shutterstock_506771554Cross-posted from Carpe Datum Law

Another week, another well-concocted phishing scam.  The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself.  Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar.   Sometimes the emails include the name, title, and other personal information of the “sender” that we believe might be harvested from LinkedIn or other business databases.  The email asks employees to use a link in the phishing email or attached PDF to log into a fake Workday website that looks legitimate.  The threat actors who run the fake Workday website then use the user name and password to log into the Workday account as the employee and change their direct deposit bank/ACH information to another bank, relatable Green Dot, or similar credit card.

The fraud is typically only discovered when the employees contact HR inquiring as to why they did not receive their direct deposit funds.  Unfortunately it appears that spam filters and other controls are failing to prevent this email from infiltrating the organization’s network.

In order to prevent this from happening to your organization, Workday has posted several “best practice” tips on their customer portal.  The most impactful mitigation techniques include enabling and enforcing two factor authentication on your organization’s Workday instance, and changing your Workday settings to force administrative approval upon employee requests for direct deposit account change.  Both of these will help secure your Workday environment and avoid employee loss of paychecks.   Finally, always remember to train employees on fraudulent email identification through training and security drills/tests.

Sedona-Conference-Header

When:           Monday, April 24, 2017
Where:          Offices of Seyfarth Shaw LLP, Chicago, IL
Sign in:          5:00 – 5:30 pm
Event:            5:30 – 6:30 pm
Reception:    6:30 – 7:30 pm

Topic: Interactive Dialogue concerning The Sedona Conference® International Litigation Principles (Transitional Edition): Practical Help for Companies with the EU General Data Protection Regulation and Privacy Shield

Please join us for a Working Group 6 (WG6) Membership-Building event at Seyfarth Shaw on Monday, April 24, 2017, [Sign in: 5:00 pm; Event: 5:30 pm; Reception: 6:30 pm]. A distinguished panel, including panel moderator Jim Daley of Seyfarth Shaw, Jennifer Hamilton of Deere & Company, Cameron Krieger of Latham & Watkins, and Laura Kibbe will lead a dialogue on The Sedona Conference® International Litigation Principles (Transitional Edition).

The International Litigation Principles was first published in 2011. In the intervening years, there have been important Developments in data protection law world-wide, including the passage of the EU General Data Protection Regulation (GDPR), the replacement of the Safe Harbor Data Transfer Framework with the new “Privacy Shield” framework, and the emergence of the APEC data privacy framework in the Asia-Pacific region. The situation is still fluid, particularly the implementation of the EU GDPR between now and its effective date of May 2018. Despite this, the six Sedona International Principles have remained relevant and useful. The Transitional Edition updates the commentary and analysis of the original Principles document, and includes two new model court orders to facilitate cross-border transfer of personal data for discovery in the U.S. litigation.

The event is open to the entire legal community, and there is no cost to attend.

Non-members in attendance that are interested in becoming WG6 members will receive a $100 discount for a Working Group Series (WG6) membership. Please be sure to remind any friends, colleagues or clients who are interested in joining. WGS membership is in-for-one, in-for-all. Once a WGS member, one is eligible to become a member and take part in the activities of all Working Groups, including WG6.

FACULTY

James Daley Jennifer Hamilton Laura Kibbe Cameron Krieger
James Daley Jennifer Hamilton Laura Kibbe Cameron Krieger

Carlson_Scott BW bio

Seyfarth Host: Scott Carlson

AGENDA — APRIL 24, 2017

TIME SESSION PANELISTS
5:00 – 5:30 pm Sign In
5:30 – 6:30 pm Interactive Dialogue Daley, Hamilton, Kibbe, Krieger
6:30 – 7:30 pm Reception

Seyfarth Shaw LLP is an approved provider of Illinois Continuing Legal Education (CLE) Credit.  This event is approved for 1.0 hours of CLE credit in CA, IL, NJ and NY.  CLE credit is pending for GA, TX and VA.

TO REGISTER WITH THE SEDONA CONFERENCE® FOR THIS EVENT

SPONSORS

Seyfarth logo

Consilio logo

Wednesday, February 22, 2017
Washington, D.C.

