<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jon Dartley - Perlman Sandbox</title>
	<atom:link href="https://dev.staging-perlmanandperlman.com/author/jondartley/feed/" rel="self" type="application/rss+xml" />
	<link>https://dev.staging-perlmanandperlman.com</link>
	<description>Perlman Sandbox</description>
	<lastBuildDate>Thu, 17 Mar 2022 14:12:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>
	<item>
		<title>Cyber Readiness &#8211; If it Ain’t Broke, You May Still Want to Fix It…</title>
		<link>https://dev.staging-perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Thu, 27 Jan 2022 19:21:06 +0000</pubDate>
				<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cyber readiness]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data retention]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/?p=9047</guid>

					<description><![CDATA[<p>The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, the Director of the Office of Management and Budget in President Jimmy Carter&#8217;s 1977 administration.  Lance’s aim was to save money by adopting a fiscal policy that focused on needed repairs.  Over time, this colloquialism has come to [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/">Cyber Readiness – If it Ain’t Broke, You May Still Want to Fix It…</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, the Director of the Office of Management and Budget in President Jimmy Carter&#8217;s 1977 administration.  Lance’s aim was to save money by adopting a fiscal policy that focused on needed repairs.  Over time, this colloquialism has come to represent a pragmatic approach to “triaging” issues.  When it comes to cyber-security readiness, however, this approach is ill-advised.  Put another way, the fact that your organization has not experienced a security incident to date should not be the rationale for maintaining the status quo.</p>
<p>Data breaches are the leading threat in today’s digital world, with a new cyberattack occurring approximately every 39 seconds. <strong>Non-profit organizations are increasingly being targeted</strong> by cybercriminals, not only because of the wealth of data they possess, but because they simply do not take the same precautions nor employ the same resources as their for-profit counterparts.  In fact, small-to-medium-sized organizations are actually more likely to be targeted by hackers for that very reason.</p>
<p>The financial cost of managing a data breach is well documented.  A recent study estimated the average cost of a breach in 2021 at 4.24 million dollars, a 10% rise from 2019.  Although less tangible, the potential loss of trust of the nonprofit’s donors, volunteers and the community can be significant. Such a loss is not only difficult to restore, it can also affect fundraising activities, volunteer engagement, and partnerships with other organizations for years to come.</p>
<p>For organizations seeking to decrease their cybersecurity vulnerabilities, a good first step is to obtain a comprehensive understanding of the current risk environment. For example, what kind of data does your organization collect, store, share and transmit?  Where and how is the data being stored, and who has access to the data?  How does the organization transmit data? (Data transmission is often one of the most significant vulnerabilities; any time data is sent from one location to another, there is a risk of interception.) During the COVID-19 pandemic, the risk of insecure data transfer has increased as more and more individuals have begun accessing critical data from personal mobile devices or using personal digital storage solutions.  Assessing these weak points can be achieved through a data-privacy audit whereby information gathered is then used to strengthen the organization’s cyber-readiness.</p>
<p>Additionally, organizations should consider implementing the following measures:</p>
<p><strong><em>Implement (Or Update) Organization-Wide Cybersecurity Policies</em></strong><br />
The first step in ensuring the security of an organization’s data is to have consistent, documented cybersecurity policies in place for all employees to follow.</p>
<p><strong><em>Provide Ongoing Cybersecurity Training</em></strong><br />
Next, all individuals within the organization who have access to secure data should receive annual cybersecurity training.</p>
<p><strong><em>Focus Your Cybersecurity Efforts/Reevaluate Third-Party Vendors</em></strong><br />
Focus on security controls that would be the most effective based on your specific needs and resources. And as many breaches occur from the actions/omissions of third-party vendors who store an organization’s data, review the legal terms of all such agreements to make sure there are appropriate terms and conditions to protect your organization (<em>read</em> <em><a href="/are-you-protected-five-points-to-include-in-every-technology-agreement/">Are You Protected? Five Points to Include in Every Technology Agreement</a>).</em></p>
<p><strong><em>Create A Data Retention and Deletion Policy</em></strong><br />
Most organizations collect more data than they need, and hold the data longer than necessary or practical.  The more data your organization stores, the greater the liability if a breach occurs.  It is imperative that organizations adopt a policy that dictates the types of data to be stored, and when/how that data is deleted when no longer relevant.</p>
<p><strong><em>Prepare for the Unexpected</em></strong><br />
Every organization needs a plan for what to do in case of a data breach. An incident response plan can help organizations comply with applicable laws and regulations, and launch a rapid and coordinated response that will mitigate the damaging consequences of a data breach.  On a side note, the recently enacted NY SHIELD Act requires organizations that collect information from NY residents to have both a Data Retention and Deletion policy as well as an Incident Response plan in place, among other requirements (<em>read</em> <em><a href="/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a>).</em></p><p>The post <a href="https://dev.staging-perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/">Cyber Readiness – If it Ain’t Broke, You May Still Want to Fix It…</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>2021 &#8211; A Very Private New Year &#8211;  Steps all Nonprofits Can Take</title>
