Rick Bortnick
Of Counsel – San Diego, CA
619.881.3334
[email protected]

WEBINAR

The Brave New World of Privacy and Cybersecurity & Are You Next?
Friday, October 22, 2021

The Brave New World of Privacy and Cybersecurity ‒ Are You Next?

Presented By

Rick Bortnick
Of Counsel, Wilson Elser

Shiraz Saeed
Vice President - Cyber Risk Leader, Arch Insurance

October 22, 2021

Agenda

• Regulatory Compliance Overview
• Threat Actors
• Attack Vectors
• Third-party Liability
• First-party Losses
• Insurance Coverage Under Different Types Of Insurance Policies
• Claims
• Sample Situation
• Best Practices
• Conclusion

© 2021 Wilson Elser. All rights reserved.

Risk Management & Compliance

• Regulatory compliance
  • California Consumer Privacy Act
  • Virginia
  • Colorado
  • Connecticut
  • NY SHIELD Act
  • Illinois
  • NYDFS
  • GDPR
  • HIPAA / HITECH
  • Others

The California Consumer Privacy Act (“CCPA”)

• The California Consumer Privacy Act is the United States’ most robust privacy law. It is patterned, in part, after the European Union’s General Data Protection Regulation (“GDPR”), although GDPR is even more onerous (but likely not for long … see below).

• CCPA became effective on January 1, 2020.

• California’s Office of Attorney General (“OAG”) began to enforce CCPA on July 1, 2020.

Who is Covered?

• A for-profit business that:
  • Collects or controls the processing of consumers’ Personal Information (PI);
  • Does business in California; and
  • Meets one of the following:
    • $25 million in annual revenue
    • PI from 50,000+ consumers, households, or devices per year
    • 50% annual revenue from selling PI

• A business that:
  • Controls or is controlled by a covered business; and
  • Shares common branding with the covered business

What Information is Covered?

Consumers’ Personal Information
• Consumer: a natural person who is a California resident
• Personal Information: Information that identifies or can identify a person or household
  • Biometric information
  • IP address, internet activity, pixels, beacons, and device IDs
  • Purchasing history
  • Inferences drawn from PI to create a customer preference profile

Consequences for Non-Compliance

Enforcement actions by the California Attorney General
• Regulatory Fines: $2,500 or $7,500, if intentional

Private right of action
• In the event of a data security incident
• If the incident resulted from the failure to implement adequate security measures
• 30-day notice requirement
• Statutory Damages: $100 to $750 per consumer per incident

California’s Privacy Rights and Enforcement Act (“CPRA”)

• On November 3, California residents voted to enact the California Privacy Rights and Enforcement Act, sometimes referenced as CCPA 2.0. CPRA imposes more robust privacy requirements on Covered Entities and increases the penalties they might be assessed for violations.

• The enhanced privacy rights proposed in CPRA are analogous to certain of GDPR’s most robust mandates.

• Among other things, CPRA imposes new obligations with respect to personal information collected after January 1, 2023, save the right to access personal information collected on or after January 1, 2022.

NY SHIELD Act

• On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

NY SHIELD Act

A covered business will be deemed to be in compliance with the SHIELD Act’s data security requirement if the business implements a data security program that includes reasonable administrative, technical and physical safeguards, such as:

• Reasonable administrative safeguards
• Reasonable technical safeguards
• Reasonable physical safeguards

NYDFS – 23 NYCRR 500

New York Department of Financial Services Cybersecurity Regulation

Covers entities licensed by DFS
• Insurance Companies
• Service Providers

Extends beyond NY borders
• Companies doing business in NY
• Companies doing business with them

Other States’ Data Privacy Laws

• The U.S. is one of only a handful of countries that still lacks a blanket data protection law.

