
What is a domain name?

A domain name is an identification string that defines a realm of administrative
autonomy, authority or control within the Internet. Domain names are used in various
networking contexts and for application-specific naming and addressing purposes.

Domain Name or DNS (Domain Naming System) is a naming scheme by which we can identify
a website on the Internet. If we talk about any website, all of them are connected in the
background to some IP address. ... It is a human readable version of the IP address.

What is Domain name?

A domain name is your website name.

A domain name is the address where internet users can access your website. A domain
name is used for finding and identifying computers on the internet. Computers use IP
addresses, which are a series of numbers.

Because of this, the domain names were developed and used to identify entities on the
internet rather than using IP addresses.

A domain name can be any combination of letters and numbers, and it can be used in
combination with the various domain name extensions, such as .com, .net, .org and many
more.
Cyber Law

The computer-generated world of the internet is known as cyberspace, and the laws governing
this area are known as cyber laws. All the users of this space come under the ambit of
these laws, as it carries a kind of worldwide jurisdiction. Cyber law can also be described
as that branch of law that deals with legal issues related to the use of inter-networked
information technology. In short, cyber law is the law governing computers and the
internet.

The growth of Electronic Commerce has propelled the need for vibrant and effective
regulatory mechanisms which would further strengthen the legal infrastructure, so crucial
to the success of Electronic Commerce. All these governing mechanisms and legal
structures come within the domain of Cyber law.

Cyber law is important because it touches almost all aspects of transactions and activities
on and concerning the internet, the World Wide Web and cyberspace. Every action and
reaction in cyberspace has some legal and cyber legal angles.

Cyber crime is not defined in the Information Technology Act 2000, nor in the National
Cyber Security Policy 2013, nor in any other regulation in India. Hence, to define cyber
crime, one can say it is just a combination of crime and computer. In other words, "any
offence or crime in which a computer is used is a cyber-crime". Even a petty offence like
stealing or pickpocketing can be brought within the broader purview of cybercrime if the
basic data or aid to such an offence is a computer or information stored in a computer
used (or misused) by the fraudster. The I.T. Act defines a computer, computer network,
data, information and all other necessary ingredients that form part of a cybercrime.

Cyber law encompasses laws relating to:


· Cyber crimes

· Electronic and digital signatures

· Intellectual property

· Data protection and privacy

Cyberspace includes computers, networks, software, data storage devices (such as hard
disks, USB disks etc.), the internet, websites, emails and even electronic devices such as
cell phones, ATM machines etc.

Cyber Crime?
# Any crime with the help of computer and telecommunication technology.

# Any crime where either the computer is used as an object or subject. [1]
Categories of Cyber Crime
1. Cybercrimes against persons

2. Cybercrimes against property

3. Cybercrimes against government

1. Against a Person

# Cyber stalking

# Impersonation

# Loss of Privacy

# Transmission of Obscene Material

# Harassment with the use of computer

2. Against Property

# Unauthorized Computer Trespassing

# Computer vandalism

# Transmission of harmful programmes

# Siphoning of funds from financial institutions

# Stealing secret information & data


# Copyright

3. Against Government

# Hacking of Government websites

# Cyber Extortion

# Cyber Terrorism

# Computer Viruses[2]

Some Other Crimes

# Logic Bombs

# Spamming

# Virus, worms, Trojan Horse

# E-Mail Bombing

# E-Mail abuse etc.


Need For Cyber Law

In today's techno-savvy environment, the world is becoming more and more digitally
sophisticated, and so are the crimes. The Internet was initially developed as a research and
information sharing tool and operated in an unregulated manner. As time passed by, it
became more transactional with e-business, e-commerce, e-governance and e-procurement etc.
All legal issues related to internet crime are dealt with through cyber laws. As the number
of internet users is on the rise, the need for cyber laws and their application has also
gathered great momentum.

In today’s highly digitalized world, almost everyone is affected by cyber law.

For example:

# Almost all transactions in shares are in demat form.

# Almost all companies extensively depend upon their computer networks and keep their
valuable data in electronic form.

# Government forms including income tax returns, company law forms etc. are now filled
in electronic form.

# Consumers are increasingly using credit/debit cards for shopping.

# Most people are using email, phones and SMS messages for communication.

# Even in "non-cyber crime" cases, important evidence is found in computers/cell
phones, e.g. in cases of murder, divorce, kidnapping, tax evasion, organized crime,
terrorist operations, counterfeit currency etc.

