Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

11/27/2019
12:00 PM
Tony Anscombe
Tony Anscombe
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How to Get Prepared for Privacy Legislation

All the various pieces of legislation, both in the US and worldwide, can feel overwhelming. But getting privacy basics right is a solid foundation.

On January 1, 2020, California will step on the world stage of privacy when the California Consumer Privacy Act (CCPA) takes effect. It follows the European Union's General Data Protection Regulation (GDPR) and other regional legislative controls that are designed to protect the personal data of consumers.

The CCPA legislation may apply to your business if it's a for-profit entity and collects or processes the personal information of Californian residents. And one of the following needs to apply: the business has an annual gross revenue in excess of $25 million; the business annually trades the personal information of 50,000 or more consumers, households, or devices; or the business derives 50% or more of its revenue from selling consumers' personal information.

There may be requirements to update privacy policies, third-party, and service provider contracts and any other terms that cover the collection, retention, and protection of personal data held by the company. It's important that all businesses review their status and establish if they need to comply with the legislation.

As with other privacy legislation, the fines for noncompliance could be significant. Under GDPR, we have recently witnessed British Airways being fined $230 million and Marriott Hotel Group $123 million for data breaches. The CCPA legislation allows for fines by the attorney general of up to $7,500 per incident and gives individual consumers the right to file a lawsuit for up to $700 each. I expect once the legislation takes effect that we will see some considerable legal action with class action lawsuits filed against companies that suffer data breaches

Complying with the legislation requires companies to adopt policies for the collection and retention of the data. It also requires companies to provide "reasonable security" to protect the personal data. The word "reasonable" can be interpreted in many different ways and the extent of what is deemed reasonable will not be clear until we see the legal cases being brought once the legislation takes effect.

To assist companies in taking proactive steps to address the requirement for reasonable security, companies could leverage the requirements of other legislation such as GDPR. The following are starting points for companies that need to comply; note, however, that these are just starting points, and I recommend seeking professional and legal advice to ensure compliance.

Privacy Basics: Single Point of Responsibility
Appoint a data protection officer (DPO). This is a requirement under GDPR and is an essential position for any company holding personal data. A DPO's main tasks should include understanding where the data is, the business purpose of why it was collected and is being retained, controlling access to the data, and deleting data no longer required. Consumers may request a copy of their data or require it to be deleted, and a dedicated DPO facilitates a single point of contact to deal with such requests.

Having this single point of responsibility is essential so that businesses can operate in a professional and compliant environment. The DPO can organize regular risk assessments, penetration tests, and security policies. While these do not provide a 100% guarantee that no breach will happen, they are steps that provide evidence that the issues have been taken seriously in the organization, providing a defensible defense should the need occur.   

Limiting access to the data will reduce the risk of an inadvertent breach and reduce the number of employees that will need specialized training in the management and handling of personal data. It does not, however, reduce the need for all employees to be subjected to cybersecurity awareness training.

The data should be considered the crown jewels of the organization. Without customer data, or with a lost reputation due to a data breach, the company is likely to suffer financially. Treating the personal data of consumers like the crown jewels and placing it in its own protected segment of the network will create barriers and layers that can thwart the attempts of cybercriminals to gain access. We deal with layers in everyday life: The important possessions we own personally may be in a home safe or a safety deposit box. We then secure our homes with alarms and several locks on doors. With every layer, we add more complexity for the burglar.

Securing personal information should include, at a minimum, encryption and multifactor authentication. When asked, "What should I encrypt?" the answer is everything. Encryption is no longer the resource overhead it once was and by having whole-device encryption on devices, the risk of data being breached due to a stolen or lost device is reduced. Encryption of the personal data being held, including the hashing of customer passwords, will also demonstrate that significant steps have been taken to secure the data.

It would seem unprofessional not to include the following recommendations:

  • Make sure all devices connected have been patched and updated.
  • All devices should be protected with an up-to-date endpoint anti-malware product.
  • All devices and data should have a backup and recovery policy that is tested from time to time.

The need to have privacy legislation is just another step in the evolution of the digital and connected revolution that is transforming humanity. As consumers, we need to engage in understanding the value of our data, who we allow to collect it, and what we allow them to do with it. Without this engagement or legislation to protect us, we allow companies wishing to monetize by using our personal information to have free rein.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Gamification Is Adding a Spoonful of Sugar to Security Training."

Tony Anscombe is the Global Security Evangelist for ESET. With over 20 years of security industry experience, Anscombe is an established author, blogger, and speaker on the current threat landscape, security technologies, and products, data protection, privacy and trust, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TonyA940
100%
0%
TonyA940,
User Rank: Author
11/29/2019 | 11:36:52 AM
Re: CCPA
You may need to be GDPR compliant though, and other legislation around the world. The best practice is to implement a good security policy and secure data regardless of business size.
TonyA940
100%
0%
TonyA940,
User Rank: Author
11/29/2019 | 11:29:21 AM
Re: GDPR
And Marriott group around $125m, it's a serious amount of cash the regulatory is taking. As a victim of the BA breach, I fully support making examples of companies that have these issues.
TonyA940
50%
50%
TonyA940,
User Rank: Author
11/29/2019 | 11:27:12 AM
Re: Encryptions
I often get asked 'what should we encrypt', I always give the same answer - everything.
TonyA940
50%
50%
TonyA940,
User Rank: Author
11/29/2019 | 11:23:27 AM
Re: Data
Completely agree, the issue is the engagement. Unfortunately, people are only concerned when it directly affects them, while we know it affects everyone it needs to be personal to get attention and engagement. It's a huge challenge and hopefully, legislation will help control this. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19338
PUBLISHED: 2020-07-13
A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is ...
CVE-2020-11749
PUBLISHED: 2020-07-13
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2.
CVE-2020-5766
PUBLISHED: 2020-07-13
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SRS Simple Hits Counter Plugin for WordPress 1.0.3 and 1.0.4 allows a remote, unauthenticated attacker to determine the value of database fields.
CVE-2020-15689
PUBLISHED: 2020-07-13
Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, mishandles an HTTP request with a Range header that lacks an exact range. This may result in a NULL pointer dereference and cause a denial of service.
CVE-2019-4591
PUBLISHED: 2020-07-13
IBM Maximo Asset Management 7.6.0 and 7.6.1 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 167451.