• All 50 states now have a data breach notification rule, usually also calling for reasonable data security. But currently only four states have robust privacy laws in effect:
  • California (CCPA)
  • Virginia
  • Colorado
  • Connecticut

Other States’ Proposed Data Privacy Laws

• Data Privacy legislation is pending in at least 14 states:
  • Arizona
  • Florida
  • Illinois
  • Maryland
  • Minnesota
  • Nebraska
  • New Hampshire
  • New York
  • Oklahoma
  • Pennsylvania
  • Rhode Island
  • South Carolina
  • Washington state
  • Wisconsin

Other States’ Proposed Data Privacy Laws

• Five states have launched data privacy task forces or issued orders for lawmakers and state officials to study the issue:
  • Hawaii
  • Louisiana
  • Massachusetts
  • North Dakota
  • Texas

• In those states, the study/task force orders were implemented in place of legislation

Health Insurance Portability and Accountability Act of 1996 (HIPAA) – 7 Key Rules

• Privacy Rule
  • The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule.

• Security Rule
  • While the Privacy Rule safeguards protected health information, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

• Transactions and Code Set Rule
  • The Transaction and Code Set Rule addresses the use of predefined transaction standards and code sets for communications and transactions in the health-care industry.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) – 7 Key Rules (continued)

• Unique Identifiers Rule
  • The Identifiers Rule defines unique identifiers used for covered entities in HIPAA transactions. The use of these unique identifiers will promote standardization, efficiency and consistency.

• Enforcement Rule
  • The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.

• Breach Notification Rule
  • The Breach Notification Rule stems from the HITECH Act, which stipulates that organizations have up to 60 days to notify patients/individuals, the HHS, and sometimes the media of PHI data breaches.

• Omnibus Rule
  • The Omnibus Rule stems from the HITECH Act and further tightens and clarifies provisions contained in the Privacy, Security, Enforcement, and Breach Rules.

GDPR (EU)

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

Biometric Data Privacy

• Illinois’s Biometric Information Privacy Act
  • Passed in 2008 to protect against the unlawful collection and storage of biometric information, Illinois’ Biometric Information Privacy Act (BIPA) was the first state law regulating the collection of biometric information. It requires companies doing business in Illinois to:
    • Notify and obtain prior written consent for the collection, use and storage of biometric data
    • Have a public written policy for the storage and destruction of biometric data
    • Securely store biometric identifiers
  • More than 300 class action lawsuits have been filed as of March 2021.

• Latest Developments:
  • Six Flags case settled June 2021 for $36M
  • Contrast Six Flags with Facebook BIPA settlement of $650M.
  • CCPA (California Consumer Privacy Act), effective January 2020, has a potentially broader definition of biometric data than Illinois
  • New York law effective July 2021
  • GDPR considers biometric data as well and has levied a small handful of fines

So, What are We Seeing in the Real World?

• Employees
• Hacking
• Vendor portals
• Ransomware
• Business Email Compromises
• Phishing/Whaling/Vishing/Smishing
• Deepfakes

How Can An Event Occur?

• Internally - Employees / Vendors
  • Malicious – Stealing Information (Card Skimming)
  • Negligence – Phishing, Lost Resources (Laptop/Mobile Device)
  • Vendors – Security & Governance

• Externally - Individual Hackers / Organized Crime / Nation-State
  • Ideological and / or financial
  • Sending Viruses / Malicious Code – Ransomware
    – Private Information Exfiltration
    – Disruption of Business

Who Are the Threat Actors?

• More Than Hooded Silhouettes
  • The modern cyber risk landscape is populated by threat actors with myriad motivations.
  • Some attack specific targets, but many are opportunists who attack vulnerabilities wherever they find them.
  • Attack methods can vary from highly-targeted and deliberate attacks that develop over months, to mass-scale, self-spreading malware.

