
Trends in Privacy, Breach Notification, Data Security Legislation in 2019

It’s hard to keep track of the different privacy, breach notification, and data security laws that exist in each state – but that’s the job of a thorough, expert auditor. Because of technology advancements and the implementation of GDPR, the momentum to update, amend, and create new legislation is elevated right now. Our mission is to educate you on the latest trends, legislation, and threats so that you can meet the requirements ahead of you.

Trends in Legislation

All 50 states now have breach notification laws, and many states are following suit for privacy and data security. In 2019, the trends in privacy, breach notification, and data security legislation revolved around three areas. How is your business addressing these trends?

Expanding the Definitions of Personal Information

Many states have amended their current laws to include a wider scope of what constitutes personal information. The definitions vary from state to state; for example, Maine’s LD 946 focuses on information derived from the customer’s use of the ISP services because the law specifically relates to ISPs. Many others have expanded to include biometric data, PII of children, health insurance information, financial information, or web browsing data.

Adjusting Timeframe for Data Breach and Security Incident Reporting

State legislation is enacting more stringent timelines for breach notification to the affected consumers and to regulatory bodies. Washington’s deadline is within 30 days of discovery, Maryland’s is within 45 days, and Texas’ is within 60 days. For vendors of businesses in the state of Oregon, though, the deadline to report to their covered entity is 10 days.

Reporting Requirements to the State Attorney General

A third trend from legislation in 2019 is involvement from state attorneys general. This regulatory notification provides businesses with more oversight and accountability at the state level. While the notice requirements differ from state to state, businesses must generally include a detailed description of the data breach, information about how many consumers were impacted, steps taken so far to contain the breach and prevent a recurrence, and whether law enforcement has been notified. For states like Oregon and Texas, this requirement begins when 250 residents are affected; in Washington, it is not required unless 500 or more residents are affected.

State Legislation and Amendments in 2019

While the California Consumer Privacy Act has garnered the most attention in the industry, most states have enacted or amended their own laws to include the same information or trends as CCPA and GDPR. Do you do business in, collect data from, or serve as a vendor in the following states? You may need to consider how you’re tackling the privacy, breach notification, and data security laws at a state level.

Proposed Federal Legislation in 2019

Considering that a number of states have adopted or amended data privacy legislation, it’s become clear that a federal privacy law is needed. Recognizing this and the dangers associated with ineffective privacy laws at the federal level, legislators in both the Senate and the House introduced federal privacy bills, including the following:

  • Mind Your Own Business Act: In October, Sen. Ron Wyden (D-OR) released his own privacy act that “protect Americans’ privacy, allows consumers to control the sale and sharing of their data, give the FTC the authority to be an effective cop on the beat, and spur a new market for privacy-protecting services.”
  • Online Privacy Act of 2019: On November 5th, two Silicon Valley Congresswomen, Anna Eshoo (CA-18) and Zoe Lofgren (CA-19), introduced this bill intended to create user rights, place clear obligations on companies, and strengthen enforcement of privacy violations. What’s more, under this law, a new federal agency would be created to enforce privacy rights.
  • Consumer Online Privacy Rights Act (COPRA): On November 28th, U.S. Sen. Maria Cantwell (D-WA) introduced COPRA, a bill that gives citizens many of the same rights as CCPA, but takes it a bit further, stressing affirmative consent, rights to access and transparency, language, right to delete, and duty of loyalty.
  • United States Consumer Data Privacy Act of 2019: On December 4th, U.S. Sen. Roger Wicker (R-MS) introduced an opposing federal privacy bill to COPRA. In his federal privacy bill, the United States Consumer Data Privacy Act of 2019 would override many of the state laws listed above, like CCPA.

In 2020, we expect to see an even heavier focus on consumer privacy rights. Want to discuss what state-level legislation applies to your business? Need to know how close you are to gaining compliance? Let’s talk today so we can begin mapping your compliance journey.

More Resources

IAPP’s State Comprehensive-Privacy Law Map

4 Things to Know About the AG’s Proposed CCPA Regulations

GDPR: One Year In

November Breach Report

Every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during November, how hackers compromised these organizations, and the lessons we can learn from them.

Twitter

What Happened?

According to a November 7th press release from the Department of Justice, two former Twitter employees and a Saudi national have been charged with acting as illegal agents of Saudi Arabia. The former Twitter employees accessed various account information, including user emails, phone numbers, IP address information, the types of devices used, user-provided biography information, logs containing the user’s browser information, and logs of a particular user’s actions on the Twitter platform at any time, and they specifically targeted critics of the Kingdom of Saudi Arabia and the Royal Family.

Lessons Learned

While organizations rightfully focus on making sure that outside threats don’t impact their company, insider threats are equally important to focus on. In a statement regarding the Twitter data breach, FBI Special Agent in Charge John F. Bennett said, “Insider threats pose a critical threat to American businesses and our national security.” This also points to the dangers of foreign government involvement in American tech companies – something that U.S. Senator Bob Menendez (D-NJ) raised concerns about in a letter to Twitter’s CEO and to the U.S. State Department.

Macy’s

What Happened?

On November 14th, Macy’s notified their macys.com customers that the website was impacted by a Magecart card-skimming attack. The notice explains that the hackers inserted malicious code onto the website’s “Checkout” and “My Wallet” pages between October 7th and 15th. The compromised data included first names, last names, addresses, cities, states, ZIP codes, phone numbers, email addresses, payment card numbers, security codes, and month/year of expiration. Investigations into the incident are still underway; however, Macy’s has contacted all customers believed to have been impacted by the data breach and is offering affected users free 12-month subscriptions to Experian IdentityWorks.

Lessons Learned

Online shopping, while much more convenient to do, poses many threats to consumers and businesses alike. For businesses that sell products and services online, implementing a robust information security program must be made a priority, because customers expect the businesses they buy products and services from to secure their personal data, especially with large retailers like Macy’s. But consumers cannot solely rely on businesses to protect them against cyber threats. Instead, consumers should follow these six best practices for shopping online.

PayMyTab

What Happened?

On November 19th, cybersecurity researchers from vpnMentor disclosed a massive data breach at PayMyTab, a supplier of card and mobile payment terminals for US restaurants. According to the researchers, the data breach was caused by an unsecured AWS S3 bucket and occurred between July 2, 2019 and November 2019. The exact size and impact of this data breach has yet to be determined, but we do know that malicious hackers compromised sensitive PII and partial financial details, including customer names, email addresses, telephone numbers, order details, restaurant visit information, and the last four digits of customer payment card numbers.

Lessons Learned

S3 buckets are a major component of using AWS, but they’re also a major security concern. McAfee reports that 5.5% of all AWS S3 buckets that are in use are misconfigured and publicly readable. Why? S3 buckets are extremely complex, and anything that is complex is harder to secure. Randy Bartels, Vice President of Security Services at KirkpatrickPrice, comments, “AWS has an obligation to make it less complex, and users have an obligation to understand the complexity and make sane choices in setting up policies.” Make sure your S3 buckets are protected and align with best practices for AWS security by following these guidelines.
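The checks below are an added example, not code from KirkpatrickPrice, McAfee or AWS. They show what “publicly readable” actually means at the configuration level: a bucket policy whose Allow statement names the anonymous principal, an ACL grant to the AllUsers or AuthenticatedUsers group, or a Block Public Access setting that is not fully switched on. The policy and ACL documents are constructed samples in the JSON shapes the S3 API returns, so the script runs offline; to audit real buckets you would first fetch those documents (the boto3 calls `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` are the assumed source) and feed them to `assess_bucket`.

```python
"""Flag S3 bucket configurations that grant anonymous read access.

Added example. Evaluates bucket policy, ACL and Block Public Access
documents in the shapes the S3 API returns, on constructed inline samples.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean everyone, including unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_read_statements(policy):
    """Return the Sids of unconditional Allow statements that let anyone read
    objects or list the bucket."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        # A Condition narrows the grant (source IP, VPC, ...); not treated as public here.
        if stmt.get("Condition"):
            continue
        if set(_as_list(stmt.get("Action", []))) & READ_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def acl_public_grants(acl):
    """Return (group name, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def assess_bucket(name, policy, acl, public_access_block):
    """Combine the three checks into a list of findings (empty list = clean)."""
    findings = []
    block = public_access_block or {}
    if not all(block.get(k) for k in BLOCK_KEYS):
        findings.append(f"{name}: Block Public Access is not fully enabled")
    for sid in policy_public_read_statements(policy):
        findings.append(f"{name}: bucket policy statement {sid} allows anonymous read")
    for group, perm in acl_public_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    return findings


# Constructed sample documents (hypothetical bucket and account, not real data).
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-receipts/*"}]
}""")
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/pos-app"},
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-receipts/*"}]
}""")
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
FULL_BLOCK = {k: True for k in BLOCK_KEYS}

if __name__ == "__main__":
    for finding in assess_bucket("example-receipts", WEAK_POLICY, WEAK_ACL, None):
        print("FINDING:", finding)
    print("hardened:", assess_bucket("example-receipts", HARDENED_POLICY, PRIVATE_ACL, FULL_BLOCK))
```

The weak configuration produces three findings and the hardened one none. The hardened policy scopes read access to a single IAM role and relies on Block Public Access to stop a later policy or ACL change from re-exposing the bucket, which is the simplest way to make the "sane choice" Bartels refers to the default rather than something each bucket owner has to remember.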

Louisiana Government

What Happened?

Happening just four months after a malware attack impacted several Louisiana school districts and caused the governor to declare a state of emergency, on November 18th, Louisiana’s Office of Technology Services discovered a ransomware attack that impacted some of the state servers. Affected offices included the Office of Motor Vehicles, Department of Children and Family Services, Department of Health, the Secretary of State’s office, and the Public Service Commission. According to a series of tweets from Governor Edwards, many of the outages were due to the state immediately implementing its incident response plan and taking extra precautions to prevent the spread of malware by taking other servers offline. Governor Edwards also confirmed that the state did not pay a ransom, and at this time, there is no anticipated data loss.

Lessons Learned

Local governments are facing growing cybersecurity threats and cunning hackers. While creating a thorough incident response plan is necessary to have a robust information security program, it shouldn’t be the only focus. Instead, local governments must implement information and cybersecurity best practices at the foundation of their organizations. They should also invest in proactive measures like cybersecurity awareness training programs for citizens and elected officials, using forensic services after incidents and breaches, conducting cybersecurity exercises, and undergoing vulnerability scanning and penetration testing.

At KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in or the size of your company. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected against creative and cunning hackers. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.

Why Bother with an Information Security Program?

When headlines about companies like Capital One, Imperva, Marriott, Target, or Home Depot becoming victims of a data breach are released, we understand why small and medium-sized businesses start wondering if the effort put towards an information security audit is worth it. If enterprise-level companies and household names can’t protect themselves, why should startups and smaller companies even try? If they can’t do it, no one else can either, right? Wrong. If your organization tends to align with this dangerous, unproductive line of thinking, then this blog post is for you. The threats you’re up against are real, but you can protect yourself and your clients’ data – you may just need some help establishing an information security program.

You vs. Them

Hackers don’t discriminate based on company size, industry, or location. They’re after sensitive assets like PHI, CHD, passport information, dates of birth, travel reward numbers, and Social Security numbers. The methods they use to go after small, medium, and enterprise-level businesses are different, though.

Hackers cast a wide net to catch small and medium businesses in their areas of weakness. When they can send phishing emails to 100 companies with 100 employees, the odds are good that an untrained, unaware employee will fall for it – even better if it’s an employee who should know better. There are plenty of breaches that happen each day that could have easily been prevented by security testing, employee training, or a basic information security program. How frustrated would you be if one employee clicked on a malicious link and it cost you hundreds of thousands of dollars, when security awareness training could’ve prevented this entire situation?

For enterprise-level businesses, hackers have more to gain, so they can spend more time planning and executing an attack. They can spend months testing their methods and observing vulnerabilities, maybe even collaborating with other hackers. This is something that, unless you have extremely sensitive data, you probably don’t have to worry about. Does that mean you shouldn’t have an information security program? Absolutely not.

Protect Yourself

When a data breach happens, it’s not just your clients who are impacted. Your name is in the headlines, and you’re the one who will pay for it (literally).

Legal Ramifications – New, state-level breach notification, cybersecurity, and privacy laws are consistently passed, with non-compliance resulting in hefty fines. When you ignore these laws or try to find loopholes, there will be legal ramifications to face.

Regulatory Responsibility – If you are subject to a regulatory body, what will happen if they find your organization non-compliant?

Costly Consequences – According to IBM, the average cost of a data breach in the United States is $8.19 million, with 67% of the cost occurring within the first year, coming from data breach detection and escalation, notification costs, incident response, and lost business. Does this cost outweigh your hesitancy to establish an information security program?

Competitive Disadvantage – If you don’t establish an information security program and have a data breach, your competitors can learn from your mistakes and use your data breach during sales conversations. If you don’t establish an information security program and haven’t been a victim of an attacker yet, your competitors can still have an advantage over you by pursuing information security audits to prove their commitment.

Protect Your Clients

When a client trusts you with their sensitive data and you can’t even provide them with evidence of your commitment to protect that data, do you think they’ll be loyal clients? Is the cost of an audit or information security personnel worth more to you than client data being sold on the dark web? According to Symantec, here’s what hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-$20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-$35

When you have no formal information security program in place and no way of showing it even if you do, your clients won’t be satisfied with your service. In some cases, a client legally cannot contract your service without seeing your audit report or policies.

Partner with KirkpatrickPrice

When you have the right partner, information security best practices can be an integral, sustaining part of your business. Audits are hard. We get it. But, they’re the only way to prove your commitment to protecting your clients and protecting yourself. Let’s partner together to define an accurate scope, implement industry best practices, and establish an information security program that will protect you and your clients.

KirkpatrickPrice is an audit firm whose goal is to provide the guidance you need to embark on a successful compliance journey. You don’t have to settle for choosing a partner that conducts an audit and leaves you with unanswered questions and worries, or who holds you to unrealistic expectations. Contact KirkpatrickPrice to get the partner your organization deserves to have on its compliance journey.

More Information Security Resources

Was the Audit Worth It?

Audits are Hard, Period.

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

Disney+ Plagued by Credential Stuffing

Streaming services like Netflix, Hulu, HBO Now, and Prime Video have revolutionized the way people consume television and movies – and Disney is the latest company to join the craze with its newly-released and much-anticipated Disney+ streaming service. With more than 10 million users creating accounts within the first day the service was rolled out, Disney had to be aware of the extreme cyber threats facing the streaming service. After all, to sign up for the streaming service, users must input their name, email address, phone number, address, and payment card information. In other words, the anticipation of the rollout of the streaming service coupled with the kind of data Disney+ required to set up an account created the perfect breeding ground for malicious hackers to steal data and make a quick profit.

Disney+ Security Incident: What Really Happened?

Within just a few hours of the rollout of the newest streaming service, Disney+ users reported experiencing technical issues, including being forced out of their accounts and having their email addresses and passwords changed. Shortly after, ZDNet reported that hackers were selling Disney+ accounts on the dark web for $3 to $11. In response to the backlash, Disney says it takes the privacy and security of users’ data very seriously, “and there is no indication of a security breach on Disney+.” They contend that the accounts impacted by the security incident were compromised because users recycled old usernames and passwords that were likely stolen during a separate data breach; however, some users have said that they used unique usernames and passwords for their Disney+ account and still got hacked. This points to two key takeaways: preparing your organization against cyber threats and the need to understand the dangers of credential stuffing.

Preparing for a Rollout

Preparing a product or service for market is a lengthy process – and one that can be greatly impacted if security is not ingrained in the creation of that product or service. When an organization, especially an enterprise-level organization like Disney, debuts a product or service that fails to secure the data of its customers, there’s a lot at stake. To prepare against advancing cyber threats, organizations would be wise to start with the following:

  1. Identify Key Assets: What data do you collect? Why? Where is it kept? How is it protected?
  2. Conduct a Risk Assessment: Identify and rank the risks to your organization, determine ways to mitigate those risks, and implement new processes.
  3. Establish an Incident Response Plan: Malicious hackers are on the prowl. You should assume that you’ll experience a security incident at any given time. Make sure you have a thorough and tested incident response plan, so you’re prepared for when, not if, a data breach occurs.

The Dangers of Credential Stuffing: Users Beware

According to KirkpatrickPrice Director of Audit Delivery, Richard Rieben, the Disney+ breach isn’t a breach of Disney’s infrastructure. Instead, it’s a credential stuffing attack. Why is this attack method so effective for big media companies? In their State of the Internet/Security – Credential Stuffing report, Akamai explains, “The media, gaming, and entertainment industries are prized targets for criminals who are looking to trade in stolen information and access. The accounts are sold in bulk, and the goal for the criminals is to move their goods by volume, rather than single account sales.” Rieben explains, “Password management is key here. If you reuse usernames and passwords across multiple platforms, and then one platform experiences a breach, anywhere you used that email/password combination is now susceptible to attack and account compromise.” What can users do to prevent falling victim to credential stuffing attacks? It’s simple: use unique usernames and passwords, and consider following these password best practices. Companies like Disney, on the other hand, can help their customers avoid falling victim to credential stuffing attacks by implementing security controls like multi-factor authentication.
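Rieben’s point that credential stuffing is not a breach of the platform itself has a practical consequence for defenders: the attack is visible in ordinary authentication logs, but only if you look at the source of the attempts rather than at each account on its own. The script below is an added example, not code from Disney, Akamai or KirkpatrickPrice, and the log format it parses is an assumed one (one constructed line per login attempt with timestamp, client IP, username and outcome). It distinguishes the stuffing signature (one source, many distinct accounts, mostly failures, a few successes where a reused password happened to work) from a single user mistyping a password, and lists the accounts on which the stuffed password succeeded, which are the ones to force-reset and notify.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example with a constructed log format; not any vendor's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.5 sprays one attempt at each of many accounts
# (credential stuffing); 198.51.100.7 is one user retrying a mistyped password;
# 192.0.2.9 is ordinary traffic. All addresses are documentation ranges.
SAMPLE_LOG = """\
2019-11-12T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-11-12T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-11-12T10:00:02Z ip=203.0.113.5 user=carol result=OK
2019-11-12T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-11-12T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-11-12T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-11-12T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2019-11-12T10:00:05Z ip=203.0.113.5 user=heidi result=OK
2019-11-12T10:00:10Z ip=198.51.100.7 user=ivan result=FAIL
2019-11-12T10:00:15Z ip=198.51.100.7 user=ivan result=FAIL
2019-11-12T10:00:20Z ip=198.51.100.7 user=ivan result=OK
2019-11-12T10:01:00Z ip=192.0.2.9 user=judy result=OK
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that attempt at least `min_accounts`
    distinct accounts inside `window` with a failure ratio >= `min_fail_ratio`.
    Brute force against one account does not trip this: distinct accounts, not
    attempt count, is the discriminator."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Slide a time window over this source's attempts; keep the largest window that trips.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            ratio = fails / len(chunk)
            trips = len(users) >= min_accounts and ratio >= min_fail_ratio
            if trips and (ip not in alerts or len(chunk) > alerts[ip]["attempts"]):
                alerts[ip] = {
                    "attempts": len(chunk),
                    "distinct_accounts": len(users),
                    "fail_ratio": round(ratio, 2),
                    # Accounts where the reused password worked: reset and notify these.
                    "compromised_accounts": sorted(u for _, u, ok in chunk if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample log only 203.0.113.5 is flagged, with two compromised accounts. In production the same logic is usually run per source ASN or per device fingerprint as well as per IP, because stuffing tools rotate through proxy pools, and the output feeds the controls the passage recommends: step-up to multi-factor authentication for the flagged accounts and rate limiting for the flagged sources.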

While it’s too early to tell the impact of this security incident, Disney+’s nightmare debut offers valuable insight into the dangers of credential stuffing. If your organization is planning on debuting a new product or service, let us help you ensure its security. Contact us today to get started.

More Cybersecurity Resources

How Much is Your Data Worth to Hackers?

Password Expiration Policy and Best Practices

Finding and Mitigating Your Vulnerabilities Through OWASP

6 Information Security Basics Your Organization Needs to Implement

Amendments to TITEPA: Breach Notification and Privacy in Texas

Organizations are experiencing increasing commercial pressure from their business customers and individual consumers to provide timely, clear, and adequate breach notification. Now, organizations are facing increasing regulatory pressure to do the same. One of the most recent regulatory changes applies to the Texas Identity Theft Enforcement and Protection Act (TITEPA). These changes create additional regulatory requirements and force businesses to disclose certain security breaches directly to the state, which could lead to regulatory enforcement in response to the breaches.

What is TITEPA?

In March 2019, Texas legislators proposed two data privacy bills that enhance consumers’ data rights and require businesses to responsibly maintain personal information. One bill stalled; the other, HB 4390, passed. HB 4390 was intended to be a consumer privacy bill known as the Texas Privacy Protection Act, but as enacted it instead updates the breach notification requirements in TITEPA.

HB 4390 aims to protect personally identifiable information that poses privacy risks to consumers. This data could be anything from a Social Security number to cardholder security codes, unique biometric data, physical or mental health information, private communications of users that are not publicly available, geolocation data, and unique genetic information. Wondering what constitutes a privacy risk under HB 4390? The bill states that a privacy risk is “any potential adverse consequences to an individual or society at large arising from the processing of personally identifying information.” These consequences could be financial loss, physical harm, psychological harm, reputational harm, discrimination, etc.

Failure to comply with TITEPA and its amendments will result in civil penalties. These updates to TITEPA took effect on September 3, 2019, with the exception of a few new amendments that take effect on January 1, 2020. Let’s discuss their impact on your organization.

3 Important Updates

The first amendment in HB 4390 requires that Texas residents be notified of a data breach within 60 days of when the breach occurred. This amendment is significant because it gives a specific time period, instead of the vague, flexible requirement before it, which required businesses to notify the impacted individuals “as quickly as possible.”

The second amendment stipulates that if a data breach impacts 250 or more Texas residents, then the business that experienced the breach must provide notice to the Texas Attorney General within the same 60-day notification period that applies to Texas residents. This regulatory notification provides oversight and accountability, and must include a detailed description of the data breach, plus information about how many Texas residents were impacted, steps taken so far to contain the breach and prevent a recurrence, and whether law enforcement has been notified.

Both of these amendments highlight the importance of an incident response plan. If your organization doesn’t know what to do in the face of a data breach, how can you expect to give proper breach notification to impacted individuals and the Attorney General?

HB 4390 also establishes the Texas Privacy Protection Advisory Council, which will study data security laws to prepare recommendations for changes to the Texas Legislature by September 2020, prior to the legislative session beginning in January 2021. The updates to HB 4390 stipulate who will make up the council and how they will be appointed.

Is Privacy Legislation Coming to Texas?

Because HB 4390 is an update to TITEPA instead of the Texas Privacy Protection Act, we’ll still be waiting to see if comprehensive privacy legislation is passed in Texas in the near future. The passage of HB 4390 is a win, though, for making updates to the state’s breach notification law and establishing the Texas Privacy Protection Advisory Council. The recommendations found by the Council (and reported in September 2020) will likely form the basis for privacy legislation in the future – maybe even when the Texas Legislature session begins in January 2021.

Does HB 4390 Apply to You?

HB 4390 applies to businesses that do business in Texas, have more than 50 employees, and collect personal information of more than 5,000 individuals, households, or devices. The applicability of HB 4390 also depends on whether the business has an annual gross revenue that exceeds $25 million or derives more than 50% of its annual revenue from processing personal information.

If you complete an audit with us, our auditors are trained to determine if state laws like these apply to your organization and impact your compliance. You may be in compliance and not know it, or you may have some gaps to close before you’re fully there. Hiring an auditing firm that shows you the full scope of your compliance obligations is crucial to becoming a security-conscious organization.

Ready to partner with an auditor who provides you with clear, comprehensive guidance? Let’s talk.

More Privacy and Breach Notification Resources

CCPA vs. GDPR: What Your Business Needs to Know

Preparation and Impact of PIPEDA

Best Practices for Data Privacy