Update on Cybersecurity

September 16, 2016

Bankers Push Cybersecurity



A committee of central bankers is looking to draft international guidelines covering cybersecurity responsibilities for banks and fund transfer providers, aiming to make the global payments system safer, said people familiar with the plans.

The group plans to devise a framework that will divvy up cybersecurity responsibilities between sending and receiving banks, as well as at payment infrastructure providers, the people said.

The guidelines are being put together by the Committee on Payments and Market Infrastructures, which was convened by the Bank for International Settlements to analyze cross-border payment and settlement networks in an effort to protect the banking system.

The effort comes as the financial messaging system Swift and some of its member banks have attracted scrutiny in the wake of recent cyberattacks at customer sites. In February, cyberthieves made off with $81 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York.

The committee aims to set out a global framework for cybersecurity standards where one doesn’t exist. Its challenge is that guidelines from such international groups tend to have limited enforceability by law, because each jurisdiction involved can choose what policies to adopt.

Rep. Barry Loudermilk (R., Ga.)—chairman of the subcommittee on oversight for the U.S. House Science, Space and Technology Committee, which is reviewing the Bangladesh Bank incident—said Federal Reserve explanations of how recent cyberattacks occurred “raise additional questions.”

“It is troubling to me that bad actors were able to successfully extract millions of dollars from the Federal Reserve banking system,” he said. “My subcommittee is working to find out how this happened and how to prevent it from happening again.”

Workers at the New York Fed don’t manually screen most central-bank payment orders as they come in, and instead rely heavily on authentication by Swift, known formally as the Society for Worldwide Interbank Financial Telecommunication.

This summer, Swift became subject to a new set of cyber rules also developed by the payments committee and the International Organization of Securities Commissions. Those rules, once implemented, will require Swift and financial market-infrastructure providers to prove they can resume operations within two hours of a disruption.

A Swift spokeswoman had no immediate comment. A spokesman for the National Bank of Belgium, which is the lead overseer of Swift, declined to comment on its specific oversight actions on the company. Benoît Coeuré, chairman of the Committee on Payments and Market Infrastructures, wasn’t immediately available to comment.


Rise at 11? China’s Single Time Zone Means Keeping Odd Hours


Some days, the sun doesn’t come up until 10 a.m. or later. People eat lunch after 2 p.m., or even after 4 if they’re not in a rush. The school day stretches so late that children can’t get home in time to catch their favorite cartoon shows.

Why are the clocks in Urumqi, China, so far out of kilter with the cycles of the sun? Because of a legacy of Mao Zedong and the Communist Party’s desire for unified control. Though China is almost as wide as the continental United States, the whole country is officially in just one time zone — Beijing time.

So when it’s 7 a.m. in the Forbidden City, it’s also officially 7 a.m. 2,000 miles to the west in Urumqi, the capital of the Xinjiang region — even if the stars are still out there.

That can lead to headaches — and lost sleep. “It’s hard to adjust,” says Gao Li, a sanitation worker in Urumqi. “I often think we must be the only people who eat dinner at midnight.”

So schools, airports and train stations operate at odd hours; national exams are sometimes given in the dead of night; and restaurants stay open for dinner into the wee hours.

The eccentricities of the clock also tend to divide people in Xinjiang by ethnicity. The Uighurs, Turkic-speaking Muslims who consider the region their homeland, tend to set their clocks two hours earlier, to more closely match the local day. But the Han Chinese who live there, members of China’s predominant ethnic group, generally follow Beijing time. The discrepancies can be a source of confusion and frustration, especially for younger people who frequently socialize across ethnic lines.

Jin Xiaolong, 28, who teaches parkour, a French athletic discipline, says scheduling classes with his Uighur friends in Urumqi can be a challenge.

“I used to arrive early, all alone,” he said. “I’d go to a restaurant to eat, wait some more, and eventually grow impatient and start practice by myself.”

Now, he makes a point of clarifying to his friends: He only deals in Beijing time.

Follow Javier C. Hernández on Twitter @HernandezJavier.