		<link>https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</link>
					<comments>https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Jan 2021 22:21:40 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</guid>

					<description><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 – A Very Private New Year –  Steps all Nonprofits Can Take</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The 2019 reporting year also saw a return to the pattern of the ever-increasing number of breaches and volume of records exposed.</p>
<p>As most organizations continue to have a significant portion of their workforce work remotely, 2020 will likely show a significant uptick in unauthorized access to personal information.  Additionally, the average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8 percent year over year to $148. Such financial repercussions, as well as the risk of incurring reputational harm that could follow unauthorized access of customer data, indicate that privacy and cyber security should be a top concern.</p>
<p>Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees, and it is incumbent upon them to safeguard that information. The fact is, that with each passing year, the number of data breaches grows, and the related financial cost and reputational harm along with it. Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.</p>
<p>Due to the continued need to protect information, New York State enacted the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) on March 21 of 2020.  This new law applies to any organization that receives or collects private information about New York residents through the Internet.  The Act requires specific actions and imposes a variety of obligations, and significant fines may be levied for non-compliance.  Among other requirements, to meet the SHIELD Act requirements organizations must:</p>
<ol>
<li>conduct a risk assessment of its cybersecurity program;</li>
<li>properly vet all third-party service providers to ensure they can comply with the NY SHIELD Act, and include in its contracts specific provisions related to cybersecurity practices;</li>
<li>have policies and procedures related to the deletion and/or disposal of data within a reasonable amount of time after it is no longer needed for business purposes;</li>
<li>develop and implement a written incident/data breach response plan so that you can comply swiftly and completely with the Act’s reporting requirements (or face potentially harsh penalties); and</li>
<li>designate a “point person” to coordinate your data-security program to meet compliance.</li>
</ol>
<p>The good news is that conducting a privacy audit can significantly reduce potential “data incidents” and minimize the related risks.  It is also a big step to achieving SHIELD compliance.   A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.</p>
<p>The following risk assessment methodology is a good place to start.</p>
<ul>
<li><strong>Inventory:</strong> Locate the places in the organization (and vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.</li>
<li><strong>Safeguards:</strong> Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, might warrant different levels of protection).</li>
<li><strong>Gaps:</strong> Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.</li>
<li><strong>Risk Assessment:</strong> For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of risk occurrence, and use this to help prioritize compliance efforts.</li>
<li><strong>Remediation:</strong> Depending upon the findings/conclusions in the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.</li>
</ul>
<p>As organizations look to identify material risks and implement processes and procedures to protect their data and hence their missions &#8211; data privacy and cyber security will no doubt continue to be a critical concern.  Now is the right time to conduct a privacy audit.</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 – A Very Private New Year –  Steps all Nonprofits Can Take</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>We Won’t Get Fooled Again &#8211; Blackbaud Data Breach</title>
		<link>https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/</link>
					<comments>https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Tue, 25 Aug 2020 18:04:24 +0000</pubDate>
				<category><![CDATA[Contracts & Commercial Transactions]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[vendor contract]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/</guid>

					<description><![CDATA[<p>Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage.  This past May, Blackbaud, a prominent service technology provider to nonprofits, announced that it suffered a major data breach.  Whether or [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/">We Won’t Get Fooled Again – Blackbaud Data Breach</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage.  This past May, Blackbaud, a prominent service technology provider to nonprofits, announced that it suffered a major data breach.  Whether or not your organization was affected, the recent Blackbaud breach &#8211; and their very-delayed and by many accounts lackluster response &#8211; is a wake-up call for organizations to consider the terms of their relationship with all third-party vendors.</p>
<p>The reality is that most of the “default” third-party terms are invariably one-sided in favor of the vendor. Should things go awry as they did with the Blackbaud incident, it is vital to have the appropriate legal terms in the contract to protect your interests.  While it is impossible to provide an exhaustive list of issues to be considered in negotiating a contract, I recommend that the following five points should always be addressed prior to signing a third-party technology contract.</p>
<p><strong>1. Adjust the Limitation of Liability Cap</strong></p>