Phishing/Whaling/Vishing/Smishing

• Phishing/Whaling: Fraudster typically sends out random emails or text messages (smishing) to thousands of people designed to induce them to open an attachment, click on a website URL (“watering hole attack”), etc.
  • Spear phishing: tailored to the recipient; appears to be sent by someone you know
  • Whaling: attacking the big fish, i.e., executives, senior personnel, BOD, etc.
  • Sender’s email address is spoofed or faked, e.g., use of l (the lower case letter “L”) instead of I (the upper case letter “I”)
  • Fake software updates
  • Fake delivery instructions (FedEx, UPS, etc.)
  • Fake bank instructions, e.g., your account has been temporarily locked; you need to change your password

• Vishing: Vishing is a form of phishing wherein a fraudster leaves a message — such as via email, text, phone call or direct-chat — that appears to be from a trusted source but isn’t. The goal is to steal someone's identity or money.
  • During a vishing phone call, a scammer uses social engineering to get you to share personal information and financial details, such as account numbers and passwords. The scammer might say your account has been compromised, claim to represent your bank or law enforcement, or offer to help you install software. Warning: It's probably malware.

• Smishing: Notifications sent via text messages or short message services (SMS). Crooks spoof what appear to be legitimate businesses and send multiple fake message notifications. The messages state that the recipient has an urgent notification of some sort. Each notification includes a link for more information. Clicking the link takes the recipient to a phony Google login page that is designed to steal any information the recipient enters.

Deepfakes

• Video or audio made of falsified images and sounds, often assisted by AI and machine learning.

• Threat actors can wholly generate images and voices of celebrities, politicians or others to create fake news or simply to reap profits.

• Example: “drunk” Nancy Pelosi.

• Three key risks:
  • Fraud, such as when a thief last month used Deepfake audio to deliver a phone message to a U.K. energy company CEO purportedly from his superior telling him to transfer a significant sum of money. An insurance investigation later concluded that AI was used to replicate the boss's voice and that it could not be detected as fake.
  • Manipulation of stock prices by using Deepfakes of executives that damage the brand, such as where an executive “makes” racist remarks just before an initial public offering.
  • Targeted personal attacks against an employee by, for example, a disgruntled ex-employee or spouse. A Deepfake video could portray a person performing a lewd or firable offense.

How Do We Identify Exposures?

Computer Systems – Information Technology & Operational Technology
• System Topography
  – Do you operate the network yourself or outsource to a vendor?
  – Number of Servers, Laptops, Desktops, Mobile Devices, etc.
  – Critical platforms/applications and their interconnectivity
  – Identify potential impact to business units due to loss of use of the computer systems.
• Storage and Movement of Private Information
• Security and Governance
  – WISP, Privacy Policy, Firewall, Anti-Virus, MFA, Encryption, Backups, EDR, Vulnerability Scanning/Patching, Employee Training, IR/BCP/DR Policy, etc.

How Do We Identify Exposures?

Do you handle Private Information?
• What type of Private Information do you collect?
• How do you collect, store, transfer, distribute or delete the information?

Do you perform Funds Transfers either as a Seller or a Buyer?
• Do you wire transfer money to pay bills or collect payment?
• Do you have a verification process to confirm who is being paid prior to payment?

Do you have a Website?
• What content is on the site?
• Can employees or third parties upload content (blog, post pictures or comments)?
• Content Ownership

What Are “Adequate Security Measures”?

• The California Attorney General adopted the Center for Internet Security list of 20 identified controls as “defining a minimum level of information security that all organizations that collect or maintain personal information should meet.”

• Separated into Basic, Foundational, and Organizational

• Different levels of controls are specified for three types of implementation groups (IG), representing companies with increasing levels of sophistication

Employees Are a Significant Concern

• Rogue Employees
  • 9% of incidents (source: Beazley statistics)
  • Disgruntled
  • Enticed
  • Untrained/Inattentive

• Information Security / Information Technology
• Human Resources
• Call Centers
• Finance

Vendor Portals

• Hacker obtains authorized credentials from a vendor that provides access to the client’s IT infrastructure and logs in as the vendor

• Malware breaches the vendor portal segment and migrates to mission critical systems, personal information, and credit and debit card information

• Target, Walmart

Ransomware – Who, What, Where

• Most affected sectors: Healthcare, Critical Infrastructure, Financial Services, Educational Institutions, Municipalities, Professional Services, Vendors

Business Email Compromises

Scheme 1 – Directive from the Boss
Attacker may impersonate a high-ranking executive or business partner to target someone lower in the organizational hierarchy, such as accounts payable. This tactic is intended to intimidate the victim into sending money or data immediately and thwart the idea of asking any questions.

