Accountability for Onward Transfers Principles, which would require Privacy Shield companies to produce their data sharing agreements.
  • False claims. Commerce should expand its quarterly reviews for false Privacy Shield claims to include companies that have never applied for Privacy Shield.
  • Human Resource Data Guidance. In the coming months, the EU Data Protection Authorities, Commerce and the FTC should develop guidance on the definition and treatment of human resources data.
  • Authority sharing. The EU and US authorities should find ways to share meaningful information on ongoing investigations.

While the Commission’s report confirms that Privacy Shield continues to provide adequate protection for EU to US personal data transfers, an ongoing matter before the Court of Justice of the European Union raises questions regarding the validity of Privacy Shield.2 The Commission’s report does not address its position on this case; however, the Commission notes it will reassess Privacy Shield once the Court issues its judgement. For now, companies currently participating in the Privacy Shield or applying to the program should continue to evaluate and document their ability to meet the Privacy Shield’s obligations.


1 Adequacy decisions made prior to the new EU General Data Protection Regulation remain in force unless a Commission decision decides otherwise.
2 C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems.


The post Third Annual Privacy Shield Review Confirms EU Commission’s Adequacy Decision appeared first on Global Compliance News.


Dealing with the compliance challenges presented by near daily new US sanctions and export controls requires a risk-based compliance program that addresses rapid change and mitigates increasing global enforcement risk, while still being practical and business friendly.

Executive Summary

Most GCs will be familiar, at least to some degree, with the increasing risks presented by the extraterritorial application of US sanctions and export controls. Frequent changes, in both the scope of territories and parties caught and the types of restrictions, coupled with possibly severe consequences (blacklisting, monetary penalties), mean that compliance programs must be nimble, addressing key risks while being practical and business friendly.

Key Risk Assessment Questions

What is my US nexus?

  • US corporate ownership or control of a non-US company can mean that US sanctions apply directly (in the case of Cuba and Iran sanctions). Even if such sanctions do not apply directly, US ownership and control usually means operational involvement of US persons, such that most companies consider policies that either recuse such US persons from involvement or set forth restrictive corporate policies on doing business with sanctioned territories.
  • A listing on a US stock exchange subjects a non-US company to SEC jurisdiction. While this does not prohibit sanctioned territory dealing by the non-US company per se, such business can implicate SEC reporting requirements and increased scrutiny.
  • Working with US financial institutions/USD also means increased US sanctions scrutiny as these financial institutions act as effective gatekeepers for the review of sanctions risks. Even non-US financial institutions seek to comply with US sanctions given, among other things, the risk of sanctions for processing or facilitating financial transactions with US sanctions targets.
  • Dealing in US-origin hardware, software, and technology (“Items”) can mean that US sanctions and export control jurisdiction attaches. Thus, non-US companies should assess the US nexus of their supply chain, prioritizing identification of those Items that are perhaps dual-use or subject to higher controls. Inadvertent reexport of Items subject to US law, not only to sanctioned territories and parties but also to countries subject to higher US export controls in general, can result in violations.

Where do I do business?

  • Business involving Crimea, Cuba, Iran, North Korea, Russia, Syria, and Venezuela should be the focus of US sanctions compliance efforts because these are the territories subject to the most sanctions. Recently, Turkey has been the subject of some limited US sanctions, providing a recent example of how sanctions can be used in rapid response to geo-political situations.
  • Dealing with some of these territories also presents risks under EU sanctions, and not dealing with Cuba and Iran because of US sanctions presents risks under European countermeasures such as the so-called EU Blocking Regulation.
  • Even if there is no US nexus, business with these markets can present US secondary sanctions risks for dealing with certain sanctioned parties or sectors associated with these territories. Secondary sanctions range from becoming a Specially Designated National (“SDN”) (i.e., a “blacklisted” party effectively cut off from the US market) to menu-based sanctions (for example, inability to obtain visas for US travel or licenses for Items subject to US law).

With whom am I doing business?

  • Dealing with SDNs or other restricted parties can be prohibited or restricted where there is a US nexus, can risk secondary sanctions even without a US nexus, and can create commercial/contractual risk.

Compliance Program Minimum Considerations

Much of the above risk can be mitigated by a compliance program which at least has robust controls to cover:

  1. Restricted Party Screening: a risk-based process to screen (usually involving automated and manual review) third parties, such as partners, distributors, purchasers, and customers.
  2. Review of Dealings Involving Sanctioned Territories: coupled with screening, a process to assess legality of such dealings, risk of secondary sanctions, and commercial/contractual risks, which can start with something as simple as a checklist for reviewing key issues.

