cybersecurity.jmbm.comCybersecurity Lawyer Forum — Published by JMBM’s Cybersecurity and Privacy Group — Jeffer Mangels Bu

Cybersecurity Lawyer Forum — Published by JMBM’s Cybersecurity and Privacy Group — Jeffer Mangels Butler & Mitchell LLP Contact Us Tap Here To Call Us Phone: +1.310.785.5331 Phone: +1.310.201.3529 cyberlawyer@jmbm.com Cybersecurity Lawyer Forum Published By Jeffer Mangels Butler & Mitchell LLP Navigation Home Our Team What We do JMBM LLP Subscribe Contact Us CONTACT US: 310.201.3553 March 31, 2021 Cybersecurity Guide for Hospitality Industry Now Available through NIST by JMBM's Cybersecurity and Privacy Group Bob Braun was recently quoted in an article distributed by the National Institute of Standards and Technology (NIST), evaluating the organization’s recent publication of a three-part guide to securing guest and credit card data at hotels. “This publication analyzes and addresses the challenges common to almost all hotels in creating secure data systems,” he said. “Hotels would be well-advised to incorporate its recommendations in their information protection protocols.” The guide, Securing Property Management Systems, uses commercially available technology to implement a range of data security strategies, including zero trust architecture, role-based authentication, and tokenization of credit card data. Hotels are attractive targets for attackers seeking sensitive guest or financial data; one industry report ranked the hospitality industry as the third-most frequently compromised, suffering 13% of all incidents in 2019. Read the full article here . All three parts of the guide are available as a downloadable PDF here . by JMBM's Cybersecurity and Privacy Group Posted in: News March 31, 2021 Updated: March 31, 2021 3:04 pm March 24, 2021 New CCPA Developments by Robert E. Braun The California Attorney General’s Office has finalized additional regulations implementing the California Consumer Privacy Act of 2018 (the CCPA). The new regulations, found here, are the most recent in a series of regulations that build on the rules last adopted in August 2020. The new regulations have a number of developments that companies doing business in California need to consider: Do Not Sell Button . The regulations introduce, but do not require, the use of a blue opt-out icon designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. While earlier versions of the regulations discussed placement of the icon, the only mandates that remain are that the icon is the same size as others on the web page. Businesses can download the icon here . Importantly, the icon may be used in addition to, but not in place of, the existing do not sell procedures. Ongoing Enforcement . While the Attorney General has not been active in bringing enforcement actions for violations of the CCPA, the Attorney General’s office has actively issued notices to cure violations. The press release accompanying the new regulation notes that there has been “widespread compliance … especially in response to notices to cure.” Last year, Supervising Deputy AG Stacey Schesser told the IAPP, the International Association of Privacy Professionals, that enforcement targeted online businesses that were missing key privacy disclosures or “Do Not Sell” links, and came in response to consumer complaints, including on social media. The future of enforcement will depend on a number of factors, including the impact of the newly formed California Privacy Protection Agency and the Governor’s nomination of Rob Bonta as Attorney General to succeed Xavier Becerra, who was recently confirmed as U.S. Secretary of Health and Human Services. Continue reading by Robert E. Braun Posted in: California Law and Privacy Regulations March 24, 2021 Updated: March 24, 2021 2:48 pm January 25, 2021 Sensitivity Training – Sensitive Personal Information under the California Privacy Rights Enforcement Act of 2020 by Robert E. Braun Just as we were getting used to the California Consumer Privacy Act of 2018 (the “CCPA”), Californians voted to approve Proposition 24, the California Privacy Rights Enforcement Act of 2020 (the “CPRA”). For now, the CCPA is still with us – the CPRA becomes effective on January 1, 2023 – but companies that do business in California need to address the new industry requirements, consumer privacy rights, and enforcement mechanisms as far in advance as possible. The CPRA, like the CCPA, is a consumer-focused law with the goal of expanding consumer knowledge about and control over the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. To that end, the CPRA introduces a new class of information, sensitive personal information . Companies that collect sensitive personal information are required to follow disclosure requirements and implement additional protections and rights for California residents. In order to comply with the new law, a critical first step for businesses is to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition. What is sensitive personal information? The CPRA’s approach to sensitive personal information generally tracks the European Union’s General Data Protection Regulation’s definition of Special Category Data, but adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages. Specifically, the CPRA defines sensitive personal information as: social security, driver’s license, state identification card, or passport number; account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a mail, email and text messages; genetic data; biometric information for the purpose of identifying a consumer; personal information collected and analyzed concerning a consumer’s health, sex life or sexual orientation. Continue reading by Robert E. Braun Posted in: California Law and Privacy Regulations January 25, 2021 Updated: January 25, 2021 11:39 am November 18, 2020 Michael A. Gold named one of California’s Top Cyber Lawyers by the Daily Journal by JMBM's Cybersecurity and Privacy Group LOS ANGELES—Jeffer Mangels Butler & Mitchell LLP (JMBM) is pleased to announce that Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, has been recognized by the Daily Journal as one of California’s Top Cyber Lawyers. As reported by the Daily Journal , his clients include companies that operate within large and complex data environments, particularly those with international operations and regulatory challenges. In the Daily Journal’s profile, Gold said: “Threats and exploits and hacks are existential problems for companies when they lead to lawsuits and regulatory investigations. Nobody takes this lightly, and part of my job is to help clients see a path forward.” Read the full profile here . Gold has been recognized as one of the “Most Influential Lawyers: Digital Media and E-Commerce Law” by the Los Angeles Business Journal , has been designated a “Top Rated Lawyer in Technology Law” by Martindale Hubbell, and was listed in the Daily Journal’s Top 20 Cyber – Artificial Intelligence Lawyers” in 2018. He is the co-publisher of the blog, Cybersecurity Lawyer Forum, a resource for lawyers, executives, boards of directors and IT professionals. “Michael remains on the forefront of the dynamic cyber and technology issues that continue to impact businesses worldwide,” said Bruce Jeffer, JMBM’s managing partner. “He is a tremendous asset to our clients and to our firm.” by JMBM's Cybersecurity and Privacy Group Posted in: News November 18, 2020 Updated: November 18, 2020 12:43 pm November 5, 2020 What Businesses Need to Know About the New Cal...