Categories
Compliance > Privacy

Guarding Digital Assets: Proactive Data Privacy Measures for Remote Work

Ensuring data privacy is paramount in today’s globally interconnected landscape, where a growing number of businesses are adopting remote work models. Strong security measures that safeguard sensitive data while working remotely are vital. This article explores key strategies and protocols you can put into practice to protect data privacy, wherever you work.

Importance of Data Privacy in Remote Work 

Remote work offers various advantages such as flexibility, reduced commuting, better work-life balance, and global talent access.  

As the boundaries between professional and personal spaces blur, it becomes essential to prioritize data privacy. Poor cybersecurity practices in remote work environments can lead to:

  1. Reputation Damage: A leak or compromise of customer data can tarnish the company’s brand image, leading to a loss of trust among stakeholders, potential clients, and investors.
  2. Legal or Regulatory Compliance: Non-compliance with data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), can lead to hefty fines, penalties, and legal repercussions.
  3. Intellectual Property: Proprietary information is vital for businesses to maintain a competitive edge. Unauthorized access or breaches by competitors or malicious actors can jeopardize a company’s market position and potential revenue.
  4. Data Breaches: Exposure of sensitive data, such as Personally Identifiable Information (PII), financial information, the company’s customer data, or trade secrets, can have a devastating impact on a company’s reputation. The consequences include financial losses, reputation damage, and legal and regulatory penalties.
  5. Financial Losses: Cyber-attacks such as ransomware can lead to substantial financial losses for individuals and organizations. Financial fraud, such as unauthorized transactions or identity theft, can arise if remote work systems, like laptops or smartphones, are compromised, leading to personal or business losses.

Key Challenges in Data Privacy for Remote Work 

Hardware and Software Vulnerabilities 

When working outside the controlled environment of an office, remote employees frequently use personal devices or unsecured networks, which might not be up to date with the latest security patches, thus making them more susceptible to cyber threats and data breaches.  

Phishing, malware, and socially engineered attacks 

Remote workers are susceptible to cyberattacks like phishing, malware, and social engineering attacks, especially when they access corporate data from public networks or unfamiliar devices. 

Inconsistent Security Protocols 

Without standardized protocols across all remote work setups, the chances of a data breach increase manifold.

Enforcing Organizational Policies and Regulatory Requirements

Enforcing organizational policies and regulatory compliance can be challenging with remote work due to the lack of physical presence of IT staff and supervisors.  

Steps to Promote Data Privacy in Remote Working

Implementing and following security best practices can help safeguard valuable data resources and drastically reduce the chances of costly cyber-attacks.  

End-to-end Encryption and Backups

While handling data, ensure it is encrypted both at rest and in transit over the network. This keeps the data indecipherable to unauthorized users even if it is intercepted, and encrypting communication channels protects information as it moves. Regularly backing up data to cloud storage or an offline storage device protects against data loss, offers protection against ransomware attacks, and provides a repository that users can access and share from any location.

Use VPN (Virtual Private Network) 

Use Virtual Private Networks (VPNs) to establish secure, encrypted connections. VPNs help shield sensitive information from cyber threats, especially when using public networks. Also, avoid public Wi-Fi networks and use trusted networks or a personal hotspot instead.

Update and Patch Software 

Keep all company-provided software and devices updated with the latest security patches. This protects against vulnerabilities that cybercriminals might be able to exploit. In addition, install only software that is company-approved and from trusted sources, and always adopt safe browsing practices.

Use Strong Passwords and Multi-factor Authentication (MFA)

Always use long and complex passwords to protect computing resources. Avoid sharing passwords and reusing the same password across multiple accounts. In addition to unique, strong passwords, add a further layer of security such as MFA with a one-time passcode or biometric authentication, so that unauthorized access is restricted. Combining these factors makes it harder for attackers to impersonate a victim’s identity.

Implement Zero-Trust Network Access

Zero-Trust is a security framework that requires strict verification of every user and device that tries to access the network. Every user and device, whether inside or outside the organization’s network, must be authenticated, authorized, and validated continuously before access is granted. By default, access control for all users and devices is set to “deny”: connections are assumed to be malicious unless explicitly authorized.

A zero-trust strategy will help secure access to corporate resources only from trusted networks and devices.  

Establish Security Awareness Training Program 

An effective strategy to maintain a secure workplace environment is educating and conducting regular security awareness training sessions to inform employees about the latest threats and best practices. Training sessions may include recognizing phishing emails, the risk of using unsecured network connections, using strong and secure passwords, reviewing the company’s cybersecurity policy, or job-specific training. Regular employee training and remedial training (for those who fall for simulated phishing) will help employees to be vigilant, promote awareness, and reduce the probability of falling victim to cybercriminals.  

Conclusion 

When working remotely, data privacy is not just a technical challenge but also a critical business necessity. By implementing robust security measures, businesses not only protect their data but also build trust among their employees and stakeholders, promote sustained growth, and improve their reputation. To stay ahead of the curve, regularly review and update your data privacy measures.

Categories
Compliance > Privacy

Data Privacy Laws and Cybersecurity: Navigating The 2023 Shift

Introduction

In 2023, the United States is witnessing a pivotal transformation in its data privacy laws, heralding a new era in legal frameworks and cybersecurity strategies. This shift, significant in its scope and impact, demands a reevaluation of how organizations approach data privacy and security compliance.

Recent Developments in Data Privacy Laws
  1. New State Laws and Amendments:
    • California Privacy Rights Act (CPRA): Enhancing CCPA with GDPR-like rights from January 1, 2023.
    • Colorado Privacy Act (CPA): Introducing data security mandates, effective July 1, 2023.
    • Connecticut Data Privacy Act (CDPA): Emphasizing data minimization and security from July 1, 2023.
    • Utah Consumer Privacy Act (UCPA): Prioritizing data security, effective December 31, 2023.
    • Virginia Consumer Data Privacy Act (VCDPA): Revising data processing rights from January 1, 2023.
  2. Emerging Trends:
    • Scope Consistency: These laws primarily target businesses within state borders or those engaging with state residents.
    • Consumer Rights Expansion: A growing trend towards empowering consumers with data access, deletion, and opt-out options.
Implications for Cybersecurity
  1. Enhanced Data Security: The evolving landscape necessitates robust cybersecurity measures to safeguard personal data.
  2. Risk Assessment and Compliance: Regular assessments for high-risk data processing underscore the need for continuous compliance.
  3. Legal and Financial Stakes: Non-compliance risks substantial legal and financial repercussions, with penalties reaching $50,000 per violation in some states.
  4. Diverse Regulatory Landscape: The variance in state laws presents a significant challenge for multi-state operations, requiring adaptable compliance strategies.
  5. Evolving Future Trends: With impending legislation in states like Maine and Massachusetts, the regulatory environment will grow, demanding agile cybersecurity responses.

2023 marks a watershed moment in U.S. data privacy law with profound cybersecurity implications. For organizations, the focus must shift to robust security measures, vigilant risk assessments, and a proactive stance on compliance. As the legal landscape evolves, staying informed and adaptable is crucial for effectively navigating these changes.

For detailed insights on the evolving privacy laws, see Reuters: https://www.reuters.com/legal/legalindustry/new-era-privacy-laws-takes-shape-united-states-2023-11-15/

Categories
Compliance > HIPAA | Information Security Compliance > Privacy

FTC and HHS Guidance for Online Tracking Technologies by HIPAA Covered Entities and Business Associates

On January 7, 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published guidance on the use of tracking technologies by covered entities under the Health Insurance Portability and Accountability Act (HIPAA). The guidance, titled “FAQs on HIPAA and Health Websites and Social Media,” addresses various issues related to the use of tracking technologies, including cookies, beacons, and other similar technologies.

The guidance emphasizes that covered entities must ensure that their tracking technologies comply with HIPAA’s Privacy, Security, and Breach Notification Rules. Covered entities must also provide clear and conspicuous notice to individuals about their use of tracking technologies and obtain their affirmative consent before using such technologies.

The guidance also highlights the importance of properly securing any data collected through tracking technologies to protect against unauthorized access, use, or disclosure. Covered entities should implement appropriate security measures, such as encryption, access controls, and monitoring, to safeguard this data.

In addition, the guidance addresses several specific issues related to tracking technologies, such as:

  • The use of cookies for targeted advertising: Covered entities must obtain affirmative consent before using cookies for targeted advertising. They must also allow individuals to opt out of such advertising.
  • The use of beacons to track individuals’ locations: Covered entities must obtain affirmative consent before using beacons to track individuals’ locations. They must also provide clear notice to individuals about the purpose of such tracking and the types of data that will be collected.
  • The use of third-party tracking technologies: Covered entities must ensure that any third-party tracking technologies they use are compliant with HIPAA. They must also enter into a business associate agreement with any third party that has access to protected health information (PHI).

While this is not new information, the details of a $7.8 million fine levied against BetterHelp yesterday, March 2, 2023, signal a shift in enforcement.

“The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.” 1

Until now, there had been some ambiguity regarding what constituted PHI and PII (Protected Health Information and Personally Identifiable Information). The most notable example is the following:

If a person visits an informational site about pregnancy, and the covered entity gathers information such as IP Address, Email, Location Data, etc. – that information is considered PHI/PII. It will be covered under HIPAA’s privacy guidance. This is true even if the site visitor does not have a relationship with the covered entity.

This is a significant change from previously understood and enforced HHS guidance. As such, organizations in the healthcare vertical should review all applications, web and mobile, for tracking technology and evaluate what it is gathering and whether it violates the HHS guidance.

SecurIT360 has put together a package that assists covered entities in evaluating the compliance, reputational, and technical risk associated with tracking technology across their application portfolio.

This approach can be summarized as follows:

  • Perform an in-depth technical analysis of the HHS guidance for HIPAA-covered entities.
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies
  • Establish a testing protocol that evaluates those requirements in addition to standard web security standards (OWASP WTG v4.2).
  • Create a project plan for the execution of this testing protocol as it is applied to all domains in scope.
  • Perform testing.
  • Present a comprehensive technical report that outlines detailed risk and remediation for issues found.
  • Assist with establishing a remediation plan.
  • Perform validation of remediation.
  • Issue a final report reflecting the residual risk after remediation.
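As an added illustration of the technical analysis step above (this is example code, not SecurIT360’s tooling), the following script inventories the third-party resources a captured page loads, flags hosts that match a small constructed list of known advertising and analytics trackers, and raises the severity when the page is behind user authentication or the beacon URL carries visitor-identifying query parameters. The sample HTML, hostnames and tracker list are constructed for the example.

```python
"""
Inventory third-party tracking resources on a captured web page.

Added example, not SecurIT360's tooling: given the HTML of one page and
whether that page sits behind user authentication, list every external host
the page loads resources from, flag hosts that belong to known advertising /
analytics trackers, and flag beacon URLs whose query string carries fields
that could identify the visitor. The tracker list is a small, constructed
sample for illustration, not a complete catalogue.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of tracker host suffixes; extend with your own inventory.
KNOWN_TRACKER_SUFFIXES = (
    "facebook.net", "facebook.com", "snapchat.com", "sc-static.net",
    "google-analytics.com", "googletagmanager.com", "doubleclick.net",
)
# Query-string keys that commonly carry visitor identity in beacon calls.
IDENTIFYING_PARAMS = {"email", "em", "ph", "phone", "uid", "user_id", "external_id"}


@dataclass
class Finding:
    tag: str
    url: str
    host: str
    known_tracker: bool
    identifying_params: list
    authenticated_page: bool

    @property
    def severity(self) -> str:
        # A tracker on an authenticated page can tie PHI to an identified
        # person; identifying params in the beacon URL make that explicit.
        if self.known_tracker and (self.authenticated_page or self.identifying_params):
            return "high"
        if self.known_tracker:
            return "medium"
        return "info"


class _ResourceCollector(HTMLParser):
    """Collect the src/href of script, img, iframe and link tags."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe", "link"):
            return
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("href")
        if url:
            self.resources.append((tag, url))


def _is_known_tracker(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in KNOWN_TRACKER_SUFFIXES)


def inventory_page(html: str, page_url: str, authenticated: bool) -> list:
    """Return a Finding for every resource loaded from a host other than the page's own."""
    first_party = (urlparse(page_url).hostname or "").lower()
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host or host == first_party:
            continue  # relative URL or same-origin resource
        params = sorted(k for k in parse_qs(parsed.query) if k.lower() in IDENTIFYING_PARAMS)
        findings.append(Finding(tag, url, host, _is_known_tracker(host), params, authenticated))
    return findings


# Constructed sample page: a patient-portal page after login that loads an
# analytics pixel, a first-party stylesheet and an image from a sibling CDN host.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView&em=patient%40example.org" width="1" height="1">
<img src="https://cdn.example-hospital.org/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for f in inventory_page(SAMPLE_HTML, "https://portal.example-hospital.org/appointments", True):
        print(f.severity, f.tag, f.host, f.identifying_params)
```

Run the same inventory over each in-scope page, authenticated and unauthenticated, and carry the high-severity findings into the remediation plan.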

For reference, we have included some additional scenarios that are both discovered and solved by this approach.

  • Unauthorized access to PHI: If tracking technology is used to monitor the location or movements of individuals in a healthcare setting, it could potentially provide access to PHI that should be kept confidential. For example, if a hospital uses a tracking system that shows the location of patients or staff members, but the system is not properly secured, unauthorized individuals could potentially gain access to PHI.
  • Unintentional disclosure of PHI: If tracking technology is used to monitor the location or movements of individuals in a healthcare setting, there is a risk that PHI could be unintentionally disclosed. For example, if a tracking system is used to monitor the location of patients, and the system is not configured properly, it could potentially display PHI in a public area or to unauthorized individuals.
  • Improper disposal of PHI: If tracking technology is used to collect PHI, there is a risk that the data could be improperly disposed of. For example, if a tracking system is used to monitor the location of patients or staff members, and the system is not properly secured or disposed of, PHI could potentially be accessed by unauthorized individuals.
  • Use of PHI for marketing purposes: If tracking technology is used to collect PHI, there is a risk that the data could be used for marketing purposes without proper consent. For example, if a tracking system is used to monitor the location of patients, and the data collected is used for marketing purposes without proper consent, this would be a violation of HIPAA.
  • Failure to obtain proper consent: If tracking technology is used to collect PHI, proper consent must be obtained from individuals before their data can be used. For example, if a tracking system is used to monitor the location of patients, but the patients are not properly informed of the data collection or their rights, this would be a violation of HIPAA.

References:

1: https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

Categories
Compliance > Privacy

Your CCPA Compliance Checklist for 2020

You’ve read about it for months now, and it’s finally here. The California Consumer Protection Act went into effect on January 1st, 2020. Unlike asking a telemarketer to put you on the mythical “Do Not Call List,” consumers’ new privacy rights under the CCPA are very real and very enforceable. We’ve waded through all the confusing information on the CCPA to put together a handy list of answers to questions you may have had when hearing about CCPA and considering its impact on your business.

What is it?

The California Consumer Protection Act, or AB-375, was passed on June 28, 2018. It is a comprehensive piece of legislation designed to significantly elevate privacy regulations and to protect California consumers from having their personal data stolen, sold, or shared without their knowledge. Businesses will be under increasing scrutiny to have complete transparency in how they are currently collecting, storing, and using consumer data.

What kind of consumer data is protected?

Be careful – the CCPA takes a very broad view of what constitutes “personal data” about consumers. It’s not just credit card information! The specific definition of personal data under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to a customer’s name, this “personal information” includes: IP address, postal address, email address, Social Security Number, driver’s license number, passport number, biometric information, geolocation data, consumer photos, and messages…the list goes on. ALL of these things are now protected under the CCPA. Due to the connected nature of the growing Internet of Things, more consumer data of an alarmingly personal nature is being unwittingly shared online. The regulations under the CCPA are an attempt to control and curb the spread of that data.

What are consumers’ rights under the CCPA?

In short, the CCPA is designed to give consumers greater legal control over what information businesses know and share about them. Consumers have the right to:

  • Disclosure – Consumers can make verifiable requests to know what personal information is being collected or sold about them, and businesses must disclose this information.
  • Access – At the point of collection, a consumer must be informed of what type of information is being collected, and how it is being used.
  • Deletion – Consumers can request to be “forgotten,” i.e. they can request that all personal information about them be deleted from a business’ systems. This includes the removal of consumer information from third-party vendors.
  • Antidiscrimination – Consumers cannot be discriminated against because they have exercised their rights under the CCPA.
  • Ability to Opt-Out – A business must provide a “Do Not Sell My Personal Information” option on its website.
  • Privacy Policy Requirements – Businesses are required to state their online privacy policy plainly, and update it every 12 months.

What are the new privacy policy requirements for businesses under the CCPA?

Maintaining all of these rights for consumers sounds like a big ask, but there are five main CCPA requirements that will help you achieve this. The CCPA asks that businesses take part in the following activities:

  • In-house data inventory, mapping of relevant personal data, and highlighting instances of selling data
  • Setting up new individual rights to data access and erasure
  • Setting up new individual rights to opt-out of data selling
  • Updating service agreements with third-party vendors and data processors to ensure that they are also CCPA-compliant
  • Identifying and eliminating information security gaps and business system vulnerabilities

Will it affect my business?

“My business isn’t based in California, so I’m in the clear, right?” Not so much. There is a broad swath of companies that will have to comply.

If your business is for-profit and meets any one of the following criteria:

  • Is owned and operated in California
  • Sells to consumers in California
  • Has an annual revenue of $25 million or more
  • Buys, receives, sells, or shares consumer data from 50,000 or more consumers, households, or devices
  • Gains a majority of its annual revenue from the selling of personal data

You will be bound by this legislation! As you can see, this definition includes most of the companies in the U.S.

Are there any exceptions?

The main exceptions to the rule are where it conflicts with federal regulation. The CCPA shall not restrict a business’ ability to:

  • Comply with federal, state, or local laws
  • Collect, use, sell, or disclose consumer information that is aggregated consumer information
  • Collect or sell personal information if every aspect of the transaction takes place wholly outside of California

The CCPA shall not apply to:

  • Medical Information or protected health information, pursuant to regulations established by HIPAA
  • Personal information collected pursuant to the California Financial Information Privacy Act

So, unless your industry is medical or financial (which are already strictly regulated), you need to pay close attention to the CCPA!

How do I achieve compliance?

“Ok, I get it. It will affect me. Now, what do I do to maintain compliance?” It’s all about putting in “reasonable security protection.” Your business should check for the following points to ensure CCPA compliance:

  • Stringent processes and protections in place for how you collect and store customer data
  • Consumer notifications of what type of information is being stored and used at the point of collection
  • Strong endpoint protection and encryption
  • Strong emergency processes in place in case a data breach occurs
  • An Opt-Out option on your website so that consumers can request to be “forgotten”
  • An updated privacy policy that you’ve shared with your third-party vendors
  • An updated privacy policy posted clearly on your website

Update your systems so that your consumers are made aware of what information you are gathering and how you are using it, and you should have no problem.

What will happen if I’m non-compliant?

There is a higher cost than ever for non-compliance, whether voluntary or involuntary. The CCPA Enforcement states that “any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty.” If you knowingly disclosed consumer personal data, the penalty is $7,500 for each intentional violation. If you unknowingly violate the CCPA (which shouldn’t happen if you are reading this post!), the penalty is $2,500 for each violation.

In addition to that, consumers can individually bring a civil action against your company for up to $750 per incident, or the cost of the actual damages, whichever is greater. This civil action will question whether your business has implemented “reasonable security procedures and practices,” so if you can’t prove you had privacy protection measures in place, watch out.

What should I do if there’s a breach?

If there is an attack on your business’ data systems and an information breach, you must act quickly to protect your consumers’ personal information, as well as to notify them of the breach. If you fail to do this within 30 days, you will be subject to maximum penalties. However, if you can prove that your violations have been amended and that no more will occur, you will be spared additional fines.

When will I have to enforce CCPA compliance?

If you feel like there’s a great deal you need to do to achieve compliance, you still have some time to do it. Even though the legislation goes into effect January 1st, 2020, there is a grace period that lasts until “6 months after the publication of such regulations,” or July 1st, 2020.

There. I’m done. Now I don’t have to hear about CCPA ever again, right?

Not quite. This legislation is following the trend of the EU’s GDPR (General Data Protection Regulation), which is actively creating and expanding the definitions of consumer rights. Right now, though, there is still turmoil as the CCPA tries to bring some cohesion to what is a dynamic policy area. There will be great changes in the legislation until homeostasis is reached. Businesses can expect similar laws to be passed across the country in the next few years, so if you don’t have to deal with consumer privacy rights now, don’t worry. You will.

Why is this important?

The CCPA legislation will impact your business, whether you realize it now or not. With many businesses’ marketing strategies relying heavily on using and predicting consumer identities, removing personal information about your customers introduces holes into the picture. This law will greatly affect the accuracy and efficacy of established marketing approaches like attribution.

The increased connection of the Internet of Things begins to reveal the many vulnerabilities that are emerging in sharing, storing, and protecting consumer personal information. According to Risk Based Security, 2018 was the second-most active year for data breaches, with 6,500 reported breaches that included some 5 billion records. And those numbers can only be expected to increase. The CCPA is an attempt to mitigate some of these breaches.

The CCPA may seem like a headache, but it is a good opportunity for your business to focus its attention on upgrading your security and privacy practices all around.

What’s going to happen next?

You can expect a rocky start to the enactment of the CCPA. First off, despite its being around for over a year, there is a great deal of contention as to the exact scope of the legislation. Two bills are currently under consideration to expand the CCPA, while nine bills are being considered that would narrow its scope. In addition, a federal privacy law is still under consideration in Washington, DC, that would affect the exact provisions of the CCPA.

In addition to this lack of agreement, there is a general lack of knowledge about the CCPA. A recent survey by ESET polled 625 business owners and executives to see how prepared they are for the enforcement of the CCPA on January 1st, 2020. Of these 625 owners, half had never heard of CCPA, 34% were unaware if they needed to change for compliance, and only 12% knew specifically how the law would affect them. Because of this confusion, you can expect to hear about a great deal of litigation in the new year as businesses are faced with the high cost of non-compliance.

Categories
Compliance > Privacy

Apple iOS and OS X Critical Vulnerability

Recently Apple released updates containing critical security patches that address flaws in its SSL implementation which could allow attackers to intercept email and other communications that are meant to be encrypted on iPhones, iPads and Mac computers.

Apple released a “security advisory” in which they provide vague statements regarding said security issues: “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

Apple did not say when or how it learned of the vulnerability, but the bug appears to exist in some versions of iOS 6, iOS 7, Mac OS X, and Apple TV. iOS 6.1.6 and 7.0.6 were recently released to fix the issue. The bug also appears to have been introduced in OS X 10.9; OS X 10.9.1 is still affected.

This flaw affects the basic security that Apple uses to implement SSL connections. The main risk is when using an affected device in untrusted environments where someone could be eavesdropping, such as free unsecured Wi-Fi at coffee shops, airports and hotels. According to the post by Brian Krebs, for now it may be wise to avoid using Safari on OS X systems. As Dan Goodin at Ars Technica writes, “because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn’t be considered a panacea.”

Sources:

http://www.digitalmunition.net/?p=823

https://www.imperialviolet.org/2014/02/22/applebug.html