Feb. 28, 2024

Data Retention and Destruction Lessons From FTC’s Blackbaud Case

Effective data disposal and retention policies are key to organizations’ ability to provide adequate security and privacy protection to consumers’ sensitive data. In the FTC’s announcement of its recent settlement with Blackbaud over claims stemming from a 2020 ransomware attack, it said, “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers.” This article examines the circumstances of the breach and the settlement terms, and offers lessons for companies on how to structure data retention and destruction practices, including what to incorporate in their policies. See our two-part series on safeguards for proper disposal of hardware: “Risks and Examiner Expectations” (Feb. 26, 2020), and “Effective Inventories, Policies and Due Diligence” (Mar. 4, 2020).

Legal and Ethical Issues in Use of Biometrics: FIDO, Identity-Proofing and Other Options

Biometrics are rising in popularity as an authentication method. A facial scan or fingerprint arguably can provide definitive evidence of a person’s identity. In the wrong hands, however, such immutable information can pave the way to identity theft. This second article in a two-part series synthesizing insights from a Biometric Update program discusses Fast Identity Online (FIDO) authentication, issues around identity proofing and why biometrics may be the best alternative for some use cases despite their flaws. Part one covered key concerns over use of biometrics, selection of biometric modalities, responsible and ethical implementation, and state biometric privacy laws. See our two-part series on digital identity management in a post-pandemic world: “A Framework for Identity-Centric Cybersecurity” (Mar. 24, 2021), and “SolarWinds, Zero Trust and the Challenges Ahead” (Mar. 17, 2021).

Cybersecurity Practices for PE Sponsors and Their Portfolio Companies: Incident Prevention and Response

Private equity sponsors have become savvy over the years about the importance of robust cybersecurity practices at both their own firms and their funds’ portfolio companies, but they are still learning ways to meaningfully bolster those efforts. This first article in a two-part series, distilling insights offered by CISOs and chief risk officers during an SS&C Intralinks program, identifies key cybersecurity measures and incident response efforts that can help firms secure fund data and stay ahead of emerging cyber threats. Part two will offer suggestions for addressing cybersecurity during the deal process and post-acquisition, as well as tips on changing perspectives and insurance. See “Ten Cybersecurity Resolutions for Financial Services Firms in 2023” (Jan. 11, 2023).

Data Privacy Partner Joins Willkie in London

Willkie Farr & Gallagher has announced the addition of partner Briony Pollard in its London office. Arriving from Weil, Gotshal & Manges, Pollard joins the firm’s privacy, cybersecurity & data strategy practice group. For insights from Willkie, see “Understanding Cyberattacks on Digital Asset Platforms” (May 17, 2023).