What is the CCPA?

The California Consumer Privacy Act (CCPA) is a new consumer protection law which comes into effect from 1st January 2020 and is yet another sign that data protection is now taken very seriously. This follows closely in the steps of the General Data Protection Regulations (GDPR), which were launched in May 2018.

Who does this apply to?

  • This law is applicable in the state of California where organisations carry out business that involves collecting and processing the personal information of individuals.
  • Where an organisation has gross revenues of over $25,000,000
  • If an organisation buys / sells at least 50,000 consumers' personal records for commercial gain
  • If an organisation earns more than 50% of its revenue from the selling of consumers' personal records.

If all or any of these criteria are met then the CCPA will be applicable and the business will have to adhere to these regulations.

What are the consequences of non-compliance?

Should this be the case, it is possible that the business could face the following penalties:-

  • A civil penalty of up to $7,500 for each intentional violation and $2,500 for other violations
  • In addition to this, the victims of a data breach may obtain $100 to $750 per consumer, per incident.

How a business manages its data is therefore of the utmost importance, both to comply with these regulations and to avoid any penalties that stem from a breach of them.

Some guidelines for the management of data

  • Ensure that all employees are updated on this legislation and carry out training as applicable.
  • Ensure that all processes and procedures are aligned to comply with the new legislation and, if not, introduce new ones to cater for this.
  • Carry out a review of cyber security within the organisation and implement upgrades and improvements where necessary in order to mitigate a possible data breach.
  • Where necessary, bring privacy notices and policies on websites and other public-facing forums into line.

The protection of data is becoming a core value within businesses because, in the event of a data breach, the costs of managing it and the impact on their reputation can be severe.

GDPR One Year On – What’s Changed?

GDPR has been with us now for just over a year – so what has changed during this period?

Businesses are now much more proactive in their approach to cyber security, instigating robust systems and procedures to combat the threat of hackers.

http://cyberbrokers.co.uk/gdpr-data-protection-but-not-as-we-know-it/

The ICO have just published a report “GDPR – One Year On” which sets out a review of its first year in operation.

https://ico.org.uk/media/about-the-ico/documents/2614992/gdpr-one-year-on-20190530.pdf

Countering the Cyber Security Threat

The risk of a data breach is also now higher than ever with the changing cyber risk landscape. New ransomware strains and malware are evolving, so keeping up-to-date protections in place is vitally important. GDPR is a clear driver of the approach that the C-suite has to instigate to protect and secure their businesses.

Among the many areas that IT security has focused upon is back-up, which is essential in protecting data. This makes data retrievable in the event of a compromise due to a cyber-attack.

Change in Philosophy

GDPR was a long time coming and businesses have struggled to find the resource to put in place processes to achieve compliance. Some were ahead of the game and some struggled to meet the deadline of 25th May 2018.

The philosophy towards cyber security has also reached an engagement point where businesses are looking beyond GDPR. Businesses are now seeking cyber security accreditations such as ISO27001.

Global Effect

Other countries are also taking note of the impact that GDPR is having and bringing in similar legislation of their own.

For example, the California Consumer Privacy Act (CCPA) comes into force on 1st January next year. This provides consumers with certain rights over their personal data which is held by businesses and is an obvious parallel with GDPR.

GDPR Fines

Regulators to date have issued in excess of 200,000 fines, of which 65,000 were related to data breaches. Fines totalled €56M, which includes the €50M levied against Google by the Irish Data Protection Commissioner. In this case new users were inadequately advised how personal data was collected and how this was subsequently used.

The fear of regulators issuing potential fines of up to 4% of the global turnover of a business has not materialised yet. However, Elizabeth Denham, the U.K. Commissioner of the ICO, recently stated in a speech that this may be about to change later in the year. It is understood that the ICO has a couple of very large cases that are currently being reviewed.

Both Equifax and Uber have been fined over the past twelve months, but this was under previous legislation and not GDPR.

GDPR does appear to have improved cyber security standards. We are, however, waiting to see how regulatory bodies will impose the full force of non-compliance in the event of a cyber-attack that results in a significant data breach.

