Managing Privacy and Cyber In A Pandemic: Lessons Learned For 2021 & Beyond

Behnam Dayanim
partner, chair of Advertising, Gaming & Promotions and co-chair of Privacy & Cybersecurity practices at Paul Hastings LLP

RSAC 365 Virtual Summit
January 27, 2021, Online

About the talk

The COVID pandemic triggered massive health, economic and societal disruption and loss. It also upended privacy and cybersecurity challenges and expectations. This presentation will explore lessons learned as a result of those experiences – new regulatory expectations, compliance tips and commercial practices that will remain with us long past the pandemic itself.

About speaker


Behnam Dayanim is a Partner with the global law firm Paul Hastings LLP, where he chairs the firm’s Privacy and Cybersecurity practice and its Advertising, Gaming, and Promotions practice. Dayanim has been ranked globally and nationally as a leading privacy and gaming attorney and has spoken frequently at RSA Conferences since 2000. He was named Best Lawyers® 2014–15 and 2019–20 Gaming Law “Lawyer of the Year” in Washington, DC, and has been named a top gaming and gambling lawyer by Chambers Global and Chambers USA. He also has been cited by Chambers Fintech and the Legal 500 for his work in privacy and data protection, ranking in Band 1 among Chambers Fintech Data Protection lawyers worldwide.

Transcript

Hi everyone. I'm Behnam Dayanim. I'm a partner and global chair of the privacy and cybersecurity practice at the law firm Paul Hastings. I'm based in Washington, DC, although I haven't seen Washington, DC for many, many months; I'm doing this broadcast, or video webinar, from my home. I'm glad to be here with all of you. I'm going to talk today about how to manage privacy and cyber in a pandemic: lessons learned for 2021 and beyond. So what are we going to talk about? Well, COVID really has both accelerated certain trends and also upended certain assumptions that people had about data privacy and cybersecurity prior to the pandemic. It's accelerated the transition to remote work and, of course, increased reliance on remote resources, and at the same time it's really changed expectations about what types of data employers might expect from their employees. And I think both of these trends are likely to last much longer than simply the length of the pandemic, and both have very significant implications for privacy and cybersecurity threats.

Let me dive into them. As many businesses start to move into the office reopening phase, one of the real questions that they face is the types of information they're collecting. I think it's important for those of us who serve in privacy or cybersecurity roles, or as legal counsel, to really challenge the extent of information that is truly needed for office reopening. For example, we know that many businesses are conducting temperature checks of employees when they enter the building and turning folks away if they show a fever or other signs of illness. Is there really a need to record that? Or is it simply enough to know that you have that process in place, so that anybody who has been admitted to the building has satisfied those criteria, without having to record Jane Doe's or John Smith's checks, or even that Jane Doe was turned away because she failed the temperature check? The question is, is it really necessary to have that information? I would posit that in most cases it is not, right? And if there is an insistence that any particular item of information is needed, then it really should be questioned and challenged and documented as to why it is that that information was needed. And once you've gotten past that stage and have decided that you actually do need the particular data element, then of course there's a question about how to collect and store it and to ensure that it is protected. It's also important to understand state and local mandates on reporting positive test results and contact tracing. Those will vary from state to state and from locality to locality. In many cases there will be obligations incumbent upon the employer, if they become aware of a positive test result, to notify the authorities. That runs counter in some respects to the traditional privacy standpoint, because you're now sharing employee information, but those laws would trump any ordinary default position and would in fact require disclosure. I thought these data points might be of interest to you in this regard: a PPU