First published in General Counsel Netherlands October 2019.


The post Navigating US Extraterritorial Sanctions and Export Control Risks with a Nimble Compliance Program appeared first on Global Compliance News.


Latest release of HITRUST CSF adds CCPA, SCIDSA, and NIST SP 800-171 authoritative sources as well as updates six others

FRISCO, Texas – October 28, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced the availability of version 9.3 of the HITRUST CSF information risk and compliance management framework, further delivering on its mission of One Framework, One Assessment, Globally™.

HITRUST CSF version 9.3 now incorporates and harmonizes 44 authoritative sources, most recently adding one new data privacy-related and two new security-related authoritative sources, as well as updating six existing sources as compared to the previous release.

As security and privacy requirements change in response to new and updated laws and regulations, or breaches and other cyber events, HITRUST is committed to maintaining and expanding the relevancy and applicability of the HITRUST CSF to meet the evolving regulatory and risk management landscape and associated control requirements. HITRUST CSF v9.3 updates include:

  • The California Consumer Privacy Act (CCPA) 1798 – requiring qualifying organizations to protect consumer data in specific ways and that consumers be able to opt out of the sharing of their data;
  • The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – requiring that qualifying organizations have a comprehensive information security program and report cybersecurity events;
  • NIST SP 800-171 R2 (DFARS) – providing guidance on protecting controlled unclassified information in nonfederal systems and organizations; and
  • Updating various authoritative sources to latest versions, specifically AICPA 2017, CIS CSC v7.1, ISO 27799:2016, CMS/ARS v3.1, IRS Publication 1075 2016, and NIST Cybersecurity Framework v1.1.

Further enhancements include:

  • Updates to the glossary to better clarify terms found in the HITRUST CSF,
  • Adjusted authoritative source mappings to more fully harmonize requirements across industries and sectors, and
  • Adjusted selected risk and regulatory factors to ensure that only controls appropriate to a given assessment are included, streamlining the required questions.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but the amendments made thereto during the recent California Legislative Session. Businesses of various sizes, industries, and privacy and security maturity levels must comply with the CCPA starting January 1, 2020.

There is still much confusion in the market about what CCPA compliance means, and HITRUST is committed to helping organizations meet the challenge. HITRUST will continue to enhance the CCPA work in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law by reviewing the draft rules released by the California Attorney General’s Office and the new ballot initiative proposed by Californians for Consumer Privacy and related legislation.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST CSF is a key component of the HITRUST Approach, which provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

HITRUST recognizes that many organizations prefer the reporting structure defined in the NIST Cybersecurity Framework. HITRUST has been actively supporting the development and implementation of the NIST Cybersecurity Framework since its initial release. In fact, a 2018 Government Accountability Office (GAO) Report to Congress recognized the alignment of the HITRUST CSF to the NIST Cybersecurity Framework, as the HITRUST CSF provides a reasonable and appropriate set of controls and assessment of those controls via the HITRUST CSF Assurance Program. In addition, organizations can subsequently receive a certification of their implementation of the NIST Cybersecurity Framework from HITRUST.

HITRUST developed the Healthcare Sector Cybersecurity Framework Implementation Guide, available from the US-CERT Cybersecurity Framework Website at https://www.us-cert.gov/resources/cybersecurity-framework. The Sector Guide helps healthcare organizations integrate all aspects of the NIST Cybersecurity Framework into their cybersecurity program leveraging HITRUST’s approach to control framework-based risk analysis. Building on this model, HITRUST has committed to developing and maintaining additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors. The next guide is expected in early 2020.

For those interested in commenting on the latest draft guidance on how HITRUST CSF controls map to the NIST Cybersecurity Framework version 1.1 Core Subcategories as an Informative Reference, see the NIST Cybersecurity Framework Informative Reference Catalog Website at https://www.nist.gov/cyberframework/informative-references/informative-reference-catalog.

Looking forward to the next major release of the HITRUST CSF, v10, which has a targeted release date of Q4 2020, HITRUST is preparing to evolve the framework to be even more complete, efficient, and intuitive.

“HITRUST understands the challenges of managing information risk and compliance – no matter what industry you are in,” said Sarah Phillips, Senior Manager of Standards for HITRUST. “We help organizations address these challenges by providing the depth and breadth of controls needed, while eliminating redundancies and the need for organizations to interpret and harmonize a multitude of global frameworks, standards and regulations.”

