Privacy Laws - What's Next

The California Consumer Privacy Act of 2018 (the “CCPA”) has raised awareness here in the U.S. as the "next thing" companies are going to have to be compliant with.  It is considered the strictest privacy bill in US history.  Although not required to be implemented until January 2020, the sheer gravity of changes is substantial.  Many have compared it with the EU’s General Data Protection Regulation (GDPR), which went into effect in late May.  As you'll see it goes even deeper.

Some provisions:

  • Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what's being done with their data in terms of both business use and third-party sharing. 
  • Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting. 
  • Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use. 
  • Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special "Do Not Sell My Personal Information" button on their web sites to make it easy for consumers to object. 
  • Sale of children's data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that. 
  • A covered "business" is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.
  • The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer's "nonencrypted or nonredacted personal information." Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).

Deeper control over personal information

Much like the GDPR, California’s new bill provides individuals more control over their personal information. Personal information as defined in the CCPA includes:

  • An individual’s name (first and/or last),
  • E-mail address,
  • IP address, and
  • Browsing and search history.

This definition is deeper than the GDPR and could have greater impact because of it.  Alignment between the CCPA and the GDPR is most clearly seen in the area of individual rights. In the CCPA, individual rights pertain to the consumer, which could be an individual person, household, and/or an organization or group of persons residing in the state of California, while the GDPR applies these rights to just the individual person. 

Cybersecurity and Data Breaches

In this era of regular and consistent barrage of data breach notifications, the CCPA has put some financial weight behind it.  The CCPA includes repatriations to consumers as a penalty. In the event of a data breach, a business may have to provide affected consumer(s) with compensation ranging from $100 to $750. 


While the GDPR requires data subjects to opt in to allow their data to be processed by an organization, the CCPA states that consumers must choose to opt out of allowing companies to sell their information. The CCPA requires that businesses provide a clear and conspicuous link on their website titled “Do Not Sell My Personal Information” to provide consumers with the opportunity to opt out.

The reach outside of California

Just as the impact of GDPR expanded outside of the EU, the CCPA will heavily influence privacy legislation across the U.S. Even companies without a physical presence in California will need to implement some, if not all, of the guidelines imposed by CCPA. The scope of the CCPA is not based just on an organization’s physical location, but also on its total revenue and sources of revenue and how these are tied to the sale of California residents’ data. California’s large population size and dominance in the technology industry means many U.S. companies will be affected by the new law. The only companies that may be able to avoid complying with the law are those that can prove that all of their commercial conduct takes place wholly outside of California.

What measures should I take?

  • Build data inventories and records pertaining to California residents.
  • Consider alternative business models, such as California-only sites, services, offerings.
  • Design processes that allow data subjects to submit requests.
  • Create a link for “Do not sell my personal information” on the business’ website homepage in a place that is a clear and easily accessible for consumers and implement procedures to accommodate these requests.


The landmark NYS DFS cybersecurity regulation that took effect in New York State in March 2017 is approaching its third of four signposts. This was the first regulation of its kind that included prescriptive direction for the protection of personally identifiable information handled by all financial institutions that conduct business in the State.

The previous signposts included Policy creation, such as having a cybersecurity program, and an incident response plan. Within the second signpost specifically, there were some more technical items, including multi-factor authentication for remote access as well as penetration testing.

The next set of signposts are set to take effect on September 4th, and they are amongst the toughest from a technical standpoint. They include data encryption (in transit and at rest), five-year audit trails and limitations on data security.

What is required on September 4, 2018?

Starting September 4th, companies will be required to have commenced mandatory annual reporting to the board by the Chief Information Security Officer concerning critical aspects of the cybersecurity program, have an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach, and will need to have policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the Covered Entity. Companies also must implement encryption to protect nonpublic information held or transmitted by the company. Entities are also required to have developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.

With the eighteen month transitional period ending Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

Section 500.06 Audit Trail:

1)    Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:

a)     are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and

b)    include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

2)    Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years.

Section 500.08 Application Security.

1)    Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

2)    All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.

Section 500.13 Limitations on Data Retention.

1)    As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

Section 500.14 Training and Monitoring.

1)    As part of its cybersecurity program, each Covered Entity shall:

a)     implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and

b)    provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

Section 500.15 Encryption of Nonpublic Information.

1)    As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

a)     To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

b)    To the extent a Covered Entity determines that encryption of Nonpublic Information at rest is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

c)    To the extent that a Covered Entity is utilizing compensating controls under (a) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.