XXXX,

I need you to initiate an emergency wire-transfer in the amount $64,700 to the account below. I am boarding a flight right now and this needs to be completed immediately. Can you get this done? Send confirmation of the transfer once complete.

Best Regards.

CEO Mr. Scammer

Business Email Compromises

Scheme 2 – Fake Email “Chain”
Attacker will also use a fake chain of emails to trick a victim by adding the illusion of credibility. The fraudster can point to a faux history with realistic interactions for a request to send on their behalf.

XXXX,

See Rick’s request below. I need you to send all employee W2s for 2016.

Best Regards.

COO Ms. Scammer

_____________________________________________________________________

From: Richard J. Bortnick, Esq.
To: COO Scammer
Subject: FWD: Request

Scammer, I need to review all employee W2s for 2016. Can you gather for me?

Business Email Compromises

Scheme 3 – Mergers & Acquisitions
Scammers (often individuals posing as attorneys) send spoof emails to victims and convince them to wire money in regards to an acquisition that the victim’s company is undergoing.

XXXX,

In regards to an Acquisition that we are currently undergoing, Attorney YYYY is going to be contacting you. If you can please devote your full attention to his/her demand to acquire some accounting information so we can finalize this deal.

I must bring up the fact that the operation is regulated by the Financial Market Authority which mean that you need to keep this matter extremely confidential as you are the only one currently aware of the situation.

You will need to keep complete silence and work exclusively with YYYY. Any questions you may have must be addressed directly with him/her.

We are going public with the acquisition next week. I will personally meet with you and YYYY a couple of days prior and expect to be fully updated on your progress.

Thank you for treating this with your utmost attention.

Business Email Compromises

Scheme 4 – Trick Domain Name Email
• Victims receive an email asking them to wire money to a specific account.
• Email from domain with one character changed.
  • Domainname.com — Official
  • Domainmame.com — Attacker
• These emails usually come with a PDF attachment with account information details such as bank information, account information, swift code, etc.

XXXX,

Process a wire of $MMM,HHH.CC to the attached account information. YYYY will provide me the support documentation later. Code it to Admin Expense.

Send me the confirmation when done.

Thanks,

Accounting Manager Mrs. Scammer

Business Email Compromises

Scheme 5 – Wire Money to “Vendor”
• Legitimate order to vendor made.
• Often, vendor’s email compromised.
• Forged email received from vendor changing wire instructions.
• Wire transfer to new instructions and product arrives. Vendor moves to collect for non-payment.

Coverage Triggers

Security Failure
• Failure of an Organization to protect their Computer Systems
  – Virus, Malicious Code, Malware Attacks, Ransomware, DOS Attack

Privacy Incident
• Failure of an Organization to protect Private Information
  – Personal or Corporate; Online or Offline
  – Violation of any Federal, State, or Local privacy statute (collection or loss)
  – Failure to comply with PCI-DSS standards

First-Party & Third Party Coverage

Incident Response Expenses
• Legal Consultation
• Forensic Investigation
• Public Relations Services
• Notification to Consumers based on legal mandate
• Providing ID-Monitoring / Credit Monitoring

Security & Privacy Liability
• Government Agencies
• Individuals/Class Actions
• Businesses
• Administrative

First-Party Coverage

Business Income Loss
• Addresses loss of income and operating expenses resulting from the interruption or suspension of business due to a failure of network security

Data Recovery
• Reimburses for the costs associated with restoring, recollecting or recreating lost electronic data

