Tag Archives: Clara Y. Kim

Lack of In-House Cyber Expertise, a Growing Concern for Regulators, Leads to $1.5M CFTC Penalty

by Avi Gesser and Clara Y. Kim

As regulators ramp up their cybersecurity enforcement, one area of increasing focus is in-house expertise.  Regulators are starting to explicitly require companies to have qualified data protection personnel.  For example, the New York Department of Financial Services (NYDFS) cyber rules require that companies’ cybersecurity personnel be qualified to manage the company’s cybersecurity risks, receive cybersecurity updates and training, and maintain current knowledge of cybersecurity issues.

The Rise of Deepfake Audio Means It’s Time to Revisit Business Email Compromise Scams and Ways to Reduce Risk

by Avi Gesser, Clara Y. Kim, and Thomas Harris-Warrick (The Crypsis Group)

We first wrote about Business Email Compromise (“BEC”) scams in 2015.  Over the last four years, these attacks have continued unabated.  According to the FBI (PDF: 1.77 MB), in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion.  One reason this threat persists is that cybercriminals have used increasingly sophisticated methods to trick companies into wiring money to them instead of the legitimate payee.

Indeed, in a twist on traditional BEC scams, a fraudster recently used AI-based software to mimic the voice of a CEO on the phone, successfully tricking another executive into sending money to a supplier.  The AI was sophisticated enough that it was able to recreate the slight German accent of the CEO such that the executive thought he recognized his CEO’s voice.  With the rise of AI and deepfakes, BEC scams may get harder to detect, so it is worth revisiting the measures companies should consider employing to reduce those risks.

The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

by Avi Gesser, Matthew Kelly, Will Schildknecht, and Clara Y. Kim

By now, most major U.S. companies are generally aware of the new privacy requirements (PDF: 187 KB) that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information.  But, at least in the short term, it is likely that the CCPA’s cybersecurity requirements will have the most significant impact on companies.

Unfortunately, the CCPA does not spell out its cybersecurity requirements explicitly.  Rather, it creates a private right of action for California consumers against companies that have experienced a cyber breach if their personal information has been taken by an unauthorized person.  A successful action requires that the exfiltration or disclosure be of unencrypted personal data and result from the company’s violation of its duty to implement and maintain reasonable security procedures and practices. § 1798.150(a)(1).

Regulators and Plaintiffs Aren’t Waiting for Privacy Legislation: Companies Face Potential Liability Now and Can Take Steps to Reduce Risks

by

Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works.  But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for new laws.  Instead, they are refitting existing laws to meet their data privacy and security objectives.

Alternative Data Goes Mainstream, and Gets Increased Attention from Regulators

by Avi Gesser, Eric McLaughlin, Clara Y. Kim, and Sumeet Sanjeev Shroff

In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data—a shorthand for big data sets, such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative data industry is projected to be worth $350 million in 2020. The recent announcement by Bloomberg LP that it is offering a product that will give clients access to large volumes of alternative data shows the widespread use of this information in making investment decisions, which is causing hedge fund managers and institutional investors to seek even more untapped alpha-generating data sets.  Not surprisingly, all this activity is attracting increased regulatory scrutiny.