# Cybercrime cases such as online banking frauds, online share trading fraud, source
code theft, credit card fraud, tax evasion, virus attacks, cyber sabotage, phishing attacks,
email hijacking, denial of service, hacking, pornography etc. are becoming common.

# Digital signatures and e-contracts are fast replacing conventional method of transacting
business.[3]

Cyber Laws In India


In India, cyber laws are contained in the Information Technology Act, 2000 (“IT Act”)
which came into force on October 17, 2000. The main purpose of the Act is to provide
legal recognition to electronic commerce and to facilitate filing of electronic records with
the Government.

The existing laws of India, even with the most compassionate and liberal interpretation,
could not be interpreted in the light of the emerging cyberspace to include all aspects
relating to different activities in cyberspace. In fact, practical experience and the
wisdom of judgement found that it would not be without major threats and pitfalls if the
existing laws were to be interpreted in the scenario of emerging cyberspace without
enacting new cyber laws. Hence the need for the enactment of relevant cyber laws.

None of the existing laws gave any legal validity or sanction to the activities in
cyberspace. For example, the Net is used by a large majority of users for email. Yet till
today, email is not "legal" in our country. There is no law in the country which gives
legal validity and sanction to email. Courts and the judiciary in our country have been
reluctant to grant judicial recognition to the legality of email in the absence of any
specific law having been enacted by Parliament. As such, the need has arisen for
cyber law.

World and Cyber Laws


# The Great Firewall of China monitors every movement in cyberspace and prevents the
publishing of any offensive content.

# China has a hold on all content which is harmful or dangerous for the government
of China.

# Brazil is considered the world's biggest airport for hackers.

# Iran is also a dangerous country for netizens. It also has a Crime Police unit for
crime in cyberspace.

Importance of Cyber Laws

# We are living in a highly digitalized world.

# All companies depend upon their computer networks and keep their valuable data in
electronic form.

# Government forms including income tax returns, company law forms etc. are now filled
in electronic form.

# Consumers are increasingly using credit cards for shopping.

# Most people are using email, cell phones and SMS messages for communication.

# Even in "non-cyber crime" cases, important evidence is found in computers/cell
phones, e.g. in cases of divorce, murder, kidnapping, organized crime, terrorist operations,
counterfeit currency etc.

# Since it touches all the aspects of transactions and activities on and concerning the
Internet, the World Wide Web and Cyberspace therefore Cyber law is extremely
important.[4]

Conclusion

To sum up, though a crime-free society is perfect and exists only in illusion, it should be
the constant attempt of rulers to keep criminality at its lowest. Especially in a society that is
more and more dependent on technology, crimes based on electronic law-breaking are
bound to increase, and the law makers have to go the extra mile compared to the
impostors to keep them at bay.

Technology is always a double-edged sword and can be used for both purposes, good or bad.
Steganography, Trojan horses, scavenging (and even DoS or DDoS) are all technologies and
per se not crimes, but when they fall into the wrong hands, people with an illicit intent
who are out to exploit them or misuse them, they come into the array of cyber-crime and
become punishable offences.

Hence, it should be the tenacious effort of rulers and law makers to ensure that
technology grows in a healthy manner and is used for legal and ethical business growth
and not for committing crimes. It should be the duty of the three stakeholders, viz. i) the
rulers, regulators, law makers and agents, ii) Internet or Network Service Suppliers or
banks and other intercessors, and iii) the users, to take care of information security, playing
their respective roles within the permitted limitations and ensuring obedience to the law
of the land.

DMCA Law

The most common challenge many creators face these days is a copyright issue. Back in
the previous, non-Internet century, artists didn't face copyright issues as frequently, as it
wasn't so easy to steal and spread around someone else's work. But with the boom of the
internet and the digital world, there is a surge in copyright issues faced by artists, writers,
authors and photographers who publish their work online and then find it on
unauthorized websites.

What is DMCA?