<p>Vendors routinely attempt to limit any claims for loss or damage that might be incurred.  Typically, they try to limit the recovery period to six months, or even less, of fees paid.  I suggest that the “cap” be set at some multiple of the contract value, and not be tied to monies paid to date. This avoids having limited recompense for claims that occur early on in the contract term.</p>
<p><strong>2. Draft Exclusions to the Limitation of Liability Cap</strong></p>
<p>Related to the first provision, most types of damage are “capped” at some pre-agreed dollar amount.  However, certain damage, because it poses a greater risk to your organization and its reputation, should be excluded.  As an example, damage that results from a data breach, indemnified claims and breaches of your confidential information should never be capped. In the case of the Blackbaud breach, such an exclusion would have allowed your organization to fully recover all losses and expenses.</p>
<p><strong>3. Require Breach Notification and Credit Monitoring Expenses</strong></p>
<p>The Blackbaud incident illustrates that breaches happen.  Although unfortunate, the reality is that no system or platform is “breach proof.”  Even if your vendors maintain all the various physical, logical and administrative security precautions that have been reasonably requested, breaches can occur.</p>
<p>If a breach occurs and notification is required, your vendor is obligated to notify you alone, not your end-user donors.  For this reason, I strongly recommend that you require <em>any </em>vendor that has access to personally identifiable information on your behalf, to agree to pay for all fines, expenses and costs related to the breach, including notification to your donors, regulatory fines, and credit monitoring services for the potentially affected individuals.  They should also be required to promptly notify you of any breach or suspected breach – my recommendation is within 48-72 hours.  Blackbaud took over two months to provide notification!  This is reprehensible &#8211; but they are now the exception that proves the rule: contractually obligate your vendors to timely notice.</p>
<p><strong>4. Insist on Specific Cyber/Privacy Representations and Warranties</strong></p>
<p>During the sales pitch, prospective clients are presented with polished and detailed marketing materials that exhaustively detail the various aspects of the vendor’s product, including the various cyber-security precautions they have in place.  However, most contracts provide scant details of the actual precautions to be undertaken.  Bottom line, if a vendor is getting access to any personally identifiable information, you should have specific and detailed cyber-security and privacy requirements spelled out in the contract.</p>
<p><strong>5. Request Transition Services</strong></p>
<p>Vendor relationships do not last forever.   When the time comes to change a vendor, the transition can be a lengthy and arduous process.  When the existing vendor is reluctant to assist with the facilitation of the transition, the client gets stuck with the logjam.  To mitigate this issue, I always insist on including a provision in the contract that requires the vendor to provide ongoing services and specific transition support at their current standard rates for a specified period of time.</p>
<p>In the sentiments of Robert Frost, good contracts make good vendors.  As the Blackbaud data breach illustrates, “stuff” happens.  While this is one of many third-party providers to suffer a data breach, the attack on Blackbaud serves as a stark example of why organizations need to take the time to carefully evaluate third-party vendor privacy and cyber security practices, as well as insist on specific contractual terms that define accountability and responsibilities in the event of an incident.  (And FYI, the NY SHIELD Act requires all organizations that collect information on NY residents to review all such contracts with third-party vendors to ensure that such contracts impose specific technological, administrative and physical safeguards). Failure to do so could leave your organization with limited recourse and remedies when the worst happens.</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/">We Won’t Get Fooled Again – Blackbaud Data Breach</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is it Time for a Cyber Risk Check-up?</title>
		<link>https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/</link>
					<comments>https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Mon, 08 Jun 2020 14:11:35 +0000</pubDate>
				<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[#COVID-19]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[NY SHIELD Act]]></category>
		<category><![CDATA[provacy laws]]></category>
		<category><![CDATA[VPN]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/</guid>

					<description><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid,” it is likely that many organizations will continue to ask their employees to work remotely — at least periodically — for some time.   It is important to remember that doing so is not without risks.  As most organizations [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/">Is it Time for a Cyber Risk Check-up?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid,” it is likely that many organizations will continue to ask their employees to work remotely — at least periodically — for some time.   It is important to remember that doing so is not without risks.  As most organizations have information to protect, now is the time to consider the potential “cyber” risks of remote working, and remedial actions that can be taken to mitigate these risks.  The fact is that home office environments are not as secure as work environments.   Unfortunately, hackers are well aware of these vulnerabilities, and “phishing” and other schemes aimed at compromising personally identifiable information have been on the rise over the past couple of months.</p>
<p><strong>This is a good time to audit the protocols your organization recently implemented and ensure that your colleagues recognize and alleviate risks when they are routinely working from home.</strong>  Below are some typical risks, with strategies to minimize those risks.</p>
<ul>
