News

Beauty E-Commerce Feel 22 Raises its Series A

In a recent round of investment, Feel 22, a beauty e-commerce platform based in Lebanon, raised its Series A from Equitrust, Choueiri Group’s investment arm, along with other private investors. Feel 22 has quickly emerged as a leading player in the Lebanese market and is now ready to scale its model across other Levant countries…

What does going public mean?

Going public refers to a private company’s initial public offering (IPO), thus becoming a publicly traded and owned entity. Businesses usually go public to raise capital in hopes of expanding. Venture capitalists may use IPOs as an exit strategy (a way of getting out of their investment in a company).
The IPO process begins with contacting an investment bank and making certain decisions…

Ororus Advisors sits on the judging panel of Aim Startup Beirut

AIM Startup came to Lebanon for the first time on January 10th, 2019 at the UK Lebanon Tech Hub. Lebanese startups participated in mentoring sessions and pre-competition workshops, including a legal workshop titled ‘Startups: Understanding Everything Legal’ delivered by our Partner Nadine Imad. Represented by Nadine Imad, Ororus Advisors also sat on the judging panel…

Ororus Advisors participates in Arabnet Riyadh 2018

Arabnet came back to Riyadh with its 7th edition on December 12th and 13th at the Four Seasons Hotel, Riyadh, with more than 40 panels around digital media, advertising, e-commerce and more. Ororus Advisors took part in the Startup Clinic. Our Partner, Magda Farhat, met with emerging companies and entrepreneurs to provide them with legal…

Collective Investment Scheme Mutual Funds in Lebanon

A collective investment scheme is a type of investment scheme that collects money from different investors and then pools all the money collected to fund the investment. A collective investment scheme may also be called a mutual fund. Like a mutual fund, a collective investment scheme gives almost absolute control of the investment to the company pooling…

The Importance of Data Privacy Compliance Under the GDPR

It has become very costly to avoid data privacy compliance. While fines and penalties have existed for years in various amounts from multiple regulators, the European Union’s new General Data Protection Regulation (GDPR), effective May 25, 2018, raises the stakes. It specifies fines up to 20 million Euros or 4% of a company’s prior-year global revenue, whichever is higher, dependent on the “nature, gravity, and duration” of the violation and the “categories of personal data affected.”

Privacy is inherently important to all of us. Privacy is power – the power over self. Ever since the advent of the internet, most of our lives are purposefully conducted online, and that makes the concept of privacy even more important. The “special categories” created by GDPR’s Article 9 recognize the sensitivity of certain areas of our lives, which may have a greater impact if made public. These categories include race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data related to a person’s sex life or sexual orientation.

Global Privacy Trends

This concept is taking shape quite differently around the globe. The E.U. is moving towards recognizing digital privacy as a fundamental human right, and other countries are following suit with local laws that provide similar protections. At this point, the U.S. is the lone holdout on general privacy rights, but even here, we have provided enhanced protections for personal health information (PHI) privacy through HIPAA since 1999.

U.S. Laws

For the first time, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands now have breach notification laws. While often ignored, these laws typically require private entities to notify affected users and the attorney general of any security breach or unauthorized disclosure involving personally identifiable information (PII).

These laws are focused on data attributes like social security and driver’s license numbers, birth date and place, age, marital status, race, salary, phone number, and other demographic or financial information. Based on recent headlines and most individuals’ experiences handling the aftermath of persistent credit card and large-scale PII data breaches (e.g. Equifax), it is easy to understand the importance of keeping this private information out of the public eye.

The Cost of a Breach

Recent privacy breaches have led to executives being dragged before Congress, fines in the millions, and remediation and litigation costs in the hundreds of millions.

  • Equifax (2017) – PII of 146m people: estimated $439m to $600m
  • Anthem PHI breach (2015) – PHI of 80m people: $260m in remediation; fines are still being litigated
  • Target credit card breach (2013) – PII of 70m people: $372m in fines, penalties, and remediation

According to a 2017 study sponsored by IBM, the average cost of a data breach across businesses of all sizes globally is $3.62m, or $141 per record. Recently the New Jersey Attorney General fined a medical practice $418,000, about $260 per patient record, in a case where its third-party service provider actually caused the data breach. The Ponemon Institute, the firm that performed the IBM study, estimates that even a single employee’s lost or stolen laptop may cost as much as $50,000 once all the required legal notifications are made.

Required Action

Every federal and state body with privacy enforcement authority imposes higher fines for willful and uncorrected violations. Some basic steps to prevent, identify, and mitigate a privacy compliance failure include:

  • Develop and maintain a comprehensive information security policy and program
  • Classify sensitive or critical data and segregate it from the rest of the computer network
  • Ensure all systems are securely configured and regularly patched
  • Implement encryption technologies to safeguard sensitive and critical data
  • Restrict access to the absolute minimum necessary
  • Implement comprehensive logging, monitoring, and alerting for critical events that could indicate a breach
  • Develop a robust incident response and breach notification process
  • Conduct regular independent third-party security assessments

What to do Next

While remediation and notification are costly, ignoring privacy compliance can be much more expensive. Prevention is more affordable than remediation, and preparation is better than litigation. The growing privacy compliance obligations can be burdensome to understand and difficult to implement. It is prudent to seek outside counsel when in doubt. Furthermore, establishing or administering information security and data privacy assessments through legal counsel may provide the defense of legal privilege if litigation is ever required.

GDPR and NIST 800-171 are two critical compliance standards affecting many businesses. These requirements are best achieved when addressed by an effective management program to ensure effective implementation and continued compliance. Ororus Advisors LLP has been helping clients implement and monitor control frameworks, data privacy, and information security programs for 5 years.


TESTIMONIALS

You took the time to understand our challenges fully and catered the work to specifically address the issue we had at hand in detail without leaving the scope. The approach was accommodating and understanding our needs with no fuss, enabling us to reach what we needed quickly.
Tariq Sanad, CFO of Fetchr
