On May 25, 2018, the GDPR went into effect, putting the world’s attention on data privacy. Since the enforcement deadline has passed, there have been questions about how to comply with the law, who must comply with the law, how the law will be enforced, and so much more. Now a full year later, let’s take a look at developments and predictions for GDPR throughout 2019 and beyond.

What is the Future of GDPR Certifications and GDPR Certification Training?

While the EU announced the GDPR enforcement deadline nearly two years before the law went into effect, many organizations were left scrambling last-minute to comply with the law. In large part, this was due to the ambiguity of the law, leaving organizations unsure if it actually applied to them and the data they collected. A year later, the future of official GDPR certifications is still relatively unclear, but the European Data Protection Board (EDPB) recently issued guidelines that will assist in certifying controllers and processors as GDPR-compliant.

GDPR Enforcement Updates: Who’s Been Fined?

Perhaps one of the most talked-about components of GDPR was the potential fines organizations were faced with. According to the law, organizations that fail to comply with GDPR could face fines of up to €20 million or 4% of annual global turnover – whichever is greater. For many enterprises, this meant that non-compliance could lead to tens of millions of dollars in fines, or worse, bankruptcy. In the first few months after enforcement began, EU supervisory authorities saw an influx of reported data breaches, with DLA Piper indicating that nearly 60,000 data breaches had been reported since the May enforcement date. However, enforcement of the law has been relatively limited, with only three companies having been fined: Google, an unnamed German social media platform, and an Austrian entrepreneur.

  1. Google: Receiving the largest GDPR fine to date, Google’s €50 million fine by the French regulator CNIL was the result of Google’s insufficient transparency and vague consent agreements.
  2. Social Media Platform: This German social platform received a fine of €20,000 from the German data protection authority, LfDI Baden-Württemberg, for failing to hash data subjects’ passwords, leading to a breach of personal information.
  3. Austrian entrepreneur: This business owner received a fine of €4,800 for placing an unmarked CCTV camera system outside of their establishment, unlawfully surveilling a public sidewalk.

Will Facebook Be Fined Under GDPR?

The debate over whether or not Facebook will be fined under GDPR has been a hot topic since the law went into effect. In July 2018, the social media giant was hit with a €500,000 fine by Britain’s ICO due to the infamous Cambridge Analytica data breach. In recent developments, it was also discovered that Facebook had been storing the passwords of hundreds of millions of users in plain text. While the investigations of the social platform’s data privacy practices could take years, the outcome could help clarify GDPR requirements and expectations for the future.

How Has GDPR Influenced Data Privacy Laws in the US and Abroad?

GDPR was viewed as the top regulatory focus of 2018 and for good reason; however, it has also become the catalyst for many other data privacy laws going into effect around the globe. In the United States, the California Consumer Privacy Act went into effect, Washington state introduced the Washington State Privacy Act, and Congress has introduced several data privacy bills, including the American Data Dissemination Act (ADD Act) and the Social Media Privacy Protection and Consumer Rights Act of 2019. Internationally, there have also been many developments in data privacy laws, many of which resemble GDPR, including Canada’s PIPEDA, China’s Cybersecurity Law, Singapore’s Cyber Security Agency, the Brazilian National Monetary Council’s Resolution No. 4,658, and many others. Throughout 2019 and beyond, it’s expected that many more data privacy laws will go into effect throughout the world.

In just one year, GDPR has had a tangible impact on the way the world views data privacy. If your organization has questions about GDPR compliance or complying with the many other data privacy laws either in effect or in the process of going into effect, contact us today.


Today’s organizations rely on data to fuel their business processes. Whether it’s the healthcare, financial services, hospitality, federal government, retail, telecommunications, or education industries, there are sensitive assets that malicious hackers can – and will – steal.

With the growing amount of data collected by various organizations and industries, it’s no wonder that creating and enforcing a robust data retention policy is necessary. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what data they need to retain and for how long.

