Category: Compliance

Brexit Uncertainty and Resulting Cybersecurity Concerns

Will it be deal or no-deal? With Theresa May no longer officially the Prime Minister and the race to name her successor in full swing, British exit (Brexit) deal negotiations have been called further into question while the successor is sought. The previous European Parliament election results further complicated the matter, with both the far-right and liberal parties gaining ground, shaking up the traditional system.
The biggest question surrounding the next phase of change is whether the UK will leave the European Union with an agreement designed to minimise economic disruption and create a beneficial relationship, or step out with no departure pact at all.
Securing the necessary votes in the House of Commons will require concessions from the EU around some areas of the deal, and a potential compromise on elements of the backstop agreement with MPs. The clock is ticking and the next Prime Minister, whatever their political stance on the issue, will have a huge task on their hands.
Since UK citizens voted to withdraw from the EU in 2016, Brexit details have been a delicate and complicated dialogue. The resulting fragmented international architecture could have far-reaching impact on business relations, information flow, regulatory standards and, of course, cyber-security, with many businesses concerned about what this means for their future.
Information sharing
One early concern surrounding Brexit and cybersecurity practices is information sharing, or lack thereof, among intelligence organisations in the UK and the EU. Particularly in the case of a no-deal Brexit, could and would European countries continue to work together efficiently to fight cyberattacks? In the absence of timely information sharing and a cooperative response, cyber-criminals — who regularly sell exploit kits and vulnerability details to other hackers — are at a distinct advantage. That leaves everyone vulnerable to a breach and opens up a problem that doesn’t necessarily need to exist.
While sharing threat intelligence is a real concern, so is GDPR compliance. The new legislation around data protection is only just finding its feet within Europe and Brexit is set to affect this. Both the UK government and the GDPR’s enforcement arm, the Information Commissioner’s Office (ICO), maintain that the one-year-old data protection regulation will remain law in the UK post-Brexit.
The challenge, however, is that GDPR contains provisions prohibiting the transfer of personal data to ‘third countries’ outside the EU that do not ensure adequate protection. Post-Brexit, the UK could become a ‘third country’. In this scenario, EU Member states would not be able to transfer personal information to the UK unless an appropriate data transfer solution is in place.
With so many unknown factors around Brexit, most organisations are moving forward with the better-safe-than-sorry principle when it comes to complying with GDPR, which is ultimately what we need to see. Smarter security, including heightened visibility over a growing number of endpoints, and formalised data breach notification procedures are but two ways they are staying audit-ready.
Whilst many have feared the hefty fines the ICO can levy (up to €10 million or two percent of annual global turnover, whichever is greater, or up to €20 million or four percent of annual global turnover, whichever is greater, depending on the seriousness of the breach), we have only now seen an organisation in the UK hit by GDPR, with yesterday’s BA fine of £183 million.
Earlier, the French data protection authority CNIL issued Google a €50m fine for violating GDPR transparency rules and failing to have a legal basis for processing user data in advertising.
Adapting to change
The international business climate can be tenuous at the best of times. It often seems as if there is little we can do about sweeping global change but adapt to it. Continuous endpoint device compliance can be achieved with active compliance checks, sensitive data discovery, and automated workflows to restore protections.
Whilst the road ahead may be complex, ensuring the highest standards of data security across borders and within businesses is paramount. Whatever the final outcome of Brexit, companies need to have the highest standards of data security in place, at all times.
This article was originally published in SC Magazine UK.
Learn more about how Absolute helps organizations comply with GDPR on our website.