2016 Sep 08

Multinational Companies Wary of Transatlantic Data-Transfer Agreement

A survey shows multinational companies remain wary of a new international data-transfer agreement between the United States and the European Union, and many are relying on contract provisions that could be invalidated by Europe’s highest court. The survey of 600 privacy professionals, conducted in June and July, found only about one-third say they plan to use the agreement, known as Privacy Shield, which allows businesses to transfer personal data on European citizens to the United States. The European Commission says 103 companies have been certified under Privacy Shield since the U.S. Commerce Department began accepting applications, and the Commerce Department is reviewing the privacy policies of 190 other companies. By comparison, more than 4,000 firms had been certified under an earlier agreement, known as Safe Harbor, before it was invalidated by the European Court of Justice last year.

In the survey, by the International Association of Privacy Professionals and consulting firm EY, 81 percent of respondents said they are relying on model contract clauses approved by the European Union to transfer personal data on EU citizens. But those clauses are considered likely to be invalidated by the European Court of Justice, which would again expose companies to sanctions for moving data improperly. Legal experts say the model clauses are on shaky legal ground because they do not adequately restrict the access of U.S. authorities to data of European citizens. The court used similar reasoning in striking down Safe Harbor. Legal experts offered several reasons why companies are not embracing Privacy Shield, including the possibility that it, too, will be invalidated. Another reason companies may be holding off is that another set of rules, known as the General Data Protection Regulation (GDPR), is scheduled to take effect in May 2018, meaning the Privacy Shield regime may have a limited lifespan. The GDPR rules are much broader, including, for example, the so-called right to be forgotten that forces companies to delete personal data of European citizens upon request. In the survey, 89 percent of respondents said they are taking steps to comply with the GDPR rules, reports the Wall Street Journal (7 September, Heide).

From “Multinational Companies Wary of Transatlantic Data-Transfer Agreement”
Abstract News © 2016 Information, Inc.


Terror attacks prompt government to call for new balance between security and anonymity


BERLIN—When a bomb threat targeted the Thier Galerie shopping mall in Dortmund last month, police rushed to the scene and asked to scour closed-circuit camera recordings.

There wasn’t much footage to go through. An attempt by the mall operator to ramp up video surveillance last fall had been vetoed by local authorities who feared an assault on patrons’ privacy. “You can’t just say you want to have more cameras,” said Heike Marzen, the mall’s manager. “There are certain laws we have to follow.”

Branded by its dictatorial past, when surveillance was both dreaded and commonplace, Germany has some of the world’s toughest privacy laws. But after two attacks claimed by Islamic State and a mass shooting this summer, the government is pushing to recalibrate the balance between security and anonymity.

This month, German Interior Minister Thomas de Maizière introduced a raft of security proposals. Seizing on the case of the Dortmund mall, he made it clear many of these would require a change of mentality.

The threat there, he said, “could have been cleared up with video recordings if they hadn’t been forbidden by privacy champions.” Authorities could have quickly scanned feeds from the whole building to see if anything was planted. Instead police had to search the mall with dogs. They didn’t find a bomb and determined the threat to be a hoax.

Mr. de Maizière is proposing to add cutting-edge video surveillance in some 20 rail stations across the country and intensify monitoring of the internet. Many regional governments and large cities, meanwhile, are discussing video surveillance of highly frequented areas, an almost nonexistent practice in much of the country.

Opponents of the plans say they run afoul of Germany’s constitution and decades of legal precedents that have enshrined privacy among Germans’ most heavily guarded rights. Many fear such surveillance will curtail rights without stopping crime, while giving the state too much power.

German authorities and businesses don’t have broad leeway to use cameras, and specific plans must be approved by a special commissioner in each state.

“I don’t want a state that has a complete surveillance system,” said Christopher Lauer, a Berlin state lawmaker with the libertarian Pirate Party who is fighting plans to add cameras in Alexanderplatz, a transport hub and crime hot spot in the center of the capital. “If there are ever darker times in Germany, then the state could just use this against the people.”

In France, a state of emergency in place since November’s Paris terror attacks gives security forces carte blanche to hunt terrorists, and in the U.S. intelligence gathering engenders relatively little controversy. Germany, however, has resisted anything seen as remotely reminiscent of the surveillance that took place under its Nazi and Communist dictatorships.

But the price of privacy has become obvious as terror and crime threats have grown.

When a disgruntled teenager went on a shooting rampage in Munich last month, police had to ask residents to upload smartphone videos of the attack to their servers.