To download the HITRUST CSF go to: https://hitrustalliance.net/hitrust-csf/

To learn more about the HITRUST CSF v9.3 and HITRUST Shared Responsibility Program register for the webinar: https://go.hitrustalliance.net/SharedResponsibilityWebinar2019

The post HITRUST® Releases Version 9.3 of the HITRUST CSF® Incorporating New Privacy and Security Standards appeared first on HITRUST.



On 3 October 2019, the United Kingdom and the United States signed a first-of-its-kind Bilateral Data Access Agreement (the “Agreement”), which is expected to reduce the time it takes UK and US law enforcement agencies to access electronic evidence held by technology companies located in each other’s territory. A link to the Agreement can be found below.1

The issue of ready access to electronic data stored abroad has become increasingly acute in recent years. This has particularly been the case for UK law enforcement agencies, since the evidence needed to further their investigations and support subsequent prosecutions is often stored by technology companies headquartered in the US.

Under pre-existing arrangements between the UK, the US and other jurisdictions, law enforcement agencies are able to request information held by a company abroad through Mutual Legal Assistance Treaties (“MLAT”). Under these MLAT processes, law enforcement agencies submit information requests to the government of the country in which the data-holding company is based. The government in turn reviews the request, obtains and serves an order as needed locally, collects the data and ultimately returns it to the requesting country’s law enforcement agency. This multi-stage process can take months or even years to yield the relevant data from abroad.

The Agreement will expedite the process by allowing law enforcement agencies to ask a domestic court for a production order for electronic data (such as emails, texts and instant messages) issued directly against a communication service provider (“CSP”) located in the other country. As a result, following authorization from the court in their home country, law enforcement agencies will be able to serve that order for production of electronic data directly on a CSP in the other country, without the request having to be routed through the MLAT processes. The CSPs which are required to comply with production orders issued pursuant to the Agreement include email providers, mobile phone networks, social media companies and cloud storage services. Prosecutors hope that this process will mean that relevant evidential data can be obtained abroad in a matter of days or weeks, rather than months or years.

However, it is important to note that the Agreement will not:

  • allow law enforcement agencies to access data that they would not otherwise have had a right to access under existing domestic legislation and Constitutional protections. Accordingly, the standard of proof and the jurisdictional requirements for the issuance of an order or warrant to access data remain unchanged;
  • apply to circumstances in which the data subject is a resident of the country from which the evidence is requested (i.e., UK authorities may not request data related to US residents, and vice versa); and
  • require CSPs to provide law enforcement agencies with a means of decrypting data (e.g., from encrypted messaging apps).

The Agreement was facilitated by complementary pieces of legislation recently passed in the UK and the US: the Crime (Overseas Production Orders) Act 2019 in the UK,2 and the Clarifying Lawful Overseas Use of Data Act (CLOUD) Act enacted in 2018 in the US.3 Both Acts anticipate that agreements of this type would be entered into with countries with equivalent levels of due process, privacy and the rule of law; the UK-US Agreement is the first. More agreements of this type are anticipated. In September 2019, the US and EU released a joint statement that they had commenced negotiating a data access agreement,4 and in October 2019, a similar announcement was made by the US and Australia.5

In the US, the CLOUD Act also had an important secondary objective of clarifying that the 1986 Stored Communications Act (“SCA”)6 does require disclosure of data subject to a search warrant that is stored abroad by companies subject to US jurisdiction. That question had caused some controversy after a 2016 Second Circuit decision in Microsoft v. United States7 held that the SCA did not require Microsoft to disclose information in its custody and control that it had stored on a server in Ireland.

The Microsoft case was on appeal to the US Supreme Court at the point that the CLOUD Act was passed and was therefore determined to be moot.

What does the Agreement mean for you?

If you are a CSP, the Agreement, and any subsequent agreements entered into pursuant to the Crime (Overseas Production Orders) Act and the CLOUD Act, will allow foreign law enforcement agencies to serve upon you orders requiring the production of electronic data directly to the enforcement agency. The relative ease of their issuance, and the reduced timeframe, are likely to increase the volume of such international requests and accordingly increase the burden on CSPs in receiving, coordinating, and responding to them.