Who needs to comply?

All financial service companies that are licensed in New York State are subject to the requirements of this regulation. This includes nonresident licensees. Covered entity means “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

About Prager Metis Technology

PragerMetis Technology (PMT) is the technology arm of PragerMetis, a top 60 accounting firm. Offices in New York, Miami, Los Angeles, London and India.  PMT is located in the firm’s Woodbury office. The firm specializes in cybersecurity, risk intelligence, advanced analytics, regulatory compliance, blockchain, cryptocurrencies and other technology solutions.

For more information contact:


Technology Trends

The technology revolution is all around us.  The Internet of Things, Cyber Security and Artificial Intelligence are three of the hottest trends that we are dealing with every day.  What's next?  Robotics Process Automation is just around the corner - in fact some organizations have already begun to use it today.  As accountants, auditors, technologists and operational experts all of us have to know and understand the basics to get a good foundation for how it can help our businesses thrive and grow.  We don't want to be left behind and we need these to form the basis for a competitive advantage in the marketplace.  

Technology has changed everything.  The reach is outstanding and the speed is beyond what we could have imagined only a few short years ago. The time it takes to adopt technology has exploded. Just look at these statistics to reach 50 million users:
•    Radio – 38 years
•    TV – 13 years
•    iPhone – 3.5 years
•    Facebook – 2 year
•    Pokémon Go app – 19 days

Although these are interesting what is driving information is the sheer amount of data that is currently available.  There are now 2.4 quintillion bytes of data created every day.  We’re capturing, recording and digitizing more than we ever thought was possible.  This has changed society and business dramatically.  

Internet of Things

The Internet of Things, or IoT, refers to billions of physical devices around the world that are now connected to the internet, collecting and sharing data. Thanks to cheap processors and wireless networks, it's possible to turn anything into part of the IoT. This adds a level of digital intelligence to devices that would be otherwise dumb, enabling them to communicate without a human being involved, and merging the digital and physical worlds.

The term 'IoT' is mainly used for devices that wouldn't usually be generally expected to have an internet connection that can communicate with the network independently of human action. For this reason, a PC isn't generally considered an IoT device and neither is a smartphone -- even though the latter is crammed with sensors.

Digitalization is defined by Gartner as leveraging digital technologies to change business models and provide new revenue and value-producing opportunities. A digitalized business’ information systems will enhance operations by collecting data and transforming it into insight and action that supports the business. Ultimately, digitalized business systems will be able to make many decisions without the need for human involvement and to perform specific tasks autonomously.  These cyber-physical capabilities comprise a functioning industrial internet of things infrastructure, with everything from the tiniest sensors in manufacturing equipment to data-visualization dashboards used to perpetuate organizational health.


Just watch the news or read an article or tweet – Cybersecurity is everywhere.  Whether it's the latest breach of a company or government agency, a new vulnerability in a piece or popular software, or a lax security practice from a company that should have known better, there are moments every day where we can't help but shake our heads at the sad state of cybersecurity. In an age where we manage more and more of our lives digitally, it means that anyone—in any career—should know simple things about keeping security up to par. At work, this will help companies maintain robust protocols.

Cyber Attackers Rely On Human Error

The vast majority of companies are more exposed to cyberattacks than they have to be. Hackers rely only partly on their security-penetration skills. The other thing they need? Regular people making mistakes. One high-profile example: the CEO of Equifax attributed the company's 2017 breach—which comprised the data of over 147 million consumers and could cost over $600 million—to, you guessed it, human error. Mistakes by network administrators and users—failures to patch vulnerabilities in legacy systems, misconfigured settings, violations of standard procedures—open the door to the overwhelming majority of successful attacks.

The Rise of AI in Cyber

The idea of a computer program learning by itself, growing in knowledge and becoming increasingly sophisticated may be a scary one. It's even scarier when it's learning to attack things.  In February, a study from teams at the University of Oxford and University of Cambridge warned that AI could be used as a tool to hack into drones and autonomous vehicles, and turn them into potential weapons.  The fear for many is that AI will bring with it a dawn of new forms of cyber breaches that bypass traditional means of countering attacks.
Prager Metis Technology puts a human behind the wheel. Many web application assessments are highly automated. They produce a high volume of false positives and overlook application behavior that an expert security analyst would find. Our findings are validated, and our consultants will work with your development staff to make sure that no stone is left unturned and that the results of your assessment are accurate.

