Learning from Twitter’s Privacy Mistakes

Because of the ever-changing landscape of privacy laws, standards, and guidelines, it has become difficult for businesses to know what their obligations are, and even harder to determine what could constitute non-compliance. Fortunately, Twitter’s mistakes now provide us with an example of what a violation looks like. Twitter has been in the spotlight for a recent hack, and now the Federal Trade Commission is investigating its privacy practices regarding targeted ads.

What Led to the FTC’s Investigation at Twitter?

In October 2019, Twitter admitted to using personal data obtained for security reasons for targeted ads purposes. The company stated, “We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.”

We now know, through Twitter’s SEC filing, that the FTC began its investigation after this announcement and Twitter received a complaint on July 28, 2020. Twitter faces a fine of up to $250 million for the violation.

3 Takeaways from Twitter’s Privacy Choices

We asked our privacy experts to comment on the FTC’s investigation and they found three key takeaways for businesses looking to avoid privacy mistakes.

  1. Qualified, third-party verification of privacy practices is critical because almost every organization believes they are using personal data appropriately. Twitter does not admit to intentionally misusing personal data (i.e. using the data for a purpose other than what the data was originally collected for). Twitter says the use of the personal data collected for security purposes in advertising was “inadvertent.” This is why privacy auditing is so important. An auditor can help you verify that your business is not misusing personal data and provide that assurance as a third party.
  2. There are legal and compliant ways to use existing personal data for new purposes. Twitter could have addressed this issue by getting a second level of consent, prior to using the personal data in ads, by asking users for permission to use the personal data obtained for security purposes in targeted advertising. If you’re a Twitter user, you may have been asked about this on your account recently, because the platform is now obtaining that second level of consent – but it’s too little too late for Twitter.
  3. Voluntary privacy commitments are just as significant as legal requirements. Twitter is in the hot seat because it broke a promise made in its own privacy commitments, not because it broke a law. You may not even be aware of it, but your business could be at risk for privacy sanctions even if there isn’t a specific law that applies to the collection and use of personal data for your industry, clients, or location. If an organization makes a promise regarding the use of personal data and breaks that promise, the FTC can fine it.

8 Elements of Privacy

As you navigate the privacy practices and obligations of your business, it is crucial to follow the industry best practices that already exist. This will empower your organization to develop appropriate processes for collection and use of personal data that are adaptable to new laws, regulation, and enforcement activity. We recommend reviewing and following the eight privacy criteria under SOC 2, stipulated by the AICPA, which are organized as follows:

  1. Notice and Communication of Objectives
  2. Choice and Consent
  3. Collection
  4. Use, Retention, and Disposal
  5. Access
  6. Disclosure and Notification
  7. Quality
  8. Monitoring and Enforcement

Could your organization unintentionally fail to meet any of these eight criteria? Twitter’s issues stem from failing to provide proper notice and communication of its objectives related to privacy, failure to obtain consent for the use of personal data for targeted advertising, improper use of personal data collected for security purposes, and potentially failing to perform proper monitoring.

At KirkpatrickPrice, we want to help your organization navigate your privacy obligations and enhance your privacy practices. We have built a team of privacy experts to perform assessments, and they are watching enforcement trends, state laws, and federal legislation closely to ensure that you protect the personal data you are responsible for. Let’s talk today!

What’s Going On With the EU-US Privacy Shield Agreement?

The Latest With Privacy Shield

On July 16, the Court of Justice for the European Union made a landmark decision to invalidate the EU-US Privacy Shield arrangement for international data transfers. Prior to this announcement, Privacy Shield was one of several mechanisms for meeting GDPR data protection requirements for data leaving the EU for the US. The Court’s decision impacts the thousands of organizations participating in and relying on Privacy Shield to facilitate international commerce.

The real contention of privacy advocates and the Court was not with Privacy Shield itself, but with the nature of US federal surveillance abilities and practices. The Court’s statement explains, “In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the EU to that third country…not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

How Does This Impact Your Business Today?

First, data transfers between the EU and the US will still be permitted, but the invalidation of the EU-US Privacy Shield agreement will require US businesses receiving EU data to find an alternative compliance solution. Specifically, US organizations will need to use either the standard contract clauses or binding corporate rules to satisfy GDPR’s international data transfer requirements.

Second, just because Privacy Shield no longer satisfies GDPR does not mean that you can stop following Privacy Shield requirements. The Federal Trade Commission commented, “We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.”

Third, now is the time to review your contracts and requirements of your processors or sub-processors. What is their plan to replace Privacy Shield? How will their plan impact you?

What Will Happen to EU-US Data Transfers in the Future?

The bottom line is that we are operating in a period of uncertainty. Fortunately, we now have a baseline for privacy best practices, but it gets complex when there are specific regulations and requirements for your business. That is why it’s crucial for your organization to continue to meet the baseline, but also to assign responsibility to someone internally to monitor new developments.

In the future, the US may create a Privacy Shield replacement. U.S. Secretary of Commerce Wilbur Ross stated, “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.”

KirkpatrickPrice’s team of privacy experts will be closely watching new developments with Privacy Shield and other data privacy regulations. If you have concerns or questions about this update’s implication for your business or if you need GDPR compliance solutions, let’s talk.

More Privacy Resources

CCPA Roadmap for Compliance

How to Write a Privacy Policy

Trends in Privacy, Breach Notification, and Data Security Legislation

Guide to Industry-Accepted Hardening Standards

The goal of systems hardening is to further protect your organization by reducing vulnerabilities in your applications, systems, and information technology infrastructure. By doing so, you create less opportunity for malicious attacks and operational malfunctions, because removing unnecessary programs, applications, and access points shrinks the attack surface of your system. Just as removing unnecessary hazards on a busy interstate increases traffic flow and reduces the risk of accidents, removing unnecessary technology in your system decreases the risk of malicious activity and can increase overall operational productivity.

System Hardening Standards

For all the parts of your ever-changing systems, you want to prevent attacks and vulnerabilities as best you can. Hardening your network, servers, applications, database, and operating systems is a great start to meeting industry-accepted configuration standards. Your hardening standards will vary as your systems and technology will differ, but you can focus on developing standards to implement these five areas of system hardening:

Network Hardening

  • Firewall configuration
  • Regular network auditing
  • Limit users and secure access points
  • Block unnecessary network ports
  • Disallow anonymous access

Server Hardening

  • Administrative access and rights are allocated properly
  • Secure your data center where servers are located
  • Disallow shutdown without logging in

Application Hardening

  • Application access control
  • Remove default passwords
  • Implement password best practices
  • Configure account lockout policy

Database Hardening

  • Implement admin restrictions on access
  • Encrypt data entering and leaving the database
  • Remove unused accounts

Operating System Hardening

  • Apply necessary updates and patches automatically
  • Remove unnecessary files, libraries, drivers, and functionality
  • Log all activity, errors, and warnings
  • Limit sharing and system permissions
  • Configure file system and registry permissions

The implementation of these hardening techniques is by no means a comprehensive approach to security, but it’s a great start to ensure your organization is headed in the right direction for a more secure information security program. By gathering the right tools and techniques, you can set yourself up for security success.
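One way to turn the five areas above into something repeatable is a baseline drift check: describe what a hardened host is allowed to look like, export the host’s current state, and report every deviation by area. The script below is an added example, not a KirkpatrickPrice tool; the baseline, the host snapshot, and the snapshot field names are constructed assumptions about how an inventory script might export host state.

```python
"""Baseline drift check over the five hardening areas listed above.

Added example, not a KirkpatrickPrice tool. HARDENING_BASELINE and
SAMPLE_SNAPSHOT are constructed sample data; the snapshot keys are an
assumption about how an inventory script might export a host's state.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    area: str     # which hardening area the deviation belongs to
    detail: str   # human-readable description for the remediation ticket


# Constructed baseline describing what a hardened host is allowed to look like.
HARDENING_BASELINE = {
    "allowed_ports": {22, 443},                              # network: block unnecessary ports
    "allowed_admins": {"root", "deploy"},                    # server: admin rights allocated properly
    "allowed_accounts": {"root", "deploy", "svc-backup"},    # database: remove unused accounts
    "default_passwords": {"admin", "password", "changeme"},  # application: remove default passwords
    "max_failed_logins": 5,                                  # application: account lockout policy
    "forbidden_services": {"telnet", "rsh", "vsftpd"},       # OS: remove unnecessary functionality
}

# Constructed snapshot of one host, deliberately drifted from the baseline.
SAMPLE_SNAPSHOT = {
    "listening_ports": [22, 443, 8080, 23],
    "admins": ["root", "deploy", "oldintern"],
    "accounts": ["root", "deploy", "svc-backup", "oldintern"],
    "credentials": {"appadmin": "changeme", "deploy": "Xk9!v2q-long-unique"},
    "failed_logins_before_lockout": 0,   # 0 means lockout is disabled
    "anonymous_access": True,
    "db_tls_enabled": False,
    "enabled_services": ["sshd", "telnet", "rsyslog"],
    "audit_logging": False,
}


def check_host(snapshot, baseline=HARDENING_BASELINE):
    """Return every deviation from the baseline, tagged with its hardening area."""
    findings = []
    for port in sorted(set(snapshot["listening_ports"]) - baseline["allowed_ports"]):
        findings.append(Finding("network", f"unexpected listening port {port}"))
    if snapshot["anonymous_access"]:
        findings.append(Finding("network", "anonymous access is enabled"))
    for admin in sorted(set(snapshot["admins"]) - baseline["allowed_admins"]):
        findings.append(Finding("server", f"admin rights granted outside baseline: {admin}"))
    for acct in sorted(set(snapshot["accounts"]) - baseline["allowed_accounts"]):
        findings.append(Finding("database", f"account not in baseline: {acct}"))
    if not snapshot["db_tls_enabled"]:
        findings.append(Finding("database", "database connections are not encrypted"))
    for acct, password in sorted(snapshot["credentials"].items()):
        if password in baseline["default_passwords"]:
            findings.append(Finding("application", f"default password still set for {acct}"))
    threshold = snapshot["failed_logins_before_lockout"]
    if threshold == 0 or threshold > baseline["max_failed_logins"]:
        findings.append(Finding("application", f"lockout threshold {threshold} is weaker than {baseline['max_failed_logins']}"))
    for svc in sorted(set(snapshot["enabled_services"]) & baseline["forbidden_services"]):
        findings.append(Finding("os", f"unnecessary service enabled: {svc}"))
    if not snapshot["audit_logging"]:
        findings.append(Finding("os", "audit logging is disabled"))
    return findings


def findings_by_area(findings):
    """Count deviations per area so the report can be prioritised."""
    counts = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    for f in check_host(SAMPLE_SNAPSHOT):
        print(f"[{f.area}] {f.detail}")
```

Running it against the drifted sample reports ten deviations; a snapshot that matches the baseline yields an empty list, which is the state a change-monitoring job should alert on when it stops being true.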

Industry-Recognized Experts on System Hardening

The information security industry has endless information on industry-accepted system hardening standards through experts such as CIS, NIST, and SANS. You can dive deeper into hardening standards through NIST’s National Checklist Program for IT Products, NIST’s Guide to General Server Security, and security hardening checklist examples from SANS and The University of Texas at Austin. These experts have extensive resources to provide you with industry-accepted standards for all your security needs. At KirkpatrickPrice, our security practices are influenced by and built upon the foundation of these industry-recognized experts. As you establish your own system hardening techniques, you can turn to these experts and the information security specialists at KirkpatrickPrice for security guidance. Contact us today to learn how we can help you further establish your security presence.

More Resources

Compliance is Never Enough: Hardening and System Patching

PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities

SOC 2 Academy: Detect and Monitor Changes in Your System Configurations

5 Network Monitoring Tools and Techniques

Network monitoring is an important piece of information security that every organization should be implementing. Using helpful network monitoring tools, you can track performance issues and security problems to mitigate potential issues quickly. But, with such a saturated market, it can be overwhelming to choose a network monitoring tool that best fits your organization. To help you better track and monitor the security of your network continuously, we’ve pulled together five network monitoring tools to consider using.

5 Network Monitoring Tools

These network monitoring tools monitor various aspects of your network and include features such as SNMP, alerts, bandwidth monitoring, uptime/downtime, baseline threshold calculation, network mapping, network health, customizable reports, wireless infrastructure monitoring, and network performance. In no particular order, these five tools were selected because they address some of the top network security needs.

ManageEngine OpManager

ManageEngine OpManager is a network monitoring tool that continuously monitors devices such as routers, switches, firewalls, load balancers, wireless LAN controllers, servers, VMs, printers, and storage devices. ManageEngine OpManager must be installed on-site, but it comes with pre-configured network monitor device templates for increased ease of use.

Key features include:

  • Real-time network monitoring
  • Physical and virtual server monitoring
  • Multi-level thresholds
  • Customizable dashboards
  • WAN Link monitoring
  • SNMP monitoring
  • Email and SMS alerts
  • Automatic discovery

Paessler PRTG Network Monitor

Paessler PRTG Network Monitor allows organizations to monitor all their systems, devices, traffic, and applications in their IT infrastructure without additional plugins. You can choose between a number of sensors that will monitor areas of your network, such as bandwidth monitoring sensors, hardware parameters sensors, SNMP sensors, VOIP and QoS sensors, and others.

Key features include:

  • Integrated Technologies (SNMP, WMI, SSH, HTTP requests, SQL, and more)
  • Live-status dashboards
  • Email, push, or HTTP request alerts
  • Threshold-based alert system
  • Reports system
  • Scan for devices by IP segment

SolarWinds NPM

While SolarWinds Network Performance Manager has performance in the name, it is still a valuable network security monitoring tool because it tracks network elements such as servers, switches, and applications. SolarWinds NPM can jump from SNMP monitoring to packet analysis to give your organization greater control over the segmentation monitoring of your network and increase network security.

Key features include:

  • Critical path visualization
  • Intelligent mapping
  • WiFi monitoring and heat maps
  • Advanced alerting
  • SNMP monitoring
  • Discovers connected devices automatically

Nagios

Nagios is a monitoring and alerting engine designed to run natively on Linux systems. The open-source model of Nagios provides the opportunity for organizations to customize and adapt the system to meet their needs. The tool breaks down statuses into three categories – Current Network Status, Host Status Totals, and Service Status Totals. Through the use of APIs, you can integrate other services for true flexibility.

Key features include:

  • Performance dashboard
  • API integration
  • Availability reports
  • Alerting
  • Extended add-ons
  • Upgrade capabilities for Nagios XI

WhatsUp Gold

WhatsUp Gold is a tool that pulls infrastructure management, application performance management, and network monitoring all into one tool. It’s a user-friendly tool with feature-based, customizable pricing packages to fit your organization’s exact structure and network security needs.

Key features include:

  • Hybrid cloud monitoring
  • Real-time performance monitoring
  • Automatic report generation
  • Network mapping
  • Easy-to-use monitoring dashboard

Things to Consider When Choosing a Network Monitoring Tool

Scalability – Depending on the size of your organization and corresponding network size, you need to look for a tool that is able to accommodate that scale. Choose a network monitoring tool that grows in capability as your network grows in size.

Security vs. Performance Tracking – Network monitoring tools vary in the type of monitoring they perform. Network performance tracking tools focus on performance issues and data such as network traffic analysis and network delays. If your goal is to decrease security threats by early detection and prevention tactics, you should consider network security tracking tools.

Cost – The good news about the number of network monitoring tools out in the world is that there is an option for every organization. Whether you’re looking for a free tool to start with or ready to invest funds into a quality networking monitoring tool, there are plenty of options for you.

If you want to learn more about the various tools and techniques you can use to properly secure your network, contact KirkpatrickPrice today. As a firm, we do not partner with any of these tools, but we are passionate about consulting on which solution could benefit your network monitoring techniques.

More Resources

What is Network Penetration Testing?

Think Like a Hacker: Common Vulnerabilities Found in Networks

Know Your Options: Levels of Service for External Network Penetration Tests

Anti-Virus Best Practices: 5 Tools to Protect You

Anti-virus versus anti-malware – what’s the difference? These two categories of protective tools are often misunderstood. It stems from confusion between viruses and malware. A virus is code that can damage your computer, system, and data by copying itself. Malware is used as a catch-all term for malicious software such as spyware, ransomware, trojans, adware, worms, and viruses. Malware is ever evolving whereas viruses have been around for a long time and continue to stay generally the same. Wendy Zamora of Malwarebytes Labs expands further on these differences for you to gain better understanding as you follow anti-virus best practices.

Once you grasp these differences, you can turn your focus to the policies and tools you need to implement to protect against malicious attacks. We’ve gathered a list of five tools to get you started on proper anti-virus protection and a few tips on establishing thorough anti-virus policies to be implemented by your employees.

Protecting Through Anti-Virus Tools

In the world of information security, we often see Internet searches looking for help with Windows Defender or anti-virus for Macs, as well as questions about which anti-virus tools are the best to use. While this list isn’t exhaustive, it’s a good starting place if you’re looking to protect your systems with anti-virus software.

  1. Bitdefender – Bitdefender has enterprise security solutions for all business sizes that help you manage your security from endpoint, to network, to cloud, all of which can include anti-virus and anti-malware software.
  2. Kaspersky – Kaspersky has solutions to predict, prevent, detect, and respond to cyber threats through a number of adaptive security services.
  3. AVG Business – AVG Business offers security tools geared to small business security needs with software that automatically updates to keep your security up to date always. KirkpatrickPrice uses AVG Business to protect our own devices from viruses and various threats.
  4. McAfee – McAfee offers security solutions designed around your business outcomes – transformation, risk management, or automation and efficacy. All of these solutions come with protection against viruses and malware.
  5. Norton – Norton Small Business provides a single solution security service to protect all your devices according to your specific security needs, including malware protection and anti-virus software implementation.

Keep your data secure with anti-virus software that will detect threats, remove all malware, and protect against new threats. Once you’ve implemented anti-virus tools, you can turn your focus to developing detailed policies regarding anti-virus software.

Establishing Anti-Virus Policies

Don’t drop the ball by just adding anti-virus programs to company laptops and expecting that to protect you from all threats. Create policies that expand your protective efforts to ensure your software is patched, anti-virus tools are working effectively, and anti-virus mechanisms are maintained. The PCI framework includes a number of requirements regarding anti-virus and anti-malware software that can be referenced to develop your own policies. Let’s take a look at a few of the PCI requirements that can guide your anti-virus practices:

  • PCI Requirement 5.1.1 requires that your organization’s anti-virus program is capable of detecting all types of malware, removing all known types of malware, and protecting against all known types of malware.
  • PCI Requirement 5.2.1 states, “For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.”
  • PCI Requirement 5.2 exists to, “Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7.”
  • PCI Requirement 5.3 states, “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”

These requirements express the need to create policies that will ensure your anti-virus software is kept up to date, effective, and purposeful as part of your information security program. Establish procedures that your organization can implement to further secure your systems and protect against malware and unwanted viruses.

Educating Your Employees on Anti-Virus Best Practices

Once you’ve implemented an anti-virus tool, created policies to maintain that software, and established procedures to follow, you need to educate your employees on anti-virus best practices. Anti-virus training should be included in your annual organization-wide security awareness training. User education should be a top focus to ensure the work you’ve put into mitigating these threats is implemented on all devices. Any small gap can lead to big problems, but your employees can be the first line of defense against these threats. If you’re interested in learning more about security awareness training and how regular education can improve your security posture, contact KirkpatrickPrice today.

More Resources

10 Ways to Conduct Patch Management

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

15 Must-Have Information Security Policies