Data Controllers

Closeup image of a computer keyboard that has one key marked "Vendor Management" in red letters

Contractually Defining Information Custody Transfers

November 7, 2023
Posted in

KEY TAKEAWAYS: Information custody transfers are far more ubiquitous and riskier than most organizations appreciate. From a legal and regulatory perspective, “access to” equals “custody of.” There are specific elements and contractual assurances upon which all organizations should insist when transferring personal or proprietary information. Failure to obtain the appropriate assurances from any vendor accessing…

Read More
Businessman hands typing on laptop with triangular malware caution warning sign.

Flawed ITAM: Known Cyber Security Risks Spell Trouble for CISOs and Boards

October 31, 2023
Posted in

Yesterday’s SEC release alleging that software developer SolarWinds Corp. and its Chief Information Security Officer (CISO) T. Brown misled investors about known cybersecurity risks and vulnerabilities is yet another in a series of Commission actions regarding cybersecurity that should be setting off alarms for CISOs, CIOs, and the boards at all publicly traded companies and…

Read More
A closeup image of a person's hands holding a pen and signing a document. A lock icon floats in the foreground.

Data Controller/Data Processor Contracts #2: Regulatory Alignment

August 17, 2023
Posted in

This is the second blog in an ongoing series examining the often-overlooked nuances of data controller/data processor contracts. Regulatory alignment is one of the primary reasons regulations require contracts between data controllers and data processors. And, yet, despite its primacy, many contracts make the mistake of establishing this linkage with an overly simplistic clause stating…

Read More
A closeup image of a person holding a pen and preparing to sign a document

Data Controller/Data Processor Contracts #1: Applicability

July 17, 2023
Posted in

This blog explains why and when organizations should require contracts with service providers that have access to customer or employee personal information. One of the most underappreciated aspects of data controller/data processors contracts is when they are needed. This results from either 1) a lack of awareness of their necessity, or 2) the failure to…

Read More
Judge using a gavel at a desk

P&Ps: The Common Denominator of Data Breach Findings

April 4, 2023
Posted in

When regulators issue data security breach rulings, their findings most often mirror those recently described by Andrew Ceresney, Director of the SEC Enforcement Division: “_____________ failed to adopt written policies and procedures reasonably designed to protect customer data.” That sentiment, stated in one variation or another, has been included in virtually every data security breach…

Read More
A blue digital illustration of the globe

Why a Global Approach to Data Protection Compliance is a “Best Practice”

January 20, 2023
Posted in

Instead of creating data protection requirements that apply to organizations operating within a specific border, the new generation of data protection regulations sweeping the globe apply to the citizens of that region. And, though this difference is subtle and even a little impractical, it means Data Controllers and Data Processors have to think differently about…

Read More