In Cologne, authorities have struggled to prosecute a wave of sexual assaults on New Year’s Eve partly because of the limited video footage from the city’s main square, where most of the attacks took place.

Investigators say video cameras often enable arrests that otherwise wouldn’t happen. In the U.K., with its long history of terror attacks and almost five million security cameras, security footage helped in identifying and arresting terrorists involved in the 2005 bombings on the public transport system.

“If there are cameras, then all of a sudden, we have the beginnings of an investigation,” said Martin Steltner, a senior prosecutor in Berlin.

Speaking outside Berlin on Wednesday, Chancellor Angela Merkel hailed the importance of video surveillance and data collection.

“Until now in Germany the idea of ‘as little data as possible’ has dominated,” Ms. Merkel said. “That absolutely doesn’t fit anymore with the digital age.”

People leaving the Olympia mall in Munich in July after gunfire erupted. A lone gunman killed nine people before killing himself.



U.S. Companies Slow to Adopt European Data Transfer Agreement
Uncertainty remains that the terms will survive legal tests in the EU

Microsoft said it applied for Privacy Shield certification. Other U.S. companies have been slow to sign on to the new international data-transfer agreement.
Aug. 14, 2016 1:44 p.m. ET

U.S. companies have been slow to sign on to a new international data-transfer agreement with the European Union for reasons that include uncertainty that the terms will survive legal tests in the EU, experts said.
The agreement, called Privacy Shield, allows businesses to transfer personal data on European citizens to the U.S. About 40 companies have been certified under the new rules since Aug. 1, when the U.S. Department of Commerce began accepting applications, the agency said on Friday.
“Many American companies are waiting to see if the Privacy Shield survives an expected challenge by privacy advocates in the European courts,” said Jay Cline, who heads cybersecurity and privacy at PwC, an international consultancy. “So we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.”
Some companies still need to implement new measures to comply with the new system, such as updating privacy policies with information about where customers can address complaints. Many firms waited until the EU formally published the new mechanism’s documents in mid-July before beginning to implement the new requirements, company representatives said.
Other companies are evaluating whether the new agreement offers advantages over alternative approaches to complying with European data protection laws, experts say. Alternatives include so-called model clauses—standardized data-protection language preapproved for addition to contracts with customers—and binding corporate policies approved by the EU.
More than 4,000 U.S. companies had been certified under the previous, less robust agreement, known as Safe Harbor, before it was invalidated by the European Court of Justice last year in the wake of Edward Snowden’s revelation of U.S. surveillance programs.
Microsoft applied for Privacy Shield certification on the first day applications were accepted, the company said. The Redmond, Wash., software giant said it implemented both Privacy Shield principles and model clauses. The combination strengthened Microsoft’s competitive position, said John Frank, Microsoft’s vice president for EU Government Affairs.
“European privacy protections are important to European citizens and organizations. We offer EU-approved Model Clauses and we have signed onto the Privacy Shield rules so that we can offer our customers strong data protection standards,” Mr. Frank said.
Amazon.com Inc. competes directly with Microsoft in cloud infrastructure services—the reason for much of Microsoft’s data transfer activity—yet it hasn’t yet applied for Privacy Shield certification.
“The new EU-US Privacy Shield does not impact AWS customers” because the company maintains data centers in several countries where its customers can store their data, and that it also uses model clauses, wrote Stephen Schmidt, vice president of security engineering and chief information security officer of Amazon Web Services, in a recent blog post. Amazon nonetheless planned to apply for Privacy Shield certification, he added.
Experts say Privacy Shield certification is likely to help companies compete with rivals.
“When Safe Harbor was still in place, we saw that companies who were part of it had a competitive advantage in competitive bids over companies who used model clauses. I think we will see the same with Privacy Shield,” Mr. Cline said.
BSA, a software industry organization dedicated to international trade, expects Privacy Shield eventually to be adopted as widely as its predecessor.
“We expect that at least the 4,000 companies who applied for Safe Harbor will apply for the new mechanism as well,” said Thomas Boué, an expert on privacy issues at BSA.
A study by the Future of Privacy Forum, a think-tank based in Washington, D.C., said the Safe Harbor agreement got off to a slow start when it launched in 2000. Some commentators blamed the delay on companies wanting to gauge the consequences of abstaining, the report said. Others blamed bureaucracy.
Despite the new agreement, the rules that govern handling of data on European citizens remain unsettled. Both Privacy Shield and model clauses are likely to be examined by the European Court of Justice, and Christian Schefold, an expert in data protection and compliance at the international law firm Dentons, expects model clauses to fail the test.
As for Privacy Shield, the European Commission has said it was confident it would withstand legal challenges.
The annual fee for Privacy Shield certification depends on the size of the company and can cost up to $3,250. The application process usually takes from several weeks to six months, experts said.
—Natalia Drozdiak contributed to this article.
Write to Dana Heide at dana.heide@wsj.com


