top of page

    Cyber (Compliance)

  • Compliance with the European Union (EU) General Data Protection Regulation 2016/679 (GDPR), Directive 95-46-EC, and other international privacy regulations such as the Personal Information Protection and Electronic Documents Act (PIPEDA).

  • Compliance with French Law Act No. 2002-303, dated March 4, 2002, and accreditation procedure mandated by Decree No. 2006-6, dated January 4, 2006, regarding the hosting of health data within any French jurisdiction.

 

  • Compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), such as policies for consumer access and deletion requests regarding their personally identifiable information (PII), opt-out procedures to prevent the unauthorized use and sale of consumer PII, clear language on websites relating to the use of and opting-out for PII, continual training for personnel regarding consumer rights under the CCPA, the application of the CCPA to consumers located outside California but using facilities and services within California, W3C Web Content Accessibility Guidelines (WCAG).

 

  • Compliance with the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR 500.

 

  • Compliance with domestic and international privacy-related guidelines, laws, regulations, rules and statutes, such as:  the “safe harbor” framework; Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM); Data & Marketing Association (DMA) Guidelines; EU Data Protection Directive; Fair Credit Reporting Act (FCRA) and Regulation V (Fair Credit Reporting); False Claims Act (FCA); Federal Reserve Regulation P (Privacy of Consumer Financial Information); Federal Trade Commission (FTC) Behavioral Advertising Principles; FTC Telemarketing Sales Rule;  Federal Risk and Authorization Management Program (FedRAMP); Foreign Intelligence Surveillance Act (FISA); Gramm-Leach-Bliley Act (GLBA); Health Information Technology for Economic and Clinical Health Act (HITECH); Health Insurance Portability and Accountability Act (HIPAA) – applying to any digital platform that may the collect or handle any protected health information (PHI); ISO 27000; Mobile Marketing Association Best Practices; Network Advertising Initiative (NAI) Guidelines; Office of Management and Budget (OMB) Memoranda M-10-22 and M-10-23; Payment Card Industry (PCI) Data Security Standard (DSS) (collectively, PCI DSS).

  • Monitored safe harbor compliance as required internationally, managed the safe harbor certification processes and the efficacy of privacy controls applicable to new service offerings, and ensured that privacy-related key risk indicators were effectively implemented to prevent an unacceptable impact on business objectives and reputation.

  • Worked with third-party stakeholders (including business partners, suppliers, service providers and IT product vendors) to ensure a clear understanding and full compliance with the operational privacy requirements.

  • Maintained, evolved and implemented privacy policies and procedures in coordination with key management personnel and the information security team, lines of business, enterprise risk, compliance and audit functions.

 

  • Procurement and management of governance, risk and compliance (GRC) platforms (AuditBoard, Blueprint OneWorld, BP Logix, Integrum, LogicGate, ManageEngine, MyEasyISO, SiteDocs, ZenGRC) for compliance with 21 CFR Part 11 (Code of Federal Regulations Title 21 - Electronic Records), Americans with Disabilities Act (ADA), Children's Online Privacy Protection Act (COPPA), Fair and Accurate Credit Transaction Act (FACTA), Federal Information Security Management Act (FISMA), Federal Rules of Civil Procedure (FRCP), Financial Industry Regulatory Authority, Inc. (FINRA), Generally Accepted Accounting Principles (GAAP), Health Information Trust Alliance (HITRUST), Gramm-Leach-Bliley Act (GLBA) (also known as the Financial Services Modernization Act), HITECH, HIPAA, Information Security Management System (ISMS) ISO 27001, Occupational Safety and Health Act (OSHA), Patient Safety and Quality Improvement Act (PSQIA), PCI DSS, Patient Protection and Affordable Care Act (PPACA a/k/a "Obamacare"), Sarbanes-Oxley (SOx), Service Organization Control (SOC), security services report cards and service-level agreements (SLAs).

  • Managed compliance with Sarbanes-Oxley (SOx), such as leading all IT, security and data privacy SOX-related audits, established required remediation policies related to such audits, assisted in the preparation of external vendor SOC1 and SOC 2 reviews and published related reporting and action plans within the company, coordinated the required annual user recertifications, prepared and presented required SOx-related readiness reporting and remediation plans, authored and updated the company’s IT Incident Response Plan, and ensured that required SOx controls were robust.

  • Compliance regarding affiliate marketing, affiliate networks, artificial intelligence (AI), blockchain, browsewrap, business process outsourcing, PIPEDA, CCPA, chat-bots, Children's Online Privacy Protection Act (COPPA), clickwrap, cloud security, Computer Fraud and Abuse Act (CFAA), confidentiality, Consumer Review Fairness Act (CRFA), CAN-SPAM, cookies, corporate policies, cyberbullying, data architecture, data governance, data security, data warehousing, date-bots, Dietary Supplement Health and Education Act (DSHEA), DevSecOps, digital currency, digital media, digital transformation, distributed ledger, domain names, e-signatures, ecommerce, Electronic Signatures in Global and National Commerce Act (ESIGN), email marketing, emerging technologies, encryption, end user license agreement (EULA), Fair Credit Reporting Act (FCRA), Federal Trade Commission Act (FTCA) Section 5, International Organization for Standardization (ISO) 27000 series guidelines – also known as the International Electrotechnical Commission (IEC) IEC Information Security Management Systems (ISMS) Family of Standards – GLBA, HIPAA, internet advertising and marketing, internet law, internet promotions and sweepstakes, Lanham Act (also known as the Trademark Act of 1946), machine learning, National Institute of Standards and Technology (NIST) security guidelines, Nutrition Labeling and Education Act (NLEA), online identity theft, online lead generation, online privacy, online reputational attacks, over-the-top (OTT) media service, personal data (the EU equivalent of the term personally identifiable information – PII – in United States jurisdictions), personally identifiable information (PII – in United States jurisdictions), phishing, privacy training, Restore Online Shoppers’ Confidence Act (ROSCA), robotic process automation (RPA), social media, software development lifecycle, spam, stalking apps, Tax Cuts and Jobs Act (TCJA), telecommunications, telemarketing, Telephone Consumer Protection Act (TCPA), user experience (UX) design, user interface (UI) design, website audits, Written Information Security Programs (WISPs).

    Last updated 200614_1608

bottom of page