For a preview of future privacy law in the United States, keep a close eye on The Golden State. On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. When the CCPA passed, industry observers considered it a landmark piece of consumer privacy rights legislation, as it requires certain businesses to disclose whatever personal data they have about a consumer whenever that person requests it.
California voters raised the stakes in November 2020 by passing the California Privacy Rights Acts (CPRA), which extends the CCPA’s scope and gives it new enforcement bite. Under CPRA, which takes effect January 1, 2023, the newly created California Privacy Protection Agency (CalPPA) can enforce the CCPA through steps such as auditing businesses’ privacy practices and ordering regular risk assessments as deemed necessary. (Click here for a deep dive into all of the CPRA’s implications.)
So how will this impact the rest of the country? For one, California is not the only state to enact this sort of legislation. According to CNET, Nevada and Maine have already passed similar legislation and 11 other states are also considering privacy bills. California’s pioneering laws will certainly help shape what other states do. (Click here for a quick reference to where privacy legislation stands in each state.)
Plus, some of the businesses complying with the CCPA are offering the same privacy rights to ALL U.S. customers, not just those living in the Golden State. That means if you live in Iowa and want to know what a California business has on file about you, you may be able to find out and request it be removed from their servers.
While much remains unclear about the California law’s exact impact on business, it does set certain rights in place for consumers’ data:
While this new push for privacy may seem progressive to Americans, it’s been a part of European business practices for two years now and in a more aggressive way. The General Data Protection Regulation (GDPR) went into effect in 2018. The goal of the GDPR is to give individuals control over their own personal data. EU, EEA, and UK residents now have access to and can correct, delete, and export personal information. The GDPR also has more privacy controls in place, and much steeper fines and penalties for those who don’t comply.
These provisions apply to almost all organizations that collect data from EU, EEA, and UK individuals. That includes small businesses, non-profits, non-technology companies, and organizations operating outside of Europe.
The GDPR is also designed to make following regulations easier to comply with for groups working internationally. Under these parameters, organizations only have one set of privacy laws to understand and abide by, rather than a new set of laws for each country within the region.
We may see this sort of universal legislation in the United States in the near future. With more states creating their own guidelines, there is talk of new, federal privacy legislation.
This possibility of federal privacy laws resembling the CCPA or GDRP is growing. Several senators have worked together to propose bills like the SAFE DATA act, which place stricter limitations on algorithmic decision-making, biometric data, and data minimization.
The move toward federal legislation has been reassuring to some businesses already following CCPA. The concern is that each state will enact their own privacy laws, making it difficult for companies to keep up with so many different sets of rules. However, it’s worth noting that even though federal law supersedes state law, some federal laws allow states to enact tougher requirements on top of the federal regulations.
As with any significant change, there are concerns over the stricter privacy laws. One case out of Germany shows why they may be justified. An Amazon Alexa user requested all of his audio files the device had picked up. Instead, he was given 1,700 audio files from the wrong home. Amazon blamed the mistake on “human error” and said it was an isolated incident.
That’s just one example of how requesting a legitimate customer’s private data could also be acquired by the wrong person. However, even when businesses try to avoid this sort of mistake, the possibility of critical information getting into the hands of a criminal is there. That’s why some California businesses are now setting stricter guidelines for customers wanting to access their own data.
A New York Times article outlines a recent situation in which a business trying to comply with CCPA hired a third-party vendor to handle the influx of customer information requests. The vendor started verifying these requests by asking customers to supply more identification. This was typically done by asking for images of customers’ driver’s licenses and even additional photos of customers’ smiling.In short, the business wanted more private data to release the customer’s private data. It appears to be a cybersecurity cycle that organizations are still trying to figure out.
With so much new legislation, businesses could use early compliance as an advantage. Using the time and resources needed to become CCPA or GDPR compliant could put you a step above the competition. Touting an emphasis on privacy is appealing to many consumers. (For an overview of how privacy laws impact businesses and compare to overall security, click here.)
Even if you’re not interested in giving your business a boost with proactive privacy, you should start considering what compliance will look like for your organization. Companies should accept the fact that privacy rights are a growing concern and new legislation will be coming.
Here are a few steps your business should be taking now to get ready:
1. Designate a privacy officer, someone in charge of organizing the process to become compliant.
2. Be externally compliant. Update your privacy notice on your company website.
3. Think about data inventory. Know where information is located within your system.
4. Figure out how you will be able to obtain and report customer information when requested.
5. Decide on a verification process to ensure the data your giving out is to the correct person.
Figuring this all out may not be easy, but getting to work on it early could save you a lot of issues and headaches later. Regardless of whether it’s CCPA or another piece of legislation, this is something many businesses will need to respond to. It’s up to each company to decide if they want to be proactive or reactive.
If you need help with objectives like inventory, security controls, process recommendations, or who to reach out to for legal compliance, Pratum representatives work with national and international businesses every day. A Pratum cybersecurity expert would be happy to help guide you through the privacy legislation process. For assistance, please contact us today.Editor's Note: This post was originally published in January 2020 and has been updated to reflect new legal developments.
If you worry that you’re too pessimistic, wait until a warning sign pops up on your dashboard—whether it’s in your car or on the company network. Those moments make reckless optimists of us all, convinced that the problem will fade away like last night’s heartburn. Even though that approach may not actually work, it’s usually more convenient in the short term than wading into a vague problem with invisible tentacles. But the next time unusual network activity sets your Spidey Sense atinglin’, remember this: Most data breaches get more expensive with each passing day.