June 29, 2016

The ransomware epidemic explained

Ransomware is an epidemic. Every day more businesses, consumers, government and other organizations are finding their critical data held hostage and collectively paying millions of dollars to get it back. In some cases, such as attacks on hospitals, it is literally threatening lives. And with over 100,000 new variants released every day, ransomware is mutating like a nightmare virus, while the world’s cyber security forces work feverishly to stop it. In fact, ransomware is the number one cyber concern among healthcare organizations according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.

As with Ebola and Zika and other viral epidemics, experts and potential victims need to understand how the disease attacks and how it spreads so they can protect themselves.

Ransomware in a nutshell

Most ransomware either locks the interface or encrypts files on a computer or network, sends users a ransom message, and, ideally, releases the interface or decrypts the data after the ransom is paid. (Although Richard Walters, senior vice president of security products at Intermedia, recently told TechNewsWorld that companies have a 20 percent chance of not getting their data back after the ransom is paid.) The details of ransomware can and do vary widely, partly to keep attackers ahead of security experts and partly to keep victims off balance and paying.

According to The ICIT Ransomware Report, the first ransomware appeared in the 1980s, and, ironically, until ten years ago, most of it was fake. Fraudulent spyware removal tools and performance optimizers scared users into paying to fix problems that didn’t really exist. Although the first ransomware that actually denies access to data was developed in 1989, the malware didn’t become common until 2006.

At this point, there are two major types of ransomware:

  • Locker ransomware restricts user access to infected systems by locking up the interface or computing resources within the system. It puts up a display page telling victims to pay through credit vouchers purchased from local stores or money transfer services. According to security software vendor Symantec, locker ransomware accounted for about 36 percent of ransomware samples they detected in 2014-2015. Attackers have moved away from locker ransomware because the disabled interface prevents victims from paying in crypto currencies such as Bitcoin, which are faster and less traceable, so better for the recipients. However, experts expect that locker ransomware may regain popularity with attackers because it can affect mobile devices and devices on the “Internet of Things.”
  • Crypto ransomware encrypts files on the target system so that the computer is still usable, but users can’t access their data. It typically uses strong industry-standard encryption schemes, often with encryption keys that time out, adding urgency to the ransom payment deadline. Crypto ransomware leaves the user interface functioning, so that users can get to the Internet to make ransom payments in crypto currency. Symantec says that crypto ransomware makes up 64 percent of the samples that their software detects.

The success of any given ransomware variant depends in part on the technology and in part on how skillfully the attackers are able to exploit the fears of the victims. On the technical side, successful ransomware needs to evade detection by security software long enough to install itself and do its dirty work, and it needs to employ locking or encryption strong enough that it can’t be easily broken. But powerful ransomware is now widely available on the Dark Web for free, so any “script kiddie” (a technically unsophisticated would-be hacker) can mount an attack in return for giving the developer a share of the profits. The successful cyber-extortionist is also able to work the psychological scam, scaring victims into paying rather than taking defensive measures, and giving them reasonable confidence that their systems will be restored plus enough technical support that they can figure out how to pay in cyber coin.

Ransomware attack vectors

As with other malware, the spread of ransomware often depends on user ignorance, but cyber-extortionists have come up with a few new tricks to infiltrate systems. Ransomware enters systems through four main channels:

  • Social engineering: Ransomware is often downloaded by unwitting users. Phishing emails induce users to click on bad links or download and open malicious attachments. According to the ICIT report, criminals will hire services to redirect users from adult content sites or media piracy sites to their downloads (adding shame to the urgency of fear when the user is trapped) or they will use malvertisement services to bait users from ads on legitimate web sites. Bad guys are also now using social media messaging as an attack vector for malware. This is harder for organizations to defeat because the attacks are now running under HTTPS/SSL, so that it’s harder to detect the malware.
  • Layered attacks: Criminals who have already infected a system sometimes sell access to ransomware criminals. The undetected malware on the so-called “zombie” machine can download the ransomware and remain after the ransom is paid, waiting for another opportunity to steal data or extort payment.
  • Embedded: Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or resume files. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is so ubiquitous in browsers around the world. As this Symantec post shows, the fake update pages can be very convincing.
  • Self-propagation: Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user’s contact list.