Agenda
9:00 – 9:30 a.m. — Breakfast & Registration
9:30 – 11:00 a.m. — Program

Seyfarth Shaw LLP
975 F Street, N.W.
Washington, D.C. 20004
(202) 463-2400

Finding the delicate balance between an employee’s right to privacy and the employer’s need to run its business can be challenging. There are many legitimate reasons that an employer may have for intruding on otherwise “private” matters of employees, such as conducting workplace investigations, responding to agency inquiries or subpoenas, or fulfilling its obligations during discovery in a lawsuit. With the rapid surge in the use of technology and social media in the workplace, the stakes in the workplace privacy arena are becoming even higher for employers.

Please join us on Wednesday, February 22, for a discussion of what every employer needs to know regarding recent legal developments on select issues in workplace privacy, including:

  • Monitoring employee company and personal web-based electronic mail.
  • The NLRB’s developing case law on disciplining employees based on social media postings.
  • Privacy issues presented by Bring Your Own Device policies.
  • The use of social media in hiring and legal limits on accessing employee social media information.

Cost: There is no cost to attend but registration is required and seating is limited.

register

 

 

If you have any questions, please contact events@seyfarth.com and reference this event.

shutterstock_172034426Cross-posted from Carpe Datum Law.

Beginning on April 12, 2017, U.S. organizations that are subject to the investigatory and enforcement powers of the FTC or the Department of Transportation will be able to self-certify to the newly adopted Swiss–U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield will allow transfers of Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework and will impose similar data protection requirements established last summer for cross-border transfers of personal data from the EU under the EU–U.S. Privacy Shield (“Privacy Shield”).

With the adoption of the Swiss Privacy Shield, transfers of personal data from Switzerland under the Swiss Safe Harbor Framework will no longer be permitted. Organizations currently registered with the Swiss Safe Harbor would need to certify under the Swiss Privacy Shield or implement alternative methods for complying with Swiss data transfer restrictions, such as Standard Contractual Clauses and Binding Corporate Rules. To join the Swiss Safe Harbor, organizations would need to ensure that their privacy policies, notices, statements, and procedures are in compliance with the new framework. The Department of Commerce provides sample language that can be used in an organization’s privacy policy to signify its participation in the Swiss Privacy Shield.

Organizations with active Privacy Shield certifications will be able to add the Swiss Privacy Shield registration to their existing Privacy Shield accounts, at a separate annual fee. Similarly to the Privacy Shield, the fee for participation in the Swiss Privacy Shield will be tiered based on the organization’s annual revenue. The exact fee structure will be made available sometime before April 12.

Notably, organizations with dual registrations, would need to recertify under both the Privacy Shield and the Swiss Privacy Shield one year from the date the first of their two certifications was finalized. That means, for instance, that an organization that registered for the Privacy Shield on September 1, 2016, which then registers for the Swiss Privacy Shield on May 1, 2017, would need to complete its annual recertification under both frameworks by September 1, 2017.

While the requirements of the two frameworks are nearly identical, there are a few differences: Continue Reading The Swiss Privacy Shield Opens for Business on April 12

Cross-Posted from Carpe Datum Law.

shutterstock_318496325The EU Article 29 Data Protection Working Party (WP 29) is continuing its work in preparation for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018. Last month, the WP29 released three sets of guidelines for controllers and processors of personal data, including guidelines on the right to data portability, on data protection officers, and on the lead supervisory authority. Key takeaways from these three guidelines can be found on our eDiscovery blog.

This month, WP29 announced that it adopted its “2017 GDPR Action Plan.” The Plan identifies two areas of focus: (1) follow up on 2016 topics, and (2) new 2017 priorities. The follow-up work will include finalizing guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments, administrative fines, the setting up of the European Data Protection Board (EDPB), and the preparation of the one-stop-shop” and EDPB consistency mechanism.

This year, WP29 plans to prepare and release guidelines on the topics of consent, profiling, and transparency. The WP29 will also work on the update of already existing opinions on data transfers to third countries and data breach notifications. This year, companies that rely on transfers of personal data from the EU may have the following three opportunities to engage with the WP29 and EU Data Protection Authorities (DPAs):

  • On April 5-6, 2017, the WP29 will hold a Fablab meeting, where interested stakeholders will have an opportunity to present their views and comments on the identified 2017 priorities.
  • On May 18-19, 2017, the WP29 will organize an interactive workshop where non-EU counterparts will be invited to exchange views on the GPDR and its implementation by the WP29.
  • The press release also states that relevant public consultations “may be” launched at a national level by local DPAs.