Let’s take a look at some data retention best practices and how following them can help your organization establish and enforce a more compliant and useful data retention policy suitable for your organization’s needs.

What is a Data Retention Policy?

A data retention policy is documentation your organization creates to stipulate how long data is kept and when it should be deleted, either because it no longer serves its purpose or because its retention period has been met. Implementing a data retention policy begins by knowing what kinds of data your organization holds and then classifying that data.

Data retention policies are critical to ensuring all local and federal regulations and retention schedules are being met. This includes retaining data and records for the specified period of time, and also promptly deleting or destroying records once the retention period is up.

What are Best Practices for a Data Retention and Purging Policy?

1: Identify and classify the data your organization holds

Implementing a robust data retention policy begins by knowing what kinds of data your organization holds and then classifying that data. For healthcare companies, this could be PHI (protected health information) such as patient names, dates of birth, Social Security numbers, medical data and histories, or prescription information. For financial services organizations, this could be CHD (cardholder data), PINs, credit scores, payment history, or loan information.

Classifying data is a best practice for data retention because not all data requires the same retention. Recognizing this, many frameworks and legal regulations have specific requirements that encourage organizations to classify data. For example, the 2017 SOC 2 Trust Services Criteria requires that service organizations that include the confidentiality category in their audit demonstrate that they identify and maintain confidential information to meet the entity’s objectives related to confidentiality.

For GDPR compliance, organizations that handle the personal data of EU data subjects must classify the types of data they collect in order to comply with the law. Additionally, GDPR categorizes certain data – race, ethnic origin, political opinions, biometric data, and health data – as “special” and therefore subject to additional protection. This not only means that organizations need to know what types of data they hold, but also that they need to be able to label that data, for example as public, proprietary, or confidential.

2: Know which legal requirements apply to you

Within the last few years, there’s been a renewed focus placed on data privacy, leading to an increase in new, complex data privacy laws and regulations across the globe that generally include data retention standards. In addition to the mix of regulatory frameworks organizations are already tasked with complying with, organizations may also have contractual and business needs that dictate data retention schedules.

For instance, if an organization has to comply with the data retention standards for GDPR and the PCI DSS, how do they know which data retention requirement to follow if there is a conflict or difference between the two requirements?

This is why, when following best practices for data retention, organizations should consult with either internal or external regulatory compliance specialists to determine which legal requirements for data retention apply to their organization.

3: Delete data once it is no longer required or after the data retention period has been met

This is a critical best practice for data retention that many organizations fail to follow because they believe that holding onto data longer than required could be more secure than deleting it and needing it later. However, this misconception couldn’t be further from the truth.

Holding onto data longer than required by law or longer than needed for use can have various ramifications, including but not limited to:

  • Increasing chances of experiencing a data breach or security incident
  • Placing client data at greater risk for being breached
  • Contributing to cluttered hardware and/or software, making it difficult to find data that’s actually needed
  • Expanding the regulatory compliance burden related to data access

Ultimately, in order for an organization to implement an effective data retention policy, data that no longer serves a purpose to the organization or data that has been held for the required retention period should be deleted.

If your organization collects, stores, or transmits data, it might be time to re-evaluate your data retention policy. To learn more about how you can follow and implement these best practices for data retention or find out how KirkpatrickPrice can help you ensure compliance with data retention requirements, contact us today.


As technology advances, it touches every facet of society – and that includes correctional facilities. There’s an obvious need and investment in physical security at correctional facilities, but cybersecurity is presenting new areas of risk in prisons and detention centers. New technology makes it possible for inmates to send messages, read e-books, download music, participate in video visitation, and receive money transfers. What happens if that technology is compromised by an inmate or a hacker? Is cybersecurity for correctional facilities a major area of concern?