The Digital Millennium Copyright Act (or DMCA) is a rather controversial law of the US
government, enacted in 1998 by then-president Bill Clinton. The aim of the DMCA is to
balance the interests of copyright owners and users and to look into any sort of copyright
infringement that surfaces in the digital world.

The DMCA is intended to regulate digital media and deal with the copyright challenges the
digital world faces. The DMCA not only looks into the copyright infringement issues faced by
users on the internet but also reinforces penalties for offenders.

The DMCA in its original form was censured by several scientists who believed that it would
largely disrupt the growing IT industry of the US. Following worldwide criticism, the law faced
several revisions to incorporate various exceptions, but still, several countries prefer their
own version of the law.

Does DMCA apply outside of the USA?


No, the DMCA is part of United States copyright law and is therefore applicable only to
websites hosted in the US. All sites hosted in the US are bound to obey the law.
Therefore, even if the copyright owner is outside of the US, they can still issue a DMCA
notice if the hosting website is located in the US.

However, there are many hosting providers and businesses who despite being hosted
outside the US comply with their own copyright law and often accept DMCA takedown
notices to avoid any legal aftermath in their own country.

In addition to that, most sites hosted in World Intellectual Property Organization (WIPO)
member countries abide by the Digital Rights Management (DRM) law and entertain
DMCA takedown notices. At this time there are around 200 countries that have signed
the WIPO treaty.

What is a DMCA safe harbor?

DMCA safe harbor refers to the provision of the Digital Millennium Copyright Act
which provides a safe haven to Online Service Providers (OSP) and other internet
intermediaries by exempting them from direct copyright infringement liability.

There are four safe harbors approved by Congress and in these cases, there is limited to
no copyright infringement liability for Online Service Providers. Following are the
permitted safe harbors under DMCA:

· System caching

· Information location tools

· Temporary digital network communication

· Storing information at the user's direction on a system or network

The reason behind creating the DMCA safe harbors is to expand the internet and to improve the
quality and variety of services provided on the internet. It would not have been possible to
achieve this without limiting the liability of Internet Service Providers (ISPs).

ISPs would have found themselves committing copyright infringements while making
copies of copyrighted content for the purpose of enhanced speed, hosting websites or
simply directing users to sites that possibly contain infringing content.

As such, to avoid these problems and for the better efficiency and expansion of the
internet, there is limited liability for ISPs and sites falling under one of the safe harbor
categories.

The right to use copyrighted content without the permission of the copyright owner under
certain conditions is deemed "Fair Use". The legally permissible purposes for which
copyrighted content can be used under the Fair Use category include:

· News reporting

· Commentary

· Research

· Criticism

· Scholarship

· Teaching

Fair Use promotes creativity and people using the copyrighted content for the above-
mentioned purposes won’t be charged with copyright infringement.

To determine whether there was Fair Use of the copyrighted work or not, consider the
following factors:

· Nature of the copyrighted work/content

· Usage purpose of the copyrighted work; whether it is of a commercial nature or for an
educational purpose

· The amount and substantiality of the portion used by the third person

· How the portion used will affect the potential market and its impact on the value
of the copyrighted content

What is a DMCA takedown notice?

A DMCA takedown notice is an official notification to the company, search engine, ISP
or web host informing them that the material they are hosting or linking to infringes on a
copyright.

The company or website at the receiving end of the notice should immediately take down
the copyrighted material. If they don’t remove the material in question, then the ISP can
forcibly take down the content.

The types of copyrighted material for which you can send a DMCA takedown notice (or
DMCA request) include:

· Written text, which includes books, articles, poetry, blogs, etc.

· Pictures that you took and posted on your business's official social media sites

· Artwork, photos, images, paintings, etc.

· Songs, music or other audio files

· Videos

· Digital software

The hurdle you may face while issuing a DMCA takedown notice is when the website
that hosts the copyrighted content is not located either in the US or another country that
follows the DMCA or copyright laws.
Does the work have to be registered before sending a DMCA takedown notice?

No, you don’t have to register your work before sending a DMCA takedown request.
Content in tangible form becomes your intellectual property as soon as it’s created and
you hold the copyright to it and thus can send a DMCA notice.