Sign Of The GDPR Fines To Come…?

It was announced last week that the credit reference agency Equifax has been fined by the ICO in the sum of £500,000 as a result of failing to protect the personal data of 15 million UK citizens and 146 million in the US during the 2017 data breach.

http://cyberbrokers.co.uk/equifax-the-anatomy-of-a-data-breach/

The long-awaited ICO report found that the UK arm did not have the appropriate steps in place for processing and protecting the personal information of its data subjects.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach

The joint ICO and FCA report highlighted the following:-

  • Data was retained for longer than was necessary
  • Inadequate measures were in place to manage personal information
  • IT security was not of the highest standard, with the compromise of data being likely
  • The US Department of Homeland Security had advised Equifax Inc about a critical vulnerability in 2017
  • Customers' data should have been treated with much higher regard

The investigation was carried out under the 1998 Data Protection Act as opposed to the recent General Data Protection Regulation (GDPR) that came into force on 25th May this year. The ICO imposed the maximum GDPR fine of £500,000 under the previous Act.

Under the GDPR the ICO has the power to set a maximum possible fine of 4% of the global turnover of a company. The consequences of this data breach could therefore have been much higher had it occurred post 25th May this year.

The ICO's approach to GDPR fines, and to imposing them on businesses who are responsible for a data breach, is still very much unknown: the climate remains untested, and only time will tell how fines are imposed and how severe they may be. The Equifax fine does suggest that the ICO will be treating such data breaches very seriously and will wish to demonstrate that the new legislation does have “teeth” and that they will act accordingly.

 

The Holiday Cyber Risk Landscape

The holiday season is now in full swing, with people travelling to far-off destinations to enjoy a well-earned break and to spend time with their families. Unfortunately the cyber threat remains with us… and is arguably increased, as people's guard is somewhat down due to the relaxed environment that being on holiday promotes.

A survey carried out by Keeper Security Inc last year showed that the US posed the greatest threat to holiday makers from hackers; more worryingly, however, the UK came in second place, with France, Spain and Italy also featuring in the top ten.

https://www.marieclaire.co.uk/entertainment/technology/cyber-security-holiday-destinations-523668

Some of the cyber threats that exist to individuals and businesses are as follows:-

Insecure Wi-Fi Networks

A hotel wi-fi network may be vulnerable if not secured with the latest security encryption software. The same could be said of restaurants or cafes. In attacks known as “Man in the Middle”, a third party sits between the user and the application, listening to and changing information while pretending to each to be the other; such attacks can intercept highly sensitive data, which is then used to compromise a user's details.

GCHQ regularly warn travellers of the threats posed by insecure wi-fi networks, and the holiday season is when these threats become more prevalent. It is therefore important to check that the wi-fi has the appropriate safety protocols in place, particularly when money is being transacted.

Holiday Scam E-mails 

It is conceivable that an individual could fall foul of a hacker before they leave their house. Holiday scam e-mails may portray a bogus website that offers a holiday deal which is too good to be true, and the likelihood is that this could well be the case. Funds could be stolen through an on-line transaction, with debit or credit card details also being compromised by a hacker.

Being Aware

Leaving a laptop or smart phone on your beach towel or on a cafe table creates an opportunity for a speculative hacker to steal an electronic device and use the data themselves or post it on the dark web to be sold at a later date.

Keeping a tight ship

The same principle applies to businesses during the holiday season, who may not have their usual numbers in their cyber security team, which creates an environment where threats could be missed or not acted upon as quickly as normal. A greater reliance is therefore placed on everyday users to practise good cyber hygiene in their everyday work schedule, watching out for phishing e-mails and dubious website links which could lead, for example, to an incident of fraud or a ransomware attack.

Back Home

Once back home, it is good housekeeping to check matters such as bank statements to ensure that no fraudulent transactions have taken place and that you can account for everything spent.

At work, look for any unusual e-mail activity or change in the functionality of your computer in case a virus may have downloaded itself whilst you were away.

