Exterro's Legal GRC Breakdown

Get your daily dose of news, best practices, and technology from Exterro's e-discovery, privacy, and digital forensics experts here.

Infographic: The Do's & Don'ts of Data Breach Response/Management

Created on April 1, 2021

Demand Generation Manager, Exterro

Today's data breach landscape is unprecedented and complex. Every organization is facing potential enforcement of many interconnected and overlapping laws in multiple jurisdictions. Requirements for what constitutes a privacy breach or legal privilege, or what thresholds regulators are setting to hold organizations to account vary significantly.What needs to be done? Should we call law enforcement? What about the General Data Protection Regulation's (GDPR) requirement to notify within 3 days? Should we notify consumers? Although there is no one-size-fits-all approach, here are some of the key do’s and don’ts when responding to... Read More

Data Privacy News: New Rule May Require Banks to Report Incidents and Breaches Within 36 Hours

Created on February 12, 2021

Demand Generation Manager, Exterro

On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled "Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule)," which would create accelerated notification obligations for banking organizations and bank service providers in the event of a security incident.This would require a banking organization to notify its primary regulator no later than 36 hours after reasonably determining that a... Read More

Brazil's General Data Protection Law to Take Effect Immediately

Created on August 27, 2020

Demand Generation Manager, Exterro

Overview: Originally approved in 2018, The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) was expected to take effect on August 14, 2020. In April, however, President of Brazil, Jair Bolsonaro issued a Provisional Measure that provided COVID-19 emergency aid and the postponement of the LGPD law to May 2021. After a Senate vote on August 26th, the LGPD will now come into effect immediately, also requiring that the National Data Protection Authority (ANPD), responsible for applying the sanctions of the new law be created soon... Read More

Colorado Data Privacy Law

Created on August 19, 2020

Demand Generation Manager, Exterro

Why This Privacy Law is Important: On September 1, 2018, the Colorado Protections for Consumer Data Privacy law went into effect. The new Privacy Law provisions are part of the Colorado Consumer Protection Act (“CCPA”), in a continued effort to protect personal data. Overview/Status of Bill: This bill went into effect September 1, 2018 Need to Know Information: Who it Applies To: Any person, commercial entity, or governmental entity that maintains, owns, or licenses personal identifying information (“PII”) of Colorado residents in the course of its business, vocation, or occupation. What is... Read More

Online French Retailer Fined: CNIL Adopts Its First Sanction as Lead Supervisory Authority

Created on August 18, 2020

Demand Generation Manager, Exterro

Overview: On August 5, 2020, the French Data Protection Authority (the CNIL, or Commission nationale de l'informatique et des libertés) announced that it has filed a fine of €250,000 on French online shoe retailer, Spartoo, for various infringements of the EU General Data Protection Regulation (GDPR). This is the first penalty under the GDPR enforced by the CNIL.Why Defensible Data Retention Policies Are Important: The CNIL found Spartoo’s full and permanent recording of telephone calls received by its customer service for employee training purposes to be excessive. The CNIL found that such... Read More

Data Retention Critical to New FTC Regulations

Created on August 3, 2020

Demand Generation Manager, Exterro

Overview: The Federal Trade Commission is proposing new cybersecurity requirements to its Gramm-Leach-Bliley Act (GLBA) safeguard rules. A central tenet of New York State Department of Financial Services policies, as well as current FTC guidance on reasonable security, is data retention. Why is This News Important: Under the proposed rule, financial institutions would need to designate someone within the company as responsible for overseeing the institution’s information security program. Financial institutions would also be required to periodically perform additional risk assessments, regularly test and monitor the effectiveness of its program, and have... Read More

Walmart Faces Data Breach Suit Under CCPA

Created on July 21, 2020

Demand Generation Manager, Exterro

Overview: Walmart Inc. is accused in a proposed class action of violating California’s privacy law by failing to protect customer data from an alleged hack. Hackers allegedly accessed Walmart’s website to obtain personal identifiable information (PII) including names, addresses, financial data, and other information.Why is this news important: CCPA, which went into enforcement on July 1st, increases the risk of payouts following security breaches because it added a private right to sue and statutory damages of up to $750 per customer, per incident.Walmart joins dozens of companies sued under CCPA since the... Read More