The WP29 plans to review its 2017 plan periodically and prepare a new plan for 2018 to finish the preparation work. We will be commenting on the forthcoming GDPR guidelines as they are released by the WP29.

shutterstock_519689296Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.

Click here to access the new Carpe Datum Law blogsite.

The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.

Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:

  • C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
  • In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
  • eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
  • Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients

Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.

Carpe Datum Law can be accessed at www.carpedatumlaw.com.

shutterstock_196544378Cross Posted from Carpe Datum Law.

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals  include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license. Continue Reading China Finalizes New Cyber Security Law

CaptureDo you and your firm have adequate cybersecurity to prevent yourself (and your confidential client data) from getting hacked?

On Wednesday, December 7, at 11:00 a.m. Pacific, Richard Lutkus, a partner in Seyfarth Shaw’s eDiscovery and Information Governance Practice; and Joseph Martinez, Chief Technology Officer and Vice President of Forensics, eDiscovery & Information Security at Innovative Discovery, will present “A Big Target: Cybersecurity for Attorneys and Law Firms.”

This webinar will cover any considerations that attorneys should take into account when in possession of any client data from an information security perspective. Coverage will include both technical considerations, best practices and policies, as well as practical advice to steer clear of ethical violations.

This program will specifically address the following topics:

  • Information storage, retention, and remediation
  • Device management
  • Phishing and social engineering
  • Security considerations
  • Cloud storage and ethical considerations

Please join us for this informative webinar.

register

itechlaw_logoSeyfarth Shaw LLP is pleased to be a Global Sponsor at ITechLaw’s 2016 European Conference in Madrid on November 9-11.

ITechLaw is a not-for-profit organization established to inform and educate lawyers about the unique legal issues arising from the evolution, production, marketing, acquisition and use of information and communications technology.

The conference will feature a wide-ranging program and invaluable networking opportunities that will focus on cutting-edge legal topics, including e-commerce, e-contracting, disruptive technologies, data protection developments, and the impact of cognitive technologies in the legal spheres. Attendees at the European Conference include leading attorneys in private practice, in-house counsel, business executives focusing on the global economy, government officials and academics.

This year, Seyfarth Shaw Partner Robert B. Milligan serves on ITechLaw’s Board of Directors. He will also serve as the moderator of the Disruptive Technologies session, which will cover:

  • a practical approach to the Internet of Things (IoT)
  • consumer protection in the age of IoT
  • the impact of robotics, artificial intelligence & disruptive technologies in law

In addition, Seyfarth Shaw is pleased to co-sponsor the conference. Please stop by our table during the conference to learn about our Intellectual Property, Global Privacy & Security and Trade Secrets, Computer Fraud & Non-Competes Practice Groups.

For more information, click here.

shutterstock_189182636 (1)As the companies doing business in Europe are trying to get their arms around the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), but so far not making substantial headway, the European Data Protection Authorities (DPAs) are doing their own GDPR preparation by securing increased budgets and additional workforce.

Last week, the Irish Data Protection Commissioner (DPC), Helen Dixon, has “welcomed” the additional funding of €2.8 million for her office’s 2017 budget, as announced by the Government, bringing the total funding allocation to the DPC to over €7.5 million. The 2017 budget increases are in line with the increases in 2015 and 2016, representing a 59% increase on the 2016 allocation and over four times the €1.9 million provided to the DPC in 2014.

Commenting on the 2017 funding allocation, Helen Dixon stated:

“The additional funding being provided by Government in 2017 will be critical to our preparations for the implementation of the EU General Data Protection Regulation in May 2018. In 2017 we will continue to invest heavily in building our capacity and expertise, including the recruitment of specialist staff, to administer our new enforcement powers and all of our additional responsibilities under the new law.

Continue Reading Irish Data Protection Commissioner Welcomes Increases in Budget in Preparation for the GDPR Enforcement