
IT and the C-Suite: 3 Tips for Communication

Years ago, I served as Head of Information Security for a large organization. After just 6 months on the job, we experienced every network administrator’s worst nightmare: a data breach. As we worked to resolve the problem, it seemed like there was enough blame for everyone. IT was blamed because of their operation. Application Development and Support was blamed because of their code. Then the CIO started taking heat because security hadn’t been his top priority. Finally, the CEO came under fire for the overall performance of the team leading up to the breach.

A recent article I read by Kacy Zurkus in Security Boulevard reminded me of this situation; Zurkus does a great job outlining recent trends in cybersecurity and corporate accountability. There is no doubt that C-level executives are held just as accountable as IT teams when a breach occurs. However, that doesn’t mean that the C-suite and IT are on the same page. Knowing this, why are there continuing challenges in communication?

Communication Between C-Suite Executives and IT

There is a communication gap between the C-Suite and IT. 91% of IT pros feel that their organization is improving its cybersecurity while only 69% of C-level executives agree. Executives also disagreed with IT on data priority. They prioritized protecting employee data while IT prioritized financial data.

If IT and executive leadership are going to prepare for inevitable data breaches, we need a roadmap for communication so that we can align priorities and coordinate efforts.

3 Tips for Communication Between IT and the C-Suite

The article on Security Boulevard highlighted some good thoughts on communication with the C-Suite. Here are some ideas that jumped out at us plus a few thoughts of our own.

Tip #1: Don’t Use Industry Lingo

IT must learn to communicate complex IT issues and security threats in layman’s terms. We recommend using analogies and avoiding industry jargon. As you will see in our next tip, your communication still needs to have some meat on the bone.

Tip #2: Make Substantial Recommendations

While words like “synergy” and “collaborative” are great in presentations (not really!), they don’t do much to make your company more secure. The CEO is personally responsible for every type of issue across all parts of the company and you can help by bringing specific, actionable recommendations to the table.

Tip #3: Understand the Role of the Chief Information Security Officer (CISO) in Preparing for a Data Breach

Many companies have designated a Chief Information Security Officer (CISO) to advocate for information security within the organization. This seems like a great solution, but many CISOs are not as empowered as they could be. The CISO frequently reports to the CIO, and their interests are not necessarily aligned. This can lead to a breakdown in communication within the executive team and lead the CEO to develop a false sense of security. Consider whether a CISO would benefit your organization and think about how they fit into the corporate hierarchy.

Conclusion

I’ve worked in IT security for over 30 years. Many things have changed, but it occurred to me as I was writing this article that these thoughts would have been applicable 10, 20, or 30 years ago. Before concluding this article, there is one more tip that passes the test of time:

Bonus Tip #4: Get an Outside Perspective

IT security is complex, and the only certainty is that the bad guys are always looking for new approaches. Having a fresh set of eyes to analyze your data security in light of the latest threats and security resources is frequently the difference between an unsuccessful hacker and a catastrophic breach.

At SecurIT360, we specialize in delivering our cutting-edge security resources with communication that is understandable and helpful for anyone from an executive with no background to the highest-level network engineers.

We are offering a free security audit to identify the paths that could leave you vulnerable to the next data breach. Contact us today to find out more.


Your CCPA Compliance Checklist for 2020

You’ve read about it for months now, and it’s finally here. The California Consumer Protection Act went into effect on January 1st, 2020. Unlike asking a telemarketer to put you on the mythical “Do Not Call List,” consumers’ new privacy rights under the CCPA are very real and very enforceable. We’ve waded through all the confusing information on the CCPA to put together a handy list of answers to questions you may have had when hearing about CCPA and considering its impact on your business.

What is it?

The California Consumer Protection Act, or AB-375, was passed on June 28, 2018. It is a comprehensive piece of legislation designed to significantly elevate privacy regulations and to protect California consumers from having their personal data stolen, sold, or shared without their knowledge. Businesses will be under increasing scrutiny to have complete transparency in how they are currently collecting, storing, and using consumer data.

What kind of consumer data is protected?

Be careful – the CCPA takes a very broad view of what constitutes “personal data” about consumers. It’s not just credit card information! The specific definition of personal data under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition to a customer’s name, this “personal information” includes: IP address, postal address, email address, Social Security Number, driver’s license number, passport number, biometric information, geolocation data, consumer photos, and messages… the list goes on. ALL of these things are now protected under the CCPA. Due to the connected nature of the growing Internet of Things, more consumer data of an alarmingly personal nature is being unwittingly shared online. The regulations under the CCPA are an attempt to control and curb the spread of that data.

What are consumers’ rights under the CCPA?

In short, the CCPA is designed to give consumers greater legal control over what information businesses know and share about them. Consumers have the right to:

  • Disclosure – Consumers can make verifiable requests to know what personal information is being collected or sold about them, and businesses must disclose this information.
  • Access – At the point of collection, a consumer must be informed of what type of information is being collected, and how it is being used.
  • Deletion – Consumers can request to be “forgotten,” i.e. they can request that all personal information about them be deleted from a business’ system. This includes the removal of consumer information from third-party vendors.
  • Antidiscrimination – Consumers cannot be discriminated against because they have exercised their rights under the CCPA.
  • Ability to Opt-Out – A business must provide a “Do Not Sell My Personal Information” option on its website.
  • Privacy Policy Requirements – Businesses are required to state their online privacy policy plainly, and update it every 12 months.

What are the new privacy policy requirements for businesses under the CCPA?