report that was done just within the past six weeks or so, which looked at data collection efforts by employers. As you see here on the slide, many employers, the overwhelming majority, 76%, have asked employees to notify them if they're diagnosed. A little over half have asked if they've stopped their personal travel, over a third have asked about household members' COVID status, and a little under a quarter have taken temperatures of employees, like what I was just describing a moment ago. All of these things are really quite novel, quite remarkable when you think about it, not the kinds of questions that one would ordinarily have expected employers to be asking of their employees. And I would posit that we will see in the near future an additional question, an additional bullet point, if the survey is done a few months from now, regarding organizations that have asked employees to notify them if they've been vaccinated. That'll be the next step. And the question the companies will have to grapple with is to what extent they want to know that information. In addition, 3 in 10 organizations have been asked to share anonymized COVID data with a third party, whether that's a government, a research organization, or an NGO. 20% have shared the names of staff who were diagnosed with other employees or with government officials, and I'll talk a little bit more about that as well. 15% have conducted a DPIA, a data privacy impact assessment, focused on COVID questions. That's a good thing to do. Most of you watching this know that when you have a robust privacy compliance program, one element of that is to conduct a privacy impact assessment before embarking upon a new process or adopting a new system or technology that will involve the collection of data, such as work from home. Interestingly, and in some ways I certainly understand it, some have, not surprisingly, also expedited their privacy or security review. There's nothing necessarily wrong with expediting privacy and security review. Okay, so I alluded to the temperature checks earlier. These are the kinds of questions to ask when thinking about something like a temperature check: do you

really need to record the responses? Who collects the responses, the building itself or the employer? Is it necessary to keep it at all? If you're asking for testing information, when do you require testing of your employees? There's not an obvious answer to that question, and the answer will depend in many respects on the company's own particular circumstances and the characteristics of its workforce. What do you do with a result? I mentioned positive results; many places will require reporting to governmental authorities. Negative results? There's no one-size-fits-all here, but it's the kind of question that you have to approach in an intentional fashion. And how do you communicate a positive result to the workforce? So, for example, you have an employee, Jane Doe, who tested positive. Do you send an email to the entire workforce at that location saying that Jane Doe tested positive? That would not be the right answer. That's almost never, in my experience, the right level of disclosure. But you might say something like: an employee who was last in the office on December 23rd tested positive; he or she worked on the 10th floor. And you might send that to people in that office and not to other offices. That provides the information necessary for people to make a determination as to whether or not they themselves might have come into contact with that person or need to take some steps to take care of themselves, whether it's monitoring for symptoms or obtaining a test. Those are the kinds of questions that are important to think about now, before we have wide-scale reopening, because even post-vaccination there will be some number, probably quite a large number, of people in the shorter term who have not been vaccinated and might therefore be susceptible to the virus, and the vaccination itself is not a hundred percent. So this kind of question will be something that I think is going to be with us for quite some time, and understanding and having in place a process to deal with it will be really important. Agencies will typically require notification of positive test results, and so

for each location you really need to know who those agencies are and have the contact information necessary. Another very important question is disposal. If you are storing testing data, for example, in addition to determining how long you want to store the information, you really should have a plan in place for securely disposing of it. That's not unique to test information; that's true of any personal data, but this is just another example of the importance of that element of a data protection program. And quite often not understood is the interaction of COVID testing results, testing data, with HIPAA. HIPAA, of course, is the federal law that governs the protection, the privacy and security, of protected health information and imposes quite rigorous requirements, and it does not apply here. And the reason it does not apply is that what HIPAA covers is protected health information, and protected health information is health information, but not all health information; it's health information that's been created, collected, transmitted or maintained in connection with the provision of healthcare, the payment for healthcare, or used in healthcare operations. When you have an employee take a COVID test, or have a temperature check for that matter, that is not in connection with the provision of healthcare. That's for employee safety, place-of-employment safety. It's for work-related business operations reasons, not healthcare operations. As a general matter, employee testing won't fall within the scope of HIPAA. So that cuts in both directions. If you use vendors to provide tests, or employee tests are conducted by a vendor, or other things are done in connection with this kind of activity, you have to review those vendor agreements carefully, because often the vendor who might be administering a test also engages in HIPAA-related activities, and so to address, for example, security requirements or privacy requirements, the agreement might just simply have some boilerplate that says we will comply with applicable HIPAA

