RISKY BUSINESS: Technologies Requiring a Data Protection Impact Assessment (DPIA) under the GDPR

Roulette Wheel in Clark County Nevada as seen from space in Google Earth

Under the European Union GDPR privacy compliance obligations, Data Protection Impact Assessments (DPIA) are mandatory for data processing “likely to result in a high risk to the rights and freedoms of data subjects.” Failure to conduct such a risk assessment is a breach of the GDPR that is subject to significant fines. Whether an organization is required to comply with the GDPR is beyond the scope of this article, but if your organization processes any of the “risky” types of Personal Data of EU or UK citizens listed in the table below, now is the time to find out. Personal Data is broadly defined as any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. How can an organization determine whether to incur the expense of conducting a DPIA? According to Article 35(3) of the GDPR, there are three types of processing that always require a DPIA: 1) systematic profiling with significant effects; 2) large scale use of …


Solar Winds Supply Chain Hack Wins Password Contest

In this picture, the Sun's surface is quite dark. A frame from a movie recorded on November 9th by the orbiting TRACE telescope, it shows coronal loops lofted over a solar active region. Glowing brightly in extreme ultraviolet light, the hot plasma entrained above the Sun along arching magnetic fields is cooling and raining back down on the solar surface.

Privacy and cybersecurity compliance issues are inextricably linked. In one sense, they are peas in a pod. A security breach can leak all sorts of information assets, from useless server logs to trade secrets to sensitive personally identifiable information, or PII. At the heart of many privacy compliance obligations is the recognition of a duty to make “reasonable” efforts to protect PII through technical and organizational means. Such balancing tests are necessarily a key aspect of enterprise risk management. The massive SolarWinds supply chain hack is a case in point. On January 12, 2021, security research company CrowdStrike reported discovery of a third strain of malware, named SUNSPOT, that was deployed in September 2019 – that is, 15 months before the first discovery of the hack by cybersecurity company FireEye on December 8, 2020. There are important questions to be answered about the scope and intent of the hack. Was it a massive penetration testing dry run? Can infected IT infrastructure be fully cleaned without burning it to the ground and rebuilding? Was it espionage on steroids or an act of war? How many more shoes will drop? News reports of the SolarWinds hack often speculate whether important PII was …


US-EU Privacy Shield Perforated – GDPR after Schrems II

Ajax lower left holding a shield aloft, at the right stands Agamemnon surrounded by his soldiers (1540–50).

On July 16, 2020, the European Court of Justice (ECJ – the European Union’s high court) invalidated the EU-US Privacy Shield Framework as a potential mechanism for meeting the GDPR’s cross-border personal data transfer restrictions. Effective immediately, U.S. companies that process EU “personal data” can no longer rely on registration under the Privacy Shield and must establish an alternative legal basis for any continued EU-US transfers. Previously, cross-border transfers to the US were permitted under three mechanisms: 1) the Privacy Shield (http://privacyshield.gov), 2) Standard Contractual Clauses (SCC), and 3) Binding Corporate Rules (BCR). The Privacy Shield was originally developed in response to a 2005 ECJ decision invalidating the “US-EU Safe Harbor Framework,” an earlier agreement to permit U.S. companies to process EU personal data in a way that protected EU privacy rights. Privacy Shield, administered by the Federal Trade Commission, allowed companies to self-certify compliance and was generally considered a workable GDPR solution for U.S. companies that processed (touched) EU personal data.

Impacts

The decision has made waves not just because it declares that any cross-border transfer of personal data under the Privacy Shield is illegal but because it has immediate effect. According to a FAQ issued by the European Data …


Death Trap Buildings

Florentine Codex - infection of Aztecs with smallpox

On July 9, 2020, the World Health Organization (WHO) bowed to pressure from scientists to concede that the novel coronavirus (SARS-CoV-2) could cause infection via aerosols. (See https://bit.ly/39EHerk.) Aerosols are simply small droplets (generally described as under 5 microns) containing the virus that can linger in the air for hours. The author of the linked New York Times opinion article, engineering professor Linsey Marr, writes that a 5 micron droplet takes about a half-hour to drop from the mouth of an average-height adult to the floor – longer if there are air currents. Link to article: https://nyti.ms/3ggetDM. This is not rocket science; even the Aztecs knew that smallpox was airborne. The implications of this fact are enormous: for the legal liability of design professionals responsible for maintaining healthy buildings, for employers responsible for employee safety under the general duty clause of OSHA, and for people with a statistically higher …


Pyrrhotite Contaminated Concrete – A Call for Collaboration

Map showing area in MA and CT with pyrrhotite contaminated concrete

In Biblical fashion, more than 34,000 residential foundations in Connecticut and Massachusetts were built on sand between 1983 and 2016. Not literally, but many if not most residential concrete foundations containing pyrrhotite aggregate from Becker’s Quarry in Willington, CT and mixed by JJ Mottes Concrete in Stafford Springs, CT will need to be repaired or replaced eventually. Those that contain pyrrhotite and have not (yet) shown evidence of failure will remain suspect and will likely impact the value of the real estate. This article focuses on the single-family residential sector, but the problem may be wider. Connecticut DOT asserted that pyrrhotite concrete has not impacted its structures. However, there is visual evidence that some commercial and multi-family residential structures are showing telltale signs of pyrrhotite deterioration. What is known is that thousands of pyrrhotite foundations are crumbling in a slow-motion disaster. The cost of correction currently ranges from $150,000 to $350,000, …