From a prosecutorial perspective, once in force, UK law enforcement agencies, including the Serious Fraud Office (“SFO”), should find that they have much quicker access to data stored by CSPs in the US, as will their US counterparts to data stored by CSPs in the UK. This should, for example, speed up SFO investigations, which are often hampered by the lengthy MLAT process, reduce the number of SFO investigations that have on occasion been abandoned due to an inability to access data and evidence overseas, and potentially speed up the process of eliminating suspects from enquiries.

Since many of the major global CSPs are located in the US (rather than the UK), the effects of the Agreement in facilitating investigations are likely to be more pronounced for UK enforcement agencies than they will be for their US counterparts, who already have more immediate access to data held by domestic CSPs. However, since the US currently receives many more MLAT requests than it issues, the Agreement, and others like it, should diminish the burden on US law enforcement and its diplomatic apparatus currently handling them.

More broadly, the Agreement is another manifestation of global law enforcement cooperation. Evidence and information are more freely flowing across borders as seen by the ever increasing number of multijurisdictional prosecutions and investigations. This trend can only increase as governments continue to develop mechanisms to share information in global criminal matters.

Finally, of course, the Agreement will not impact the MLAT arrangements currently in place with other jurisdictions, and those processes will still need to be followed with those countries until such time as similar data access agreements can be negotiated.

What should you do?

In anticipation of the Agreement’s ratification, CSPs in the US and the UK should familiarise themselves with the new regime and implement the necessary processes and procedures to respond to electronic data production orders from foreign agencies, within the relatively short timeframes anticipated.

Other companies and individuals, potentially subject to investigation in either the US or the UK, should be aware that law enforcement agencies in each country will have more ready and speedy access to electronic data abroad believed to be relevant to their enquiries. This may in turn impact those agencies’ expectations when assessing a company’s own cooperation and voluntary document production.


1 See https://www.gov.uk/government/publications/ukusa-agreement-on-access-to-electronic-data-for-the-purpose-ofcountering-serious-crime-cs-usa-no62019
2 For more information on the Crime (Overseas Production Orders) Act 2019, please read our publication from June.
3 For more information on the CLOUD Act, see the US Department of Justice’s recent White Paper and FAQs at: https://www.justice.gov/opa/press-release/file/1153446/download
4 See https://www.justice.gov/opa/pr/joint-us-eu-statement-electronic-evidence-sharing-negotiations.
5 See https://www.justice.gov/opa/pr/joint-statement-announcing-united-states-and-australian-negotiation-cloud-actagreement-us.
6 18 U.S.C. Chapter 121 §§ 2701–2712
7 829 F.3d 197 (2d Cir. 2016)

The post UK and US sign Data Access Agreement to Expedite Digital Evidence-Sharing in Criminal Investigations appeared first on Global Compliance News.


Data has gone global. Whether you’re operating in one country or worldwide you need to know the local and international rules, regulations and risks that will affect your business.

We are bringing together members of our global Data Protection and Security Team from London, EU, and the US to update you on the key legal and regulatory developments affecting the world of data privacy. With sessions focusing on employee data, adtech, regulatory enforcement trends and practical compliance issues we will be sharing perspectives from around the world to help you manage your data globally.

Data protection is not just for privacy specialists – so please do share this invitation with any colleagues interested in joining our event!

Agenda
12.15 pm Registration for pre-session
12.30 pm Pre-session – Data Protection 101: a refresher on the basics
1.00 pm Registration for main session and lunch
1.30 pm Pre-session ends, lunch for those in that session
2.00 pm Welcome and Global data protection update
2.45 pm Breakout session

Choose one breakout from the following

  • Adtech
  • Data protection and employment: developments in criminal records data, biometric data processing, DSARs and human rights
  • Regulation reactions: EU enforcement trends
  • Data protection and broader compliance issues: investigations, sanctions screening
3.45 pm Refreshment break
4.00 pm Recent cases in the UK and elsewhere
4.45 pm Panel discussion: International perspectives from France, Germany, Italy and the UK
5.15 pm Closing remarks
5.30 pm Networking drinks and canapés


About this event

Baker McKenzie
100 New Bridge Street
London
EC4V 6JA


The post Annual Data Protection and Security Seminar 2019 on 13 November 2019, London appeared first on Global Compliance News.



This article published in the Government Contracting Law Report discusses the U.S. Department of Justice’s Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters, which identify various factors that the Department will consider in issuing credit to companies that voluntarily disclose misconduct that could serve as the basis for False Claims Act violations, or companies that otherwise cooperate in ensuing investigations.


The post US: DOJ Guidelines Incentivize Companies to Self-Disclose and Cooperate in False Claims Act Cases appeared first on Global Compliance News.