requirements, but that's meaningless in this context, because this activity largely isn't subject to HIPAA, so there will be no applicable HIPAA requirements, and so you have no protection as the client in dealing with that vendor. You have to modify that provision to say either that they will comply with HIPAA requirements notwithstanding, irrespective of whether it applies, or, a better option, to actually build in specific requirements for privacy and security protection and for what happens in the event of a security incident or a data breach. Because if the information is not PHI, that means it's not subject to HIPAA's breach rules. So if there is a disclosure of that information, that can be good or bad. In many cases it can be good, because it means you don't have to assume that notice is required under HIPAA to HHS, excuse me, Health and Human Services. And so it's important to understand whether the data is in fact covered by HIPAA, and if it's not, it's important to spell out what steps will be taken if there is a breach, and that's something that should be addressed both ahead of time in your vendor agreement and also internally through your internal policies and procedures. We had a client not too long ago that actually experienced this, where there was a breach involving COVID testing information, and a lengthy dialogue ensued between the client and the vendor over whether it was HIPAA-reportable, because they did not undertake that exercise or analysis at the time they entered into the agreement. Ultimately they concluded, correctly, that it was not a HIPAA event, and the vendor ultimately agreed, and as a result the HIPAA security breach provisions did not come into play. But had they simply assumed it was HIPAA, they would have gone through that whole process unnecessarily. So that's an important thing to keep in mind. Okay, what about accelerated trends? Well, the obvious one is, of course, that the increase in remote work has, not surprisingly, led to increased cyberattacks. And I have here some examples; these come from Verizon Business. Increased distraction has caused increased success in cyberattacks, in particular phishing scams.

When I was setting up this presentation I was distracted, because I had one of my children calling for me and I fell off the call, and that can cause employees to pay less careful attention to what they're doing. And that is, in fact, I think one of the drivers of the increase in successful phishing scams that we've seen, web application breaches, heightened ransomware attacks; a whole host of types of attack have increased with remote work. Remote work increases the need to do what people already should have been doing, but also, from a cybersecurity professional's perspective, it really increases the importance of keeping abreast of best practices, because best practices are evolving more rapidly than before. It was already a dynamic phenomenon to begin with, and now what was best practice six months ago is not best practice today. So it's important for security professionals to know that and keep up to date so that they can continue to maintain a reasonable approach towards cybersecurity. And reasonableness is important, because there are more and more federal and state regulatory requirements that adopt a reasonableness standard, saying you have to have a reasonable WISP, a written information security program, a reasonable WISP in place, and reasonableness often turns, in part anyway, on industry best practices and on the foreseeability of risk. Of course, in the HIPAA context there are specific and very granular cybersecurity requirements. That's also true, for example, in the New York DFS cybersecurity regulations, which apply to financial services companies that are licensed by the New York Department of Financial Services. But that's not generally the case. When you're talking about the venerable Massachusetts data security regulation that has been in place for many years, for example, or the more recent CCPA, the California Consumer Privacy Act, and its successor, the California Privacy Rights Act, which will take effect in 2023, they talk more in terms of reasonableness. And certainly the Federal Trade Commission, in looking at data security, looks at reasonableness and explicitly has looked at it in the context of industry best practices, among other things. So what does this mean? What are the implications? Number one, it really requires keeping abreast of

what industry is doing, knowing what your competitors and peer companies are doing. It also really requires increased communication between IT operations, which is continuing to roll out newer and better remote working solutions, and information security. As each business process changes, infosec needs to be in the loop. They need to be in the loop early on so that they can understand and facilitate the implementation of those solutions. Infosec is never successful if it is always saying no or always slowing things down. It really needs to help facilitate, but the way you can help facilitate is by being involved early in the process. In addition, I would suspect that almost every company's data maps may be out of date by now if they predate COVID, because where data is being captured and how it's being handled has changed, and so updating data mapping is important, because otherwise it's hard to know whether you have vulnerabilities you haven't identified. Increasing training, especially around phishing, with your user base, continually reminding them of the importance of being vigilant, using simulated phishing: those kinds of things, which already are, or should have been, in place, and I'm sure many companies already have in place, need to be reinforced and made more frequent. Hence my comment that these are accelerating trends. Resilience: most business continuity and disaster recovery plans were not predicated on indeterminate remote work, and that's really what we are living with today. And so making sure that those plans, which were designed for a very different environment, are still useful and backed up and sufficient today is really important. And then lastly, updating and revisiting your incident response plans to make sure that they make sense, that they still fit with what you're trying to do in today's environment, is important, because in a distributed workforce, when no one is in the same location, and where there are multiple responsible parties, an incident response program that may have made sense a year ago may not make sense today. And so that's really important to understand. Speaking of data breaches, there's also another development that's not related to