Constructuring

Title Page - AGC Managing Risk in the Digital Age

Associated General Contractors (AGC) and FMI recently published a survey of contractors’ perceptions of risk together with an analysis of factors expected to drive change in the U.S. engineering & construction (E&C) industry in the coming years. See Managing Risk in the Digital Age. The survey (completed late 2017 and published in 2018) yielded four key findings: The “people factor” remains one of the biggest risks for E&C firms in today’s business environment. Industry stakeholders expect to see more change in the built environment within the next five years than there has been in the last 50 years. Most survey respondents are innovating “around the edges” and adopting technology in a piecemeal fashion (or not at all) but not fundamentally transforming their business approaches. For years, contractors have tackled risk by purchasing insurance programs and managing claims. Today that is no longer enough. The survey notes that business is …


California Consumer Privacy Act – GDPR Principles Arrive in the U.S.

Big Sur California ocean view from Cafe Kevah

In the wake of the Cambridge Analytica scandal, restrictions on monetization of personal information (aka PI or PII) are coming to California in 2020. The California legislature unanimously passed a historic bill to adopt many of the core privacy principles of the EU General Data Protection Initiative (GDPR) for California consumers. The bill was fast-tracked into law in order to avoid the likely passage of a more rigorous ballot initiative in the November election. The key difference between the ballot initiative and the adopted law is that the legislative version can be more easily amended to avoid unintended consequences. Indeed, the industry lobbying has already begun. A statement by the Internet Association immediately criticized the legislation: “It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.” The significance of this new law on U.S. businesses will be far reaching. The state of California is now recognized as the world’s 5th largest economy, surpassing the United Kingdom. California’s 40 million “consumers” have just gained privacy rights quite similar to those recently afforded to EU citizens by the General Data Protection Regulation (GDPR). Unlike …


Eureka – Privacy Discovered in California?

The California Consumer Privacy Act of 2018 is a ballot initiative that has gained more than enough signatures to appear on the November 6, 2018 general election ballot. If approved by the voters, the Act will greatly expand privacy rights in California. It will apply to larger companies that do business in California as well as entities that collect substantial amounts of Personal Information from California residents. California has in the past led the US in various trends and regulations, good and bad. Freeways, Beach Boys, hippies, hipsters, car culture, bikers, early Burning Man, the music industry, and Hollywood helped define US culture. Well-known regulations and restrictions on air quality such as CARB (CA Air Resources Board), on “chemicals known to the state to cause cancer or reproductive toxicity” such as Proposition 65, and on offshore drilling have been very influential. Facebook, Google, Apple, AirBnB, Tesla, and yes, Theranos are all California companies.

Beauty is in the eye of the beholder

In 1976, a wealthy acquaintance in the Bel Air hills invited me for drinks to survey the skyline overlooking Los Angeles at dusk from his poolside perch. Like the successful Mr. McGuire in The Graduate urging Ben to steer his career towards the …


Reality Bites – Caught “Lead Handed” on TV

Do TV contractors poison their real world customers? According to an EPA press release dated June 5, 2018: “The U.S. Environmental Protection Agency (EPA) and Magnolia Waco Properties, LLC, which does business as Magnolia Homes, have reached a settlement to resolve alleged violations of the Toxic Substances Control Act (TSCA) Lead Renovation, Repair and Painting Rule (RRP Rule), related to home renovations conducted without adequate lead paint protections as depicted on the television program Fixer Upper. Under the terms of the settlement, Magnolia will take steps to ensure compliance with lead-based paint regulations in future renovation projects, address lead-based paint hazards at high-risk homes in Waco, Texas, and educate the public to lead-based paint hazards and appropriate renovation procedures.” Allegedly, according to a November 29, 2017 administrative complaint, Chip and Joanna Gaines, stars of HGTV’s “Fixer Upper” and owners of Magnolia Waco Properties, LLC (d/b/a Magnolia Homes), “did not comply …


GDPR Privacy by Default – Will the US Senate Follow Europe?

On May 25th, Senators Edward J. Markey (D-Mass.), Dick Durbin (D-Ill.), Richard Blumenthal (D-Conn.), and Bernie Sanders (I-Vt.) introduced a Senate resolution calling for U.S. companies and institutions covered by the European Union’s (EU) new privacy law, the General Data Protection Regulation (GDPR), to provide Americans with the privacy protections included in the European law. The five-page Resolution summarizes the GDPR as requiring that data processors have a legal basis for processing the data of users, and that opt-in, freely given, specific, informed, and unambiguous consent from users is a primary legal basis. The Resolution is not a bill and has not yet been debated or adopted. However, it was symbolically introduced on the very same day that the European GDPR became law. Many US enterprises are impacted by the new EU law because they control or process the personal data of people in the EU. Some US companies have announced full compliance with the GDPR for all people worldwide. Others have geofenced and blocked EU data subjects. Others, like the Washington Post, have erected a supposedly compliant paywall to provide GDPR-compliant and ad-free access to the EU countries. The Markey Resolution “encourages entities” already covered by the impact of the …