Escalating Risks to Healthcare Data

The challenges of securing medical devices from cyberattacks made headlines again last week as the U.S. Food and Drug Administration (FDA) warned that some insulin pumps made by Medtronic MiniMed may be at risk for a cybersecurity breach. In response, Medtronic recalled the affected MiniMed pumps and is providing patients with alternative pumps.
As the healthcare industry quickens its pace toward incorporating more IoT devices and wearables for the sake of improved patient care, there is also a clear downside to the trend. The connectivity inherent in these same medical devices can also pose a serious threat to patients and providers. Device vulnerabilities can lead to security breaches that could potentially impact the safety and effectiveness of the device. Due to the high value of healthcare data, the risks are escalating rapidly.
Weighing Risks and Rewards
Healthcare organizations and patients alike must weigh the risks and rewards of relying on such medical devices the same way they already consider the pros and cons of their network connected endpoints. Laptops, tablets and phones have proven to be a critically important piece to delivering cutting-edge patient care as well as growing organizational efficiency. For large hospitals, small doctors’ offices and every healthcare provider in between, mobile medical technology is how modern patient care is delivered.
But securing patient data — including personal information, payment details, health histories and more — on vulnerable endpoints has long been a real problem for the industry. More than 2 million people saw their information exposed via a healthcare data breach in May alone.
Government regulations that oversee the protection of personal information — including HIPAA and a host of others — are busy trying to keep up with breach investigations. Large fines are regularly doled out, yet the pilfering by hackers continues at a relentless clip. At the same time, security spend is also on the rise, motivated by organizations scrambling to fend off attackers.
Read: The State of Endpoint Health in 2019
Now What?
A strong security posture must start with unparalleled visibility — because you can’t secure what you can’t see. This is the approach Allina Health, the major healthcare provider for the state of Minnesota, took when they implemented Absolute across their more than 10,000 devices.
With Absolute, Allina Health can see all of their devices, whether they are on the network or not, identify devices that are missing or not being used, and prove that security controls such as patch management, antivirus and encryption are always in place. In addition, Allina Health has been able to save over one million dollars by identifying underutilized assets, prove compliance with HIPAA by validating that encryption is in place on all devices, at all times, and achieve 95 percent laptop auditing accuracy.
“I sleep better at night knowing that if a device goes missing, we have the tools and services that Absolute provides to track it down…and validate that encryption was in place [when the incident occurred],” said Danielle Bong, IT Asset Manager, Allina Health.
Healthcare endpoints are key to providing better patient care and improving organizational efficiency – security improvements must be made for the benefit of everyone but the hackers.
To learn more about how Allina Health uses Absolute, download our case study: Allina Health Ensures HIPAA Compliance.

Education & Internet Safety: Prove CIPA Compliance with Absolute

As technology continues to be rapidly adopted in education, the pressure is on to secure and retain the grants that make devices in the classroom possible. Schools must compete to prove effective technology utilization while taking steps to ensure compliance with the Children’s Internet Protection Act (CIPA), and the E-Rate Program.
The E-Rate Program supports connectivity. Through grants, it provides discounts up to 90 percent to help schools and libraries obtain affordable internet and telecommunication access.
Eligible schools need to certify they have an online safety policy in place that is supported by technology protection measures. These measures must block or filter harmful content, and monitor the activities of minors.
While school districts can meet CIPA compliance requirements by installing software that filters web content, it’s another challenge to know and prove these programs remain installed and are effective.
With Absolute’s unique solutions for education, K-12 school districts have uncompromised visibility and remediation of their devices – whether inside or outside the school network. Absolute also gives districts true, layered visibility into data and applications that can’t be removed or tampered with by overzealous students, or malicious attackers.
The self-healing capabilities of Absolute’s Persistence technology help school districts ensure that critical security features such as web filtering or cyber-attack protection remain in place and stay functional – making it easier to prove CIPA and E-Rate compliance.
Absolute’s Student Technology Analytics unlocks the door to a host of detailed information that can be applied to contextualize device and end-user activity.
Using data from Student Technology Analytics, schools can better analyze the impact and outcomes of their technology investments. Districts not only see how users interact with technology, but gain insight into online behaviors like application use, websites visited, and device usage.
Absolute is empowering schools globally to deliver safe, secure, and more productive learning environments. Read our whitepaper to learn three important ways that integrating Student Technology Analytics into your technology plans can help your school district.
Read 3 Ways Student Technology Analytics Validate Technology Analytics in Classrooms

What is Regulatory Compliance?