Cyber Extortion
• Contemplates coverage for extortion threats against a company’s computer network and confidential information by an outsider seeking money or other valuables

Cyber Crime (BEC – Business Email Compromise)
• Reimburses for the Loss of Funds, Other Property or Utilities Power from Fraudulent Impersonation, Invoice Manipulation, Telecommunication Fraud or Crypto-Jacking

Reputational Loss Coverage
• Reimburses for the Loss of Income as a result of Negative Publicity connected to a Security Failure or Privacy Incident

Third-Party Coverage

Media Content Liability

Organizations Have Published Content
• Website
• Print
• Broadcast
• Live In Person

Typical Cases of Claims
• Trademark or Copyright Infringement
• Defamation, Libel, Slander or Product Disparagement
• Invasion of Privacy or False Light
• Content leads to Infliction of Emotional Distress

Cyber Casualty & Products Liability

[Diagram; labels in reading order: Physical Injury; Computer Virus; Organization Computer System; Computer Virus; Customer Computer System (Tech Product); Physical Injury]

Cyber Property Triangle

[Diagram; labels: Computer System – Hardware – Electronic Equipment; Software – Electronic Data; Premises – Building; Time Element; Computer Virus; All Risk]

Best Practices & Compliance

• Incident Response Plan (NIST Publication 800-61)
• Training & table-top exercises (incident response)
• Business Continuity Plan

Best Practices & Compliance

• Training
• More training
• Even more training
• Policies and procedures
• IT Assessment
• Vendor contracts
• Regular updates as state privacy laws evolve and change

Conclusion

• Exposure Analysis
  – Volume / Type of Records
  – Security & Governance
  – Vendors
• Coverage
  – Third-Party and First-Party
  – Non-Physical vs. Physical Damage
• Claims Handling
  – Policy Triggers vs. Cause of Loss vs. Resulting Damage

41 Offices located throughout the United States

Alabama | Albany | Atlanta | Austin | Baltimore | Beaumont | Boston | Charlotte | Chicago | Dallas | Denver | Edwardsville | Garden City | Hartford | Houston | Indiana | Kentucky | Las Vegas | London | Los Angeles | Miami | Michigan | Milwaukee | Mississippi | Missouri | Nashville | New Jersey | New Orleans | New York | Orlando | Philadelphia | Phoenix | Raleigh | San Diego | San Francisco | Sarasota | Stamford | Virginia | Washington DC | West Palm Beach | White Plains

Contact

Shiraz Saeed
Vice President, Cyber Risk Product Leader
Arch Insurance
[email protected]

Richard J. Bortnick
Of Counsel, Wilson Elser
San Diego, CA
619.881.3334
[email protected]

Richard J. Bortnick
Of Counsel
San Diego, CA

Contact
p. 619.881.3334
f.
[email protected]

Services
Alternative Dispute Resolution
Class Action Defense
Cybersecurity & Data Privacy
Directors & Officers Liability
Insurance Regulatory & Compliance
Insurance & Reinsurance Coverage
Insurer Litigation: Coverage/Extra-Contractual
Professional Liability & Services

Admissions
Bars
Courts
Supreme Court of the United States
U.S. Court of Appeals, First Circuit
U.S. Court of Appeals, Third Circuit
U.S. Court of Appeals, Eleventh Circuit
U.S. District Court, Eastern District of Pennsylvania
U.S. District Court, District of New Jersey
U.S. District Court, Eastern District of Wisconsin
U.S. District Court, Western District of Wisconsin

Memberships & Affiliations
Executive Corporate Board of the Franklin Institute, Member