While user awareness can help deter the spread of ransomware, the other three sources are more difficult to isolate and stop.

Fighting fear itself

At this point, the technology behind ransomware is formidable, as developers employ stronger encryption and more tactics to elude detection. Eventually, security technology will catch up, but in the meantime, organizations and individuals need to avoid giving in to fear because that is the ransomware criminal’s greatest weapon. Just as the earliest forms of ransomware extorted users with non-existent threats, much of today’s ransomware is not as invincible as it seems, which is why attackers keep coming up with scarier tactics for their malware. One of the most brutal is the Petya virus, described in a recent Kaspersky blog. Not only does the malware attempt to lock the whole hard drive at once rather than slowly encrypting individual files, its user interface is a grinning skull and crossbones made mostly of dollar symbols.


It’s T-minus two months until the Olympic torch and a parade of international athletes enter Maracanã Stadium in Rio de Janeiro to open the 2016 Olympic Games. And about an hour flight from Rio, in a new office in São Paulo, Airbnb’s nearly 20 Brazilian staffers are in crunch time.

Back in March, Airbnb won a bid to become the “official alternate accommodation service provider” of the 2016 Olympic Games. That’s a mouthful, but it’s the first time such a title has been doled out at any Olympics. By scoring said plaudit, Airbnb beat out local services Hotel Urbano (a vacation-package sale site) and Alugue Temporada (a property-rental site popular in Brazil and owned by HomeAway). Airbnb has not disclosed how much the contract is worth, and Rio 2016 has not responded to a request for comment on the partnership.

“With visitors traveling from around the world, Rio residents get to serve as diplomats to their home country, hosting a global audience with real, authentic Brazilian hospitality,” Airbnb co-founder Joe Gebbia said at a press conference in Rio announcing the partnership earlier this year.

That’s a sea change from the 2012 Olympic Games, during which London homeowners were threatened with the possibility of fines should they attempt to rent out their homes to guests. According to Reuters, this is the first time a major sporting event has “turned to the general public, and their extra rooms, to solve a short-term spike in demand for accommodation.”

This year, visit the Olympic Games ticket-booking website, and you’ll see that booking a home or room on Airbnb is an official option. And Airbnb itself has an Olympics-themed landing page. And that’s about the extent of the partnership–on the surface.

The back-end of things is far more complex. Airbnb promised the International Olympic Committee it would be able to provide more than 20,000 lodging options. That’s a lot–for a company that launched in Brazil in 2012 with just 3,500 listings. As a result, Airbnb has been adding shared homes, rooms, and full estates to its country listings–especially in Rio–at a rapid clip.

Getting up to speed

Managing this growth has been Airbnb’s new Brazil country head, Leo Tristao, a former Google employee whom Airbnb hired away last year from Facebook. (He was Facebook’s head Brazil manager as well.) Tristao immediately identified a surprising complication–and we’re not talking about the country’s economic recession or the looming threat of the Zika virus.

Eighty percent of the roughly 7.5 million tickets for the Olympics would be going to Brazilians. Meaning: The Brazilian hosts in Rio would be far more likely to be serving as diplomats to their own compatriots than to frequent globe-trotters. This situation would be new for Airbnb Brazil. The audience for the World Cup–the most similar recent event and a potential test-case for how this Games would play out for the company–was just 6 percent domestic. So, more than 90 percent of people who needed lodging were international travelers. And international travelers–the frequent travelers at least–are far better-versed in the ways of Airbnb than Brazilians, in general.

“The hosts in Rio are already used to hosting international travelers usually,” Tristao says. “So we are more concerned about local Brazilians–how to educate them and make booking easy for them.”

Planning for payments, hosting

Considering the fact that Brazil is deep in its worst recession in 25 years, opening up a variety of payment options to those who can afford to travel would be key. “Very, very key,” says Tristao. There are systems unique to Brazil that Tristao’s team wanted to be able to offer to locals. One of them: a popular debit-card-like payment system involving credit cards issued by local banks.