A Brief Definition of Regulatory Compliance
While regulatory compliance is a broad topic, the definition is quite simple – it’s all about making sure an organization is following the rules for its industry. With regulatory compliance, you are required by an outside authority to perform certain obligations or comply with regulations, and there are consequences for not doing so.
Regulatory compliance should not be confused with corporate or internal compliance, as the mandate between an internal and external policy may differ significantly. Essentially, being compliant can save a company from potential legal entanglements.
Why Is Regulatory Compliance Important?
Today, concerns surrounding privacy and IT security are of top importance with regulatory compliance. Especially over the last five years, people are catching on to how often privacy is being abused. While compliance regulations have existed for many years now, they weren’t created with privacy in mind — it’s only recently that we have seen a merging with IT security.
If you’re fully compliant, it represents a big step in the right direction for data protection. However, compliance should be viewed as a minimum standard — an organization should strive to reach higher.
What does this mean? It means doing the right things and having sound controls. If you’re doing those things, the compliance should come naturally.
If you think about SOX (Sarbanes-Oxley), one of the earlier compliance acts, at the end of the day you’re required to understand the risks, and you need to have controls and processes to address those risks to prevent a financial mistake. It means you need to understand your environment, its associated risks and the controls to mitigate risks. SOX was one of the first regulatory compliance acts in which risk was the main driver — and mitigating risk (especially from a privacy perspective) is prominent in many recent regulatory compliance acts.
The recent General Data Protection Regulation (GDPR), for instance, was developed with risk in mind and focuses on the need to understand the risks of processing certain types of information.
Once you have your risks and compliance methodologies in place, you can leverage them to not only comply with one regulation but comply with many. Besides, compliance can be used as a stepping stone for your organization as a whole. Further, if there’s a new regulatory compliance law coming up in the future, you may already be compliant.
On the other hand, if you’re not compliant, the costs can be damaging. There may be fines, reputational risks, impacts to stock price or revenue, or a loss of customers. Over and above that, there are industry risks to consider. If you’re not compliant with PCI regulations for credit card processing, for example, your ability to process transactions may go away.
The risk of continuing to do business may even be at stake.
Compliance Challenges
There are numerous challenges companies face in order to remain compliant, but the primary obstacles impact finance, HR, and IT.
It’s unfortunate, but the biggest challenge for compliance is that it can be expensive. Let’s face it: many organizations are running lean as it is, and now they’re faced with an edict of “You shall manage risk.” Then, organizations must decide whether to outsource or dedicate internal resources to compliance. From a human resources standpoint, it can be time-consuming. In some companies, these developments may require the introduction of compliance-centric positions such as Regulatory Compliance Officer or Manager.
For the IT department, the never-ending stream of new technologies creates considerable compliance complications. As employees continue to incorporate their own devices in today’s BYOD (bring your own device) landscape, we must understand that those endpoints store sensitive, compliance-relevant company data. Compounding the issue is the massive growth of IoT — meaning even more endpoints and interconnected devices (which may or may not be secure) on an organization’s network.
Keeping up with updates, patching software quickly, and staying on top of vulnerabilities are all requirements for maintaining compliance.
Endpoint management is a crucial component of regulatory compliance.
Regulatory Compliance Examples
One of the most prominent examples of regulatory compliance, especially today, is HIPAA. Through ongoing regulations, HIPAA compliance is a living entity that health care organizations must build into their business in order to protect the privacy, security, and integrity of protected health information.

If your organization has anything to do with the healthcare industry, you’ll want to check out our HIPAA compliance checklist.
The Sarbanes-Oxley or SOX Act of 2002 mentioned above was created to oversee corporate fraud from a financial perspective. Along with protecting whistleblowers, SOX banned company loans to executives, and holds CEOs personally accountable for financial missteps.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was created to reorganize and improve financial regulation and also created the Consumer Financial Protection Bureau. It may be one of the most complex pieces of legislation written.
Two new regulatory compliance acts to look out for, especially pertaining to privacy, are the California Consumer Privacy Act and the New York State Personal Privacy Protection Law. The California act, which takes effect in 2020, “gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with.” The New York law “protects you from the random collection of personal information by state agencies. The law enables you to access and/or correct information on file which pertains to you. It also regulates disclosure of personal information to persons authorized by law to have access for official use.”

How Can I Learn More?
As 2020 approaches, protecting privacy is going to be more important than ever and will be a critical element of regulatory compliance.
Privacy laws give organizations parameters to work within and help ensure accountability. However, in the face of resource constraints and rapidly evolving threats, IT is often caught in the crossfire in choosing where efforts should be focused.
If you need a path for harmonious co-existence between working within the law and advancing technology, we’re here to help.
Watch our IT on Trial — Guilty Until Proven Innocent? webinar to learn legal and ethical considerations for data privacy, the value legal frameworks provide to technological advancement, and get predictions about the direction and increasing importance of privacy laws.
This article is for informational purposes only. The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice. You should contact a licensed lawyer in your area to assist you in legal and regulatory matters. Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article.
©2019 Absolute Software Corporation. All rights reserved. ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation. Other names or logos mentioned herein may be the trademarks of their respective owners.

