#RSAC: Review Your GDPR State, Biometric Collections and Cyber Insurance

Now is the time to review your exposure to GDPR and CCPA-related lawsuits, and review contracts related to penetration testing.

In a talk at RSA Conference in San Francisco exploring recent cyber-related court cases, Julia Bowen, senior vice-president, general counsel and corporate secretary of The MITRE Corp, and Professor Rick Aldrich, cybersecurity policy and compliance analyst at Booz Allen Hamilton, reviewed a number of issues relating to border control, surveillance and online page removals.

“If you are under the GDPR or the CCPA, make sure you’re doing that correctly,” Aldrich said, referencing cases where page takedowns were disputed by search engines over local laws.

He also recommended checking if you are collecting biometric data, and the legality of doing that, referencing a recent case where the Illinois Supreme Court dismissed a case that would have pared back a state law limiting the use of facial recognition and other biometrics. “If you are doing worldwide business that involves people in Illinois, you may want to check that,” Aldrich advised.

He also recommended reviewing the laws that apply to your penetration testing engagements, considering the recent case of the Coalfire employees being arrested whilst on an exercise in Iowa.

In the coming months, Aldrich recommended taking actions to update your organization’s policies to minimize risk with regards to personal information, cloud providers and cross-border data transportation. Aldrich and Bowen listed a number of issues related to these cases, including where personal devices are seized and owners are ordered to unlock them.

“If you travel internationally, you may be asked to surrender equipment and risk giving up information to the government,” he said. “If they seize equipment, you may not have it anymore.”

Finally, Aldrich recommended taking actions to update your organization’s policies to minimize risk with regards to insurance providers, especially where payouts were not made due to what was determined to be an act of war. “Some people are now saying that they don’t have an exclusion for an act of war, so be very careful to check that they will pay out,” he said. “There are a lot of companies that are not expecting to pay out $50m when NotPetya occurs.”