<li><strong>Unsecured WIFI networks: </strong>Home networks (and use of public networks) may be vulnerable to malware or ransomware attacks through their wireless router – <em>Secure home WIFI networks with a robust password and, when possible, avoid use of public networks. </em></li>
<li><strong>Working on unsecured personal devices: </strong>Home computers may lack critical security patch management – <em>Employees should only conduct work on their employer-issued computers. Where this is not possible personal laptops should not be allowed to leave the home. </em></li>
<li><strong>Transferring corporate data using personal email accounts:</strong> Employees may send sensitive information to their personal email accounts; non-enterprise email accounts usually lack the protections that commercial accounts often have – <em>Advise employees against sending sensitive company data to their personal email accounts, and to permanently delete any corporate data remaining on their email accounts after they return to their normal working arrangement. </em></li>
<li><strong>“Hard-Copy” document management and destruction</strong>: Employees may take hard-copy sensitive or confidential materials off-site that they would not otherwise – <em>Advise as to proper destruction and to avoid disposing of documents at home or in a public place without proper cross-cut shredding. </em></li>
<li><strong>Unsecured connections to organizational systems:</strong> Absent a secure virtual private network (VPN), employees may attempt to connect to your systems in an insecure manner – <em>Investigate the viability of configuring a VPN for employees accessing your systems.</em></li>
<li><strong>Syncing with personal cloud storage accounts</strong>: Employees working remotely may use a personal cloud service account to transfer documents or data to and from office that may be less secure – <em>Monitor use and consider creating a list of recommended providers.</em></li>
<li><strong>Key vendor relationships</strong>: Most organizations rely on third-party vendors to support both internal and external mission-critical services.  These services could be impacted should these companies also ask their employees to work from home – <em>Proactively reach out to these vendors to inquire as to their plans to continue to support your organization and to keep your data safe (as summarized above); also review the contracts in place to be aware of your rights and remedies.</em></li>
</ul>
<p><strong>It is important to remember that although COVID-19 has posed challenges in regard to good cyber practices, privacy laws, regulations and expectations still apply. </strong></p>
<p>For example, New York State’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect on March 21 of this year.   This new law applies to any for-profit or nonprofit organization that receives or collects private information about New York residents.  Simply put, if your organization has a website, it’s likely you need to comply with the provisions of the SHIELD Act (and there are substantial fines for noncompliance).  Among the many obligations, the SHIELD Act expects organizations to 1) implement “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of data, 2) properly vet all third-party service providers and include specific provisions related to cyber-security practices, and 3) designate a “point person” to coordinate your data security program.   <strong><u>Many organizations would have fallen short of these requirements prior to COVID-19 — many more will fall short today as employees continue their work from home</u>.</strong>  While meeting these requirements may seem daunting, they are more easily achieved than one might initially think.  I routinely help organizations to achieve compliance with the SHIELD Act and other similar regulations and best practices, and in doing so these organizations become better “stewards” of the personal information they collect on behalf of their employees and donors.</p>
<p><em>Jon Dartley is an attorney with in-depth knowledge of the laws of data privacy regulation. You may reach him at jon@perlmanandperlman.com. </em></p><p>The post <a href="https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/">Is it Time for a Cyber Risk Check-up?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>COVID-19 and Cyber-Readiness &#8211; Good Practices for Remote Work</title>
		<link>https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/</link>
					<comments>https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 11 Mar 2020 19:46:21 +0000</pubDate>
				<category><![CDATA[Employment]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/</guid>

					<description><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid”, it is likely that many organizations will at some point be asking their employees to work remotely;  it is important to remember that doing so is not without its risks.  As most organizations have information to protect, now is [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/">COVID-19 and Cyber-Readiness – Good Practices for Remote Work</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid”, it is likely that many organizations will at some point be asking their employees to work remotely;  it is important to remember that doing so is not without its risks.  As most organizations have information to protect, now is the time to consider the potential “cyber” risks of remote working, and remedial actions that can be taken to mitigate these risks.</p>
<ul>
<li><strong>Unsecure WIFI networks: </strong>Home networks (and use of public networks) may be vulnerable to malware or ransomware attacks through their wireless router &#8211; <em>Secure home WIFI networks with a robust password and, when possible, avoid use of public networks. </em></li>
<li><strong>Working on unsecure personal devices: </strong>Home computers may lack critical security patch management &#8211; <em>Employees should only conduct work on their employer-issued computers. Where this is not possible personal laptops should not be allowed to leave the home. </em></li>