Wherever you are on holiday, cyber threats exist in many forms. Hackers do not go on holiday, so it is vitally important that you maintain the same cyber security posture.

Is Our Data Safer Under GDPR?

Now that GDPR is in force, will this make our data safer…?

The volume of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard, so will GDPR actually make any difference to our data being better protected? The chances are that it will, but the same inherent threats will still exist.

So what are these threats?

1. Businesses that have not yet complied with GDPR

In the run up to GDPR a number of reports indicated that many businesses were behind in achieving the required standards. There is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2. Inability to restore data

In the event of a compromise of personal data it will be important that a business can restore data by having the appropriate back-ups in place. If this is not possible, it will impact on their business confidence and reputation.

3. Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will be a visible increase in cyber attacks on businesses, as hackers target firms for their data and exploit vulnerabilities. Such threats include ransomware or a DDoS attack, where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital, with minimum standards of Cyber Essentials and, preferably, ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a business is hit by a data breach it will need to react quickly, and an incident response plan will assist with this. Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help…

This specialist form of insurance can provide valuable coverage in the event of a data breach and help manage the impact of this.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk, with threats to its security emerging as technology and the incentives to use data for ill means increase.

EU-US Privacy Shield – En Garde!

EU-US Privacy Shield will come into force on the 1st August and this now replaces the defunct Safe Harbour.

What has caused the delay?

Finally getting this over the line has been frustrating, as it has met the resistance of the European Commission, whose fault-finding Article 29 Working Party's Opinion on this was delaying the final agreement.

This has now been given approval by the Article 31 Committee on 8th July and on 12th July the European Commission issued an “implementing decision” which ratifies that the Privacy Shield will be adopted.

Despite criticism from certain quarters during the negotiation phase, this does now provide some certainty on how businesses can legally transfer personal data between the EU and US.

The Background

In February we covered the announcement of the hotly awaited replacement to the Safe Harbour in our post

EU-US Privacy Shield – Is data safe again?

The main obligations imposed on firms handling Europeans' personal data are as follows:-

  • Individual Notification

Businesses must inform individuals of their rights under the US-EU Privacy Shield, including specific reference to how their particular data is processed.

  • Opt Out

Individuals can object to the disclosure of their personal data to third parties or for specific purposes.

  • Responsibility for movement of personal data

This should be limited, and it should be made clear for what purpose the data is going to be utilised. The level of protection of the data in this process must be no less than that set out under the Privacy Shield.

  • Security Measures

These must be in place commensurate with the type and sensitivity of the data and how this will be processed.

  • Access to Data

This must be possible and if amendments are required to the data then this must be carried out promptly.

  • Data Integrity

Data must be set out in accordance with its relevance and end use; it must be up to date and accurate in all respects.

  • Consequences of non adherence

Processes are to be put in place to ensure that compliance is achieved, together with a system of redress with options for legal remedies.

A copy of the Framework Principles as issued by the US Department of Commerce is available at the link below

EU-US Privacy Shield Framework Principles

What will be the impact of Brexit?

This is going to be one of the many issues that will need to be negotiated with the U.K. leaving the EU. The protection of personal data is a foremost consideration all around the world today and this geographical location is no exception.

Would the UK now need to negotiate a separate Privacy Shield with the US – will we therefore see a US-UK Privacy Shield?

How does this interact with the General Data Protection Regulations that come into force on 25th May 2017? The UK will need to implement similar data protection regulations when dealing with the EU and the personal data of individuals within these European States. Data from the EU may also circulate via the UK to the US, which is a further dilemma that will need to be addressed.

Can Cyber Insurance Help?

This form of policy provides protection for loss of personal data in scenarios such as a hacker attack, the inadvertent loss of data by an employee or the destruction of data by a malicious act. The post-breach response vendors provided by insurers also provide a significant benefit to businesses.

Cyber Insurance can therefore play a role in mitigating the impact of a data loss irrespective of the changing legal landscape that is evolving.

The underlying message to the business environment is that they must have heightened awareness and be very much “En Garde” as to the dynamic changes in how data is processed and protected and the pitfalls of non-compliance.