Technology – HospitalityLawyer.com (https://pre.hospitalitylawyer.com), "Worldwide Legal, Safety & Security Solutions". Feed generated Wed, 15 May 2019 01:59:45 +0000.

Hotel and Large Venue Security: An Evolving Threat Environment Requires Innovative Practices
https://pre.hospitalitylawyer.com/hotel-and-large-venue-security-an-evolving-threat-environment-requires-innovative-practices/
Wed, 16 May 2018 01:58:49 +0000

Much has been said and written of late with regard to the need to address hotel and large venue security, including sports stadiums, in the aftermath of the October 1, 2017 mass shooting in the vicinity of the Mandalay Bay hotel in Las Vegas. But six months after the attack, in which 58 people were gunned down by sniper Stephen Paddock through a broken window in his hotel room, many hotel brands are struggling to find the right mix of security measures while maintaining a welcoming atmosphere for guests.

The details of the horrific Mandalay Bay attack offer a clear example to the hospitality industry as to just why proactive – and often covert – security standards must be tested and implemented. The name of the game is to detect, deter or neutralize an attack before it takes place. In order to do this, smart technology and keen intelligence gathering techniques must be deployed. Well-versed analytical personnel must have unfettered access to the intelligence and offer management their professional assessment as to the threat at hand.

We note here some of the suggestions we have provided in recent conversations with hotel security personnel or in hospitality sector security associations or meetings. If implemented, these revised or updated protocols could further enhance security for guests and employees. But to be effective, each must be studied by the hotel operator, assessed for potential legal challenges, and accompanied by training for employees.

Again, with the emphasis on being proactive and getting out in front of potential threats, consider the following measures:

  • Ensure your hotel security personnel participate in any local or regional periodic security meetings with their peers from other hotel chains. That is a great way to share intelligence on criminal or extremist trends affecting the tourism sector and hotels in particular. Even if a particular crime trend has not yet reached your geographic area, or is affecting only brands that do not reflect your demographic, you still need to be aware of it and prepare for it. And don’t keep the intel to yourself: your staff needs to be aware, and that includes employees at the worker-bee level.
  • Provide meaningful and recurrent training to staff with frequent guest interface regarding possible indicators of suspicious activity. Probably the most important line of defense here is the housekeeping staff, which enters guest rooms on a daily basis, often more than once. Staff should be trained to recognize the signs of potentially unsafe or illegal activity, such as telltale signs of human trafficking or prostitution. The accumulation of several unmarked boxes, bags or suitcases inconsistent with the number of guests assigned to the room is noteworthy as well. Any unusual or foul odor or the presence of an unknown substance in any area of the room should trigger a notification to security personnel. Again, we are reminded of the saying “see something, say something”.
  • A “do not disturb” sign hanging on the outside of the guest room door should not be interpreted as a mandate never to enter. Each hotel operator will have to establish its own policy with regard to periodic staff entry and as to how long is too long before a knock or a call from the front desk is made. Entry policy should be closely coordinated with the hotel’s legal counsel.*

*Key Point: Consider adding a waiver or consent clause to your guest registration paperwork in which the room occupant specifically agrees to periodic entry by hotel staff to ensure the safety of all guests and employees.

  • A clear “know your customer” policy should be established. In other words, hotel security staff or employees at the operator’s corporate headquarters need to implement a cursory background check of certain arriving guests who may seem out of place in the establishment. For example, if you are welcoming a 20-year-old man or woman into your hotel and the room is in the $400-$500 per night category, you may want to do a “Google” check or similar check on the name. The person has done nothing wrong so far and possibly never will, but in general, a 20-year-old does not fit the demographic of a hotel charging that amount of money per night. You may find nothing, but you may find that the person has had a series of run-ins with the law. That of course does not necessarily mean he or she should be excluded from the premises, but it’s a nice heads up to the staff.
  • The use of check-in/check-out apps has to be the most frustrating technology out there for hotel security personnel. It allows the guest to have virtually no interface with the hotel staff, in that check-in and check-out are performed electronically and billing is automatically charged to the credit card on file. Room entry is achieved with a downloaded code or barcode, which the guest holds in proximity to a reader built into the exterior door lock. If you use this technology at your hotel, ensure that you DO have interface with the guest during his or her stay by knocking on the door occasionally or by placing calls to the room.

There are many other proactive ways to enhance security at hotels and large venues. Various technologies are commercially available which permit iris scanning or facial recognition. Of course, with the adoption of new techniques, some privacy is given up. Individual brands and properties will determine the right mix for their locations, based on customer demographics, prior incidents, crime and terrorism trends and, importantly, the law. Privacy cannot and should not be total in a hotel, as guest and employee security and safety must be taken into consideration.

Virtual Kidnapping in the US and Mexico
https://pre.hospitalitylawyer.com/virtual-kidnapping-in-the-us-and-mexico/
Sun, 06 May 2018 01:47:41 +0000

The Federal Bureau of Investigation (FBI) and other law enforcement agencies in the United States have issued several warnings related to virtual kidnapping in recent months. This extortion technique has become more prevalent in the US and Mexico since 2013, and the number of reported cases has increased substantially.

What Is Virtual Kidnapping?

In a virtual kidnapping, the criminals make a ransom demand without actually taking a hostage; rather, the perpetrators negotiate with those from whom the ransom is demanded on the pretext that a connected person has been abducted. Virtual kidnapping can take on many forms; however, it is always an extortion scheme which attempts to coerce victims into paying a ransom fee in exchange for the release of a family member or associate. Criminals typically employ a host of psychological tactics and threaten physical harm to ensure the victim’s compliance. These forms of kidnapping do not require the geographical proximity or resources of traditional kidnapping-for-ransom, such as accomplices, safe houses and capital outlay. Virtual kidnapping has a risk-benefit ratio strongly in favor of criminals, offering high returns against a low risk of capture or prosecution.

Virtual Kidnapping- Techniques and Methods

Techniques and methods used by criminals to perpetrate virtual kidnappings vary and continue to evolve. A perpetrator will call the victim and, through coercion techniques, convince them to isolate themselves in a specific location out of their family’s reach or to travel to a location of the perpetrator’s choice. Once there, the victim is made explicitly aware of his/her “abduction” and is held against his/her will by the belief that they will be harmed should they escape. Victims are often ordered, under threat, to switch off their mobile devices and contact no one, which further creates the illusion that the victim has been kidnapped and makes the ruse more convincing. These more sophisticated forms of virtual kidnapping require some amount of coordination on the part of the criminal, who may need to do some preliminary investigation prior to initiating the scheme and selecting a potential victim. Criminals often impersonate cartel members as a means of intimidating their victims, or lead their victims into believing that they are under surveillance in order to discourage them from trying to contact the abductee or to notify the authorities.

In one of the more common forms of virtual kidnapping, victims are selected at random and criminals use telemarketing techniques and cold-call hundreds of numbers until someone submits. When this technique is employed, criminals may call their victim and mimic screaming or play recorded versions of screaming while threatening to harm their “captive”, often inducing panic. In this state, the victim may instinctively reveal the name of one of their relatives, thus enabling the criminal to gain information directly from the victim while undertaking the extortion. Criminals involved in virtual kidnapping schemes tend to pursue the ‘mass market’, increasing their range of targets and the threat to individuals significantly. Unlike traditional kidnap for ransom, victim profiles vary and are not dependent upon geographical location, language, race or socio-economic factors.

Recent Incident

On Feb. 2, a federal grand jury in Houston, Texas, returned a 13-count indictment against Mexican national Ismael Brito Ramirez relating to a virtual kidnapping scheme run in several states and involving at least 40 victims. The perpetrator, currently incarcerated in Mexico on other charges, is believed to have called various individuals in California, Texas, and Idaho demanding ransom payments on the premise that he had abducted their relatives. The perpetrator threatened violence before instructing his victims to transfer undisclosed sums of money to a number of people in Mexico or to make money drops at specific locations in Houston, TX. Ramirez extorted in excess of USD 28,000 from his victims and has been charged with conspiracy to commit extortion and fraud, interstate transmission of extortionate communications, wire fraud and conspiracy to launder money.

Virtual Kidnapping Characteristics

Criminals tend to demand wire payments of less than $2,000 (or the equivalent thereof) from the US to Mexico, as there are legal restrictions on wiring larger sums across the border. Occasionally, criminals direct victims to make money drops at locations of their choice within the US, such as San Diego or Houston, from which the cash can be smuggled across the border with relative ease. Within Mexico, ransom amounts may vary, depending on the modus operandi employed by the criminal. Criminals typically seek to extort small payments within 24 hours of initiating the extortion; incidents rarely continue beyond a few hours.

Cyber Threat

There is an electronic or cyber risk when considering virtual kidnappings. Malware, spyware or trojans may be used to make an electronic device run an unintended program that allows criminals to gain private or secure information from their intended victim. Phishing scams aim to trick individuals into disclosing private information, such as their social media passwords, to criminals. Phishing scams are usually delivered in the form of official communication from a reputable institution such as a bank or internet service provider. Criminals may convince would-be victims to reset their passwords by delivering an ‘official’ email to the user, thus gaining access to their current passwords. Criminals may also contact the victim informing them that necessary updates need to be made to their mobile software and that their devices would need to be shut down for an extended period of time, rendering the victim uncontactable.

Social media is another aspect to consider when assessing potential cyber threats. Sharing personal information online could make you vulnerable to criminals. Social engineering in virtual kidnapping ranges from simple tactics to more sophisticated techniques. Opportunistic criminals may monitor your current whereabouts online and use it in their extortion scheme. An example of this is posting your upcoming activities online, such as your intention to watch a film at a local theatre – the virtual kidnapper knows their potential victim’s phone is likely to be off for two hours during the movie and may use this window to extort family members, since the intended target will be uncontactable for that period. More sophisticated tactics involve befriending people on social media to learn more about their habits, wealth or personal life as a means of surveillance. Cybercrime methods have been increasingly employed by criminals when perpetrating virtual kidnappings. This trend is likely to gain momentum as the technical abilities of unsophisticated criminal groups and networks grow.

Statistics and Reporting

Comprehensive statistics on virtual kidnappings are difficult to ascertain for a number of reasons. As many criminals perpetrate these crimes from within Mexico, it is increasingly difficult for US-based law enforcement agencies to investigate and prosecute cases. Ransom money is often wired out of the US, making it challenging to trace. Law enforcement agencies are usually limited to their national jurisdiction or may lack the capacity, skills, and mandate to investigate transnational criminal activity fully. The poor reporting rate remains a significant challenge in tracking and assessing incidents and trends. In the US, victims may not report incidents out of fear of being targeted again or being stigmatized. Sometimes victims do not report incidents because the payment extorted was nominal and not considered significant enough to report. In Mexico, victims are often unwilling or unable to report incidents due to fears of reprisals and/or concerns over official corruption, collusion or incompetence.

Virtual kidnappings are not formally classified under the penal code. In the US, for example, there is a Federal Kidnapping Act, which in most cases classifies traditional kidnapping as a federal offense. Charges of aggravated kidnapping may be laid in the event that the victim has sustained injuries. However, there is no specific act under which a crime of this nature can be charged. Rather, virtual kidnapping-related charges are laid under the federal criminal code. Charges may include conspiracy to commit fraud, wire fraud, extortion, money laundering or a combination of the aforementioned charges, further exacerbating the challenges around collecting conclusive incident data. Although there are obvious challenges related to gathering accurate statistics and incident data relating to virtual kidnapping, a number of alternative methodologies for accessing and processing information may assist in this regard. Anecdotal evidence, unofficial data, and prosecuted cases are good indications of the scale of the threat and support the assessment that the trend has grown and will continue to grow.

Growing Trend

The scam, once confined to Mexico and Southwestern border states in the US, has seemingly spread to the rest of the US in recent years, representing a significant shift in the trend. Investigators in the FBI’s Los Angeles Division tracked numerous virtual kidnapping calls between 2013 and 2015, most of which originated from Mexico, specifically Mexican prisons, and targeted Spanish-speaking individuals or immigrant workers within the US, particularly in Los Angeles and Houston. After 2015, trends shifted and criminals targeted victims indiscriminately and far more frequently using the cold-calling method – a tactic which increased the number of victims significantly. Since 2013, the majority of the cases probed by the FBI in Mexico have emanated from Tamaulipas and Baja California. Further highlighting this trend, in 2013 the FBI discovered a virtual kidnapping ring based in Tijuana, Baja California, targeting the Mexican immigrant population in Washington DC. The ring placed in excess of 5,000 phone calls a day, a scheme based solely on volume and the odds of success. The ransom payments were primarily sent to San Diego, California and smuggled across the border. The FBI estimates the group made at least USD 500,000 over an unspecified period of time, further illustrating the nature of the threat.

In Mexico, the poor security environment and the pervasive threat of crime and traditional kidnap-for-ransom have enabled the virtual kidnapping trend to grow. Because of the existing threat of traditional kidnap-for-ransom in Mexico, potential victims in the US are more likely to take the virtual kidnapping threat seriously and engage the extortionist. The National Autonomous University of Mexico (UNAM) reported that between 6,000 and 8,000 virtual kidnappings and phone extortion schemes were reported in Mexico in 2017, further highlighting the scale of the threat.

Risk Mitigation

Indicators that you may be the victim of a virtual kidnapping scheme:

  • Callers may attempt to keep you on the phone to prevent you from contacting the victim. Alternatively, callers may threaten you or the supposed hostage in an attempt to discourage you from contacting the victim or the authorities.
  • Callers may convey a sense of great urgency or calls may seem rushed.
  • Calls will not be made from the victim’s phone.
  • Ransom money is only accepted via wire transfer or drop-points.
  • Ransom amount demands may suddenly drop.
  • Incoming calls may come from an outside or international area code.

For risk mitigation, the following should be considered:

  • Be cautious about detailing your whereabouts on social media if you are undertaking travel abroad. Consider updating your social media accounts following your intended trip. Some criminals may research their targets this way.
  • Inform your relatives and close confidants if you will be undertaking travel to areas with no/limited cell phone reception or internet connection.
  • Stay informed about cybersecurity and how to avoid online threats.
  • If you suspect a real kidnapping is taking place, or you believe the call may be a scam, contact your nearest local law enforcement agency as soon as possible.

For further guidance on risk mitigation, iJET clients are eligible for additional information.

Download our 2018 Global Forecast Executive Summary to get insights into other risks impacting the world today.

Employee Training is Key to GDPR Compliance
https://pre.hospitalitylawyer.com/employee-training-is-key-to-gdpr-compliance/
Fri, 04 May 2018 01:43:37 +0000

The EU’s General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.

GDPR compliance does not rest just with IT – it is everyone’s responsibility. Organizations can help their employees comply with the new regulation and protect against breaches by developing a comprehensive communication and training strategy. In fact, the GDPR requires that companies train their workforces on how to handle personal data under the new law. For training to be effective, it should not be limited to an annual off-the-shelf online course. Instead, training should begin at the top of each organization with a demonstrated commitment to creating awareness and a compliant culture, whether through town halls or other company-wide communications. Supplement online training with in-person role-based training tailored to meet each functional area’s unique requirements.

Training, however, is not enough. With Privacy by Design now mandated by the GDPR, messages about information protection must be integrated throughout the business. This begins with emphasizing the value of information protection in the Code of Conduct and Ethics. Put this language into practice by embedding privacy and security in operational procedures, aligning it to business goals, and measuring it regularly. Encourage employees to champion information protection by inviting them to the conversation.

With May 25th just around the corner and 59% of U.S. employees reporting they know little to nothing about GDPR, there is still much more work to be done in creating employee awareness. And with fines of up to 4% of annual global revenues or €20 Million (whichever is greater) for non-compliance, lack of awareness could prove to be costly. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.

No one likes a copycat: How to avoid and protect yourself from a spoofed travel website
https://pre.hospitalitylawyer.com/no-one-likes-a-copycat-how-to-avoid-and-protect-yourself-from-a-spoofed-travel-website/
Sun, 29 Apr 2018 01:37:09 +0000

Many people are aware of email phishing schemes fraudsters use to collect personal information from unsuspecting victims. But many haven’t heard of another phishing method used by scammers, often unnoticeable to the naked eye—spoofed websites. This growing problem isn’t reserved for only banking or e-commerce sites. ARC recently reported two business travel agencies have fallen victim to spoofed websites. With this news, we want to give you the low-down on what a spoofed website is, how to spot one and ways to protect yourself and your company from these scams. With cyberattacks on the rise, it is important to consider phishing as part of your global security plan.

So, what is a spoofed website? In this scheme, a fraudster creates a fake website and/or email domain that looks legitimate, often copying a real website using logos, images and even the layout/content of the site. This phishing tactic usually asks the visitor to enter log-in credentials or personal details in an attempt to collect information used for identity theft. This tactic can also be used for other fraudulent activity. In the case reported by ARC, the fraudster used the fake website to appear legitimate to hotels and book stays using compromised credit cards.

Unfortunately, it can be difficult to spot a spoofed website, but there are a few signs to be wary of. First, check the web address. A spoofed website’s address usually contains a misspelled word or extra punctuation, or is excessively long. Check for these signs not only in the browser’s address bar but also in any hyperlinked text—hover over the link to see the full URL before clicking. Another sign of a spoofed website is pop-ups. Sometimes spoofers direct victims to legitimate sites and use a pop-up window to collect personal information. Always use the website you are familiar with, have used previously without issues and have bookmarked. Don’t rely on a Google search; review any results returned by searches and compare the URLs.

Now that you know how to spot a spoofed site, here are some tips to protect yourself if you feel like you may have landed on one:

  • If you think you have found yourself on a spoofed site, scan the page for a Trust Seal. Many authentic sites use these badges issued by third-party security companies to show the site is verified, secure and safe. Please keep in mind that not every secure and authentic website, including Travel and Transport’s, marks their site with any type of “Trust Seal.” This is just one indicator of authenticity.
  • Check the address bar for more details on the site. Oftentimes the company name is shown alongside the URL in the address bar. Another item to look for is a lock icon showing the connection is encrypted, together with “https” in the URL. This is a good first step, but not a complete indicator of a “trusted site”: an HTTPS certificate is relatively easy for an attacker to obtain, so it proves the connection is encrypted, not that the site is genuine.
  • Anti-phishing software is another way to arm yourself against scammers. Many browsers have add-ons or plug-ins to help detect phishing sites. You can also use the site whois.com to determine when a website was created; a very recently registered domain for a long-established company is a warning sign. The same lookup helps you determine whether your own site has been spoofed.
  • If you are unsure whether you are on a spoofed website asking for login information, enter a fake password. If the fake password appears to log you in, you are most likely on a spoofed site. If your fake password is rejected, you should still be leery and take some of the other precautions mentioned in this list.
  • When in doubt, contact the company directly to verify the website.
  • Lastly, if you think you have fallen victim to a phishing site, immediately contact your IT team and report the site to the local police.
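The address-bar checks above (misspelled names, extra punctuation, excessive length, missing HTTPS) can be turned into a small screening script for links that arrive in booking confirmations or email. The Python below is an added example written for this page; it is not code from the original article or from Travel and Transport. The trusted-domain allowlist and every sample URL are constructed for illustration, and the thresholds (edit distance of 2, 40-character hostnames) are assumptions a practitioner would tune for their own brand names.

```python
"""Heuristic lookalike-URL screener (added example, not from the original article).

Compares the hostname of a link against an allowlist of domains the organisation
actually uses and returns the warning signs the article describes: a misspelling
of a trusted name, the trusted name buried inside an unrelated domain, a different
top-level domain, punycode, extra punctuation, unusual length, or no HTTPS.
"""
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the domains a travel company really owns.
TRUSTED_DOMAINS = ["travelandtransport.com", "example-travel.com"]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.example.com' -> 'example.com'.
    Sufficient for the demo; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of warning strings for url; an empty list means no heuristic fired."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname found"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname; may hide lookalike characters")
    domain = registrable_domain(host)
    if domain in trusted:
        return warnings  # exact match on an allowlisted domain
    bad_name = domain.split(".")[0]
    for good in trusted:
        good_name = good.split(".")[0]
        if bad_name == good_name:
            warnings.append(f"same name as {good} but different top-level domain")
        elif edit_distance(bad_name, good_name) <= 2:
            warnings.append(f"looks like a misspelling of {good}")
        elif good_name in host:
            warnings.append(f"contains trusted name '{good_name}' inside an unrelated domain")
    if len(host) > 40:
        warnings.append("unusually long hostname")
    if host.count("-") >= 2 or host.count(".") >= 4:
        warnings.append("extra punctuation (many hyphens or subdomains)")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a confirmation email.
    for sample in [
        "https://www.travelandtransport.com/login",
        "https://travelandtranport.com/login",
        "https://travelandtransport.com.secure-login-portal.net/account",
        "http://travelandtransport.com",
    ]:
        print(sample, "->", check_url(sample) or ["ok"])
```

Run it over the links in a suspicious message before anyone clicks; an empty list is not proof a site is genuine (the article's other checks still apply), but any warning is reason to stop and contact the company directly.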

With processes becoming more and more automated through digital and web processes, it is important to take a comprehensive look at risk management to include crime and corruption that takes place on the web. As Travel and Transport’s Chief Technology Officer, Tim Krueger, puts it, “In today’s world of an ever changing and increasing threat landscape, user awareness and training are essential elements to any modern security program. Individual diligence in identifying and avoiding potential scams and threats is often the first and last line of defense.” We hope you never have to use these tips, but keep them in your back pocket in case you ever happen upon a fraudster.

Sources:
https://archives.fbi.gov/archives/news/pressrel/press-releases/fbi-says-web-spoofing-scams-are-a-growing-problem
https://www.globalsign.com/en/blog/how-to-spot-a-fake-website/
https://www2.arccorp.com/support-training/fraud-prevention/fraud-alerts/fa01262018/
https://safety.yahoo.com/Security/PHISHING-SITE.html

Surf’s Up! Don’t Become The Next Victim Of A Surfing Suit
https://pre.hospitalitylawyer.com/surfs-up-dont-become-the-next-victim-of-a-surfing-suit/
Sun, 31 Dec 2017 00:51:08 +0000

The past few years have seen a steep increase in litigation brought against hospitality businesses under Title III of the Americans with Disabilities Act (ADA). These suits often contend that certain aspects of a building, bathroom, or parking lot do not comply with the ADA’s detailed standards and regulations. With the goal of creating a physical environment that is navigable by all, Title III requires private businesses to accommodate guests with disabilities visiting their property by removing barriers to goods and services where such removal is “readily achievable” or “easily accomplishable and able to be carried out without much difficulty or expense.” This is generally determined by examining the nature and cost of barrier removal in context of the business’s financial resources.

Some plaintiffs’ lawyers have found a lucrative niche by engaging the services of “testers” – private citizens who go from business to business looking for ADA violations. The law does not require claimants to notify a business of alleged violations so they might fix the problem prior to filing a lawsuit; hence, many businesses are caught off guard when served with the lawsuit. Worse, they will spend thousands of dollars in attorneys’ fees to resolve a case when the cost of actual compliance is very low. In fact, after the costs of enforcing the technical requirements of the law are paid and the lawyers receive their fees, the plaintiff often receives no damages for the case.

A 21st-Century Twist On The ADA

A modern twist on these standard ADA cases is becoming increasingly prevalent. Now people are using this same section of the ADA to bring allegations that business websites are inaccessible to those with disabilities. Testers no longer need to visit a brick-and-mortar establishment; they can merely surf the World Wide Web looking for businesses whose websites are not accessible to those with disabilities.

In 2010, the U.S. Department of Justice (USDOJ) issued an Advance Notice of Proposed Rulemaking on the Accessibility of Web Information and Services. The purpose: “to establish requirements for making the goods, services, facilities, privileges, accommodations, or advantages offered by public accommodations via the Internet, specifically at sites on the World Wide Web (Web), accessible to individuals with disabilities.” Although the comment period closed in January 2011, the USDOJ has still not published clear guidance or final regulations for the private sector. The latest news suggests that will happen sometime in 2018. For now, though, the lack of clear policy has left the field wide open to unfettered litigation.

The bad news is that the delay in the regulatory process has not slowed the torrent of ADA lawsuits against businesses for alleged failure to provide equal access to web-based services. This means that your hospitality business can be sued by someone who is simply surfing for a lawsuit. You should take steps now to ensure your company’s website reasonably accommodates those with disabilities.

What You Can Do To Stop The Surfing Suits

Some of the more common website accessibility issues affect individuals with vision or hearing impairments and those who are unable to use a mouse and must navigate with a keyboard, touchscreen, or voice recognition software. Those with visual impairments may need special software to magnify the content of a page, have it read aloud, or to display the text using a braille reader. For those with hearing impairments, the issue is often that audio content on the website does not include closed captioning, or that images do not include captions. You may need to build your website to properly interact with any adaptive software or technology designed for accessibility purposes.

Fortunately, the Web Content Accessibility Guidelines (WCAG) exist to provide web designers with standards for making digital content more accessible to those with disabilities. The USDOJ has made it increasingly clear over the last several years that it considers a website “accessible” if it complies with the standards of the WCAG 2.0 AA. The agency has used this standard in settlement agreements and consent decrees with businesses it believes to have violated the ADA. There is speculation that this will be the standard adopted for the private sector in 2018.

If your company website posts menus, accepts orders, permits customer reviews and testimonials, takes reservations, provides addresses and directions to brick-and-mortar locations, accepts job applications, includes FAQs, has email or chat features, or your business has any other online presence, you should consult with your web designer about ways to make these aspects accessible to those with disabilities. It is both the right and the legal thing to do, and it could save your business the unwanted expense and stress of litigation.

For more information, contact the author at MAnderson@fisherphillips.com or 504.529.3839.

Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst
https://pre.hospitalitylawyer.com/cybersecurity-best-practices-how-general-counsel-can-prepare-for-the-worst/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-best-practices-how-general-counsel-can-prepare-for-the-worst
Thu, 16 Nov 2017 20:35:00 +0000

Take note, GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.

Authors

Matthew J. Siegel, Member, Cozen O’Connor
Ethan Price-Livingston, Associate, Cozen O’Connor

What American Companies Need to Know about the EU’s New General Data Protection Regulation
https://pre.hospitalitylawyer.com/what-american-companies-need-to-know-about-the-eus-new-general-data-protection-regulation/?utm_source=rss&utm_medium=rss&utm_campaign=what-american-companies-need-to-know-about-the-eus-new-general-data-protection-regulation
Fri, 03 Nov 2017 00:11:33 +0000

The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that will go into force on May 25, 2018. Every organization that does business with EU customers, regardless of the home base of the organization and regardless of its size, must come into compliance or risk significant financial penalties and legal exposure. The new law permits fines of the greater of €20 million or four percent of an organization’s worldwide annual revenue for the previous fiscal year.

The primary purpose of the GDPR is to provide EU citizens with greater control over how their personal data is collected, protected and used. There must be a legitimate and lawful reason for collecting data, and collection must be limited to the minimum information necessary for the purpose for which the data are collected. Data must be deleted when that purpose has been achieved.

The definition of personal data under the GDPR is extremely broad and includes any information relating to an identified or identifiable natural person (e.g., addresses, telephone numbers, email addresses, bank information, credit card details, photos, posts on social media websites, medical information, and even an IP address). There is also a separate definition for “sensitive personal data” (e.g., racial or ethnic origins, political opinions, physical or mental health and criminal history) which is entitled to even greater protection.

Companies that are in compliance with the existing Data Protection Act (DPA) certainly have a head start, as not everything has changed, but most companies will have to implement additional privacy protections and adopt comprehensive data protection strategies to comply with the more expansive provisions of the GDPR. The following are steps that companies should consider taking now to prepare for implementation of the GDPR.

  • Data Protection Officer (DPO). The GDPR requires that companies hire a DPO if they engage in regular, systematic collection or storage of sensitive customer data. Even if not required, it would be a good idea for most companies to have a DPO with sufficient expertise to guide compliance efforts.
  • Data Breach Notification Requirement. The GDPR requires that companies report data breaches to authorities and affected customers within 72 hours of becoming aware of the breach. Thus, companies should have an incident response team in place and be prepared with carefully crafted messaging.
  • Train Your Workforce. The GDPR requires that companies raise awareness of and train their workforces on how to handle personal data under the new law.
  • Obtain Consent and Provide Information. Organizations must obtain consent before any data are collected and provide customers (including website visitors) with detailed information on the data that are collected and how the data will be used.
  • Institute Procedures for Deletion of Personal Data Upon Request. Under existing law, organizations are required to delete personal data only when it causes substantial damage or distress. Under the new GDPR, an EU citizen may request that all data collected on them be permanently deleted if the information is no longer needed for the purpose for which it was originally collected, or simply when consent to use the data is withdrawn.

With the enforcement date of the GDPR only seven months away, organizations should start assessing their policies and procedures so that they are not caught short when the law goes into effect. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.

How to Protect Your Online Privacy
https://pre.hospitalitylawyer.com/how-to-protect-your-online-privacy/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-protect-your-online-privacy
Thu, 19 Oct 2017 23:55:48 +0000

On a daily basis, the global media reports a huge loss of personnel data, damaged reputations, pilfered intellectual property, or millions of dollars stolen as the result of cyber incidents. An event reported in the news today will likely be eclipsed in scale or audacity in a few months’ time. Neither banks, global corporations, celebrities, nor even governments seem able to protect themselves from these digital events.

Even in an era of acute cyberawareness, we still struggle to keep our business networks and personal computers secure. And now the Internet of Things (IoT) exponentially increases our risk from hacktivists, nation states, and criminals. Today our smart TV, home security system, toaster, and heart pacemaker have a user name and password. These devices increase what the security community calls the attack surface – that is, new and novel ways for intruders to hack into your life.

Yet people must communicate, statecraft must be practiced, and commerce and money must flow around the world. Adherence to a basic cyber hygiene regimen can greatly reduce cyber risk exposure. Just like exercising, eating healthy, and getting more sleep – good cyber habits are not difficult, but they must become a routine to be effective.

If you don’t do anything else to protect your digital self, do the following:

Use a new password for every account.

Why? Hackers know people reuse their passwords. So, when a hacker obtains millions of usernames and passwords, he has automated tools to try those usernames and passwords against other websites such as banks, corporate networks, ecommerce sites, email providers, and social media sites. Think for a moment of the damage that could be done if you use the same password for your work account and your bank account.

Create good passwords.

Why? Hackers know people create lousy passwords. “12345”, “password”, and “qwerty” are embarrassingly popular, as proven in every single theft of databases of passwords. Use at least eight (8) characters, upper and lower case and special characters. Avoid common words and short phrases, since there are hacker tools that test every permutation of dictionary words. Additionally, consider using a password manager which can help you create stronger, unique passwords and remember them for you.

Don’t open suspicious attachments or links.

Why? Technically there are numerous ways to access a computer illegally, but most of the high-profile computer breaches happen because one employee clicked on one single hyperlink in an email or website; that’s all it takes. You know the feeling when you’re not sure if the email is legit…trust your instincts.

Don’t use free public Wi-Fi.

Why? Free public Wi-Fi is not free. You pay a high price in security and privacy. Imagine your laptop screen is a stadium jumbotron. Every page you visit, every search term you type, every computer you connect to is on virtual display. Potentially, others connecting to the same free Wi-Fi can spy on your communications, access your computer’s data, or misdirect you to malicious websites that infect your computer/corporate network.

Don’t “overshare” on social media.

Why? Whether the watcher is a nation-state, cyber protester, or criminal, hackers have done their homework before they strike. If the hackers are targeting your corporation, details about travel, new projects, promotions, or office politics speak volumes on how to attack your organization or you. These details can be used to craft, for example, a phony human resources email with a “pay and promotion” attachment that is laced with malicious software. Moreover, our sharing across social media creates a cumulative personality profile that can be used against us or our organizations. Remember – photos of the new puppy = good. Photographic evidence, locations, and commentary on the Saturday after-game exploits = bad.

In short, the potential for reputational or financial harm to your company or personnel is pretty significant compared to the relatively small amount of effort it takes to mind your cyber behavior. Survey your personal and organizational cyber fitness, and offset a major problem down the road.

For more intelligence analysis and insights, follow iJET on Twitter where we share regular updates on risk management issues impacting global organizations and the security of their people and operations.

Cloud Computing Crash Course: Location, Location, Location
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-location-location-location/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-computing-crash-course-location-location-location
Sat, 14 Oct 2017 20:14:28 +0000

Cloud computing is the practice of enlisting a “cloud provider” to deliver data, applications and storage to users through the internet, which allows each user to share the computing resource and forego some on-premise technology. Cloud computing is generally categorized into three buckets. The cloud provider may:

  1. Host applications, thereby eliminating the need to install and run applications on users’ own computers or data centers (known as Software-as-a-Service, or SaaS).
  2. Host the hardware and software on its own infrastructure, thereby eliminating the need to install in-house hardware and software needed to develop or run a new application (known as Platform-as-a-Service or PaaS).
  3. Provide virtualized computing resources, thereby eliminating the need to install and run hardware, software, servers, storage or other infrastructure in the user’s own facility (known as Infrastructure-as-a-Service or IaaS).

Knowing Where Your Data is Stored is Mission-Critical

Don’t let the term “cloud” fool you into thinking that the information is not in a specific location. It is, and it’s important to know the exact geographic location of the server where your data will be stored, including any back-up locations.

First, your legal obligations relating to the information can completely change according to the geographic location of where your information is stored. For example, if the cloud provider sends your organization’s personally identifiable information (PII) to a server in the European Union, you will be subject to the ultra-strict privacy rules of the General Data Protection Regulation (GDPR), set to take effect in May 2018.

Second, your information may not be as secure if the privacy and security laws in the server’s location are not as protective as in the United States. Servers in India, for example, are subject to India’s Information Technology Act, which allows the Indian government to intercept and demand decryption of information, with serious fines and/or imprisonment for non-compliance.

Third, with some countries’ data localization laws, you may be required to store certain information within a specific country, and you may be prevented from exporting it out of that country. Russia’s localization law, for example, requires a multinational organization to host data concerning Russian citizens only on a server in Russia, which may mean creating a new data center in Russia.

Depending on the type of information you are sharing, you may also have to comply with U.S. export control regulations. This is an especially important contract consideration for information relating to items classified as “dual use,” or technology with encryption functionalities that are subject to Export Administration Regulations. Storage of such information outside the United States may lead to serious sanctions if required licenses are not obtained.

Finally, in the event of a data breach, U.S. and foreign law enforcement agencies have broad rights to obtain subpoenas for information stored in the cloud. However, rules surrounding a data breach vary from country to country and even state to state — some states, for example, exempt organizations from disclosing a data breach if the data is encrypted and the encryption key was not exposed.

Conclusion

While cloud computing offers many benefits to organizations, it also introduces its own legal obligations and risks, many of which are tied closely to the geographic location of the stored data. As such, organizations must work proactively to understand the particular data privacy regulations applicable to their cloud computing arrangement. This due diligence will help organizations determine if they should engage with a cloud vendor or continue to store their data on-site.


Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main:  (312) 212-5500
Direct:   (312) 212-2338
Email:  thomas.posey@faegrebd.com

The traveler’s guide to keeping electronic devices secure during international travel
https://pre.hospitalitylawyer.com/the-travelers-guide-to-keeping-electronic-devices-secure-during-international-travel/?utm_source=rss&utm_medium=rss&utm_campaign=the-travelers-guide-to-keeping-electronic-devices-secure-during-international-travel
Thu, 12 Oct 2017 20:03:31 +0000

From the first time I traveled overseas in 1996 to my most recent international trip this past November, it’s safe to say that international communication has gotten a little easier. Smartphones, laptops, high-speed wireless networks and Wi-Fi have made staying connected to home while you’re abroad a trivial task. Unfortunately, that massive leap forward in technology also brings its share of security concerns – particularly for international travelers.

This may seem obvious, but when you leave your home country you’re subject to the laws and regulations of the country you’re visiting – from the moment you enter the front door. A security concern that not everyone thinks about can occur at border crossings. Depending on where you are traveling to, electronic devices such as smartphones, laptops, tablets and digital cameras may be subject to official government review as well as, in some cases, duplication of your hard drives and other storage media. Privacy concerns don’t end at the border, however. Depending on what country you’re in you may also expose your devices to viruses, activity tracking and other software simply by being in the country and connecting to its networks.

We talk a lot about data security for travelers on this site and all of that information should apply here as well. Check out a few of them here:

While there’s no specific list (at least that we could find) of countries that can take a look at and potentially snoop, seize or copy data from your devices, there are reports that it can and does happen all over the world.

Whether you’re entering a country by air or traveling between countries by car, boat, train, foot, skis (in the unlikely event that James Bond is reading this), hoverboard (in the less likely event that a 12 year-old is reading this), winged horse, TARDIS, trained dolphin team or Uber, it’s a good idea to take some steps before you arrive to ensure that your personal and corporate data is protected from the minute you arrive to the minute you leave. Here are some tips on how to do that:

Encrypt
Encrypt the information on your laptop to ensure that your data remains protected from unauthorized access. Both Microsoft and Apple offer tools to accomplish this. Just don’t forget your password! You might already have this activated if you use a company device. If so, be sure to check with your IT or corporate security department to get more information before traveling internationally.

Back up
Did you spend your flight crafting the perfect presentation? Make sure you’re able to back it up to the cloud while in the air or as soon as you land – just in case your laptop is seized and searched. How about all those photos on your smartphone? Have you backed those up? There are services like Apple iCloud and Google Photos that make it easy. Run that backup before you leave home and again in every country you visit – but then pay attention to the next section!

Sign out
Clear your browser history and delete cookies from your web browsers that may still be signed into email, social media sites, etc.

Sign out of apps on your smartphone and tablet that might contain personally identifiable or sensitive information. This might include social media apps, email apps, notes apps like Evernote and Notes, storage sites like Google Drive and Dropbox, calendars and more. You might just delete the apps altogether. You can get them back when you return.

Do you have a fingerprint reader on your device? Temporarily disable that or reboot your phone prior to arriving at the border so that a password/PIN is required. Here’s how to disable Touch ID on the iPhone or iPad.

Consider alternate devices
If you can manage, don’t take your brand new expensive MacBook or Surface Pro tablet along with you on the trip. Bring along a cheaper device instead, such as a low-cost Windows laptop or a Chromebook that won’t make you shed tears if it disappears. Make sure it’s new or has been wiped (erased and reloaded like new) before you go. That will limit exposure to only the period during which you’re traveling.

The same thing goes for your phone. Do you have an old phone you can take along rather than your primary device? Maybe go old school and consider a “dumb phone” for your trip – just pretend that it’s 2006 again! Yeah, I know that’s no fun and could be terribly inconvenient. It’s just something to consider depending on where you’re traveling.

If you’re carrying corporate devices, keep the number of your travel department, corporate security, or IT department handy (and not on your phone) so that devices can be remotely locked or even wiped should they be taken and accessed by government officials – or anyone else for that matter.

Whatever devices you bring, be sure they have the latest updates and security patches installed. When you return home, have your devices wiped and reset to ensure that no viruses or otherwise nefarious software has been installed.


This article was originally published by Travel & Transport. The original article can be read here.