<li><strong>Transferring corporate data using personal e-mail accounts</strong>: Employees may send sensitive information to their personal email accounts; non-enterprise email accounts usually lack the protections that commercial accounts often have &#8211; <em>Advise employees against sending sensitive company data to their personal email accounts, and to permanently delete any corporate data remaining on their email accounts after they return to their normal working arrangement. </em></li>
<li><strong>“Hard-Copy” document management and destruction</strong>: Employees may take hard-copy sensitive or confidential materials off-site that they would not otherwise &#8211; <em>Advise as to proper destruction and to avoid disposing of documents at home or in a public place without proper cross-cut shredding. </em></li>
<li><strong>Unsecure connections to organizational systems:</strong> Absent a secure virtual private network (VPN), employees may attempt to connect to your systems in an insecure manner &#8211; <em>Investigate the viability of configuring a VPN for employees accessing your systems.</em></li>
<li><strong>Synching with personal cloud storage accounts:</strong> Employees working remotely may use a personal cloud service account, which may be less secure, to transfer documents or data to and from the office &#8211; <em>Monitor for such use, and recommend and advise employees accordingly.</em></li>
<li><strong>Key vendor relationships:</strong> Most organizations rely on third-party vendors to support both internal and external mission-critical services.  These services could be impacted should these companies also ask their employees to work from home &#8211; <em>Proactively reach out to these vendors to inquire as to their plans to continue to support your organization and to keep your data safe (as summarized above); also review the contracts in place to be aware of your rights and remedies.</em></li>
</ul><p>The post <a href="https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/">COVID-19 and Cyber-Readiness – Good Practices for Remote Work</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>California Consumer Privacy Act (CCPA)  &#8211; You are not California Dreamin&#8217;!</title>
		<link>https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/</link>
					<comments>https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Mon, 16 Dec 2019 21:38:04 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[california]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[Consumer Privacy]]></category>
		<category><![CDATA[Privacy Act]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/</guid>

					<description><![CDATA[<p>What Is It? The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. It is the most recent personal data protection law passed by the State of California, and provides California residents with more control over the collection, use, and protection of their personal information. The CCPA’s broad privacy requirements are entirely new, [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/">California Consumer Privacy Act (CCPA)  – You are not California Dreamin’!</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><em>What Is It?</em><br />
The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. It is the most recent personal data protection law passed by the State of California, and provides California residents with more control over the collection, use, and protection of their personal information.</p>
<p>The CCPA’s broad privacy requirements are entirely new, and are certainly among the strictest privacy laws in the United States. It is important to note that CCPA is not a replacement for other existing California privacy law &#8211; all of those laws remain  in effect. Here the focus is on CCPA.</p>
<p><em>Does it Apply to Your Company?</em><br />
CCPA applies to any for-profit company in the world which collects personal data, and</p>
<ol>
<li>Has annual gross revenues of at least $25 million; or</li>
<li>Obtains personal information of at least 50,000 California residents, households, and/or devices per year; or</li>
<li>Derives at least 50% of its annual revenue from selling California residents’ personal information</li>
</ol>
<p><em>What to Do to Prepare</em><br />
To comply,  companies will have to adopt a variety of new measures, including:</p>
<ul>
<li>Draft and post a comprehensive privacy notice <em>(send me an email request for a more detailed list of elements to include)</em></li>
<li>Conduct a data inventory to “map” the use of California residents’ personal data and instances of “selling” data</li>
<li>Implement procedures to meet the new individual rights for data access, deletion and opting-out</li>
<li>Update all vendor agreements with third parties who may be processing such data on behalf of the business</li>
</ul>
<p><em>What are the Penalties for Non-Compliance?</em><br />
Non-compliance with CCPA puts a company at risk for large fines. The Attorney General can levy fines of up to $7500 per violation, and non-compliance may also subject the company to “private actions” from California residents.</p>
<p><em>Jon Dartley, Esq., 212.889.0575 ext. 224</em><br />
<em>jon@perlmanandperlman.com</em></p>
<p>DISCLAIMER:<br />
These materials were prepared for informational purposes only. The information contained herein is general in nature and may not have application to particular factual or legal circumstances. These materials do not constitute legal advice or opinions and should not be relied upon as such. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship. Recipients of this information should not act upon any information in this article without seeking professional counsel.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/">California Consumer Privacy Act (CCPA)  – You are not California Dreamin’!</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The SHIELD Act – A New York State of Mind … and Privacy</title>
		<link>https://dev.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/</link>
					<comments>https://dev.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Nov 2019 20:35:27 +0000</pubDate>
				<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[New York]]></category>
		<category><![CDATA[New York Law]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[privacy law]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/</guid>

