Pratum Blog

California Consumer Privacy Act

For a preview of future privacy law in the United States, keep a close eye on The Golden State. On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. When the CCPA passed, industry observers considered it a landmark piece of consumer privacy rights legislation, as it requires certain businesses to disclose whatever personal data they have about a consumer whenever that person requests it.

California voters raised the stakes in November 2020 by passing the California Privacy Rights Act (CPRA), which extends the CCPA’s scope and gives it new enforcement bite. Under CPRA, which takes effect January 1, 2023, the newly created California Privacy Protection Agency (CalPPA) can enforce the CCPA through steps such as auditing businesses’ privacy practices and ordering regular risk assessments as deemed necessary. (Click here for a deep dive into all of the CPRA’s implications.)

So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills. California’s pioneering laws will certainly help shape what other states do. (Click here for a quick reference to where privacy legislation stands in each state.)

Plus, some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just those living in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.

New Rights for Consumers

While much remains unclear about the California law’s exact impact on business, it does set certain rights in place for consumers’ data:

  • Knowing what personal information is collected, used, shared or sold. The CPRA now requires that this information be shared with consumers “at or before the point of collection.”
  • Having the right to delete personal information held by businesses, and by extension businesses’ service providers. The CPRA extends this requirement to require companies to share the deletion request with anyone they have shared the information with.
  • Exercising the right to opt-out of sale of personal information. (Children under 16 must provide opt-in consent. Children under 13 need parental or guardian consent.) Consumers can also prohibit the “sharing” of their information in scenarios such as one company giving it to another company for advertising usage, even if no money changes hands for the information.
  • Having the right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
  • Having the right to correct inaccurate personal information.

How CCPA Compares to GDPR

While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.

These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.

The GDPR is also designed to make compliance easier for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.

Federal Privacy Law Potential

We may see this sort of universal legislation in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.

The possibility of federal privacy laws resembling the CCPA or GDPR is growing. Several senators have worked together to propose bills like the SAFE DATA Act, which would place stricter limitations on algorithmic decision-making, biometric data, and data minimization.

The move toward federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact its own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, it’s worth noting that even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.

Concerns Over Privacy Legislation

As with any significant change, there are concerns over the stricter privacy laws. One case out of Germany shows why they may be justified. An Amazon Alexa user requested all of his audio files the device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.

That’s just one example of how a legitimate customer’s private data, once requested, could end up with the wrong person. However, even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.

A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers smiling. In short, the business wanted more private data to release the customer’s private data. It appears to be a cybersecurity cycle that organizations are still trying to figure out.

What You Can Do

With so much new legislation, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers. (For an overview of how privacy laws impact businesses and compare to overall security, click here.)

Even if you’re not interested in giving your business a boost with proactive privacy, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.

Here are a few steps your business should be taking now to get ready:

1. Designate a privacy officer, someone in charge of organizing the process to become compliant.

2. Be externally compliant. Update your privacy notice on your company website.

3. Think about data inventory. Know where information is located within your system.

4. Figure out how you will be able to obtain and report customer information when requested.

5. Decide on a verification process to ensure the data you’re giving out goes to the correct person.

Figuring this all out may not be easy, but getting to work on it early could save you a lot of issues and headaches later. Regardless of whether it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.

If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process. For assistance, please contact us today.

Editor's Note: This post was originally published in January 2020 and has been updated to reflect new legal developments.

Time is Money When It Comes to Data Breaches

If you worry that you’re too pessimistic, wait until a warning sign pops up on your dashboard—whether it’s in your car or on the company network. Those moments make reckless optimists of us all, convinced that the problem will fade away like last night’s heartburn. Even though that approach may not actually work, it’s usually more convenient in the short term than wading into a vague problem with invisible tentacles. But the next time unusual network activity sets your Spidey Sense atinglin’, remember this: Most data breaches get more expensive with each passing day.

Despite that, most companies take days to send up the infosec distress flare. That’s why Pratum’s incident response team keeps its calendar open on Friday afternoons. Nearly every week, we get a distress call as IT teams realize they’d better not let things stretch into the weekend. A typical call to our breach hotline (515-212-6634) sounds like this:

“I saw this suspicious login activity on Tuesday, but I took care of it. Then it happened again on Wednesday, so I fixed it again. But it seems like it’s still going on, so can you take a look at it? Before 5:00 today?”

Hackers Favor Delayed Strikes

Pratum’s team stands by 24/7, but, for your sake, they’d rather you make the call sooner. “The problem is a lot less severe if it hasn’t grown for several days,” says Pratum’s Director of Security Operations Megan Soat.

Hopefully, this fact comes to mind the next time you discover a breach “as soon as it happened”: By the time you notice a breach, the hacker has already been at work on your system for some time—probably a long time. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. (As you would expect, breaches caused by malicious attackers covering their tracks take longer to detect than glitches or user errors.) A massive breach of Starwood Hotels discovered in 2018 had gone undetected for four years.

And hours count on data breaches like minutes count on ambulance calls. IBM’s study shows that organizations that keep the detection/containment window under 200 days save an average of $1.2 million.

The Price of Waiting

Some of a breach’s costs are clearly measurable (such as the price to restore data), and others may be harder to spot (such as the average 5% stock price drop among breached public companies). Costs that can pile up during a delay include:

  • Lost business operations time – Obviously, the longer you take to fix a problem, the longer it takes for everyone to get back to their day jobs.
  • Ongoing damage – Many attacks spread in clever ways even after you block the original problem. Megan points to attacks involving an Office 365 system. “A lot of teams don’t look at the e-mail forwarding rules,” she says. “So malware may have automatically sent itself all over your system, which means the bad guys still have access after you think you’ve fixed the issue. An IT team may think they’ve solved it but lack the expertise to verify that.” Similarly, irony-loving hackers may exploit your automated backup system to spread their work via the very tool you use to protect your data.
    One of a cybersecurity pro’s biggest services is verifying that the problem is truly eliminated. “Even if you think you have it solved, it could be weeks or months before something else pops up if you don’t have it verified by someone who knows what they’re doing,” Megan says.
  • Fines – Breach notification laws typically specify the timeframe in which you must notify affected parties that their information has been compromised. That window is frequently as short as 72 hours. So taking most of a work week to sort things out could use up your allotted time and incur fines.
  • Breach of contracts – In time-sensitive industries such as logistics, a compromised system could mean you miss critical deadlines and break contracts, costing you revenue in the short term and entire contracts in the long term.
  • Lost customer trust – Here’s a case where the cover-up can look worse than the crime. If word gets out (either through a legally required notification or simple industry gossip) that you dragged your feet in dealing with a breach, many customers will lose confidence in your security process and overall decision making and transparency. That’s why 71% of Chief Marketing Officers say loss of brand value is a breach’s biggest cost. “If it’s something they have to notify on,” Megan says, “it looks a lot better if they’ve involved someone from the beginning. How do you show clients that you took it seriously? Call in a security firm right away.” (Pratum Breach Hotline: 515-212-6634)
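One concrete check for the forwarding-rule problem Megan describes, as an added example that is not Pratum's code: it scans a constructed, offline export shaped like the fields Exchange Online's Get-InboxRule returns (field names are assumed to match that cmdlet's output) and reports rules that forward or redirect mail to addresses outside the organization's own domains, so a responder can confirm nothing is still leaking after the original problem is blocked.

```python
"""Flag inbox rules that forward or redirect mail outside the organization.

Added example. The input is a constructed list of dicts mirroring the
Get-InboxRule properties Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
RedirectTo and MailboxOwnerId (assumed field names, not a real export).
"""
import re
from dataclasses import dataclass

# Constructed: the organization's own mail domains (subdomains count as internal).
INTERNAL_DOMAINS = {"example.com"}

# Get-InboxRule renders recipients as strings like 'Bob [SMTP:bob@example.com]';
# this pulls the SMTP address out of such strings.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


@dataclass
class Finding:
    mailbox: str
    rule: str
    action: str
    recipient: str
    enabled: bool


def _recipients(value):
    """Return lower-cased SMTP addresses found in a recipient field (str or list)."""
    if not value:
        return []
    items = [value] if isinstance(value, str) else value
    return [addr.lower() for item in items for addr in EMAIL_RE.findall(item)]


def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours or a subdomain of ours."""
    domain = address.lower().rsplit("@", 1)[-1]
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def find_external_forwarding(rules, internal=INTERNAL_DOMAINS):
    """Report every forward/redirect action whose target is external.

    Disabled rules are reported too (with enabled=False): a rule an attacker
    switched off but left behind is still worth a look during verification.
    """
    findings = []
    for rule in rules:
        for action in FORWARD_ACTIONS:
            for addr in _recipients(rule.get(action)):
                if is_external(addr, internal):
                    findings.append(Finding(rule["MailboxOwnerId"], rule["Name"],
                                            action, addr, bool(rule.get("Enabled", True))))
    return findings


# Constructed sample export: two benign rules, one live redirect, one disabled forward.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Move newsletters", "Enabled": True,
     "ForwardTo": None, "ForwardAsAttachmentTo": None, "RedirectTo": None},
    {"MailboxOwnerId": "alice@example.com", "Name": "Share with Bob", "Enabled": True,
     "ForwardTo": ["Bob [SMTP:bob@example.com]"], "ForwardAsAttachmentTo": None, "RedirectTo": None},
    {"MailboxOwnerId": "carol@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": None, "ForwardAsAttachmentTo": None,
     "RedirectTo": ["Carol Backup [SMTP:carol.backup@mail-example.net]"]},
    {"MailboxOwnerId": "dave@example.com", "Name": "old", "Enabled": False,
     "ForwardTo": ["x [SMTP:x@outside.example]"], "ForwardAsAttachmentTo": None, "RedirectTo": None},
]

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        state = "enabled" if f.enabled else "DISABLED"
        print(f"{f.mailbox}: rule '{f.rule}' ({state}) {f.action} -> {f.recipient}")
```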

What To Do Next Time

Before you face the next suspected breach, consider taking these steps so you’re ready to extinguish problems as soon as you know about them:

  • Create a business continuity/disaster recovery plan – You’ll be way ahead if you’ve developed a response plan in a clear, calm mindset so that you don’t have to scramble for next steps when a stressful event drops on you. Reach out to us for a template you can use to get started.
  • Consider an information security retainer – Signing a contract in advance makes it easy to bring a consultant into the situation. You won’t have to explain your system under the pressure of a breach, and the consultant can let you know in advance what data you should be tracking so they can help you when the time comes. Plus, if you establish a retainer with a set number of hours per year, you’ll have the service built into your budget, which means your boss won’t worry about using the service you’ve already paid for.
  • Call our hotline for a quick opinion – Even if you’ve never worked with us before, we’ll provide an initial read on what you’re facing. “We don’t charge for the first call to find out what’s going on,” Megan says. “And we’re willing to tell people if they don’t need our help.”

To learn more about how Pratum can help minimize the damage and costs the next time a hacker comes calling, contact us today.

Get Serious about Mobile Security

Pull up a copy of any security framework published in the last 20 years, and you’ll almost certainly find some mention of asset management. Tracking the hardware and software in your environment is the fundamental step to securing your organization—and that includes planning for mobile device security. You can’t effectively secure what you can’t see, and you can’t patch software on a system that you don’t know is there. That’s why one top standard, the Center for Internet Security Critical Security Controls (CIS CSC or CIS Top 20), gives the top two spots on its priority list to “Inventory and Control of Hardware Assets” and “Inventory and Control of Software Assets.”

Despite the absolutely fundamental nature of asset management, many organizations neglect it. IT managers especially tend to overlook mobile devices and software, even though these assets are some of the most important elements in risk management. The four factors below make mobile devices and software especially likely to get involved in security incidents:

1. Mobile devices are easily physically lost or stolen.

2. They often contain sensitive data.

3. They frequently connect to networks outside the corporate network perimeter.

4. Users' already limited patience with security safeguards wears even thinner in mobile settings.

Add all that up, and you have a recipe for security incidents involving mobile devices. And that’s a problem that can spread quickly. It is critical that your organization manage, control, and monitor mobile devices in order to protect them from becoming a beachhead for hackers looking to pivot and access internal organization systems.

There’s no doubt that managing mobile devices properly adds complexity to your security strategy. But you don’t have the option of ignoring the issue. If a breach occurs, your customers and industry partners won’t care about all the reasons you found it too hard to manage and secure your mobile hardware and software assets. If you think it’s too costly or difficult to implement a mobile device or software control, you should reevaluate whether you should use mobile devices as part of your computing environment.

Review Your Mobile Security Posture

When you do get serious about mobile security, you’ll quickly discover a host of different solution categories (plus a long list of vendors) that could come into play, including Mobile Device Management (MDM), Mobile Application Management (MAM), End Point Protection (EPP) and Data Loss Prevention (DLP). (Plus many others if we bring mobile device network security into scope.)

Most organizations will need to consider a mixture of approaches and solutions to manage mobile device and software risks. One thing you shouldn’t do is determine the best solution first. Before you get to the point of solutioning, you should:

1. Understand all of the risks introduced to your organization by mobile devices and software. (Pratum can assist with thorough risk assessments that include evaluating your mobile posture.)

2. Determine the specific functions or features necessary for your organization to sufficiently manage mobile device and software risk.

3. Evaluate/document whether the solutions your organization already has in place are fully capable of managing your mobile device and software risks.

Below, we summarize first steps toward solutions for the top three mobile device risks listed at the beginning of this post.

Physical Loss/Theft

When a device physically leaves a legitimate user’s control, it is likely to face several potential threats. Anyone in control of a device can either attempt to access what’s on the device, or they may use it to access restricted networks or applications through the credentials of the device’s approved user. Even if a device doesn’t make it into the hands of a malicious attacker, it could be used in a way that exposes the organization to compliance or reputation risk. (A huge community of enthusiasts on the Internet revolves around rooting/jailbreaking devices.) Finally, you must be ready to deal with devices that terminated employees never return.

To deal with each of the threats above, consider the following security controls:

Policy/Process/Standards
  • Require users to immediately report lost devices and report security incidents involving mobile devices.
  • Require users to sign an acceptable use agreement for mobile devices or Bring Your Own Device (BYOD).
Technology
  • Keep devices updated with minimum OS (iOS or Android) level standards.
  • Monitor for devices being rooted or jailbroken.
  • Monitor for failed login attempts and enable the ability to lock out or wipe devices when there are too many attempts.
  • Establish adequate device access control configurations:
    – Enforce password/PIN length and complexity standards.
    – Enforce password/PIN rotation, reset, and history standards.
    – Enforce screen lock/timeout policies for devices.
    – Use login banners and warnings.

Sensitive Data Control

Ultimately, data is what most organizations really want to secure on their mobile devices. Before you go down the path of choosing a security approach, consider whether the best approach is simply keeping sensitive data off the mobile device in the first place.

If you do need to allow data to go mobile, you can secure it with a combination of encryption and remote wipe capabilities:

  • Remote wipe – Tools that let you reach out and remove all data on the device (essentially a factory reset).
  • Selective remote wipe – Tools that reach out and remove specific data or apps on the device (more common in BYOD scenarios).
  • Device encryption – Encrypting the device’s hard drive to protect all the data. Be sure your strategy includes plans for managing the device’s encryption keys.
  • Selective encryption – Encrypting certain applications or data on the device. (More common in BYOD scenarios.)

Outside Network Connections

Taking devices outside the traditional security perimeter usually strips them of several layers of network security controls that come along with an organization’s firewall and Internet traffic filtering infrastructure. While endpoint network controls enabled by DNS are not strictly an asset management function, you should strongly consider using them. As mentioned above, a compromised mobile device often becomes a doorway that hackers use to breach broader company systems.

Here are some best practices for managing devices using outside networks:

Device software installation/usage restrictions
  • If users are allowed to install software/apps, they can install malware, whether accidentally or intentionally. So you should strongly consider app whitelisting or category-based whitelisting.
  • If a mobile device user without software restrictions implemented falls victim to a phishing attack, the device is much more easily compromised and can be used to pivot to internal systems.
Elevated security requirements for mobile device access to production systems and data
  • If your risky mobile devices don’t need to be on the same network as your servers when they come into the office, Network Access Control (NAC) can help keep them separated.
  • Consider requiring multifactor authentication (MFA) for any system that can be accessed by a mobile device.
App communication security
  • Ensure that communication channels for all apps on your mobile devices use the latest encryption capabilities such as TLS 1.2 or 1.3 to ensure that traffic transmitted over public networks is properly secured.
End Point Protection
  • Consider implementing an End Point Protection agent to monitor for and respond to malware infections or other security incidents on the device.

If you are an IT or security practitioner, remember that deciding whether to accept a risk or to manage it by implementing a control in any given scenario is ultimately a business decision enabled by your expert opinion. Pratum specializes in helping leaders assess risk in light of their specific business needs and develop appropriate solutions. Contact us to learn more about how we can work together to secure your organization.
