Blog

The GDPR and Higher Education #3: Lawful Data Processing and Data Rights

As we discussed in our first and second blog posts, higher education institutions — including those in the United States — are impacted by the forthcoming European Union’s General Data Protection Regulation (“GDPR”).  We continue our conversation in this post, focusing on the actual processing of data and the rights of data subjects.

Breach Response- Decoding the Target in an M&A Transaction

If nothing else, one key element for any organization when addressing the issue of cybersecurity is breach/disaster response.  We have discussed in previous blog posts that being able to deliberately and elegantly respond to a breach is the main difference between extinction and survive.  A Darwinian proposition: only the strong (and prepared) survive.  Never is this fact more evident than when dealing with an M&A transaction.

The GDPR and Higher Education #2: Universities as Data Controllers & Data Processors

As we discussed in our first blog post framing the impact of the European Union’s General Data Protection Regulation (“GDPR”) on higher education, there are a number of key GDPR provisions that higher education institutions should be aware of when contemplating GDPR compliance.  This second blog post will focus on data controllers and data processors, key definitions and roles under the GDPR.

The Impact of the GDPR on Higher Education in the United States Blog Series

Colleges, universities, institutions of higher education– however you want to frame it — are organizations devoted to the development of academic subjects. They create environments ripe for intellectual exploration and the exchange of information. They provide a platform for individuals from across the globe to collaborate on ideas and develop the innovations of tomorrow. These institutions are a treasure-trove of data.  Inherent in the functioning of any higher-education organization is the free flow of ideas (i.e. data):  data related to the individual students, data related to studies conducted by these institutions, data related to research and development.  Basically, they are institutions of data.

A Funny Thing Happened on the Way to the Office

I try to make most of my blog posts about current legal issues in the area of cybersecurity and data privacy because so many businesses do not fully understand cybersecurity, how it works and what they can do to protect their company. As my law partner often says, cybersecurity is like pandora’s box and many companies do not want to open that box because they are scared and do not know what is inside.  However, this is not that kind of post. I am angry. And really, more than angry, I am upset. And why may you ask?? Simply because I received a telephone call. HUH???

Cybersecurity is Always a Good Investment IN M&A Transactions

Whether you are the target or the acquirer, cybersecurity is the number 1 issue in an M&A transaction. The reason? Money. If you are the target, failure to appropriately address cybersecurity can significantly devalue your company.  If you are an acquirer, failure to conduct appropriate cyber due diligence before the deal is signed can result in purchasing a liability instead of an asset.  No matter which side of the table you sit, cybersecurity should be top-of-mind.

Biometric Data under the GDPR

With the launch of the iPhone X, the debate around using biometric data as an authentication method has become mainstream.  To recap, the iPhone X is making thumbprint access to a mobile device a thing of the past:  now, all you need is your face (and, of course, the iPhone X).  While thumbprint access has become standard in most mobile devices, the use of facial recognition is new for most consumers.

Responding Elegantly and Deliberately

While at the recent Cybersecurity Awareness Summit at the Harrisburg University of Science and Technology, one of the speakers put a slide up that said basically; Firewalls, passwords, anti-virus software, and multifactor authentication → yesterday’s news. The point being that these are really the baseline.  The starting point.  The bare minimum of security.  

Breaching the Castle: Walls and a Moat are No Longer Enough

I cannot tell you how many times I hear people comment that their cybersecurity is “just fine” because they have firewalls and antivirus software. Cybersecurity effects all of us and simply having good firewalls and antivirus software is not enough. 

Sticking Your Head in the Sand: How NOT to Approach the GDPR

In speaking with entities, of all sizes and all industries, we are often confronted with the same series of questions over and over again regarding the EU’s General Data Protection Regulation (“GDPR”):  why do I need to comply?  Is the EU really going to enforce this?  What are the odds (as if we have a Magic 8-Ball) that the EU will actually sanction me?  That is in essence like saying: what are the odds I will be hit by a car?  I don’t know, but I still look both ways before crossing the street and I have insurance because I don’t want to risk it.  The doubters, the deniers, the wait-and-see’ers;  these are the entities that will get hit by the GDPR.  They hope that the GDPR will not be as extensive, or as intrusive, or as devastating as privacy experts are saying and while we don’t have a Magic 8-Ball, the response we give these naysayers is, “All signs point to Yes!”.