4 Resources That Make GDPR Compliance Less Painful

The deadline to comply with the GDPR’s complex and far-ranging requirements is rapidly approaching. As your organization races to implement its compliance program before the May 25, 2018 effective date, questions and concerns are likely to arise. While there is no shortage of online guidance on the GDPR, finding answers to your specific questions, and assuring that those answers come from credible sources, can be daunting. But we’re here to help. Below are four resources that make the GDPR more accessible, enabling you to decipher your organization’s obligations more efficiently and effectively.

    1. EUGDPR.org is a good place to start your search. The site answers FAQs about the GDPR in general, how to prepare to meet its requirements, and whether your organization is subject to the GDPR’s mandates. It also summarizes the articles contained in the GDPR and, for those seeking motivation, provides a down-to-the-second Time Until GDPR Enforcement countdown clock.
    2. GDPR Regulations & Recitals. The GDPR’s articles and recitals are available elsewhere, but this site lays them out in a very user-friendly format.
    3. Article 29 Working Party (“WP29”) Guidance. WP29 is an advisory group made up of representatives from EU data protection authorities and the European Commission. It has authored guidance on a number of key GDPR topics, including data portability, data protection officers, lead supervisory authority, data protection impact assessments, personal data breach notifications, automated decision-making and profiling, administrative fines, consent, and transparency. WP29’s guidance is well worth heeding because the GDPR envisions a key role for WP29’s successor, the European Data Protection Board (“EDPB”), which will replace WP29 when the GDPR takes effect. As discussed in Recital 139, the EDPB will contribute to “the consistent application of” the GDPR and the promotion of “cooperation of [its] supervisory authorities” throughout the EU.
    4. Our Blog & Articles. In past posts and articles, we’ve covered important GDPR issues including employee consent, the impact of the GDPR on US organizations with EU employees, and an employee’s right of erasure. We’ll continue to write regularly on GDPR-related topics in coming months.

An Employee’s Right of Erasure Under the GDPR

The implementation of the European Union’s General Data Protection Regulation (GDPR), with an effective date of May 25, 2018, is just around the corner, and with it will come pressure on the human resources (HR) department to update its approach to handling employee data. The GDPR significantly enhances employee rights with respect to control over their personal data.

In particular, the GDPR introduces the concept of a “right of erasure”, i.e., a ‘right to be forgotten’. Although the concept already exists under EU law, it currently applies only in very limited circumstances, such as where data processing may result in damage or distress. Under the GDPR, pursuant to Article 17 and Recital 65, an employee will have a right to have his/her data erased and no longer processed where consent to processing is withdrawn, where the employee objects to such processing, or where processing is no longer necessary for the purpose for which the data was gathered. That said, the employer can, under certain circumstances, refuse to comply with an employee’s request for erasure of personal data, for example where the processing is required by law or is needed in connection with a legal claim or proceeding.

Further, there is a time limit for responding to an employee’s request for erasure. An employer will be required to act on the request ‘without undue delay’ and in any event within one month of receipt. That period may be extended by up to two further months where necessary, taking into account the complexity and number of requests, but the employee must be informed of the extension, together with the reasons for the delay, within the first month (Article 12(3)).

To effectively meet the GDPR’s new requirements, employers will need to take stock of the employee data they process related to EU operations (see Does the GDPR Apply to Your U.S.-based Company?). What categories of EU employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts.

To better understand how an employee’s “right of erasure” will impact day-to-day HR operations, below are a few practical examples of instances where an employee will have the right, under the GDPR, to request that his/her data be erased and no longer processed.

Circumstances where an HR department may be compelled to erase employee data:

  • You collected the data during the employee’s hiring process, but, following the completion of that process, you can no longer demonstrate compelling grounds for continuing to process it. Such data could include, inter alia: (i) past employment verifications, (ii) education and credential verifications, (iii) credit reporting and other financial history data, (iv) government identification numbers.
  • You collected data about an employee in order to administer benefits to him or her, but the employee has since de-enrolled from the benefits program.
  • You collected employee online monitoring data for work productivity purposes, but the collection also captured data that the employee would not reasonably expect to be processed (personal emails, personal messenger conversations, etc.).
  • You collected employee data (e.g., profiling data) for use in evaluating whether to promote an employee to Position X, but ended up promoting another employee to that position instead.
  • You processed data related to employee job performance issues (e.g., late arrivals, absences, disputes with a coworker, etc.) a number of years ago, and the employee has not had similar issues since.
  • You collected identifying data on an employee such as an employee’s past address, phone number, email address, username, financial account information, etc., but the employee has since provided updated information.

Employers must be ready to comply with the new EU data regime upon its effective date next month. If your organization has not yet started, it should begin implementing policies and procedures that inform employees of their enhanced rights to control their personal data, ensure that the organization can operationally comply with those rights, and train the HR personnel who handle employee requests for erasure of data. This includes developing a plan for responding to employees’ requests in a timely and effective manner, and a review process for determining when there is a legal basis to deny a request.

D.C. Circuit Court Finally Rules on FCC’s 2015 TCPA Order

After two and a half years, the U.S. Court of Appeals for the District of Columbia Circuit issued a highly anticipated ruling reviewing the Federal Communications Commission’s (“FCC” or “Commission”) July 2015 Declaratory Ruling and Order (“2015 Order”), in which the FCC issued interpretive guidance on several aspects of the Telephone Consumer Protection Act (“TCPA”). Over a dozen organizations sought review of the FCC’s 2015 Order. The D.C. Circuit reviewed four key aspects of the 2015 Order: 1) which sorts of automatic telephone dialing system (“ATDS”) equipment are subject to the TCPA’s restrictions, 2) if a party consents to a call, whether the caller is still in violation if the consenting party’s wireless number is, unbeknownst to the caller, reassigned to a different party, 3) how a consenting party may revoke consent, and 4) whether the FCC too narrowly interpreted an exemption for certain healthcare-related calls.

The D.C. Circuit’s ruling, by a unanimous three-judge panel, set aside the FCC’s expansive interpretation of what constitutes an ATDS and its approach to consent for reassigned wireless numbers. The Court, however, upheld the FCC’s approach to revocation of consent by “reasonable means” expressing a desire to receive no further messages from the caller, as well as the scope of the FCC’s exemption for certain healthcare calls.

ATDS Equipment

In setting aside the FCC’s expansive interpretation of what constitutes ATDS equipment, the appellate panel concluded that the FCC’s view that all equipment with the theoretical “capacity” for autodialing is subject to the TCPA is too broad. Although the FCC did say in its 2015 Order that “there must be more than a theoretical potential that the equipment could be modified to satisfy the ‘autodialer’ definition”, the panel held that this “ostensible limitation affords no ground for distinguishing between a smartphone and a Firefox browser”. The panel determined that the FCC’s interpretation of ATDS was “an unreasonably expansive interpretation of the statute”.

Wireless Number Reassignment

The appellate panel also rejected the FCC’s approach to calls made to a number whose previous holder had given consent but which has since been reassigned to another, nonconsenting person. The FCC concluded that calls in that situation violate the TCPA, but allowed a “one-call safe harbor” (i.e., one call post-reassignment, regardless of whether the caller has any awareness of the reassignment). The Court set aside this interpretation as a whole on the grounds that the FCC’s “one-call safe harbor” was “arbitrary and capricious”.

Revoking Consent

In contrast to the first two aspects of the FCC’s 2015 Order, the Court upheld the FCC’s guidance allowing consumers to revoke consent through any “reasonable means clearly expressing a desire to receive no further messages from the caller”. The FCC had originally been petitioned to clarify whether callers could unilaterally prescribe exclusive means for consumers to revoke consent. The Commission explicitly declined this request, on the belief that allowing “callers to designate exclusive means of revocation” could “materially impair” the “right to revocation”. The Court agreed with the FCC’s conclusion. Notably, the Court did state that “[t]he Commission’s ruling absolves callers of any responsibility to adopt systems that would entail ‘undue burdens’ or would be ‘overly burdensome to implement’” and that “callers will have every incentive to avoid TCPA liability by making available clearly-defined and easy-to-use opt-out methods.” Seeming to address a recent wave of lawsuits based on allegedly unreasonable revocation attempts by call or text message recipients, the Court further stated, “[i]f recipients are afforded [clearly-defined and easy-to-use opt-out methods], any efforts to sidestep available methods in favor of idiosyncratic or imaginative revocation requests might well be seen as unreasonable. The selection of an unconventional method of seeking revocation might also betray the absence of any ‘reasonable expectation’ by the consumer that she could ‘effectively communicate’ a revocation request in the chosen fashion.”

Healthcare Exemption

The FCC was originally petitioned to exempt from the TCPA consent requirement “certain non-telemarketing, healthcare calls” alleged to “provide vital, time-sensitive information patients welcome, expect, and often rely on to make informed decisions.” Although the Commission acknowledged the “exigency and public interest” in certain healthcare related calls, it was concerned that this policy argument failed with other types of healthcare calls such as “account communications and payment notifications” that could still potentially qualify as “vital, time-sensitive”.

As a result, the FCC’s 2015 Order limited the healthcare exemption to calls for which there is “exigency and that have a healthcare treatment purpose, specifically: appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications, and home healthcare instructions”. The exemption does not cover calls that include telemarketing, solicitation, or advertising content, or which include accounting, billing, debt-collection, or other financial content.

The Court concluded that the FCC was “empowered to draw the distinction it did, and it adequately explained its reason for doing so”, and therefore its action was not “arbitrary and capricious”, as petitioners had argued.

FCC Response

Shortly after the Court’s decision was announced, the FCC Commissioners issued statements in response. Chairman Pai, Commissioner Carr, and Commissioner O’Rielly all viewed the decision favorably. Commissioner Rosenworcel’s statement reflected her view that the Court’s decision would allow robocalls to continue unless the FCC does something to address them. Importantly, an appeal of the Court’s decision appears unlikely, as Chairman Pai stated, “I’m pleased today’s ruling does not impact the current FCC’s efforts to combat illegal robocalls and spoofing. We will continue to pursue consumer-friendly policies” and “we’ll maintain our strong approach to enforcement.”

The D.C. Circuit’s ruling both clarifies key aspects of the FCC’s 2015 Order and provides the FCC with direction on how to approach rulemaking in this area going forward. However, numerous issues regarding the TCPA’s breadth and scope remain. Organizations are advised to consider the D.C. Circuit’s ruling together with FCC Chairman Pai’s position on the TCPA when implementing and updating telemarketing and/or automatic dialing practices going forward.

Cost-Benefit Analysis 101 for Healthcare Providers

Nary a week goes by without news of a data breach at a healthcare provider. While a good number of breaches result from attackers defeating cybersecurity defenses or exploiting system security weaknesses, healthcare providers also face substantial risk from their own internal operations. There are frequent reports of these “internal” breaches: loss of equipment (e.g., laptops that were not secured and unencrypted USB drives), employee wrongdoing (e.g., theft of records or improper access to records to satisfy personal curiosity), and those unfortunate “oops” moments (e.g., sending protected health information (“PHI”) to administrative vendors without a proper business associate agreement (“BAA”) in place, or a spontaneous conversation in a waiting room disclosing PHI).

Huge penalties are attached to these breaches. Healthcare entities (and their business associates) face stiff financial penalties: $150,000 for a lost, unencrypted flash drive, $750,000 for sending PHI to an administrative service provider without a signed BAA, and $2.5 million for a stolen laptop, just to name a few. These poor folks would also likely face multi-year corrective action plans, the internal and external costs of investigating the breach and navigating the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”), and potential litigation, not to mention the adverse publicity. Let’s not even get into the possibility of criminal penalties…

The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (“HIPAA/HITECH”) requirements have been around for some time. These critical rules are being augmented by the regular passage of various state laws. Some enacted or proposed laws, such as the “Stop Hacks and Improve Electronic Data Security Act” (“SHIELD Act”) legislation proposed by the NYS Attorney General, would not add requirements for companies that are already in compliance with other cybersecurity laws such as HIPAA/HITECH. If you are not in compliance, however, then you could be facing OCR and other regulators as well.

Without doubt, many small or mid-sized healthcare providers have not complied with at least some of the security and privacy requirements under these laws as of this writing. We get it: healthcare payments are shrinking and compliance can be a big nut. But ignoring compliance obligations gets riskier with each passing day.

If you need help meeting privacy requirements, are looking for assistance with HIPAA compliant policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.  Below are some assorted links to our previous award-winning blog posts dealing with data breach preparedness, the SHIELD Act, and breach matters pertaining to healthcare entities (and if you browse through the posts, there are plenty more informative blogs pertinent to privacy concerns for healthcare entities):

Alabama Senate Passes Data Breach Notification Act

There are only two states in the U.S. that have yet to enact data breach notification laws, but that may change in 2018. Several weeks ago, the South Dakota state legislature announced that a data breach notification bill (Senate Bill No. 62) was pending.  Now, Alabama is following suit.

On March 1st, the Alabama Senate unanimously passed Senate Bill 318, the Alabama Data Breach Notification Act.  The bill now moves to the House of Representatives for consideration.  The bill sponsored by state Senator Arthur Orr (R-Decatur) would require companies facing a data breach to notify affected individuals within 45 days of determination that a breach has occurred and is reasonably likely to cause substantial harm. Although there are no criminal penalties for companies that fail to notify affected individuals, the Attorney General’s office can issue fines of up to $5,000 per day, and file a lawsuit on behalf of the affected individuals. A private action is not available.

“Alabama is one of two states that doesn’t have a data breach notification law,” Sen. Arthur Orr said. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

Over the past year, Alabama Attorney General Steve Marshall has both worked on and been vocally supportive of the bill. “I want to thank the Alabama Senate, and Senator Orr in particular, for moving this bill forward and taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked,” Marshall said. “This is a big win for Alabama consumers and I look forward to working with the House to cross the finish line.”

High-profile data breaches have been a “wake-up call” for state legislators across the U.S., and Marshall emphasized, “It is long overdue.” The coming years will likely bring a variety of amendments to already existing state data breach notification laws. Review our articles on recent trends in other state data breach notification laws:

Is Employee Consent Under the GDPR Possible?

The European Union’s  General Data Protection Regulation (GDPR) is fast approaching and U.S. organizations that control or process personal data of EU residents are likely subject to these new data protection requirements.  Now is the time for U.S. employers to determine whether they are covered by the GDPR (see our blog post, Does the GDPR Apply to Your US-based Company) and, if they are, begin preparing their HR data systems for compliance.

An employer that needs to process EU employee data must have a lawful basis for doing so under the GDPR. One of the six lawful bases for processing an EU resident’s personal data in Article 6 of the GDPR is “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

A common practice in the U.S. is to rely on blanket consent clauses in employment contracts or handbooks that permit employers to process employee personal data. U.S. employers often also rely on implied consent from employees. However, such practices may not be considered valid forms of consent for lawful processing of personal data under the GDPR. An expansive discussion on the validity of employee consent for data processing under the GDPR, and how organizations can prepare their HR data systems to reflect GDPR ‘consent’ requirements, can be accessed here.

The Dark Web and its Impact on Small Business

Most business owners are all too familiar with identity theft. What they might not be sufficiently aware of is the “Dark Web”, where identity thieves buy and sell stolen personal information.

The Dark Web Defined

The Dark Web describes places on the internet not indexed by traditional search engines. Although not all sites on the Dark Web engage in criminal activity, it is generally where stolen consumer data is bought and sold. For identity thieves, the Dark Web is a virtual marketplace that provides a safe haven for cyber criminals to barter their goods, whether stolen account information, stolen credentials, stolen documents or other personal information.

What Is the Connection between the Dark Web and Small Business?

Generally, personal data stolen from businesses ends up on the Dark Web. There is a myriad of categories within the Dark Web that specialize in different stolen information such as stolen credit cards, stolen account information from financial institutions, forged documents, etc.  Many times there are even subcategories within these general categories such as a specific brand of credit cards within a specific geographic location by state and zip code.  Surprisingly, some of these Dark Web businesses will not only sell stolen information such as bank cards, but will also offer “customer service” functions such as card support or refunds.  The Dark Web also offers compromised bank accounts, health records, credentials and forged real estate documents.  Interestingly, a “one-stop shop” is available on the Dark Web that offers entire “wallets” complete with driver’s license, social security numbers, birth certificates and credit cards.

How Is Stolen Information Utilized?

There is no real limitation for the creative criminal mind on what purposes stolen information can serve. Generally, it can include obtaining credit, mortgages, loans, tax refunds, etc.  In addition, it can be used to create a “synthetic identity” where both real and fictitious information is lumped together to suddenly create a new identity that is difficult to discover.

Stolen Credentials

A growing area of criminal activity on the Dark Web is the use of stolen credentials such as user names and passwords. To profit from this type of information, identity thieves often hire “account checkers” who input stolen user names and passwords across various business accounts, including banking and eCommerce, and attempt to “break in” to the accounts, since many people reuse the same user name and password across services (a technique commonly called credential stuffing). A user name and password stolen from a single site can thus be used to open up a variety of accounts across the financial and business world.
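
The “account checker” activity described above leaves a recognizable footprint in authentication logs: a single source tries many different user names, each only once or twice, with a high failure rate, which is the opposite of a brute-force attack that hammers one account with many passwords. The following Python example is added here to illustrate that distinction and is not part of the original post; the log line format, the thresholds, and the IP addresses and user names in the constructed sample log are assumptions for illustration only.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not from any real system). Assumed format:
# <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 203.0.113.5 alice LOGIN_FAIL
2018-03-01T10:00:02Z 203.0.113.5 bob LOGIN_FAIL
2018-03-01T10:00:02Z 203.0.113.5 carol LOGIN_OK
2018-03-01T10:00:03Z 203.0.113.5 dave LOGIN_FAIL
2018-03-01T10:00:03Z 203.0.113.5 erin LOGIN_FAIL
2018-03-01T10:00:04Z 203.0.113.5 frank LOGIN_FAIL
2018-03-01T10:00:05Z 203.0.113.5 grace LOGIN_FAIL
2018-03-01T10:00:06Z 203.0.113.5 heidi LOGIN_FAIL
2018-03-01T10:00:10Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:11Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:12Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:13Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:14Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:15Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:16Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:17Z 198.51.100.7 alice LOGIN_FAIL
2018-03-01T10:00:20Z 192.0.2.9 carol LOGIN_FAIL
2018-03-01T10:00:25Z 192.0.2.9 carol LOGIN_OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # accounts that logged in OK from this source


def parse_log(text):
    """Yield (ip, user, success) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "LOGIN_OK"


def aggregate(text):
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return stats


def classify(s, min_attempts=5, min_distinct_users=5, min_fail_rate=0.6):
    """Label one source's activity.

    credential_stuffing: many attempts spread over many distinct accounts, mostly
        failing; each stolen pair is usually tried once, so attempts per user is ~1.
    brute_force: many failing attempts concentrated on a single account.
    benign: everything else (a real user mistyping a password a few times).
    The thresholds are illustrative assumptions, not values from any standard.
    """
    if s.attempts < min_attempts:
        return "benign"
    if s.failures / s.attempts < min_fail_rate:
        return "benign"
    if len(s.users) >= min_distinct_users and s.attempts / len(s.users) < 2:
        return "credential_stuffing"
    if len(s.users) == 1:
        return "brute_force"
    return "benign"


def detect(text):
    """Return {ip: (label, sorted accounts that succeeded from that ip)} for every
    non-benign source. Successful logins from a credential-stuffing source are the
    accounts whose reused passwords worked and should be force-reset."""
    findings = {}
    for ip, s in aggregate(text).items():
        label = classify(s)
        if label != "benign":
            findings[ip] = (label, sorted(s.compromised))
    return findings


if __name__ == "__main__":
    for ip, (label, hits) in detect(SAMPLE_LOG).items():
        print(f"{ip}: {label}; accounts to force-reset: {hits or 'none'}")
```

Run against the sample, the script flags 203.0.113.5 as credential stuffing (eight different accounts, one of which, carol, was opened with a reused password) and 198.51.100.7 as a brute-force attempt against alice alone, while the two attempts from 192.0.2.9 stay below the noise floor. The distinction matters operationally: a stuffing hit means the affected accounts’ passwords are already known to the attacker and must be reset, not merely locked.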

Small Business Impact from Dark Web

The media generally focuses on data breaches at large companies that hold information on millions of consumers. Consequently, many small businesses may mistakenly conclude that they would not be a prime target of identity thieves. Small business owners should know that thieves generally do not choose targets by size, but by vulnerability. As privacy specialists noted at a recent Federal Trade Commission (FTC) conference, information available for sale on the Dark Web is up to twenty times more likely to come from a company whose breach was not reported in the media. Unfortunately, many of these are small retailers, restaurant chains, school districts, medical practices, and other small practices, as emphasized at the FTC conference, where it was announced that the majority of breaches investigated by the U.S. Secret Service involve small businesses. (The full FTC conference on identity theft is available for viewing under the video tab here.)

Reducing Risk for Your Small Business

Obviously, it starts and ends with adequate security protections and the commitment to consistently utilize proper security protocols. The FTC has a data security page that identifies security options for a business of any size and sector.  In addition, the House of Representatives recently held a hearing to discuss cybersecurity risks for small businesses and various solutions. In particular it was suggested that increased sharing of cyberthreat data could enhance the security of all industries, supported by Committee Chairman Steven Chabot’s recently introduced Small Business Cybersecurity Enhancement Act (H.R. 4668) which would create a government-led cyberthreat sharing information program.  For more information on small businesses and cybersecurity, see our article Data Breach Preparedness: A critical risk management for small and mid-sized business. The bottom line is that small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.


Upcoming Deadlines for Covered Entities Subject to NYS DFS Cybersecurity Regulations

Last week, the New York State Department of Financial Services (“DFS”) issued a press release to remind covered entities of an upcoming deadline under the DFS cybersecurity regulations.  The next deadline under the regulations is February 15, 2018 – by that date, any covered entities (hopefully, you know who you are) must submit a statement to DFS certifying compliance with the regulations (excuse me, the landmark, first-in-the-nation regulations).  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

The press release also noted that cybersecurity will be incorporated into all future examinations conducted by DFS. Superintendent Maria Vullo stated “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with the regulatory standards” and that by including cybersecurity in future examinations, DFS will help prevent cybersecurity attacks.

Speaking of annual reviews and assessments, another deadline is approaching under the DFS cybersecurity regulations. By March 1, 2018 (the one year anniversary of the regulation), covered entities should submit their annual written report to their boards, governing bodies, or other appropriate individual/committee.   Also by this deadline, covered entities should have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or periodic penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

Mark your calendars! If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.  And, if you need a refresher on any points related to the DFS cybersecurity regulations, here are links to our previous blog posts (excuse me, award-winning blog posts), articles and our webinar which are full of details:

ABA Gets Lawyers Heightened Protections for Device Searches at International Borders

U.S. Customs searches have become increasingly invasive over the years. Pursuant to Department of Homeland Security (DHS) policy, U.S. Customs and Border Protection (CBP) operates under the “border search exception”, which allows searches and seizures at international borders or their functional equivalent (e.g., international airports) without probable cause or a warrant. Routine CBP searches at the border are deemed “reasonable” per se and therefore do not violate the Fourth Amendment’s protection against “unreasonable searches and seizures”. The broad power of the CBP, of course, stems from concern for national security.

For lawyers, invasive CBP searches are particularly problematic, as the CBP asserts that it has the authority to read any document in a traveler’s possession, including those found on electronic devices, despite claims that such documents contain attorney-client privileged information. A Ninth Circuit decision supports the CBP’s position, holding that “reasonable suspicion is not needed for customs officials to search a laptop or other electronic device at the international border” (United States v. Arnold, 523 F.3d 941 (9th Cir. 2008)). Other courts have since ruled similarly.

ABA Efforts to Clarify Department of Homeland Security Policy

In May of 2017, then-American Bar Association (ABA) President Linda Klein wrote a letter to the DHS voicing the ABA’s concerns over potential violations of attorney-client privilege at international borders and airports. In particular, Klein requested that DHS clarify the directive on electronic device search and seizure, which had not been updated since 2009.

“We recognize that security at the nation’s borders is of fundamental importance, and we acknowledge that lawyers traveling across the border with laptops and other electronic devices containing confidential client documents and other information could become subject to routine searches by CBP and [Immigration and Customs Enforcement] agents,” Klein wrote. “But just as border security is fundamental to national security, so too is the principle of client confidentiality fundamental to the American legal system.”

Since May, DHS has worked together with the ABA to clarify the original directive and develop new protections for attorney-client privileged information and confidential client information on lawyers’ electronic devices. Early this month, the CBP issued a revised directive. The revised directive is a “clear improvement over the prior policy”, said current ABA President Hilarie Bass, although it does not include the entire ABA proposal.

Key changes to the revised electronic device search and seizure directive include: a requirement for CBP officers to consult with CBP’s senior counsel before searching devices when an attorney-client privilege is asserted; details for how CBP officers should respond to such assertions; segregation of privileged material; and disposal of privileged materials.

In addition, the ABA Standing Committee on Ethics and Professional Responsibility issued advice to travelling lawyers, in an electronic device advisory. The ABA recommends the following:

  • Determine which devices contain attorney-client privileged documents, and consider leaving them at home.
  • Consider traveling with a temporary, inexpensive device or storage device holding only the minimum necessary information.
  • Familiarize yourself with the type and location of privileged and confidential information on the devices you do carry.
  • Place devices in airplane mode, or power them off entirely, before reaching the border.
  • Carry identification that demonstrates you are a legal professional.
  • Familiarize yourself with the requirements of your jurisdiction’s professional code of conduct.

Any lawyer who travels outside the U.S. should be aware of the DHS policy on electronic device search and seizure at international borders, and take precautions accordingly.

Top 10 for 2018 – Happy Data Privacy Day

This Sunday, January 28, is Data Privacy Day, which Congress recognized on Jan. 27, 2014, when it adopted S. Res. 337 supporting the designation. As noted by the National Cyber Security Alliance, Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Don’t count on any days off soon, but awareness of the data privacy and security issues affecting our lives and businesses has grown in recent years, and will certainly continue to do so for the foreseeable future. In honor of Data Privacy Day, we again prepared our thoughts on some key issues to be on the lookout for in 2018. We call it “Top 10 for 2018.” The topics are below, and a more expansive discussion of them can be accessed here.

1. Greater Focus on EU Data Protection Requirements

2. Biometric Data – Emerging Law and Litigation

3. Analytics in the Workplace – Privacy Vulnerabilities

4. Enhanced Connectivity – GPS plus IoT

5. Ransomware and Phishing Attacks Continue

6. Insider Threats

7. Privacy and Data Breach Class Actions

8. Data Breach Readiness

9. Increased Data Privacy and Security Legislation

10. Vendor Management