In the future, everyone will want to be ~~famous~~ anonymous for fifteen minutes
This new spin on an old Andy Warhol quote sums up the direction we have moved as a society. We knowingly and unknowingly surrender more personally identifiable information (PII) online than ever before, whether voluntarily and to our benefit, or through what have become regular and unwelcome cybersecurity breaches. Thanks to the Facebook scandals in the news, most people are now learning how much data is collected and shared. In today's world, data about YOU is valuable. Even data you might find meaningless, like your favorite restaurant or an online purchase, can be used to profile your socioeconomic status and preferences so that you can be targeted further. This has created growing concern about private data collection and its use, but the number of breaches at legitimate sites that mishandle the protection of PII is growing too. This is not only a concern for private individuals; it promises to have an impact on business as well.
Security vs. Privacy
Security refers to the ways we protect ourselves, our property and personal information. It is the first level of defense against unwanted intruders. Privacy is our ability to control access to our personal information.
Data Privacy Laws
As voters demand more government legislation to address data privacy, many bodies have already responded or are in the process of doing so. You may be aware of the European Union's General Data Protection Regulation (GDPR), but you may be surprised to know that New York and California have laws of their own. New York's Personal Privacy Protection Law is already in place, and the California Consumer Privacy Act (CCPA) takes effect in January 2020. Many other state legislatures, including Kentucky's, are conducting hearings and drafting similar legislation, and a bipartisan effort toward national legislation is under way in Congress right now.
What impact might it have on my business?
Without national legislative guidelines, your business might be subject to several different state laws, which adds complexity to complying with them. Complying with new legislation always takes effort and planning, and may add cost. In 2019, cybersecurity defense spending must have some place in your budget unless your business is completely offline, which is very unlikely. Where a firewall and antivirus used to afford good protection from cyber-crime, that is no longer the case. Cyber-crime pays well, we see no sign of it slowing down, and the attacks are growing more sophisticated. This is evidenced by the growing number of breaches; a few of the largest, Equifax, Marriott, and Yahoo, impacted over 1.4 billion accounts between them. The large ones get the attention, but small-business breaches happen every day, and those are more likely to impact you. For many small businesses, a breach means closing permanently, because they lack the resources to bounce back. With little to no penalty or consumer recourse today, the demand for legislative remedies to prevent and punish these data breaches is growing. Even if you understand the security of your environment and work to prevent breaches, you may still be a victim; but when you can show a sincere effort to do the right thing, the cost of a breach is significantly lower.
Core Principles of Legislation
The tenets of the legislation appear to be coalescing around a few core principles.
- What data are you collecting?
- What are you doing with the data? Disclosure and transparency particularly about selling the data to undisclosed third parties (Facebook and Cambridge Analytica provide a recent example of this).
- The right to be forgotten (a GDPR term; formally, the right to erasure). Making it easier for individuals to obtain copies of the data you hold about them, to opt out, and to request deletion of their personal data.
That all sounds great from a personal/consumer point of view, but this type of legislation typically comes with requirements that businesses holding PII must follow to protect it, and fines if a breach occurs while they were out of compliance. If you know HIPAA and healthcare, you have an idea of how this already works in practice. There will likely be a set of minimum cybersecurity standards that must be met and measured regularly to prove a business is protecting PII. Typically, these requirements go well beyond having a firewall and antivirus in place.
Businesses that are proactive about their cybersecurity start in a much better place for whatever legislation is coming. The most significant operational change will be managing the "right to be forgotten". If you do business with or have customers in the EU, New York, or California, you are likely already required to do these things. A great place to start down the path of becoming a cyber-secure business is a comprehensive security risk assessment (SRA) that includes vulnerability scanning and a thorough review of the administrative, technical and physical controls your business has in place. The results are compared against baseline standards from NIST (National Institute of Standards and Technology) and SANS, and a work plan is generated for any identified gaps. Any proactive cybersecurity plan must also include a cybersecurity awareness training program, because technology alone cannot stop you and your staff from inviting attackers into your network. To manage the privacy side of client and prospect interactions, follow the Top Three Tips for Transparency and Trust (see below) and look at how your current relationship management system can track opt-ins and opt-outs.
We will continue to follow data privacy legislation closely. In the meantime, please reach out to Integrity IT with any questions or for help with an SRA for your business. With over 20 years of HIPAA compliance work, security and privacy are well known to us, and we have an experienced team of cybersecurity professionals ready to provide answers and guidance.
Integrity IT is a Champion of the National Cyber Security Alliance’s DATA PRIVACY DAY!
We are dedicated to security and privacy best practices and follow the Top Three Tips for Transparency and Trust.
- If you Collect it, Protect it! At Integrity IT, we protect our data using tools, training, auditing (SRA) and vulnerability scanning.
- Be Open and Honest About How You Collect, Use and Share Personal and Business Information. Any data we collect on clients, prospective clients, partners, and vendors is used only to communicate our services and educational information. We NEVER SELL data to a third party. The data is stored in password-protected applications, which we use to send email communications that include the ability to opt out. The system tracks who has opted out so that we do not accidentally send information against their preferences.
- Build Trust by Doing What You Say You Will Do. Integrity is in our name and in our employees. Our core values include “We do what we say we will do” and “We do the right thing”.
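The opt-in/opt-out tracking described above, as an added example in Python (this is not Integrity IT's system or code): an in-memory contact store that logs every consent change with its time and source, answers an access request with an export of everything held, and handles an erasure request by deleting the record while keeping only a keyed hash of the address, so the same person is neither re-mailed nor silently resurrected by a later CSV import. The store, the SUPPRESSION_KEY and the sample address are constructed for illustration.

```python
"""Consent tracking plus access/erasure requests for a small contact list.

Added example, not Integrity IT's own system. The in-memory store, the
hypothetical SUPPRESSION_KEY and the sample address are constructed for
illustration; a real CRM would persist this and record who made each change.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Hypothetical secret keying the suppression hashes (assumption: loaded from a
# secrets manager in production, never committed to source control).
SUPPRESSION_KEY = b"example-key-replace-me"


def normalize(email: str) -> str:
    """Case-insensitive match so Ann@Example.com and ann@example.com are one person."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the address. After erasure only this token is kept, so the
    business can still refuse to mail or re-import the person without holding
    their address in clear text."""
    return hmac.new(SUPPRESSION_KEY, normalize(email).encode(), hashlib.sha256).hexdigest()


@dataclass
class Contact:
    email: str
    name: str
    # Every consent change is appended with time and source, so the business
    # can show when and how the person opted in or out.
    consent_log: list[dict] = field(default_factory=list)

    @property
    def marketing_opt_in(self) -> bool:
        return bool(self.consent_log) and self.consent_log[-1]["opt_in"]


class ContactStore:
    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}
        self._suppressed: set[str] = set()

    def _log(self, contact: Contact, opt_in: bool, source: str) -> None:
        contact.consent_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "opt_in": opt_in,
            "source": source,
        })

    def add(self, email: str, name: str, opt_in: bool, source: str) -> bool:
        """Add or update a contact. Returns False if the address was erased
        earlier, so a CSV re-import cannot quietly resurrect it."""
        if suppression_token(email) in self._suppressed:
            return False
        contact = self._contacts.setdefault(normalize(email), Contact(email, name))
        self._log(contact, opt_in, source)
        return True

    def record_opt_out(self, email: str, source: str = "unsubscribe-link") -> bool:
        contact = self._contacts.get(normalize(email))
        if contact is None:
            return False
        self._log(contact, False, source)
        return True

    def can_send_marketing(self, email: str) -> bool:
        """Run this immediately before each send, not once when the list is built."""
        if suppression_token(email) in self._suppressed:
            return False
        contact = self._contacts.get(normalize(email))
        return contact is not None and contact.marketing_opt_in

    def export_for_subject(self, email: str) -> str | None:
        """Access request: everything held about the person, as JSON."""
        contact = self._contacts.get(normalize(email))
        return None if contact is None else json.dumps(asdict(contact), indent=2)

    def erase(self, email: str) -> bool:
        """Erasure request: drop the record and keep only the keyed hash."""
        key = normalize(email)
        if key not in self._contacts:
            return False
        del self._contacts[key]
        self._suppressed.add(suppression_token(email))
        return True


if __name__ == "__main__":
    store = ContactStore()
    store.add("Ann@Example.com", "Ann Example", True, "web form")  # constructed sample
    print("send after opt-in:", store.can_send_marketing("ann@example.com"))
    store.record_opt_out("ann@example.com")
    print("send after opt-out:", store.can_send_marketing("ann@example.com"))
    print(store.export_for_subject("ann@example.com"))
    store.erase("ann@example.com")
    print("re-import after erasure accepted:", store.add("ann@example.com", "Ann", True, "csv import"))
```

Two design points matter more than the data structure: the opt-out check runs at send time rather than when a list is built, so a preference recorded a minute ago is honored, and erasure keeps a keyed hash rather than the address itself, because deleting everything would make it impossible to recognize the person the next time a spreadsheet of prospects is imported.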
Data Privacy Day – January 28th: FREE LIVE STREAM presentations from top privacy experts
2 pm PT/5 pm ET – 4:15 pm PT/7:15 pm ET
- Lock Down Your Login
- Managing Your Family's Technology Usage
- Check Your Privacy Settings
- Security Risk Assessment and Analysis
- Free Online Training Platform
- Creating a Cyber-Safe Culture