The Need for Effective Cybersecurity for Correctional Facilities

If you’re having trouble understanding cybersecurity for correctional facilities, take a look at the 2018 JPay incident. JPay is a service provider completely focused on correctional facilities, touting itself as “your home for corrections services.” JPay isn’t the only service provider for correctional facilities, but it is one of the most widely available. If you don’t have a family member or friend in prison, you’ve probably never heard of JPay, but JPay is the sole provider of e-messaging services in 20 states. Along with e-messaging and other services, JPay has introduced tablets specifically made for inmates. In 2018, though, hundreds of inmates in Idaho found a way to add thousands of dollars of credit to their JPay accounts. The spokesman for the Idaho Department of Correction reported that over 300 inmates across five correctional facilities intentionally credited their JPay accounts by $224,772.40, which “required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.” Fortunately, this incident didn’t impact taxpayer money or inmates’ bank accounts, only their JPay accounts. This incident, though, demonstrates a lack of understanding of cybersecurity for correctional facilities and that there are vulnerabilities within new technology that must be mitigated.

Securus Technologies, a prison technology company providing phone and video visitation services, has had several incidents that compromised data. In 2015, an anonymous hacker stole 70+ million records of phone calls placed by prisoners in at least 37 states, with links to downloadable recordings of the calls. This is bad enough for Securus, until you consider the nature of these calls. At least 14,000 of these recorded conversations were between inmates and their attorneys – calls that, legally, probably shouldn’t have been recorded in the first place in order to protect attorney-client communications. The Intercept reported that David Fathi, director of the ACLU’s National Prison Project, said, “This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about. A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.” In addition to Securus’ 2015 breach, in 2018 it was reported that Securus sold law enforcement a service that gave them the ability to look up the location of cell phones on all of the major U.S. mobile networks. When Securus was hacked, its database of law enforcement officer usernames and passwords was exposed.

These JPay and Securus examples don’t even cover the risks that face the technology that supports physical security. What happens if a cyber attack impacts the effectiveness of cell locks? What happens when security cameras stop working? Would a prison pay a ransom if a hacker infected their systems with ransomware? As technology advances and spreads to prisons, so does the attack surface. Whether it’s from an inmate or an external hacker, there’s definite motivation behind hacking a prison’s connected technology. What does cybersecurity for correctional facilities look like in your city?

Cybersecurity Challenges within Prisons

When managing the security of prisons, developing and implementing effective cybersecurity strategies may not seem as important as physical security. Cybersecurity versus guards, surveillance, locks, and weapons? Cybersecurity cannot continue to be pushed aside due to limited budgets, lack of leadership, or lack of interest. Contact us today to learn more about what the risk factors in your correctional facility are and how to implement effective cybersecurity strategies.

The components of every city’s public safety – law enforcement, fire, EMS – must perform their due diligence and meet best practices when creating effective cybersecurity strategies. Each department is targeted for different reasons, but each one impacts the safety of residents. You’d be surprised by how often cyber attacks against public safety happen and how little it’s talked about. Let’s take a look at five reasons why cybersecurity is crucial for public safety.

The Need for Effective Cybersecurity Strategies in Public Safety

1. 911 Centers

When there are serious cyber risks facing a 911 center or line, wouldn’t you want to do everything possible to mitigate the threat? 911 centers are the gateways of public safety. A compromised 911 line could worsen injury or property damage, and yet they are impacted all the time by cyber attacks. How could effective cybersecurity strategies benefit 911 centers?

In 2018, Baltimore’s 911 dispatch system was attacked, causing staff to manually relay the details given by incoming callers. Obviously, this put a critical hold on the city’s ability to respond to emergencies. Fortunately, although this cyber attack caused inefficient processes, the city didn’t see a slowdown in responders’ response times. Within a week of this hack, the city determined it was caused by ransomware. Frank Johnson, CIO in the Baltimore Mayor’s Office of Information Technology, called the attack a self-inflicted wound. Their IT team had inadvertently changed a firewall and left a port open for about 24 hours, likely letting the hackers into their network.

2. Law Enforcement

The information that police departments store can be incredibly sensitive – making it the perfect target for hackers. Hoping that law enforcement agencies will pay the ransom, attackers often find ways to infect computers with malware. WannaCry found its way into many police departments across the country, leaving irretrievable files in its wake.