Most people post photos, videos, or written content on the internet without any
registration with the copyright office, but they hold the exclusive rights of the material
and can send DMCA notice for any unlawful use of their content.

But if the person who sent a takedown notice receives a counter-notification stating that
there was no copyright infringement, then they have to file a lawsuit within 14 days.

Registration is required if you would like to be able to file a copyright infringement
lawsuit and claim monetary damages. Otherwise, a DMCA takedown request can be
sent for any unregistered material for the sake of its protection.

How to write a DMCA takedown notice?


There is no official template to write a DMCA notice, but there are certain guidelines you
should follow before writing a DMCA takedown notice. Take a look at these:

· Provide the URL of the website hosting the copyrighted content, mention the
infringing material and cite any other detail you have.

· Cite the URL of the original content, its title, and other details.

· Clearly state that you have a good faith belief that your content is infringed upon,
that you don't permit usage of your copyrighted content, and that the information in the
notice is correct.

· Make a statement under penalty of perjury that all the information you have
provided is accurate.

· Include your contact information, because it's a legal notice.

· Finish it off with your physical or electronic signature.

It is very important to provide the necessary details, statements, and disclosures and
format them accordingly to ensure the success of your takedown notice. If you find it
complicated or are unsure of the process, you may use our professional takedown
service and we'll handle it for you.

Where to send a DMCA takedown notice?


DMCA takedown notice can be sent to various sources involved in publishing the
infringed material.

Start with the easiest way which is emailing the site’s owner to take down your
copyrighted content. Usually, people respond to it to avoid any legal consequences and
remove your copyrighted content from their site. You may usually find contact
information or contact form on their site.

If the owner refuses to do so, you may send a signed DMCA request to their hosting
provider. They'll act upon the DMCA notice according to their laws.

If the hosting provider finds your request to be legitimate, it has the authority to either
immediately take down the infringing content or disable access to it.

Besides filing a request with the website’s hosting provider, you can also file a DMCA
takedown request with Google. After entering the contact information, you have to
provide URL of both your original content and of the infringed material. If successful,
you will at least disable the infringing web page from getting additional exposure via
Google's search engine. It will also negatively impact their SEO potential and the site’s
owner will think twice before stealing someone’s content next time.

Why do I need to include personal information?


The most common question asked by the users is why there is a need for personal
information, especially address and phone number, when sending the DMCA takedown
notice. The answer is rather simple - it’s a legal document.

Obviously, people may have legitimate privacy concerns regarding their personal details
being exposed to the infringer and getting their hands on your address and phone number
is not such a pleasing prospect.

DMCA law is quite vague regarding this and mentions that the DMCA notice should bear
the personal information through which the service provider can contact the notifier. So
theoretically, it can be just an email ID. In real life though, unfortunately, many takedown
notices fail if they lack those personal details with providers citing the lack of
information or improper formatting of the DMCA notice.

If you're concerned about providing your personal details to a stranger, you may hire and
authorize an agent to handle it for you.

What should I do if I receive a DMCA notice?


Yes, it sounds scary considering its legal standing. You can get a DMCA takedown
notice if you host or manage websites or post any content online.

The first thing you should do is calm down, relax and be honest with yourself. Think about
whether you committed copyright infringement intentionally or unintentionally. If you
find yourself guilty of doing this, then the best thing you can do is to rectify the mistake.
Immediately locate the infringing content and take it down as soon as possible.

There is a high possibility that you didn't steal the content intentionally and posted the
copyrighted content on your website without a thorough understanding of copyright laws.
Or maybe the person you took permission from to post the content didn't actually own
the content in the first place.

And if you host multiple sites with several people posting and sharing content, there is a
great probability that it was them who committed copyright infringement and you receive
the notice as the next logical person to contact. Nevertheless, it’s better to take the
DMCA takedown notice seriously and remove the offending content instantly.

Other possibilities could be that you consciously used the copyrighted content within the
boundaries of Fair Use. If that’s so, then contact the notifier and share the details of the
work you used their copyrighted content for. It's quite possible that you will sort this
issue out and come to an agreement with the owner of the copyrighted content.

What is a DMCA counter-notice?


If you remain firm in your belief that you didn’t commit copyright infringement and
failed to peacefully settle the issue with the person who sent the notice, you can send a
counter-notice to the notifier.