COVID that I think is worth mentioning. It arises out of a court decision this past summer in Virginia, in connection with the Capital One breach, where the court ordered Capital One to disclose its forensic report. That was shocking to me, because the forensic report has often been regarded as privileged, protected under the attorney work-product privilege, and in fact that's the position Capital One took in that case. The court said no, it was not, and required that it be disclosed to the plaintiffs in the class action that was filed in connection with the breach. Lessons from this: number one, it is not sufficient to have counsel involved in the forensic process. Instead, you should retain the vendor through counsel, so that counsel has retained and is responsible for the vendor. Now, many companies have pre-existing relationships with vendors. They might have a flat-fee kind of arrangement, a retainer arrangement, something along those lines, and that's the vendor they want to use for the forensic report in the case of an incident. That's totally fine. But what you need to do in that case is enter into a special statement of work or project schedule for this project, and that particular SOW will be between counsel and the vendor, even if it's governed by the terms of a master services agreement, and make it very clear that that work is going to be conducted under the protection of privilege. Counsel really needs to be involved in a meaningful way in directing and shaping the investigation. It can't simply be that you cc them on your emails to the vendor. Courts, at least if they follow the Capital One precedent, will be looking more closely at that kind of thing and ensuring that in fact counsel played a real role. Number three: the report really has to reflect legal involvement. And by that what I mean is, one of the things the court said, among other things, was that this report is the same report that would have been written had counsel never been involved, and so there's really no impact other than to try to claim privilege. And that's not what work product is intended to do. Attorney work

product is work product directed by counsel and prepared in anticipation of litigation. And so it needs to reflect that. This is my editorial, in addition to what the court said: it needs to reflect that legal involvement. Something about the report, on its face, should reflect the fact that counsel was involved in directing and shaping it. And so that's, I think, very often overlooked and in the end very important. It's not a new requirement or something the federal court in the Capital One case created. It's always been the standard; it just hasn't always been applied so rigorously. I think, moving into a post-Capital One environment, it very well could be. And so that's something important to keep in mind. And lastly, what really needs to be written down? There's a reflexive tendency to want everything in writing, and vendors like to do it because they can show all their beautiful work, and clients like it because it's something they can refer to. But the problem is that you create a record that you may not need. There may be a whole host of findings in the forensic report that are unrelated to the incident or that are immaterial to it. Now, those show up as findings, and if you then don't address each one and leave some open, which might be a very reasonable decision, then in the future, if there's litigation in connection with another incident and this report gets disclosed, you're going to have a lot of explaining to do, and it's going to create unnecessary suspicions about the adequacy of your information security efforts. And so really thinking hard about what you need, and what needs to be in writing, is important. And even if you decide, yes, we do need a written report, decide what it should have in it. That should be conveyed orally in a conference with the vendor and the client before anything gets written down, so you can make sure that everybody's on the same page as to what the report will contain. And then when the report is drafted, it should be sent in draft form to counsel first, to make sure that, again, it reflects the expectations of the parties before it is finalized. So, a very deliberative