Connected vehicles have ushered in a new era for cybersecurity, and this includes vehicles like police cars. Delivery of secure data to officers in the field is necessary for them to protect and serve, so effective cybersecurity strategies must be taken to secure the vehicles that they operate out of.

3. Fire Departments

Fire departments face many of the same risks that law enforcement faces. Ransomware is becoming a more prominent issue, going after valuable assets. What happens when a fire department’s dispatch system is intercepted? Lives are put at risk. Much like police cars, fire trucks are also connected vehicles that need to be protected in order to function as intended. What effective cybersecurity strategies make sense to implement within fire departments?

4. Emergency Medical Services

Medical transport is a growing target for hackers – why? Ambulances must be able to communicate with hospitals, and this means GPS, WiFi, computer processors, and firewalls are all a part of medical transport technology. The threat landscape widens every time medical transport becomes more connected. What would happen if someone hacked into an ambulance tracking system in order to track, follow, and steal medical supplies from them?

These days, EMTs and paramedics can download patient records from an ambulance or send vitals directly to the hospital that they’re headed for. Intercepting communication that includes PHI is bad enough, but what if a hacker was able to take control of the ambulance? With EMS, cybersecurity becomes a matter of life and death.

5. Disaster Preparation and Recovery

Emergency Outdoor Warning Sirens are an integral part to public safety, as they prepare residents for impending weather. When sirens are victims of a cyber attack, it’s not only an annoyance, it’s dangerous. Siren systems around the country have experienced this, and each time, it scares residents. Initially, many city officials think it’s a malfunction and then later discover it was, in fact, a hacker. This happened in DeSoto, Texas. Sirens blared in the middle of the night and city officials finally made the statement, “It has become evident that a person or persons with hostile intent deliberately targeted our combined outdoor warning siren network.”

Key Cybersecurity Challenges within Public Safety

In public safety, developing and implementing effective cybersecurity strategies may not seem as important as the actual day-to-day job functions. Cybersecurity and IT versus responding to emergencies, putting out fires, and saving lives? Cybersecurity can’t continue to be left behind due to limited budgets, lack of leadership, or lack of interest. Contact us today to learn more about effective cybersecurity strategies for entities within public safety.

Securing Financial Institutions

Every business has an asset that they can’t bear to lose, and for financial institutions, those assets include money, financial information about consumers, and consumers’ personal data. Financial institutions need personal data in order to verify financial information and protecting all of that data is a responsibility. In this white paper, we’ll discuss four major areas of concern that financial institutions must take into consideration when securing their sensitive assets: ATMs, mobile and web applications, employees, and buildings.

Threats to the Outside of Financial Institutions

ATMs, mobile applications, and web applications all pose major risks to financial institutions. ATMs are vulnerable by nature. They are physical, they are left unattended more often than not, they have what a hacker wants, and they’re connected to a network. Older machines or ones that are stand-alone are typically easier targets, as there are fewer eyes on them and security measures may not be up-to-date. Banks and ATM providers have come up with physical ways to protect against and detect card skimming, but there are still ample ways for an ATM to be attacked. In fact, we see hackers turning to malware for a more damaging attack vector.

Likewise, today’s technology allows for convenience when banking, trading, insuring, or seeking advice on wealth management. Consumers can typically access their financial information at any time through mobile and web applications. When using a mobile app, the device’s attack surface is huge: the browser, the system, the phone itself, and the apps could all be targeted. When using a mobile or wireless app, the network is susceptible to weak encryption, Man-in-the-Middle attacks, packet sniffing, and more.

No matter how secure you believe your mobile or web app is, it needs to follow the guidance of frameworks and regulations like ISO 27000, FFIEC, SEC NIST, and NY CRR 500. Implementing these industry-accepted best practices will help financial institutions to secure mobile and web apps across devices, networks, data, applications, and user access.