The counter-notice, besides holding your contact details, should include the content
which was removed following DMCA takedown notice. Furthermore, you should state
under the penalty of perjury that you didn’t commit copyright infringement and the
content was removed mistakenly.

By filing a counter-notice you are agreeing to "accept service of process" from the
notifier. This means you understand that this counter-notice may result in a lawsuit.
The complainant, on the other hand, when they receive a counter-notice, will either stop pursuing
the takedown request or will possibly file a lawsuit within 14 days. So be extra cautious
and confident when filing a counter-notice, as it may result in a lawsuit.

GDPR Law

GDPR is a regulation that requires businesses to protect the personal data and privacy of
EU citizens for transactions that occur within EU member states. And non-compliance
could cost companies dearly. Here's what every company that does business in Europe
needs to know about GDPR.

Companies that collect data on citizens in European Union (EU) countries need to
comply with strict new rules around protecting customer data. The General Data
Protection Regulation (GDPR) sets a new standard for consumer rights regarding their
data, but companies will be challenged as they put systems and processes in place to
maintain compliance.

Compliance will cause some concerns and new expectations of security teams. For
example, the GDPR takes a wide view of what constitutes personal identification
information. Companies will need the same level of protection for things like an
individual’s IP address or cookie data as they do for name, address and Social Security
number.

The GDPR leaves much to interpretation. It says that companies must provide a
“reasonable” level of protection for personal data, for example, but does not define what
constitutes "reasonable." This gives the GDPR governing body a lot of leeway when it
comes to assessing fines for data breaches and non-compliance.

Time is running out to meet the deadline, so CSO has compiled what any business needs
to know about the GDPR, along with advice for meeting its requirements. Many of the
requirements do not relate directly to information security, but the processes and system
changes needed to comply could affect existing security systems and protocols.

What is the GDPR?


The European Parliament adopted the GDPR in April 2016, replacing an outdated data
protection directive from 1995. It carries provisions that require businesses to protect the
personal data and privacy of EU citizens for transactions that occur within EU member
states. The GDPR also regulates the exportation of personal data outside the EU.

The provisions are consistent across all 28 EU member states, which means that
companies have just one standard to meet within the EU. However, that standard is quite
high and will require most companies to make a large investment to meet and to
administer.

According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR
will require them to rethink their strategy in Europe. Even more (85 percent) see the
GDPR putting them at a competitive disadvantage with European companies.

Why does the GDPR exist?


The short answer to that question is public concern over privacy. Europe in general has
long had more stringent rules around how companies use the personal data of its citizens.
The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995.
This was well before the internet became the online business hub that it is today.
Consequently, the directive is outdated and does not address many ways in which data is
stored, collected and transferred today.

How real is the public concern over privacy? It is significant and it grows with every new
high-profile data breach. According to the RSA Data Privacy & Security Report, for
which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S.,
80 percent of consumers said lost banking and financial data is a top concern. Lost
security information (e.g., passwords) and identity information (e.g., passports or driving
license) was cited as a concern of 76 percent of the respondents.

An alarming statistic for companies that deal with consumer data is the 62 percent of the
respondents to the RSA report who say they would blame the company for their lost data
in the event of a breach, not the hacker. The report’s authors concluded that, “As
consumers become better informed, they expect more transparency and responsiveness
from the stewards of their data.”

Lack of trust in how companies treat their personal information has led some consumers
to take their own countermeasures. According to the report, 41 percent of the respondents
said they intentionally falsify data when signing up for services online. Security concerns,
a wish to avoid unwanted marketing, or the risk of having their data resold were among
their top concerns.

The report also shows that consumers will not easily forgive a company once a breach
exposing their personal data occurs. Seventy-two percent of US respondents said they
would boycott a company that appeared to disregard the protection of their data. Fifty
percent of all respondents said they would be more likely to shop at a company that could
prove it takes data protection seriously.

“As businesses continue their digital transformations, making greater use of digital assets,
services, and big data, they must also be accountable for monitoring and protecting that
data on a daily basis,” concluded the report.
What types of privacy data does the GDPR protect?