process. It's certainly doable. There's nothing about the Capital One decision that says forensic reports can never be privileged, but it requires... Okay, ransomware. Ransomware is, as everyone knows, an increasingly common type of attack. I want to mention one thing here. Again, this is not a COVID-related phenomenon, but it's coincident with it in terms of timing. In October of this past year, OFAC issued a ransomware advisory which makes clear that if you make a payment to a sanctioned party, a person who is listed on the OFAC list of bad people, you're violating OFAC sanctions, and it's a strict liability standard, meaning you don't have to know the person is sanctioned. If you simply make the payment or engage in the transaction with that person, then you have potential liability. And that's really all OFAC said about that, and that's always been true. And it goes on to say, if you seek a license, meaning you discover that the ransomware attacker is a sanctioned party and you want to make the payment anyway, and so you come to OFAC for a license to do so, what you would face is a presumption of denial. We're telling you you have a really high burden to meet before we can allow that payment, meaning we're probably going to deny the request. So what does that do? It puts companies that are victims of ransomware attacks in a very hard position, because, number one, you almost never know who the attacker is. So you don't know whether they're a sanctioned party or from a sanctioned country like Iran, Cuba, Syria. You don't know anything about them; that's the whole point. They require payment through cryptocurrencies, and so you don't know. Do you make the payment and risk later finding out, or having it be discovered, that the party was a sanctioned party? Or do you not make the payment for fear of violating the sanctions? The advisory doesn't give you any help in that regard. I mean, it's not surprising; the government generally has not been supportive of making ransomware payments, but it's something companies need to keep in mind and decide how they're going to address ahead of time. Obviously, the best case is if you don't need

access to the data that's been ransomed, because it's been encrypted, because you have backups. But you need to have a policy in place for how you're going to deal with ransomware, and proactively. Okay, last things; I'm running short on time. Again, not COVID-related, but for many years many companies with Asia operations relied on Hong Kong as a data center location, for a number of reasons, including convenience, availability of bandwidth, internet, transpacific connections, and they were comfortable doing so because Hong Kong was separately administered from China. As I'm sure all of you know from the news, that's really no longer the case. China has extended its national security authority over Hong Kong, meaning that Hong Kong locations are subject to Chinese surveillance and Chinese process as if they were in mainland China. And that really creates a significant security issue for companies to consider. Many of them have considered relocating, and some have actually started already relocating, data center assets out of Hong Kong to other locations in Asia, most commonly Tokyo. I'm not a hundred percent sure, but my understanding is that Tokyo also is blessed with a large number of transpacific connections, whereas other locations, such as Singapore, often go through Hong Kong, and so you still have a similar problem. But figuring that out is important. And it's also important, to the extent that you don't relocate, or even if you do, because you're going to have a Hong Kong presence of some kind, to develop, or if you have one already, to revisit your internal escalation procedure: what are your folks on the ground to do if they're served with a government order to turn over data, turn over records? How to stay in the jurisdiction, and how not to? It's not necessary, nor is it appropriate, to require your employees to put themselves at risk of arrest. But there are ways they can nonetheless create a record that they objected to a particular search or seizure, whether they can follow investigators as they go through an office and collect materials, keep a record of what was taken, whom they should alert internally when they're approached. There should be an escalation

procedure in place, so that your person on the ground in Hong Kong knows who to call or who to email when approached by the government, so that the company can take appropriate steps. Those kinds of written procedures, which companies that are multi-jurisdictional should have, really should be reviewed in the Hong Kong context, with an eye toward Chinese and Hong Kong-specific considerations. Okay. So what are our action items, our recap from what I talked about? What should people be doing today? Review your reopening protocols. Hopefully we all will be reopening soon. Understand what kind of data you're collecting and how you protect it. Ask questions; challenge: do we need these data, do we really need to collect this information? Review your ransomware response procedures so that you know how you're going to address payment demands and have thought carefully about the OFAC issue. As I identified, the advisory OFAC issued is making clear that this is important to it, and so it needs to be important to you, in terms of at least how you think about it. In the coming weeks, really already in any case, if your company is doing business there, you should be considering ways to minimize your data exposure to Hong Kong. And every day, really, review your information security protocols and programs. It's more important than ever to keep up to speed with what your peer companies are doing and to ensure that your security precautions have adapted to the changed circumstances in which we live and work today, and which will almost certainly continue in some measure even post-pandemic. And that's it. Thank you very much.
