Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

11/27/2019
12:00 PM
Tony Anscombe
Tony Anscombe
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How to Get Prepared for Privacy Legislation

All the various pieces of legislation, both in the US and worldwide, can feel overwhelming. But getting privacy basics right is a solid foundation.

On January 1, 2020, California will step on the world stage of privacy when the California Consumer Privacy Act (CCPA) takes effect. It follows the European Union's General Data Protection Regulation (GDPR) and other regional legislative controls that are designed to protect the personal data of consumers.

The CCPA legislation may apply to your business if it's a for-profit entity and collects or processes the personal information of Californian residents. And one of the following needs to apply: the business has an annual gross revenue in excess of $25 million; the business annually trades the personal information of 50,000 or more consumers, households, or devices; or the business derives 50% or more of its revenue from selling consumers' personal information.

There may be requirements to update privacy policies, third-party, and service provider contracts and any other terms that cover the collection, retention, and protection of personal data held by the company. It's important that all businesses review their status and establish if they need to comply with the legislation.

As with other privacy legislation, the fines for noncompliance could be significant. Under GDPR, we have recently witnessed British Airways being fined $230 million and Marriott Hotel Group $123 million for data breaches. The CCPA legislation allows for fines by the attorney general of up to $7,500 per incident and gives individual consumers the right to file a lawsuit for up to $700 each. I expect once the legislation takes effect that we will see some considerable legal action with class action lawsuits filed against companies that suffer data breaches

Complying with the legislation requires companies to adopt policies for the collection and retention of the data. It also requires companies to provide "reasonable security" to protect the personal data. The word "reasonable" can be interpreted in many different ways and the extent of what is deemed reasonable will not be clear until we see the legal cases being brought once the legislation takes effect.

To assist companies in taking proactive steps to address the requirement for reasonable security, companies could leverage the requirements of other legislation such as GDPR. The following are starting points for companies that need to comply; note, however, that these are just starting points, and I recommend seeking professional and legal advice to ensure compliance.

Privacy Basics: Single Point of Responsibility
Appoint a data protection officer (DPO). This is a requirement under GDPR and is an essential position for any company holding personal data. A DPO's main tasks should include understanding where the data is, the business purpose of why it was collected and is being retained, controlling access to the data, and deleting data no longer required. Consumers may request a copy of their data or require it to be deleted, and a dedicated DPO facilitates a single point of contact to deal with such requests.

Having this single point of responsibility is essential so that businesses can operate in a professional and compliant environment. The DPO can organize regular risk assessments, penetration tests, and security policies. While these do not provide a 100% guarantee that no breach will happen, they are steps that provide evidence that the issues have been taken seriously in the organization, providing a defensible defense should the need occur.   

Limiting access to the data will reduce the risk of an inadvertent breach and reduce the number of employees that will need specialized training in the management and handling of personal data. It does not, however, reduce the need for all employees to be subjected to cybersecurity awareness training.

The data should be considered the crown jewels of the organization. Without customer data, or with a lost reputation due to a data breach, the company is likely to suffer financially. Treating the personal data of consumers like the crown jewels and placing it in its own protected segment of the network will create barriers and layers that can thwart the attempts of cybercriminals to gain access. We deal with layers in everyday life: The important possessions we own personally may be in a home safe or a safety deposit box. We then secure our homes with alarms and several locks on doors. With every layer, we add more complexity for the burglar.

Securing personal information should include, at a minimum, encryption and multifactor authentication. When asked, "What should I encrypt?" the answer is everything. Encryption is no longer the resource overhead it once was and by having whole-device encryption on devices, the risk of data being breached due to a stolen or lost device is reduced. Encryption of the personal data being held, including the hashing of customer passwords, will also demonstrate that significant steps have been taken to secure the data.

It would seem unprofessional not to include the following recommendations:

  • Make sure all devices connected have been patched and updated.
  • All devices should be protected with an up-to-date endpoint anti-malware product.
  • All devices and data should have a backup and recovery policy that is tested from time to time.

The need to have privacy legislation is just another step in the evolution of the digital and connected revolution that is transforming humanity. As consumers, we need to engage in understanding the value of our data, who we allow to collect it, and what we allow them to do with it. Without this engagement or legislation to protect us, we allow companies wishing to monetize by using our personal information to have free rein.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Gamification Is Adding a Spoonful of Sugar to Security Training."

Tony Anscombe is the Global Security Evangelist for ESET. With over 20 years of security industry experience, Anscombe is an established author, blogger, and speaker on the current threat landscape, security technologies, and products, data protection, privacy and trust, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TonyA940
100%
0%
TonyA940,
User Rank: Author
11/29/2019 | 11:36:52 AM
Re: CCPA
You may need to be GDPR compliant though, and other legislation around the world. The best practice is to implement a good security policy and secure data regardless of business size.
TonyA940
100%
0%
TonyA940,
User Rank: Author
11/29/2019 | 11:29:21 AM
Re: GDPR
And Marriott group around $125m, it's a serious amount of cash the regulatory is taking. As a victim of the BA breach, I fully support making examples of companies that have these issues.
TonyA940
50%
50%
TonyA940,
User Rank: Author
11/29/2019 | 11:27:12 AM
Re: Encryptions
I often get asked 'what should we encrypt', I always give the same answer - everything.
TonyA940
50%
50%
TonyA940,
User Rank: Author
11/29/2019 | 11:23:27 AM
Re: Data
Completely agree, the issue is the engagement. Unfortunately, people are only concerned when it directly affects them, while we know it affects everyone it needs to be personal to get attention and engagement. It's a huge challenge and hopefully, legislation will help control this. 
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29367
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
CVE-2020-26245
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
CVE-2017-15682
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
CVE-2017-15683
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
CVE-2017-15684
PUBLISHED: 2020-11-27
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.