Artificial Intelligence

Data is useless without the skills to analyze it.  Artificial Intelligence is all about imitating human intelligence, and pushing the capabilities of machines beyond those of standard computing methods. Neural networks in particular are designed to imitate the human brain. Because of this, we believe some of the same methods we humans use to get the most out of our brains can be used to get the most out of computerized neural networks.  
Knowledge engineering is a field of artificial intelligence (AI) that creates rules to apply to data in order to imitate the thought process of a human expert. It looks at the structure of a task or a decision to identify how a conclusion is reached. Knowledge engineering sought to transfer the expertise of problem-solving human experts into a program that could take in the same data and come to the same conclusion. 

The biggest leaps forward in the field of AI are in imitating things that humans, even small children, do effortlessly and without much thought (understanding speech, recognizing people and places, etc.). While these advances enable a variety of tactical solutions for security, marketing and consumer product enhancement, they offer little value to managers who must address the Volatility, Uncertainty, Complexity and Ambiguity (VUCA) that drive the opportunities and risks of the real world.

In the VUCA world of business management, our approach to artificial intelligence has rapidly produced the most useful knowledge at global entities faced with perplexing challenges.  The pragmatic solution has been using neural networks that -  

  • Mimic the stimulation/suppression logic of biological neurons  
  • Use learning by correlation but do not over-rely on it  
  • Apply well-known, tested and successful computing methods by:  
    • Leveraging relational data and Entity Relationship Modeling  
    • Using word indexing across textual sources to create new connections  
    • Performing arithmetic and statistical computations across newly discovered pathways  
  • Imitate successful human problem solving by:  
  • Being “educated” by human designers in the approach to solving particular problems  
    • Interacting and collaborating with humans throughout the analytical process  
    • Integrating a variety of analytical methods, data sources, and data structures into a single neural network  

The above approach to AI blends cognitive science, computer science, domain expertise and managerial judgement into a pragmatic balance to address real-world business problem analysis challenges.  

Most companies want to get ahead of known and unknown risks.  Traditional risk management programs can often be reactive, slow and biased resulting in many risks going unmonitored and unmitigated until it is too late.  Prager Metis Technology has developed a line of sight into emerging risks and opportunities.  Our solution has the capability to capture management’s mindset from internal documentation and data.  It is optimized for modeling abstract, complex and systemic scenarios which enables discovery of unknown or not clearly defined issues and requirements.  That's unique and eye opening for our clients.

Internal Audit - the next 20 years


We believe internal audit will remain a very important function in the future. Stricter regulatory requirements, stakeholder needs and the continued fraud, waste and abuse that occurs globally to start.

It’s a statutory requirement in many parts of the world to have an internal audit function. The global recession, corporate failures, banking crises, money laundering, corporate fraud, cyber-attacks, volatile market and disruptive innovation, etc. all necessitate the need for an internal audit function in the future as well.


There is a need to change the mindset of the auditor.  Our primary purpose is to help the organization to achieve its objective. Mostly, internal auditors are more focused on how to audit rather than why to audit.

It’s up to the internal auditor, to choose to act like a doctor or a police officer or strike a balance between both.

How to audit raises the element of independent and objective. How to audit also demand to consider several factors such as the nature of the business, industry norm, management style, internal culture, control environment etc.


In future, the most successful audit professionals will be the one, who embrace the change and be ready to adapt to tackle new challenges of future risks.

The traditional approach is required, but in the current volatile environment, we have to have more innovative ideas and approach to safeguard the interest of shareholder/stakeholder. May be that’s one of the reasons that IIA revised the internal audit definition, which encompass along with audit assurance, advisory role as well.

In the very near future the audit professional will dramatically move from periodic to continuous audit, from manual or semi-automated to fully automated controls, from sampling to a 100 % population review, from providing assurance on historical data to providing assurance on emerging risk, from assessing business continuity to ensuring business resilience, from improving efficiency to recommending changes and innovation.

It’s simple - be open, be welcoming, be informed, be flexible.

In terms of technical skills, auditors should be aware of its surroundings, be its industry knowledge, global issues, political turmoil or disruptive innovation. It is important for auditor to study its impact on the business e.g. bit coin, driver-less cars, Hyper-loop travel, 3D construction printing, data transfer, hydroponics farming techniques etc.

In terms of interpersonal skills, the auditor can improve their communication, presentation, leadership and human psychology skills, without which it’s difficult to achieve desired objectives.