There’s also the Boleto Bancário. It’s a form of payment native and specific to Brazil. It’s something like the bar code on a U.S. check. So to make a payment, for example, an individual has to scan a Boleto code from a merchant onto his or her phone to make funds automatically withdraw from their checking account. Boletos can also be paid at ATMs, local banks, or some supermarkets. Also, Tristao says, “Brazilians love to pay in installments, so we had to make that available, too.”

Aside from payments, Airbnb Brazil will need to educate hosts to be patient guides for those new to the process. “It’s about showing our community the little tips from the moment a guest contacts them on the platform, through the booking flow, through the check-in,” Tristao says. His staff has been coaching hosts to be extra responsive–and to answer guests’ every-last question. “We want every guest to have a five-star experience.”

He says while interactions through the Airbnb website may take some extra coaching, most Brazilians don’t need any help when it comes to the actual “hosting” part. “Sometimes,” he says, “I joke to my colleagues that hospitality is in our blood.”

Expanding geographies

The downturn has perhaps helped Airbnb exceed its promise to Rio 2016: It is already up to 25,000 rooms available throughout Rio–5,000 more than it pledged. “Brazil is in an economic situation that is not favoring employment,” Tristao says, speaking euphemistically. He says Brazil’s sour economy has been an impetus for many eager hosts, as renting a room can help generate additional income for families.

Rio is already the largest market in Latin America for Airbnb. Tristao says he’s proud of the expansion within Rio in particular, because it includes lots of lodgings in neighborhoods not populated by hotels or typically visited by tourists. And the company is pleased with its economic impact: During the World Cup in Rio two years ago, it provided $38.3 million in revenue for local hosts. Considering Airbnb Rio has been growing 87 percent year-over-year, this could, recession be damned, be a really huge year for Airbnb Rio.

Beijing can be a pretty informal place. People walk outside in their pajamas, and when it’s hot some men lift up their shirts to expose their bellies. Even President Xi Jinping dresses down, usually in his trademark dark windbreaker.
The authorities have determined that one place in China’s capital has gotten far too casual: the marriage registration office.
“Some people wear sleeveless shirts and shorts, or slippers, to register their marriages,” Han Mingxi, head of the wedding registry office for the Beijing Civil Affairs Bureau, told Beijing Daily, the official newspaper of the city’s Communist Party committee. “You see them and can immediately tell their attitude toward the marriage registry is too casual. This can easily create all sorts of problems.”
China has seen an increasing divorce rate in recent years, a phenomenon that has been especially pronounced in Beijing. While the number of couples marrying each year from 2011 to 2014 remained constant around 170,000, the number divorcing over those years climbed to 56,000 from 33,000, according to the Beijing Civil Affairs Bureau.
As part of new rules going into effect on July 1, wedding registry officials will elevate the sense of ceremonial formality, Mr. Han told Beijing Daily. But unlike bouncers at an exclusive nightclub, registry officials won’t be able to turn away slovenly dressed couples. The new rules will not allow people to be blocked from having their marriages registered, Mr. Han said, but rather will call for officials to make suggestions about appropriate attire.

Recently, the Hong Kong Courts and the Securities and Futures Commission (“SFC”) have taken action under the Personal Data (Privacy) Ordinance (“PDPO”). The actions were taken against an insurance agent, a marketing company and a licensed individual for improper handling of personal data, and resulted in a Community Service Order, a fine, and an SFC disciplinary action.

As you can see, consumers are more aware of privacy rights, and the PDPO is being taken very seriously. We can expect to see further enforcement activity. If you have questions regarding privacy issues, contact Bruce Wilson at ACTON International, bwilson@acton.com.

ACTON International is proud to announce that Managing Partner Bruce Wilson has obtained the following privacy certifications:

Certified Information Privacy Professional – US

Certified Information Privacy Professional – EU

Certified Information Privacy Manager

Certified Privacy Technologist

We are proud to be a cutting-edge leader concerning the GDPR (General Data Protection Regulation). We are working on several opportunities to educate ACTON partners and clients around the globe. Our ACTON Managing Partner Bruce Wilson is now one of the leading experts concerning the GDPR.