Maintaining all of these rights for consumers sounds like a big ask, but there are five main CCPA requirements that will help you achieve this. The CCPA asks that businesses take part in the following activities:

  • In-house data inventory, mapping of relevant personal data, and highlighting instances of selling data
  • Setting up new individual rights to data access and erasure
  • Setting up new individual rights to opt-out of data selling
  • Updating service agreements with third-party vendors and data processors to ensure that they are also CCPA-compliant
  • Identifying and eliminating information security gaps and business system vulnerabilities

Will it affect my business?

“My business isn’t based in California, so I’m in the clear, right?” Not so much. There is a broad swath of companies that will have to comply.

If your business is for-profit, and if your business:

  • Is owned and operated in California OR:
  • Sells to consumers in California OR:
  • Has an annual revenue of $25 million or more OR:
  • Buys, receives, sells, or shares consumer data from 50,000 or more consumers, households, or devices OR:
  • Gains a majority of their annual revenue from the selling of personal data

You will be bound by this legislation! As you can see, this definition includes most of the companies in the U.S.

Are there any exceptions?

The main exceptions to the rule are where it conflicts with federal regulation. The CCPA shall not restrict a business’ ability to:

  • Comply with federal, state, or local laws
  • Collect, use, sell, or disclose consumer information that is aggregated consumer information
  • Collect or sell personal information if every aspect of the transaction takes place wholly outside of California

The CCPA shall not apply to:

  • Medical Information or protected health information, pursuant to regulations established by HIPAA
  • Personal information collected pursuant to the California Financial Information Privacy Act

So, unless your industry is medical or financial (which are already strictly regulated), you need to pay close attention to the CCPA!

How do I achieve compliance?

“Ok, I get it. It will affect me. Now, what do I do to maintain compliance?” It’s all about putting in “reasonable security protection.” Your business should check for the following points to ensure CCPA compliance:

  • Stringent processes and protections in place for how you collect and store customer data
  • Consumer notifications of what type of information is being stored and used at the point of collection
  • Strong endpoint protection and encryption
  • Strong emergency processes in place in case a data breach occurs
  • An Opt-Out option on your website so that consumers can request to be “forgotten”
  • An updated privacy policy that you’ve shared with your third-party vendors
  • An updated privacy policy posted clearly on your website

Update your systems so that your consumers are made aware of what information you are gathering and how you are using it, and you should have no problem.

What will happen if I’m non-compliant?

There is a higher cost than ever for non-compliance, whether voluntary or involuntary. The CCPA’s enforcement provisions state that “any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty.” If you knowingly disclosed consumer personal data, the penalty is $7,500 for each intentional violation. If you unknowingly violate the CCPA (which shouldn’t happen if you are reading this post!), the penalty is $2,500 for each violation.

In addition to that, consumers can individually bring a civil action against your company for up to $750 per incident, or the cost of the actual damages, whichever is greater. This civil action will question whether your business has implemented “reasonable security procedures and practices,” so if you can’t prove you had privacy protection measures in place, watch out.

What should I do if there’s a breach?

If there is an attack on your business’ data systems and an information breach, you must act quickly to protect your consumers’ personal information, as well as to notify them of the breach. If you fail to do this within 30 days, you will be subject to maximum penalties. However, if you can prove that your violations have been amended and that no more will occur, you will be spared additional fines.

When will I have to enforce CCPA compliance?

If you feel like there’s a great deal you need to do to achieve compliance, you still have some time to do it. Even though the legislation goes into effect January 1st, 2020, there is a grace period that lasts until “6 months after the publication of such regulations,” or July 1st, 2020.

There. I’m done. Now I don’t have to hear about CCPA ever again, right?

Not quite. This legislation is following the trend of the EU’s GDPR (General Data Protection Regulation), which is actively creating and expanding the definitions of consumer rights. Right now, though, there is still turmoil as the CCPA tries to bring some cohesion to what is a dynamic policy area. There will be great changes in the legislation until homeostasis is reached. Businesses can expect similar laws to be passed across the country in the next few years, so if you don’t have to deal with consumer privacy rights now, don’t worry. You will.

Why is this important?

The CCPA legislation will impact your business, whether you realize it now or not. With many businesses’ marketing strategies relying heavily on using and predicting consumer identities, removing personal information about your customers introduces holes into the picture. This law will greatly affect the accuracy and efficacy of established marketing approaches like attribution.

The increased connection of the Internet of Things begins to reveal the many vulnerabilities that are emerging in sharing, storing, and protecting consumer personal information. According to Risk Based Security, 2018 was the second-most active year for data breaches, with 6,500 reported breaches that included some 5 billion records. And those numbers can only be expected to increase. The CCPA is an attempt to mitigate some of these breaches.

The CCPA may seem like a headache, but it is a good opportunity for your business to focus its attention on upgrading your security and privacy practices all around.

What’s going to happen next?

You can expect a rocky start to the enactment of the CCPA. First off, despite its being around for over a year, there is a great deal of contention as to the exact scope of the legislation. Two bills are currently under consideration to expand the CCPA, while nine bills are being considered that would narrow its scope. In addition, a federal privacy law is still under consideration in Washington, DC, that would affect the exact provisions of the CCPA.

In addition to this lack of agreement, there is a general lack of knowledge about the CCPA. A recent survey by ESET polled 625 business owners and executives to see how prepared they are for the enforcement of the CCPA on January 1st, 2020. Of these 625 owners, half had never heard of CCPA, 34% were unaware if they needed to change for compliance, and only 12% knew specifically how the law would affect them. Because of this confusion, you can expect to hear about a great deal of litigation in the new year as businesses are faced with the high cost of non-compliance.