					<description><![CDATA[<p>The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of the existing New York State breach notification and data protection laws. This new law applies to any for profit or nonprofit organization that receives or collects private information about New York [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>The <strong>Stop Hacks and Improve Electronic Data Security Act</strong> (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of the existing New York State breach notification and data protection laws. This new law applies to any for-profit or nonprofit organization that receives or collects private information about New York residents.  Simply put, if your organization has a website, it’s likely you need to comply with the provisions of the SHIELD Act.</p>
<p>The SHIELD Act creates two primary obligations: 1) the adoption and maintenance of a comprehensive cybersecurity data protection program to safeguard private information; and 2) compliance with specific data breach notification requirements.</p>
<p>The SHIELD Act broadens what is considered to be personally identifiable information (“PII”), which means that most organizations will be deemed to be collecting PII.  Under the SHIELD Act, any organization that collects PII must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.   While the extent of the safeguards is expected to be proportionate to the size and complexity of the organization, it is clear that all organizations will have to meet the minimum requirements as outlined below.</p>
<ul>
<li>Develop, implement and maintain “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of PII.</li>
<li>When utilizing third-party service providers, include specific contractual provisions that stipulate that maintenance of appropriate cybersecurity practices is necessary for compliance. (This suggests that all current, and certainly future, vendor agreements must be reviewed and appropriately negotiated.)</li>
<li>Adopt a data retention and destruction policy to safely and securely store, and when appropriate, permanently dispose of, PII.</li>
</ul>
<p>Added to this, the SHIELD Act broadens the definition of data breach, requiring prompt notice to affected individuals and to government authorities.  For those organizations that have yet to adopt a “data breach response plan”, the time to do so is now.   The Act includes penalties for failing to provide timely notice in the event of a data breach as well as for failing to adopt reasonable safeguards.</p>
<p>The organizational costs related to unauthorized access continue to grow.  Therefore, procuring and maintaining a comprehensive and appropriately tailored cyber-security insurance policy has never been more important (also see <a href="https://www.perlmanandperlman.com/cyber-security-insurance/" target="_blank" rel="noopener"><em>Cyber Security Insurance – A Must Have</em></a>).</p>
<p>Although the law took effect on October 23, 2019, it provides organizations a grace period until March 21, 2020 for the establishment of the required data protection policies and practices. I highly suggest organizations use this time wisely!  Businesses that have not previously been subject to cybersecurity regulatory requirements should promptly evaluate the sufficiency of their internal policies and practices &#8211; as well as the third-party service providers they use &#8211; to ensure compliance with the SHIELD Act requirements.  Those organizations with existing cybersecurity programs should review and update their policies and practices in light of these new requirements.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Privacy Matters: A Website Privacy Policy is Good Governance</title>
		<link>https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/</link>
					<comments>https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Fri, 14 Jun 2019 15:34:54 +0000</pubDate>
				<category><![CDATA[Nonprofit Governance]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[good governance]]></category>
		<category><![CDATA[privacy policy]]></category>
		<category><![CDATA[website]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/</guid>

					<description><![CDATA[<p>With the massive expansion of the Internet and online collection of personal information, privacy is a real concern these days.  Your nonprofit organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/">Privacy Matters: A Website Privacy Policy is Good Governance</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>With the massive expansion of the Internet and online collection of personal information, privacy is a real concern these days.  Your nonprofit organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their confidentiality.  Having an up-to-date privacy policy is also considered “good governance” – as an example, the most recent NYC <em>Good Governance Blueprint</em> recommends that nonprofit organizations “develop, publish, implement, and monitor implementation of its privacy policy.”</p>
<p>So how should one go about drafting a website privacy policy?  The Federal Trade Commission advises that when drafting your privacy policy “say what you mean and mean what you say.”  The first part is easy – you need to have a global understanding of what your organization does with the information it collects.  For example, do you share information with third parties, use cookies and other web tracking technologies, or send promotional emails?  Whatever the practices, they need to be clearly described in your privacy policy.</p>
<p>The second part, “do what you say”, is more of a challenge.  Simply stating the policy is not enough – you must adhere to the policies and procedures as described.  Your organization will be held accountable for any failure to meet its own written standards, thus it’s imperative that everyone in the organization understand what they should be doing – and equally important, what they should <em>not</em> be doing.  There are useful tools and approaches for assessing and monitoring such adherence that you may consider adopting, such as a data privacy audit.</p>