The Biggest Challenges of Encryption

Encryption is a staple security control for most organizations. In a recent Ponemon study, enterprise use of encryption hit an all-time high this year with 45 percent of organizations now having a comprehensive encryption policy in place. Conversely, just 13 percent of organizations have no encryption capabilities. What is the biggest challenge organizations face in implementing their encryption policy? Simply having visibility into their data and knowing which needs to be protected.
What is Encryption?
According to Techopedia, encryption is the process of algorithmically transforming information to make it unreadable for unauthorized users. The encoded data may only be decrypted or made readable with a key, and while encryption can be used to protect data at rest, it’s most often used during the transfer of information. In 2018, encrypted traffic reached 72 percent of all network traffic – a 20 percent increase over the year prior.
Encryption means data is only readable by senders and receivers, not third parties who may be trying to get their hands on it. In the age of big data, where organizations collect and share information at unprecedented rates, encryption is a critically important tool.
Adoption Driver: Compliance
Along with the need to protect against rising data breaches, another primary driver behind increasing encryption use is compliance. Data protection laws – including GDPR, CCPA and PIPEDA – require organizations to prove that encryption was in place at the time of a security incident or face hefty fines; for context, the average cost of a data breach is now $3.86 million.
GDPR repeatedly highlights encryption as an ‘appropriate technical and organizational measure of personal data security.’ Under GDPR, organizations must notify regulators and impacted individuals of a data breach within 72 hours of the incident unless the data in question was sufficiently encrypted.
Having encryption in place can save your organization from potentially disastrous reputational damage. More than the cost of the fines, the reputational damage caused by losing trust in the eyes of customers and the public can ultimately be the factor that destroys an organization’s success.
The Human Element
Encryption isn’t without its challenges, however, and a big one is the very people who use it. Users are often the weak link in your security chain – another new study found employee mistakes continue to be the most significant threat to data security. Encryption may be mathematically guaranteed, but it can also be complicated to implement and confusing for users. This often leads to employees disabling it or insecurely sharing decryption keys, which renders the entire program void.
Device Complexity Creates False Sense of Security
Encryption is a powerful tool but it’s still just one ingredient in your overall security mix. It is most often paired with other endpoint security solutions such as patch management, antivirus and antimalware, along with firewalls, SIEM solutions and many others. All have their place, but the rising number of solutions deployed on any given device contributes to significant complexity, making monitoring them a challenge. Tools don’t always integrate or work well together, and controls easily become misconfigured.
The high volume of security tools often provides a false sense of security because broken tools can leave big gaps in an organization’s defenses. Instead, IT and security teams need to be able to better understand what’s happening on their devices and respond to suspicious events to reduce security failures. Adding more and more security controls to the endpoint may perpetuate the risk.
It’s imperative that encryption and any other fundamental security tools are working at all times, as intended, in order to have visibility and control over devices that contain data or network access.
To learn more about how security tools degrade and how you can analyze the tools you already have to identify blind spots or opportunities to strengthen your defenses, listen to the recent webinar we did with Forrester analyst Renee Murphy, titled The State of Endpoint Security in 2019.

The Role of Dematerialization in Data Privacy

In the constant push for bigger, better, faster, it’s normal to see products and services evolve to meet shifting customer expectations. What’s different about today though, is how customers themselves are changing. Everyone has a growing digital footprint, regardless of whether or not they want one. What does this mean for personal data privacy?
The Dematerialization of Society
Look around your home today and compare it with a home in the 1980s or 90s. What’s missing? An answering machine, Rolodex, calendar, alarm clock, road maps, vinyl records, VHS tapes, cassettes, CDs, and DVDs; the list goes on. Each of those material goods has been replaced by our smartphones. Digital has “dematerialized” our world — even our money has been digitized, for the most part. It’s safe to say we’re much less dependent on physical stuff.
Digital has also dematerialized people. A person is a person because of the data that exists about them — our digital selves. We have become a collection of individual pieces of data made up of Personally Identifiable Information or PII.
Personal Privacy in a Dematerialized World
When all of our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we have somehow managed to sacrifice our personal privacy along the way.
We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes around in the cloud — and somehow this shift made the data seem less valuable for a while.
For more on the three general attitudes people have on data protection, read Data Privacy in Our Digital World.
New and Updated Regulations to Protect Our Digital Selves
There have been too many stories in the news about organizations and institutions for all the wrong reasons — negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and so on.
As a result, governments around the world are stepping up to the challenge of protecting the privacy of the individual with strict regulations (backed by law) that govern the use and misuse of digital data, and shift power back to the individual.
Sweeping regulations, such as the EU General Data Protection Regulation (GDPR), are prompting regulators around the world to implement compatible standards and, in some cases, start levying their own fines.
Most recently, the California Consumer Privacy Act (CCPA) as well as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) were introduced. Both have been heavily influenced by GDPR and give people more control over the personal information that is being collected about them.

