New Cyber & Privacy Laws on Your Projects

Our September 12, 2020 Advanced Topic Seminar (ATS), "New Cyber & Privacy Laws on Your Projects", lived up to the standard set by the monthly Orange County PMI ATS sessions. Our presenter was our very own Virginia A. Suveiu, Esq. Virginia is Counsel at Volkov Law Group. She is a mediator and arbitrator for the International Chamber of Commerce, the Orange County Bar Association, and the Financial Industry Regulatory Authority. She serves on the Board of Directors of the National Contract Management Association – Orange County. Virginia has held numerous positions in academia, including founding dean and professor; she is currently an instructor and content developer for UC Irvine, where she received the Distinguished Instructor Award. Virginia's presentation was concise and detailed, and timely as well.

Advanced Topic Seminar presenter Virginia Suveiu, Esq
The Effects of the New Cyber and Privacy Laws on Your Projects

With COVID-19 requiring most of us to work remotely, cyber and privacy law should be at the forefront of all our minds.

There are state, national, and international laws that we all need to be aware of, as well as a new California ballot measure coming up for consideration in November. At the state level these laws are enforced by the State Attorney General; at the national level, by the Federal Trade Commission. In particular, Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices", is the statutory basis for most federal privacy and data security enforcement today.

I am certain all of us have received notice, by mail or email, from a company we have done business with that its systems were breached by cyber criminals; the company is required by law to notify us of that breach. One notable case study brought to our attention in the presentation comes from 2019. Capital One's computer systems were breached, affecting more than 100 million accounts in the U.S. Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised, and names, addresses, zip and postal codes, phone numbers, email addresses, dates of birth, and self-reported income were also improperly accessed by the attacker. Obviously, Capital One had a big problem on its hands, creating even bigger potential problems, with potential long-term consequences, for its customers. None of us want to get news like this. Personally, the only thing worse than news like this is looking into my personal accounts one day and finding all of my money has magically disappeared. These are the kinds of ramifications that can result from a serious breach of security like the one at Capital One.

This case never went to trial. Instead, Capital One's federal banking regulator, the Office of the Comptroller of the Currency (OCC), filed an agreement called a Consent Order in August 2020. If you are like me, understanding exactly what a Consent Order is helps clarify the settlement between Capital One and the federal government. A "Consent Order" is an out-of-court settlement with a regulator that carries the force of a court order: the company consents to the required remediation (and, in this case, a civil money penalty) without the agency having to prove its findings in court, and without the company admitting or denying wrongdoing. Here, the OCC did not have to prove its case, and Capital One did not have to admit any malfeasance. While I appreciate the saving of my tax dollars that a drawn-out court case would have cost, it seems a little unfair that nobody had to go to jail for allowing the personal information of so many people to be violated.

In short, the regulator found that Capital One failed to establish effective risk management when it migrated information technology operations to a cloud-based service in 2015. The bank's internal audit function failed to identify "numerous control weaknesses and gaps" in the cloud operating environment. Finally, this last gaffe on the part of Capital One gives me little comfort: the Board of Directors neglected to hold management accountable for the internal control gaps and weaknesses. The purpose of this article is not to rant, but I find this untenable. It makes me want to ask, "Who's in control anyway?"

The Consent Order laid out stringent requirements for Capital One to:

• Maintain an effective operational risk management (ORM) program and ensure that ORM and internal control issues are properly tracked, escalated, and reviewed by senior management and the board.
• Strengthen the Bank's governance and internal controls, creating clearly defined operational risk roles and responsibilities and implementing personnel training.
• Revise its internal audit program with respect to auditing the Bank's risk management programs, including technology risk management.

The State of California has specific rules establishing guidelines for corporate cyber security. In 2018 California enacted the CCPA (California Consumer Privacy Act). In essence, this act gives California residents more control over the personal information that businesses collect about them. California residents have the right to "opt out" of the "sale" of their personal information. In contrast to other state privacy laws that only established privacy standards, the CCPA gives individuals affirmative rights and a basis for legal action. The Act, as amended, took effect in January 2020 and gives California residents the following rights:
• Right to opt out of the sale of personal information
• Right to request access to, and deletion of, personal information
• Right to statutory damages for certain data breaches, without having to show actual harm

Space in this brief summation does not allow for a complete review of this law, but I am showing a link immediately below taking you to the State Attorney General’s website page outlining in detail your rights under this law.
https://oag.ca.gov/privacy/ccpa

On a grander scale, there are privacy laws that reach beyond our state and national borders. The European Union's GDPR (General Data Protection Regulation) has broad reach: it applies to any organization, wherever it is located, that targets or collects data on people who live in the EU. It went into effect on May 25, 2018 and levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of Euros. A helpful website outlining the guidelines of this far-reaching law is https://gdpr.eu/what-is-gdpr/?cn-reloaded=1

With Virginia's permission, I am copying below one of the slides from her presentation giving a quick and easy side-by-side comparison of California's CCPA and the EU GDPR.

Presentation slide: California's CCPA versus the EU GDPR

The bottom line: while there are many similarities between the GDPR and the CCPA, such as the individual's right to access and delete their personal information and to limit its use, compliance with the GDPR does not exempt a business from complying with the CCPA, nor does it guarantee full compliance with the CCPA.

I would like to wrap up the discussion of this presentation by bringing it into the day-to-day world of project managers. We all face this now more than ever before just by doing our jobs. Working from home, on home networks and personal devices that are less protected than a corporate office connected directly to company servers, creates an opportunity for information to be compromised. Hopefully, as we work from home, we are using the services of our corporate IT providers to protect our computers from this type of unwanted intrusion. I know my company is very good about protecting my laptop, safeguarding emails, and being very particular about any downloads of information or programs.

When establishing risk management in our projects, it is very important to apply every tool we can to ensure our project's information is protected. One such tool is PRINCE2, a process-based project management method that includes risk management as one of its defined themes. PRINCE is an acronym for "PRojects IN Controlled Environments".

Another methodology that would be good for all of us to employ is the Privacy Impact Assessment (PIA). Briefly, applying a PIA within our project's risk management policies:
• Helps determine whether a system, process, or program involving personal information raises privacy risks
• Proposes solutions to mitigate those privacy risks

Objectives of this methodology:

• Assess the extent to which a system, program, or process meets legislated and best-practice requirements for protecting personal information
• Identify and assess the privacy risks associated with implementing new or changed systems or programs, and recommend options for managing and mitigating the risks
• Help the project team and business leaders address privacy risks proactively

When is a PIA needed?
• New projects, programs, services, or systems
• Major changes to existing programs
• Changes in collecting, using, or disclosing personal information
• Additional systems or data linkages
• Enhanced accessibility
• Re-engineering of business processes
• Changes in technology

Judith Berman, our Orange County PMI Chapter Director of ATS, was kind enough to include this information as well as a link to a presentation given by Carla Calabrese, CIPM Consultant, at the Orange County PMI 3rd Annual Professional Development Days on May 17, 2017. I am including a link to that presentation below, as well as a link to Virginia's presentation. Please take the time to examine all this material and apply it as it fits the structure of your organization. It is important for all of us to understand the new world we are now living in and how to protect ourselves and our clients.
https://pminb.starchapter.com/images/downloads/Self_Growth_Professional_Development_Days_2017/2017_pmi_pd_day_privacy_and_project_management.pdf

Contributed By: Dennis Burns