<p>Finally, your privacy policy must keep pace with your practices and with changing law.  Web technologies, marketing strategies and other internal practices change regularly.  If the marketing department concludes that a monthly e-newsletter to donors is essential, that’s fine, but make sure that this is addressed in the privacy policy.  Unfortunately, many organizations do not routinely update their privacy policies to keep pace with such changes.</p>
<p>Additionally, the laws applying to privacy practices are in constant flux.  As an example, the General Data Protection Regulation (GDPR) issued by the European Union (EU) became effective May 25, 2018.  Although some organizations have adopted privacy processes and procedures in response to the regulations, many are still unclear as to the impact upon their organizations, and the steps necessary to comply.  In regard to your privacy policy, GDPR does require that you include specific provisions and “rights” in your online privacy policy.  Failure to comply could result in significant fines and penalties.</p>
<p>As someone who routinely reviews and drafts privacy policies, I am keenly aware of how quickly these privacy policies can become “outdated.”  If you have a professionally drafted privacy policy, make sure that it is reviewed, followed and updated on an annual basis.  If you are like many organizations and have an outdated and/or inadequate privacy policy, then revising it should be a top priority.  The investment today will go a long way in honoring the commitment to the privacy your supporters expect and deserve.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/">Privacy Matters: A Website Privacy Policy is Good Governance</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/privacy-matters-website-privacy-policy-good-governance/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>From Startup to Growth Company – Five Factors For Success</title>
		<link>https://dev.staging-perlmanandperlman.com/startup-growth-company-five-factors-success/</link>
					<comments>https://dev.staging-perlmanandperlman.com/startup-growth-company-five-factors-success/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 09 Jan 2019 10:01:27 +0000</pubDate>
				<category><![CDATA[Contracts & Commercial Transactions]]></category>
		<category><![CDATA[Corporate Structure]]></category>
		<category><![CDATA[Hybrid Organizations]]></category>
		<category><![CDATA[Socially Responsible Businesses]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/startup-growth-company-five-factors-success/</guid>

					<description><![CDATA[<p>In his novel Anna Karenina, Tolstoy declares “Happy families are all alike; every unhappy family is unhappy in its own way.&#8221; This famous opening line suggests that there are common elements for a successful family; on the flip side, there are countless ways things can go wrong. Analogizing this to startup companies can be illuminating. [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/startup-growth-company-five-factors-success/">From Startup to Growth Company – Five Factors For Success</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>In his novel Anna Karenina, Tolstoy declares “Happy families are all alike; every unhappy family is unhappy in its own way.&#8221; This famous opening line suggests that there are common elements for a successful family; on the flip side, there are countless ways things can go wrong.</p>
<p>Analogizing this to startup companies can be illuminating. Having founded and run several startups, as well as having advised founders as either an attorney or board member, it has become clear to me that while a variety of factors are needed for an enterprise to be successful, there are several key factors that virtually every startup needs to exhibit and embrace in order to be successful.</p>
<p>Accepted wisdom is that most startups will fail. So what makes the outliers successful? In my experience, there are five key factors, and I share them here.</p>
<p>1. <em>Don’t start with a product, start with an open mind.</em><br />
Thanks to lessons from the book “The Lean Startup,” the days of “if we build it, they will come” have thankfully passed. Most companies are founded on a “big idea,” whose founders are, understandably, passionate and committed to pursuing their dream. So what goes wrong? One survey of failed startups determined that 42% of them identified the “lack of a market need for their product” as the single biggest reason.</p>
<p>The brilliance of the concept that an entrepreneur should develop a “minimum viable product” &#8211; build something small, fast and cheap, and then test it &#8211; is its simplicity. The importance of remaining nimble, flexible and open-minded cannot be overstated. (Equally important, of course, is to make sure the appropriate inventions assignment agreements and contractor agreements are drafted to ensure that your company properly owns everything your employees and contractors create.)</p>
<p>2. <em>To build a viable business, you need to build a successful team. </em><br />
Psychological research is rich in the documentation and study of dysfunctional groups (think of Tolstoy’s “unhappy families”.) In the world of startups, many failures are due to discord among the founders. Although most founders are people with high hopes and good intent, when you bring into the mix the differences of personality, background and skills, combined with variation in expectations, conflict is to be anticipated. In most cases where the founders fail to resolve or work around these differences, the demise of the company is not far behind.</p>
<p>Thus, instilling teamwork skills and practice into your company culture is the key to its success. From a legal framework, a “founders” or shareholders agreement that delineates the rights and remedies of shareholders should disagreements or conflicts arise is also essential.</p>
<p>3. <em>When adversity strikes, resilience is essential. </em><br />
Things will go wrong, terribly wrong with your startup. This is not due to bad luck, rather it is part and parcel of launching a new enterprise. Startups operate in a rarefied environment in which market conditions, competition and circumstances (both macro and micro) are constantly in flux. Startup teams must possess the ability to change products, adjust to the changing landscape of competition, shift industries, rebrand the business, or even tear down a business and start all over again.<br />