· Basic identity information such as name, address and ID numbers

· Web data such as location, IP address, cookie data and RFID tags

· Health and genetic data

· Biometric data

· Racial or ethnic data

· Political opinions

· Sexual orientation

Which companies does the GDPR affect?


Any company that stores or processes personal information about EU citizens within EU
states must comply with the GDPR, even if they do not have a business presence within
the EU. Specific criteria for companies required to comply are:

· A presence in an EU country.

· No presence in the EU, but it processes personal data of European residents.

· More than 250 employees.

· Fewer than 250 employees but its data-processing impacts the rights and freedoms
of data subjects, is not occasional, or includes certain types of sensitive personal
data. That effectively means almost all companies. A PwC survey showed that 92
percent of U.S. companies consider GDPR a top data protection priority.

A new survey conducted by Propeller Insights and sponsored by Netsparker Ltd. asked
executives which industries would be most affected by GDPR. Most (53 percent) saw the
technology sector being most impacted followed by online retailers (45 percent), software
companies (44 percent), financial services (37 percent), online services/SaaS (34
percent), and retail/consumer packaged goods (33 percent).

Who within my company will be responsible for compliance?

The GDPR defines several roles that are responsible for ensuring compliance: data
controller, data processor and the data protection officer (DPO). The data controller
defines how personal data is processed and the purposes for which it is processed. The
controller is also responsible for making sure that outside contractors comply.

Data processors may be the internal groups that maintain and process personal data
records or any outsourcing firm that performs all or part of those activities. The GDPR
holds processors liable for breaches or non-compliance. It’s possible, then, that both your
company and processing partner such as a cloud provider will be liable for penalties even
if the fault is entirely on the processing partner.

The GDPR requires the controller and the processor to designate a DPO to oversee data
security strategy and GDPR compliance. Companies are required to have a DPO if they
process or store large amounts of EU citizen data, process or store special personal data,
regularly monitor data subjects, or are a public authority. Some public entities such as
law enforcement may be exempt from the DPO requirement.

According to the Propeller Insights survey, 82 percent of responding companies say they
already have a DPO on staff, although 77 percent plan to hire a new or replacement DPO
prior to the May 25 deadline. That hiring doesn’t stop with the DPO. About 55 percent of
the survey’s respondents reported that they had recruited at least six new employees to
achieve GDPR compliance.

How does the GDPR affect third-party and customer contracts?

The GDPR places equal liability on data controllers (the organization that owns the data)
and data processors (outside organizations that help manage that data). A third-party
processor not in compliance means your organization is not in compliance. The new
regulation also has strict rules for reporting breaches that everyone in the chain must be
able to comply with. Organizations must also inform customers of their rights under
GDPR.

What this means is that all existing contracts with processors (e.g., cloud providers, SaaS
vendors, or payroll service providers) and customers need to spell out responsibilities.
The revised contracts also need to define consistent processes for how data is managed
and protected, and how breaches are reported.

“The largest exercise is on the procurement side of the house—your third-party vendors,
your sourcing relationships that are processing data on your behalf,” says Mathew Lewis,
global head of banking and regulatory practice at legal service provider Axiom. “There’s
a whole grouping of vendors that have access to this personal data and GDPR lays out
very clearly that you need to ensure that all of those third parties are adhering to GDPR
and processing the data accordingly.”

Client contracts also need to reflect the regulatory changes, says Lewis. “Client contracts
take a number of different forms, whether they are online click-throughs or formal
agreements where you make commitments to how you view, access, and process data.”

Before those contracts can be revised, business leaders, IT, and security teams need to
understand how the data is stored and processed and agree on a compliant process for
reporting. “A pretty sizable exercise is required by the technology groups, the CISO, and
data governance team to understand what data fits within the firm, where it’s being stored
or processed, and where it’s being exported outside the company. Once you understand
those data flows and the impact on the business, you can start to identify the vendors you
need to be most focused on both from an information security perspective, how you
manage those relationships going forward, and how you memorialize that in the contract
itself,” says Lewis.

The GDPR might also change the mindset of business and security teams toward data.
Most companies see their data and the processes they use to mine it as an asset, but that
perception will change, says Lewis. “Given GDPR’s explicit consent and firms needing
to be much more granular in their understanding of data and data flows, there’s a whole
set of liabilities that now exist with the accumulation of data,” says Lewis. “That’s quite a
different frame of mind both for legal and compliance, but maybe more important for the
way the business thinks about the accumulation and usage of that data and for
information security groups and how they think about managing that data.”