On October 2, 2019, the World Trade Organization (WTO) issued an arbitration decision in European Communities and Certain Member States – Measures Affecting Trade in Large Civil Aircraft, WT/DS316/ARB. The decision authorizes the United States to impose $7.5 billion in tariffs on EU imports for EU subsidies to Airbus, making the ruling the largest in the WTO’s history and providing a partial conclusion to one of the longest running WTO disputes. The US Trade Representative (USTR) announced in a press release, which is available here, that the Trump Administration plans to impose tariffs beginning October 18. USTR stated that the bulk of these tariffs will be applied to imports from France, Germany, Spain, and the United Kingdom, and that the tariff increases will be limited to 10 percent on large civil aircraft and 25 percent on agricultural and other products. The European Union is awaiting a damage award in a WTO counter-complaint against the United States and Boeing where it has sought authorization to levy duties on $12 billion worth of US products.

Background of the Dispute

The Boeing/Airbus litigation dates back to 2004 when the United States initiated WTO proceedings arguing that EU subsidies to Airbus violated the WTO Agreement on Subsidies and Countervailing Measures and the 1994 General Agreement on Tariffs and Trade. Nine months later, the European Union initiated proceedings alleging that the United States was providing WTO-inconsistent subsidies to Boeing. In the years since, the WTO has ruled that the United States and European Union both provided infringing subsidies. The United States and European Union have each made changes to comply with these rulings, but the WTO has found continued infringements. A decision on the EU case regarding US subsidies is expected in the coming months.

Potential US Measures

The United States will receive authority to impose the retaliatory tariffs as early as this month, once the WTO’s Dispute Settlement Body formally accepts the arbitration award. In its press release, USTR announced that the United States has requested the WTO to schedule a meeting on October 14 to approve a US request for authorization to take the countermeasures against the European Union. Under Section 301 of the Trade Act of 1974, the USTR has the discretion to impose tariffs on EU products for violations of the WTO trade rules, or USTR could use the arbitration decision as a starting point for further negotiations with the European Union. USTR has published two lists of EU products that could be the target of the duties that cover more than $20 billion worth of EU exports, which are available here and here. The key EU exports that USTR will likely target include wine, cheeses, motorcycles, aircraft parts, and certain helicopters. Additional listed products include seafood products, produce, certain clothing and textile products, glassware, and certain metal products and metal alloys. USTR is not required to impose tariffs on the full amount authorized by the WTO, or to apply all the tariff increases at one time.

The UK Department for International Trade issued a press statement following the ruling stating that the United Kingdom and other EU Member States subject to the case had already complied with the WTO ruling and so did not see a basis for the United States to retaliate at this point. The United Kingdom also pointed out that in a corresponding procedure brought by the European Union against the United States, it was clear that the United States had taken no steps to comply, and so retaliation against the United States would be justified.

Implications for the WTO System and US-EU

This decision and the imminent decision in the EU case will bring to a head a long running dispute that has roiled transatlantic relations for decades. Either the United States or the European Union could eliminate the other’s threat of retaliation by modifying its legislation to comply with the WTO rulings. Short of that, the United States and the European Union will be able to impose retaliatory tariffs on imports from the other, or to negotiate a resolution between the parties.

President Trump, who calls himself “Tariff Man” and argues that foreigners pay tariffs imposed by the United States, may view this decision in the US case as providing leverage with the European Union. However, an authorization to retaliate in the EU case will likely tee up a stand-off. It may not matter much in practice if the United States’ retaliation authorization is substantially larger than the European Union’s, given the large amount of trade covered by the authorizations. Increased import tariffs would harm exporting businesses and their customers in both America and Europe, and escalating tensions could unsettle markets in a time of growing economic uncertainty. As a result, there may be increased interest in finding a negotiated path forward.

One clear winner is the WTO’s appellate body. The United States has criticized the appellate body and tied up nominations of new judges such that the appellate body will soon cease to have a quorum necessary to operate. In this case, the appellate body has, as designed, made the legal determinations necessary to ascertain WTO members’ rights. These determinations have cleared the way for the protagonists, the United States and European Union, to find a resolution.


The post WTO Authorizes US Tariffs in Boeing/Airbus Arbitration Decision appeared first on Global Compliance News.