Resilience in the face of the headwinds of adversity is essential. There are many studies examining what makes one individual more resilient than another. One commonly identified trait is referred to as the “internal locus of control”. Simply put, resilient individuals believe that “they,” and not their circumstances, are the driver of success. So when things go wrong, roll with the “punches” and remain focused on success.</p>
<p>4. <em>Keep your friends close, and your advisors closer.</em><br />
I have helped many startups screen and engage advisors. Advisors and board members can make a significant contribution to a startup’s success. By providing an imprimatur of credibility, imparting insightful wisdom, making key introductions, or raising seed capital, an advisor can give the startup the foundation it needs to keep on track.</p>
<p>Unfortunately, the reality is that most advisors will not work out. He or she may overpromise, lose interest, or become consumed by competing commitments. You can ensure that your advisor agreements provide adequate equity and/or incentives to secure the advisor’s engagement, but also have reasonable “cliffs” and milestones to warrant that compensation is tied to value received.</p>
<p>5. <em>Show me the money!</em><br />
All too often I have seen founders’ never-ending pursuit of money become a burden too heavy to bear. Thus some very good ideas and promising companies fail to get very far. Since raising money is so challenging, my advice is to ask for more money than you think you will need, take money when you can get it, and in most cases use a convertible note to quickly (and cheaply, relative to other approaches) bring in the money so that you can focus on growing your company.</p>
<p>Once you have the necessary funds to get things underway, make sure you are disciplined in your spending. That means keeping overhead in line with your cash, recruiting key first employees with a modest (but competitive) salary and a generous equity grant. (And if you don’t have an equity compensation plan/strategy in place for key employees, stop reading this and go get one!)</p>
<p><em>Increase your odds of success.</em><br />
Launching a startup is a momentous endeavor, and one that promises both excitement and heartbreak. While there is simply no “formula” that guarantees success, keeping in mind some of the above lessons may increase your odds.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/startup-growth-company-five-factors-success/">From Startup to Growth Company – Five Factors For Success</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/startup-growth-company-five-factors-success/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Privacy Audit – Make it Your Organization’s New Year’s Resolution!</title>
		<link>https://dev.staging-perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/</link>
					<comments>https://dev.staging-perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Fri, 14 Dec 2018 20:31:59 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[privacy audit]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/</guid>

					<description><![CDATA[<p>It&#8217;s the time of year when it’s typical to focus on self-betterment, so let’s not leave the organization you work for out. Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees. Unfortunately, most organizations could be doing more to protect this information. The fact is that with each passing [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/">Privacy Audit – Make it Your Organization’s New Year’s Resolution!</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>It&#8217;s the time of year when it’s typical to focus on self-betterment, so let’s not leave the organization you work for out.  Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees.  Unfortunately, most organizations could be doing more to protect this information.  The fact is that with each passing year, the number of data breaches grows, and the financial cost and reputational harm along with it.  Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.  The good news &#8211; a significant portion of data breaches and related risks can be avoided or minimized with a bit of due care. As such, it has never been more critical to have a practical understanding of the types of personal information collected, stored and shared by your organization.  A first step for any organization wishing to better understand (and minimize) their privacy risk is to conduct a privacy audit.</p>
<p>A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.   The following risk assessment methodology is a good place to start.</p>
<ul>
<li><strong>Inventory</strong>: Locate the places in the organization (and vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.</li>
<li><strong>Safeguards</strong>: Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN vs. an email address, for example, might warrant different levels of protection).</li>
<li><strong>Gaps</strong>: Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.</li>
<li><strong>Risk Assessment</strong>: For most organizations there will be a number of gaps.  As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of risk occurrence, and use this to help prioritize compliance efforts.</li>
<li><strong>Remediation</strong>: Depending upon the findings/conclusions in the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.</li>
</ul>
<p>The above are general guidelines. As a first step, I typically provide clients with a customized, detailed checklist that is an essential tool for our audit.  Not surprisingly, most of these audits reveal a variety of gaps and poor practices, which, once addressed and remedied, reduce the likelihood of a breach and leave the organization better prepared should one occur.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/">Privacy Audit – Make it Your Organization’s New Year’s Resolution!</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