Richard Bortnick is an industry-renowned problem solver who litigates and counsels U.S. and international insurers and corporations on cyber, privacy and technology risks and exposures; directors & officers liability; insurance coverage; products liability; and commercial litigation matters. In addition, Rick drafts insurance policy forms of varying types, including those covering cyber/privacy/technology risks and exposures, and serves as an expert consultant on cyber insurance matters involving the historical existence and scope of cyber insurance products. For nearly 20 of his 36-year legal career, Rick has served as a trusted adviser to public and private entities of all sizes on their privacy, cyber and technology risks, and he has trained hundreds of business executives and others on their commercial and legal responsibilities. Rick began his career as a commercial litigator in the antitrust and securities laws sectors and as an insurance coverage attorney handling disputes of all natures, products and subject matters. As such, he has a broad range of experience in corporate and litigation matters that enables him to counsel clients on a full suite of their business needs. Rick has authored numerous treatise chapters, white papers and articles and regularly presents webinars and seminars on privacy, cyber and D&O for clients and the public at large.

Areas of Focus

Cybersecurity, Technology & Data Privacy
Rick has vast experience handling privacy and cyber matters across a myriad of sectors and disciplines. His clients include municipalities, merchants, service providers, professionals such as attorneys and accountants, hospitality providers, technology companies and others. For almost 20 years, Rick has advised clients on the preparation of pre- and post-incident privacy and breach response plans, policies and procedures, and handled breaches involving ransomware, hacking, employee negligence and malfeasance, and other threat actors and vectors. He has successfully defended class actions against entities across all classes of business, and is a trusted adviser to his clients’ management privacy and incident response teams as an outside expert consultant. Clients look to Rick for sound, sage advice and counseling to protect their capital and financial interests and reduce their exposures arising from a threatened, potential or actual privacy, technology and/or cyber incident.

Directors & Officers Liability
Since 1990, Rick has handled directors & officers liability and insurance coverage claims, and was counsel to a consortium of European insurance companies on what was then the biggest non-U.S. D&O lawsuit in history. His track record of success in defending his clients’ interests in both litigation and alternative dispute resolution proceedings has positioned Rick among the best-known, most highly respected D&O insurance attorneys in the country and in Europe. Rick also assists his public company clients with the preparation of their 10-Ks when cyber issues must be addressed.

Insurance & Reinsurance Coverage
Rick has counseled and defended insurance and reinsurance company clients since 1990, having handled hundreds of coverage matters involving professional liability, general liability and other insurance policy forms and endorsements. He has drafted and co-drafted insurance policies crossing all sectors, risks and exposures, including more than 20 cyber policies for insurers across the world. Rick’s clients recognize his keen eye for detail and precision in avoiding coverage disputes and litigation. To the point, no insurance coverage litigation has ever arisen from a policy Rick drafted or co-drafted.

Awards & Distinctions
Rated AV® Preeminent™ by Martindale-Hubbell
Who’s Who in Legal Insurance & Reinsurance: Lawyers, 2018‒2021; Global Leader in Insurance and Reinsurance, 2021
Advisen Cyber Risk Champion of the Year, 2015
The Franklin Institute Science Museum, Executive Corporate Board

Education
Villanova University School of Law, J.D., 1985, cum laude
Boston University, B.S. Broadcast Journalism, 1981, summa cum laude

Representative Matters

Worked on several cyber incidents involving Fortune 500 retailers whose credit card systems were breached and customers’ personal information exfiltrated.

Remediated numerous thefts of personal information from hospitality companies the consumer reservations systems of which were breached.

Handled hundreds of cyber breaches across all segments and disciplines requiring notification to consumers and/or regulators and responded to regulators’ inquiries and investigations.

Works with municipal and public entities on their privacy protection programs and policies.

Counsels critical infrastructure providers on their privacy and cybersecurity duties and obligations to consumers and regulators.

Defends manufacturers, merchants, technology companies and public entities in D&O and consumer litigation involving breaches, and 10-K and accounting disclosures.

Represents international and domestic manufacturers, their vendors and those entities’ insurers in class action and individual products liability litigation.

Serves as an expert consultant on the scope and historical development of cyber policies and privacy-related risks and exposures.

Drafted or co-drafted more than 20 cyber insurance policies for insurers across the world.