“Data is leaving the firm in all kinds of ways,” says Lewis. “While the CISO and the
technology groups need to be able to track all of that, you also need to put protection in
place.” Those protections need to be spelled out in the contract so the outside firms
understand what they can and cannot do with the data.

Lewis notes that by going through the process of defining obligations and
responsibilities, it prepares a company to handle GDPR compliance operationally. “If one
of your vendors says, ‘You were hacked last night,’ did they know who to call and how
to respond as part of meeting the regulatory requirements,” he says.

The 72-hour reporting window that the GDPR requires makes it especially important that
vendors know how to properly report a breach. “If a vendor was hacked and you’re one
of thousands of clients, do they notify your procurement department or an account person
or someone in accounts receivables? It could come in all kinds of ways,” says Lewis.

You want a clearly defined path in the contract for the information to get to the person in
your organization responsible for reporting the breach. “A regulator is not going to say
you shouldn’t have had a breach. They are going to say you should have had the policies,
procedures, and response structure in place to solve for that quickly,” says Lewis.

Larger companies might have thousands of contracts to update. Complicating that
challenge is that it needs to be done late in the compliance process. Before you can define
obligations and responsibilities, you must know exactly what data you have, where
and how it is processed, and the data flows. “That’s left a lot of institutions racing toward
the deadline trying to complete the technical and operational issues and having to play
catch-up on putting the right contract in place to enforce that. A lot of firms have not
done any renegotiation of contract terms.”

That begs the question: What happens if the contracts aren’t all in place by the May
deadline? Lewis sees several risks to not completing the contract source

CAN-SPAM Act

What is CAN-SPAM?
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) is
an act that was passed in 2003.

That's right, they looped us in with pornographers.

That act is a law that establishes the rules for commercial email and commercial
messages, gives recipients the right to have a business stop emailing them, and outlines
the penalties incurred for those who violate the law.

The Bureau of Consumer Protection notes that CAN-SPAM doesn't just apply to bulk
email. "It covers all commercial messages, which the law defines as 'any electronic mail
message the primary purpose of which is the commercial advertisement or promotion of a
commercial product or service,' including email that promotes content on commercial
websites. The law makes no exception for business-to-business email." It does, however,
exempt transactional and relationship messages.

What does this law mean, practically, for marketers and business owners? I'll lay out the
rules you need to follow as an email marketer, but in short, it means that your emails
need to comply in three main areas: unsubscribe, content, and sending behavior.

First, what are the penalties for non-compliance with the CAN-SPAM Act?
For every single email that violates the CAN-SPAM Act, the FTC will fine you $16,000.
So if you're caught being non-compliant for a list of, say, 10,000 ... well, you do the
math. Yikes.

So now that I've sufficiently scared you, here's how to comply with CAN-SPAM rules.

Rules to Follow for CAN-SPAM Compliance
In order to be CAN-SPAM compliant, it's important your email messages follow these
rules, which can be found in full over at the FTC's website.

DO

• Do include your valid physical postal address in every email you send out.

• Do provide a clear and obvious way to opt out of every email you send out, and
honor the unsubscribe within 10 business days.

• Do use clear "From," "To," and "Reply to" language that accurately reflects who
you are. This applies to the person or business sending the message, as well as the
domain name and email address.

DON'T

• Don't sell or transfer any email addresses to another list.

• Don't make it hard to unsubscribe from emails. You cannot 1) charge a
fee, 2) require a recipient to provide personally identifying information beyond an
email address, or 3) make recipients take extensive steps other than simply
replying to an email or visiting a single page on a website to unsubscribe
themselves from your emails.

• Don't use deceptive subject lines in your emails that misrepresent the contents of
your message.

Now, I can't stress enough that I am not a lawyer, and that you should not construe the
contents of this article as legal advice. The FTC website also has extensive advice on this
subject to which you can refer. But, I hope this article has helped lend some clarity
around CAN-SPAM if it's caused you some confusion in the past! source