The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Clarification to the Definition of “Personal Information”

The original text of the CCPA defined “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” — an extremely expansive definition. The amendments narrowed this definition by adding a reasonableness standard. That is, “personal information” must identify, relate to, describe, be reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This means that businesses will still have to evaluate whether a particular piece of personal information is capable of being associated with a consumer or household, but this association must be reasonable in light of the information and means reasonably available to the business. Further, the amendments clarify that “personal information” does not include de-identified or aggregate information, or “publicly available information” that is lawfully made available from federal, state, or local government records.

FCRA and Vehicle Industry Exemptions

The CCPA amendments also clarified two further exemptions, one related to the Fair Credit Reporting Act (FCRA) and one related to the vehicle industry. Specifically, activities related to consumer credit reports are exempt from the CCPA, to the extent that the information is subject to the FCRA and the activities are allowed by the FCRA. Previous versions of the CCPA limited this exemption to the “sale” of information from consumer reports, but the final version of the CCPA expands the scope of the exemption to all such activities.

Further, a consumer’s right to opt out of the “sale” of personal information does not apply to vehicle information or ownership information exchanged between a car manufacturer and a new car dealer, so long as the information is used to carry out a vehicle repair covered by warranty or recall and the recipient does not sell, share or use that information for any other purpose.

Other Notable Amendments . . . and Those that Failed

For businesses that operate exclusively online and have a direct relationship with the consumers from whom they collect personal information, only one method for submitting access or deletion requests will be required: an email address. This clarification has a significant impact on businesses that operate exclusively online, since they will no longer be required to set up a toll-free number in order to comply with CCPA requirements.

One important amendment, Assembly Bill 846, which would have protected certain loyalty programs, was removed from consideration and tabled until next year. This amendment addressed loyalty reward, discount and similar programs, and included a prohibition on the sale of personal information collected as part of those programs, as well as a limited exception to that prohibition.

The post California Consumer Privacy Act Update: What Has Changed and What Remains the Same? appeared first on Global Compliance News.


Latest release of HITRUST MyCSF® brings innovations in custom assessments, user interface, third-party assurance, and control inheritance

FRISCO, Texas – September 26, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a significant new release of its information risk and compliance assessment SaaS platform. HITRUST is continually innovating MyCSF® to help streamline and simplify how organizations assess information risk and manage compliance. The October 2019 release features a redesigned user interface, capability to create custom assessments tailored to specific regulatory or control requirements, streamlined workflows throughout the third-party assurance process, and sharing of assessments with third parties through the HITRUST Assessment XChange™.

MyCSF was designed from the start as an information risk assessment and compliance tool and engineered to streamline assessing, reporting, and remediating information risk and compliance. In addition, the platform can be used to build a robust ISRM program, lending insight into an organization’s security posture and areas for improvement, and benchmarking against the scores of similar organizations.

New features include:

  • Custom Assessments: Tailor assessments to fit an organization’s needs, selecting some or all of the controls in any of 44 authoritative sources that are mapped and harmonized in the HITRUST CSF, including ISO 27XXX, NIST 800-53, NIST Cybersecurity Framework, NIST 800-171, PCI, HIPAA, HITECH, GDPR, FFIEC, and CCPA. Customizations could include assessing against one or multiple authoritative sources, regulatory factors, or control requirements without having to add CSF baseline controls.
  • Custom Roles: Create and define access control permissions tailored to the organization.
  • Redesigned User Interface: Modern, sleek, and streamlined interface enables intuitive and faster workflow.
  • Integration to Third-Party Assurance Process: MyCSF fully supports the HITRUST CSF Assurance Program including assessment entry, assessor assignments, and submission. It also includes role assignment and workflows for the recently added Internal Assessor role, allowing internal audit and other departments to aid in the CSF Assessment process.
  • Enhanced Shared Responsibility Support: Updated functionality within MyCSF supports the HITRUST Shared Responsibility Program for inheriting controls from cloud and other service providers, streamlining the assessment and working process.
  • Integration with HITRUST Assessment XChange Portal: Makes sharing risk assessment data with third parties simple, secure, and efficient. Satisfies and streamlines customer requests to provide CSF Assessment Reports as well as customer communications concerning Corrective Action Plans (CAPs), Interim Assessments, and more.
  • Enhanced API: MyCSF also offers expanded API functions for integration with GRC and other systems.

For more information, including the MyCSF data sheet, go to https://hitrustalliance.net/mycsf.

For more information on the HITRUST Assessment XChange, go to https://hitrustax.com.

The post HITRUST Enhances Best in Class Information Risk and Compliance Assessment Platform appeared first on HITRUST.
