Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period? KirkpatrickPrice offers a wide variety of information security testing and auditing services. To learn more, contact a KirkpatrickPrice information security specialist today.

GDPR Implications for Marketing

What does GDPR mean for marketing? We’re worried that not enough business leaders and marketers have heard of GDPR or have prepared for this radical privacy law because of a common misconception that GDPR is for lawyers and information security teams. But GDPR is more than a data privacy law: GDPR is a mandate that affects how organizations market, collect, use, and store consumers’ personal data, so GDPR compliance and awareness are just as important for marketing departments as they are for IT departments. Has your business considered the GDPR implications for marketing?

What Does GDPR Mean for Marketing?

How do you know if GDPR applies to your marketing activities? Do you market or sell your products or services to EU data subjects? Even if you are based outside of the EU, GDPR applies wherever organizations process personal data of EU data subjects when providing goods or services to those data subjects or monitoring the behavior of those data subjects. There is immediate tension between GDPR requirements and marketing principles. A marketer’s goal is to gain identification information (name, email, birthday, phone number, etc.) for the purposes of promoting a good or service, but GDPR’s goal is to protect that identification information by giving data subjects control over their personal data. This tension is why there is such a need to focus on GDPR implications for marketing. What have we seen from marketers so far?

  • Education: It’s hard to not see GDPR topics throughout webinars, blogs, infographics, white papers, videos, and social media. The experts are providing educational content to marketers. There’s no excuse not to learn and prepare for GDPR compliance.
  • Data Mapping: Data mapping is a critical area of data privacy. It’s not practically possible to determine whether an organization is a data controller or data processor without a full knowledge of the personal data it holds, where the personal data comes from, who the personal data is shared with, and how the organization processes that personal data. Data mapping also gives you the opportunity to ensure your vendors, like email services, are also GDPR compliant. For example, take a look at Pardot’s GDPR guidance.
  • Consent: When it comes to GDPR and marketing consent, a consumer must actively and freely confirm their consent. Article 7 describes consent requirements in detail, requiring organizations to demonstrate that anyone who shared personal data gave consent to use that data for activities like marketing. We’ve seen organizations revising contact forms on their webpages to include consent and sending their consumers opt-in emails to ensure they obtain consent.
  • Objections to Direct Marketing: GDPR gives data subjects multiple rights over their personal data (access, erasure, and restriction – just to name a few), but the most absolute right is the right to object to direct marketing. Unlike other rights in GDPR, there are no exceptions to the requirement to cease direct marketing upon the request of a data subject. When a data subject objects to direct marketing, organizations must grant that request.
  • Update Privacy Policies and Notices: Have you received a flood of updated privacy policies from brands you are subscribed to? This is one way that many organizations are addressing GDPR’s requirement to be transparent about their data uses so that data subjects can make an informed decision about whether or not to share their personal data. Check out Twitter’s FAQ for its approach to GDPR.

Benefits of GDPR for Marketers

Although GDPR presents challenges for marketers and many are intimidated by the GDPR implications for marketing, compliance also brings many benefits.

  • Building customer trust is a difficult task in this day and age; digital consumers are fearful of unwanted follow-up, sales pitches, cold calls, and spam. GDPR compliance is an opportunity to present your organization as a secure and trustworthy service or source, and even has the potential to rebuild the trust that many digital consumers have lost. This trust may actually result in greater sharing of personal data.
  • Complying with GDPR pushes marketers to put the user experience first and demonstrate that they respect user preferences. With GDPR enforcement on the rise and data privacy controversies in the news, Facebook, Uber, and Wells Fargo have all begun advertising campaigns that attempt to demonstrate their dedication to putting the user experience first.
  • GDPR compliance gives marketers the opportunity to improve their data security as they engage with prospects and consumers.
  • Because email marketing strategies may need to be shifted for GDPR compliance, this gives marketers an opportunity to focus on areas that may not be so heavily impacted by GDPR, like social media, SEO strategies, and content creation.
  • GDPR compliance may bring a competitive advantage for two reasons. First, meeting GDPR compliance demonstrates to prospects and consumers that your organization prioritizes data security and user privacy. Second, once you’ve taken steps towards GDPR compliance, you can reduce the likelihood that your organization or your clients will face regulatory investigations and fines.

GDPR has a worldwide impact that will change the way organizations collect, use, store, and secure personal data. Want to learn more about GDPR implications for marketing? Contact us today to speak with a privacy expert.

More GDPR Resources

The rules around business to business marketing, the GDPR and PECR

Auditor Insights: Are you a Data Controller or a Data Processor?

Which GDPR Requirements Do You Need to Meet?

Auditor Insights: Where to Start with GDPR Compliance

Effective Vendor Risk Management

An effective risk management strategy includes a strategic process for assessing and monitoring vendor compliance.

Some vendors go to great lengths to secure their services and processes, but others may leave you with consequences to pay. Vendors need to prove what they are doing to reduce risk to you and your customers. You’re putting a great deal of control into the vendors’ hands, so managing vendor risk must be an integral part of any business.

What happens if your operations depend on the availability of your vendor’s services, but their service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor has a breach, what are the consequences to your organization?

These are the types of scenarios your organization must consider when selecting vendors and effectively managing vendor risk.

How to Manage Vendor Risk

When engaging with a vendor, there are many steps to take: conducting a risk assessment, scoping, setting expectations, establishing communication methods, and verifying compliance requirements.

Because there’s so much to do, we see many common gaps in organizations that are managing vendor risk, including a lack of due diligence, limited involvement from senior management, lack of contract development and review, issues with the risk-ranking system, and ineffective monitoring procedures.

Lack of Due Diligence

What is your process for vendor selection? If you choose a vendor without assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can damage your business. Do they have a Disaster Recovery Plan? Are policies and procedures updated and implemented? What types of security and compliance resources do they have? What is their reputation related to security? What types of vendor risk are critical to your organization? Have you performed a risk assessment?

It’s critical to exercise due diligence when selecting vendors and even during the course of the relationship, especially when considering a renewal of a contract.

Limited Vendor Management Involvement

A mistake that many organizations make is not including senior management in vendor compliance management. The FDIC’s Guidance for Managing Third-Party Risk explains that an organization’s senior management is responsible for managing the activities conducted through vendor relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within their own organization. Senior management’s involvement is critical to effective vendor risk management.

Lack of Vendor Contract Review

Specific expectations and obligations of your organization and your vendors must be outlined in a written contract prior to entering into the relationship. This contract should include the scope of the relationship, cost, performance standards, reporting requirements, security standards, dispute resolution, and termination rights. Thorough contract development and review could prevent legal consequences for your organization, making it a major element of effective vendor risk management.

No Vendor Risk-Ranking System

Vendors should be ranked based on their access to confidential or sensitive information, the criticality of the product/service they provide, and the complexity of the product/service they provide. Types of vendor risk are also reputational, strategic, financial, operational, regulatory, privacy, environmental, and legal risks. If you’re not risk-ranking your vendors, how do you know which brings critical risks to your environment?

Vendor Monitoring Issues

A key component of effective vendor risk management is oversight and monitoring. The extent of oversight will depend on the types of vendor risk they present and the scope of the relationship, but your organization must have qualified staff allocated to monitoring vendor relationships. Monitoring your vendors’ performance, audit reports, compliance requirements, training effectiveness, quality of services, and risk management practices will assist your organization in evaluating the effectiveness of the relationship.

Vendor Management Across Disciplines

For many industries, validation of a vendor’s security practices is not optional. Consider the following guidance:

  • The OCC Bulletin 2013-29 provides guidance to banks for assessing and managing vendor risk and third-party relationships, defining a third-party relationship as any business arrangement between a bank and another entity, by contract or otherwise.
  • 23 NYCRR Section 500.11 describes the need for financial services companies to have security policies related to managing vendor risk, which should include identification and risk assessment of vendors, minimum cybersecurity practices to be met by vendors in order to do business with the covered entity, due diligence processes used to evaluate the adequacy of vendors’ cybersecurity practices, and periodic assessment of vendors based on the types of vendor risk they present and the continued adequacy of their cybersecurity practices.
  • Under HIPAA, covered entities are generally required to enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information (PHI). Business associates must contractually agree to not use or disclose PHI other than as permitted or required by law, use appropriate safeguards, report breaches of unsecured PHI and any other security incidents to the covered entity, among other requirements.
  • The PCI SSC says that when entities use vendors to store, process, or transmit cardholder data on their behalf, those vendors impact the security of the cardholder data environment and the entity’s PCI compliance. That’s why contractual agreements and policies should be established between the entity and its vendors for all applicable security requirements. An effective vendor risk management program helps an entity ensure that the cardholder data entrusted to vendors is maintained in a secure and compliant manner.
  • The AICPA’s SOC 2 Guide states that service organizations may implement policies, procedures, and controls for managing vendor risk. This could include how to assess the risk that vendors bring, assigning responsibility and accountability for managing vendor risk, establishing communication and resolution protocols for issues with vendors, how to assess the performance of vendors, and how to terminate vendor relationships.

What vendor compliance obligations does your industry require of you? Interested in learning more about effective vendor risk management? Contact us today to hear how we can validate the security of your vendors’ services or demonstrate the security of your own.

More Vendor Compliance Resources

OCC Bulletin 2017-21: FAQs to Supplement OCC Bulletin 2013-29

[24]7.ai Cyber Incident: How Your Vendors Can Impact Your Security

Vendor Compliance Management: Carve-Out vs Inclusive Method

Two of the most frequent questions asked about GDPR, especially from non-EU-based organizations, are:

  • What is personal data under GDPR?
  • Who is a data subject under GDPR?

If you’ve been asking these questions but can’t seem to find a clear answer, you are not alone. The answer to these questions can determine whether or not GDPR applies to your organization and to what extent it applies.

Let’s take a closer look at GDPR personal data and data subjects with everything you need to know at a high-level, starting with a couple of basic definitions.

What is a Natural Person According to GDPR?

Under the GDPR, a natural person is a living, breathing human being. Natural persons are contrasted with legal persons, which are entities that are not natural persons, but that have some of their legal rights. Examples include corporations and partnerships. The GDPR protects the personal data of data subjects who are natural persons. However, both natural and legal persons can be data controllers and data processors.

What is GDPR Personal Data?

In Article 4(1), GDPR specifically states that “personal data” means any information relating to an identified or identifiable natural person, which is someone who can be directly or indirectly identified. This includes:

  • Name
  • Identification number
  • Location data
  • Physical address
  • Email address
  • IP address
  • Radio frequency identification tag
  • Photograph
  • Video
  • Voice recording
  • Biometric data (eye retina, fingerprint, etc.)
  • An online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

There are a few challenges that keep the definition of personal data under GDPR from being cut-and-dry, including:

Data from Devices

Recital 30 says that there are some online identifiers provided by devices, applications, tools, and protocols that leave traces which, when combined with unique identifiers and other information, may be used to identify natural persons. This broadens the traditional scope and definition of personal data to address the general lack of transparency when it comes to data use from devices and IoT.

Indirect Identification

A single element might not be considered personal data in some contexts, but when it is used in conjunction with other elements, it’s able to identify a data subject. Understanding what personal data is under GDPR isn’t just knowing a list of elements; it’s considering what you can do with those elements once you use them together.

Personal Data that isn’t always Personal Data

If you have a common name, so much so that 500,000 people in one country have the same name, then that name may not be personal data on its own. Again, when the name is used in conjunction with the name of an employer or a telephone number, then the data is more likely to identify a person, and therefore, the combination of very general data and more specific data may constitute personal data under GDPR.

Inferred and Derived Data

The Article 29 Data Protection Working Party, in its guidelines on the right to data portability, says that “a credit score or the outcome of an assessment regarding the health of a user is a typical example of inferred data” and that such data is personal data that “does not fall within the scope of the right to data portability.” If we extend the idea that inferred or derived data is personal data not subject to every provision of GDPR from the right to data portability to the rest of the law, then we may have an additional loophole or exception for GDPR compliance.

Anonymous Data

One thing about GDPR personal data is clear. Recital 26 states that anonymous information, meaning information which does not relate to an identified or identifiable natural person, is not subject to the requirements of the law.

Despite the challenges, we do know that defining what personal data is under GDPR depends on the element, context, and reasonable likelihood of identification generated by the data.

Defining Data Subjects Under GDPR

Here’s the issue: the law uses the term “data subject” but doesn’t define the term. Some may assume that data subjects are EU citizens, but that analysis seems to exclude the explicit language of the law and practical considerations. There’s tourism, travel, residencies, students abroad, and much more to consider.

Because GDPR uses inconsistent qualifiers when referring to data subjects and informal descriptions of who a data subject is, the public has been left with varying interpretations and significant challenges.

When reviewing the law, you can see several different interpretations:

  • Article 3(2) states, “This Regulation applies to the processing of personal data of data subjects who are in the Union…”
  • Recital 2 gets a little more granular than Article 3(2), “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
  • Recital 14 states, “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
  • Recital 24 states, “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union.”

Who is a GDPR Data Subject?

Based on the language of the law above, we generally see five definitions proposed for “data subjects,” varying from any personal data physically located in the EU to citizens of the EU.

  1. Located in the EU
  2. Resident of the EU
  3. Citizen of the EU
  4. An EU Resident/Citizen Located Anywhere
  5. Personal Data in the EU

Located in the EU

A data subject is anyone physically within the borders of the EU whose data is being processed while that individual is physically within the Union. For example, a citizen of the EU, who is physically located in the EU, who provides personal information through the purchase of a product.

Resident of the EU

A data subject is anyone who formally resides within the Union, regardless of citizenship, while that individual is physically within the Union. For example, a non-EU citizen who is studying abroad in the EU.

Citizen of the EU

A data subject who has formal citizenship in the EU while that individual is physically within the Union.

An EU Resident/Citizen Located Anywhere

A data subject is anyone who has residency/citizenship in the EU whose data is being processed, regardless of where the resident/citizen is physically located at the time of processing. For example, a data subject could be an EU citizen, who is located in the US, and who provides personal information during the purchase of a product.

Personal Data in the EU

A data subject is anyone whose personal data is located in the EU, regardless of the residence, citizenship, or physical location of the data subject. For example, a non-EU citizen, who is located in the EU, provides personal information through the purchase of a product.

Next Steps for Complying with GDPR

Here’s what we know: the law is not clear. Reasonable, intelligent, educated people disagree about what constitutes a data subject, but it’s crucial that organizations determine their definition of a data subject.

We believe that data subject location is important in defining GDPR scope, but we also know that practical realities, such as a desire to interpret and enforce the law broadly, will impact interpretation perhaps even more than the letter of the law.

So, now that you know who a data subject is and what personal data is under GDPR, what do you do next?

Make Defensible Definitions

First, we suggest that you retain competent legal counsel that understands your organization’s role in personal data and can help you determine what constitutes a data subject and personal data at your organization. You’ll want someone supporting your efforts, especially as the public learns from enforcement activity. Monitoring and learning from GDPR developments and enforcement action is crucial to your GDPR compliance.

Your organization also needs to make a defensible business decision around what constitutes a data subject and personal data. Organizations generally know when they’re making a decision that’s defensible or risky, and we encourage you to make this decision as defensible as possible.

Identify Vulnerabilities and Risk

Second, think through the risk.

Where are you most likely to experience a data subject complaint or inquiry? Where are you most likely to experience the threat of unauthorized access or disclosure? These are the places where you should prioritize your time and resources when determining who data subjects are and what personal data is.

Have a Compliance Plan

Finally, apply what you’ve learned from these concepts to your organization, especially if you don’t regularly process EU data subjects’ personal data but have the potential to process such data. You must have a plan of action in place to meet GDPR compliance.

Need help beginning your journey towards GDPR compliance? Contact us today.

More GDPR Compliance Resources

Auditor Insights: Where to Start with GDPR Compliance

GDPR Readiness: Are You a Data Controller or Data Processor?

GDPR Readiness: Whose Data is Covered by GDPR?

ICO’s Determining What is Personal Data

Testing Wireless Access Points

Exploitation of wireless technology, according to the PCI DSS, is one of the most common ways attackers attempt to gain unauthorized access to networks and cardholder data. This is due to the ease with which a wireless access point can be attached to a network, the difficulty in detecting their presence, and the increased risk presented by unauthorized wireless devices. This is why PCI Requirement 11.1 states, “Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.” It’s not entirely about testing for the presence of wireless access points that you do have; it’s more about testing for unauthorized wireless access points. Even if your organization prohibits the use of wireless technology, you must still perform the testing required by PCI Requirement 11.1.

To assess compliance with PCI Requirement 11.1, an assessor will want to see documentation of your quarterly testing of wireless access points, and your list of wireless devices. PCI Requirement 11.1.1 requires that organizations maintain an inventory of authorized wireless access points with a documented business justification. The PCI DSS guidance explains, “Knowing which wireless devices are authorized can help administrators quickly identify non-authorized wireless devices, and responding to the identification of unauthorized wireless access points helps to proactively minimize the exposure of CDE to malicious individuals.”

PCI Requirement 11.1 requires that, as an organization, you test for the presence of any unauthorized wireless in your environment. From an assessment perspective, many organizations tell their assessors, “No, I don’t have any wireless.” It’s not about testing for the presence of the wireless that you do have; it’s about testing for the presence of wireless that somebody might have installed in your environment without authorization. From an assessment perspective, then, we ask that you provide us your quarterly results, because you are required to perform quarterly testing. If you do have any wireless within your environment, you need to maintain a list of the wireless access points that you have authorized within your environment.
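The core of a Requirement 11.1 test is mechanical: take whatever your scan produced, normalize it, and compare every observed BSSID against the 11.1.1 inventory. The script below is an added example written for this page, not tooling from the PCI SSC or from KirkpatrickPrice. The inventory, the business justifications, and the scan output are all constructed; the scan format is a simplified key=value line, and a real export from iwlist, airodump-ng, or a wireless IDS would need its own parser. Beyond the plain authorized/unauthorized split, it calls out two cases an assessor will ask about: an unauthorized radio broadcasting one of your own SSIDs (a possible evil twin) and an authorized AP that did not appear at all (stale inventory or a moved device).

```python
"""Quarterly rogue wireless access point check (added example, not page code).

Compares BSSIDs seen in a wireless scan against the inventory of authorized
access points required by PCI DSS 11.1.1 and reports anything unauthorized.
"""
import re
from dataclasses import dataclass

# Constructed inventory (assumed, not a real environment):
# BSSID -> (SSID, documented business justification per 11.1.1)
AUTHORIZED_APS = {
    "00:1A:2B:3C:4D:5E": ("CORP-SECURE", "Office Wi-Fi, segmented from CDE (assumed)"),
    "00:1A:2B:3C:4D:5F": ("CORP-GUEST", "Guest network, internet only (assumed)"),
    "00:1A:2B:3C:4D:60": ("CORP-WAREHOUSE", "Handheld scanners, warehouse (assumed)"),
}

# Constructed scan output, one record per observed AP (simplified format).
SCAN_OUTPUT = """\
bssid=00:1a:2b:3c:4d:5e channel=6 signal=-41 ssid=CORP-SECURE
bssid=00:1a:2b:3c:4d:5f channel=11 signal=-55 ssid=CORP-GUEST
bssid=de:ad:be:ef:00:01 channel=1 signal=-38 ssid=CORP-SECURE
bssid=aa:bb:cc:dd:ee:ff channel=36 signal=-70 ssid=
"""

LINE_RE = re.compile(
    r"bssid=(?P<bssid>[0-9A-Fa-f:]{17}) channel=(?P<ch>\d+) "
    r"signal=(?P<sig>-?\d+) ssid=(?P<ssid>.*)"
)


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    channel: int
    signal_dbm: int
    ssid: str  # empty string means the SSID is hidden


def parse_scan(text):
    """Parse scan records; BSSIDs are upper-cased so they compare with the inventory."""
    aps = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # skip anything that is not an AP record
        aps.append(ObservedAP(m["bssid"].upper(), int(m["ch"]), int(m["sig"]), m["ssid"]))
    return aps


def classify(observed, authorized):
    """Split observations into unauthorized APs, suspected evil twins, and
    authorized APs that were not seen during the scan."""
    seen = {ap.bssid for ap in observed}
    our_ssids = {ssid for ssid, _ in authorized.values()}
    unauthorized = [ap for ap in observed if ap.bssid not in authorized]
    # A radio we do not own advertising our SSID may be impersonating the network.
    evil_twins = [ap for ap in unauthorized if ap.ssid in our_ssids]
    # Inventory entries that did not show up: powered off, moved, or stale inventory.
    missing = sorted(set(authorized) - seen)
    return unauthorized, evil_twins, missing


def report(observed, authorized):
    """Human-readable findings, returned as a list of lines for the quarterly record."""
    unauthorized, evil_twins, missing = classify(observed, authorized)
    lines = [f"Observed {len(observed)} access point(s); {len(unauthorized)} unauthorized."]
    for ap in unauthorized:
        label = ap.ssid or "<hidden SSID>"
        flag = " [SUSPECTED EVIL TWIN]" if ap in evil_twins else ""
        lines.append(f"UNAUTHORIZED {ap.bssid} ch{ap.channel} {ap.signal_dbm} dBm {label}{flag}")
    for bssid in missing:
        ssid, why = authorized[bssid]
        lines.append(f"NOT SEEN {bssid} ({ssid}) - inventory says: {why}")
    return lines


if __name__ == "__main__":
    for line in report(parse_scan(SCAN_OUTPUT), AUTHORIZED_APS):
        print(line)
```

Strong signal on an unauthorized radio (the -38 dBm entry above) is worth noting in the report: a rogue AP that close is likely plugged into your own switch fabric, which is exactly the scenario Requirement 11.1 exists to catch, and the follow-up should be a port trace and the incident response procedure referenced in 11.1.2, not just a note in the quarterly file.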