Despite that, most companies take days to send up the infosec distress flare. That’s why Pratum’s incident response team keeps its calendar open on Friday afternoons. Nearly every week, we get a distress call as IT teams realize they’d better not let things stretch into the weekend. A typical call to our breach hotline (515-212-6634) sounds like this:
“I saw this suspicious login activity on Tuesday, but I took care of it. Then it happened again on Wednesday, so I fixed it again. But it seems like it’s still going on, so can you take a look at it? Before 5:00 today?”
Pratum’s team stands by 24/7, but, for your sake, they’d rather you make the call sooner. “The problem is a lot less severe if it hasn’t grown for several days,” says Pratum’s Director of Security Operations Megan Soat.
Hopefully, this fact comes to mind the next time you discover a breach “as soon as it happened”: By the time you notice a breach, the hacker has already been at work on your system for some time—probably a long time. An IBM study shows that, on average, American companies take 186 days to detect a data breach and another 51 days to fully contain it. (As you would expect, breaches caused by malicious attackers covering their tracks take longer to detect than glitches or user errors.) A massive breach of Starwood Hotels discovered in 2018 had gone undetected for four years.
And hours count on data breaches like minutes count on ambulance calls. IBM’s study shows that organizations that keep the detection/containment window under 200 days save an average of $1.2 million.
Some of a breach’s costs are clearly measurable (such as the price to restore data), and others may be harder to spot (such as the average 5% stock price drop among breached public companies). Costs that can pile up during a delay include:
Before you face the next suspected breach, consider taking these steps so you’re ready to extinguish problems as soon as you know about them:
To learn more about how Pratum can help minimize the damage and costs the next time a hacker comes calling, contact us today.
Pull up a copy of any security framework published in the last 20 years, and you’ll almost certainly find some mention of asset management. Tracking the hardware and software in your environment is the fundamental step to securing your organization—and that includes planning for mobile device security. You can’t effectively secure what you can’t see, and you can’t patch software on a system that you don’t know is there. That’s why one top standard, the Center for Internet Security Critical Security Controls (CIS CSC or CIS Top 20), gives the top two spots on its priority list to “Inventory and Control of Hardware Assets” and “Inventory and Control of Software Assets.”
Despite the absolutely fundamental nature of asset management, many organizations neglect it. IT managers especially tend to overlook mobile devices and software, even though these assets are some of the most important elements in risk management. The four factors below make mobile devices and software especially likely to get involved in security incidents:
1. Mobile devices are easily physically lost or stolen.
2. They often contain sensitive data.
3. They frequently connect to networks outside the corporate network perimeter.
4. Users' normal impatience with security safeguards is even more limited in mobile settings.
Add all that up, and you have a recipe for security incidents involving mobile devices. And that’s a problem that can spread quickly. It is critical that your organization manage, control, and monitor mobile devices in order to protect them from becoming a beachhead for hackers looking to pivot and access internal organization systems.
There’s no doubt that managing mobile devices properly adds complexity to your security strategy. But you don’t have the option of ignoring the issue. If a breach occurs, your customers and industry partners won’t care about all the reasons you found it too hard to manage and secure your mobile hardware and software assets. If you think it’s too costly or difficult to implement a mobile device or software control, you should reevaluate whether you should use mobile devices as part of your computing environment.
When you do get serious about mobile security, you’ll quickly discover a host of different solution categories (plus a long list of vendors) that could come into play, including Mobile Device Management (MDM), Mobile Application Management (MAM), End Point Protection (EPP) and Data Loss Prevention (DLP). (Plus many others if we bring mobile device network security into scope.)
Most organizations will need to consider a mixture of approaches and solutions to manage mobile device and software risks. One thing you shouldn’t do is determine the best solution first. Before you get to the point of solutioning, you should:
1. Understand all of the risks introduced to your organization by mobile devices and software. (Pratum can assist with thorough risk assessments that include evaluating your mobile posture.)
2. Determine the specific functions or features necessary for your organization to sufficiently manage mobile device and software risk.
3. Evaluate/document whether the solutions your organization already has in place are fully capable of managing your mobile device and software risks.
Below, we summarize first steps toward solutions for the top three mobile device risks listed at the beginning of this post.
When a device physically leaves a legitimate user’s control, it is likely to face several potential threats. Anyone in control of a device can either attempt to access what’s on the device, or they may use it to access restricted networks or applications through the credentials of the device’s approved user. Even if a device doesn’t make it into the hands of a malicious attacker, it could be used in a way that exposes the organization to compliance or reputation risk. (A huge community of enthusiasts on the Internet revolves around rooting/jailbreaking devices). Finally, you must be ready to deal with devices that terminated employees never return.
To deal with each of the threats above, consider the following security controls:
– Enforce password/pin length/complexity standards.
– Enforce password/pin rotation, reset, and history standards.
– Enforce screen lock/timeout policies for devices.
– Use login banners and warnings.
Ultimately, data is what most organizations really want to secure on their mobile devices. Before you go down the path of choosing a security approach, consider whether the best approach is simply keeping sensitive data off the mobile device in the first place.
If you do need to allow data to go mobile, you can secure it with a combination of encryption and remote wipe capabilities:
Taking devices outside the traditional security perimeter usually strips them of several layers of network security controls that come along with an organization’s firewall and Internet traffic filtering infrastructure. While endpoint network controls enabled by DNS are not strictly an asset management function, you should strongly consider using them. As mentioned above, a compromised mobile device often becomes a doorway that hackers use to breach broader company systems.
Here are some best practices for managing devices using outside networks:
If you are an IT or security practitioner, remember that deciding whether to accept a risk or to manage it by implementing a control in any given scenario is ultimately a business decision enabled by your expert opinion. Pratum specializes in helping leaders assess risk in light of their specific business needs and develop appropriate solutions. Contact us to learn more about how we can work together to secure your organization.