The C-Suite Has an Ethical Responsibility to Protect PII
There are several reasons why organizations should do everything in their power to protect PII. Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.
Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for the government to impose it.
The C-suite has a responsibility to take an active role in ensuring data security and privacy controls are in place — failure to do so puts innocent people at risk and could potentially be the digital world equivalent of reckless endangerment.
In my next post on C-suite responsibility, I’ll discuss the different data privacy considerations that too often go overlooked. In the meantime, if you’d like to learn more, get our new eBook, 3 Overlooked Data Privacy Considerations.

Global Data Privacy Laws in 2019

As our personal information becomes digitized and organizations push to collect more and more of it, data privacy has become a critical issue. Regulations are needed to protect the growing volume of data and a majority of nations’ governments are responding with a multitude of global data privacy laws.
The Road to Regulation
According to a new, interactive map by the United Nations Conference on Trade and Development (UNCTAD), 58 percent of the 194 UNCTAD member countries report having data protection and/or privacy legislation on the books and another 10 percent have draft legislation in the works. Unfortunately, 21 percent of countries have no legislation or anything in process.
A global map of cyberlaws, the Global Cyberlaw Tracker monitors the state of e-commerce legislation including laws over e-transactions, consumer protection, data protection/privacy, and cybercrime. It’s a helpful tool for organizations as they work to safeguard the personal information of citizens around the globe. However, it’s also a good illustration of the significant challenge organizations face in data protection compliance.
To further complicate matters for the companies that do business with Americans, there is no federal data privacy law in the United States. Instead, companies are left to interpret and comply with a growing patchwork of individual state laws — a movement now gaining momentum thanks to the California Consumer Privacy Act (CCPA) of 2018.
Read: Will CCPA Pave the Way to a Federal Data Privacy Law?
Is GDPR the Future of Global Data Privacy Laws?
To avoid having to comply with 50 different state laws, big tech companies are calling for a unified law similar to the European Union’s GDPR, though more so in concept than in scope. Most data privacy activists champion the regulation; however, many organizations are cautious about what they ask for. GDPR is considered the world’s most stringent data protection law. Since going into effect in May of last year, nearly 60,000 data breaches have been reported but only 91 fines have been imposed to date. According to one report by international law firm DLA Piper, the three biggest offenders so far are the Netherlands, Germany, and the United Kingdom.
Keeping up with the evolving regulatory landscape requires constant attention – just like monitoring sensitive data that is always on the move. While the world’s lawmakers scramble to keep up with escalating data privacy issues, costly fines and the court of public opinion are already under way. It’s important to understand what data you collect, where it’s shared, and how it’s protected. While many data privacy regulations are still being developed, implementing measures to align with larger privacy frameworks like GDPR can ensure your organization’s data is protected and you’re prepared for forthcoming regulations.
For more information on the global state of data privacy, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.
Video Transcript:
Hello again! Josh here from Absolute. In our last episode, we saw how the digital world has made data privacy a top priority. In this episode, we’ll look at some of the laws designed to protect data privacy.
The most obvious place to start is with the General Data Protection Regulation (GDPR) which is fashioned as a statement of rights, including:
- The right to rectify
- The right to be forgotten
- And the right to civil action
Rectify simply means that when someone requests a change to the details of her digital self, you must find every place her data could be so that you can rectify the information and comply with GDPR.
The right to be forgotten is also key, allowing a person’s digital identity to be purged; in legal jargon this is called the ‘right to erasure’.
Once again, we need to find it, which means we need to probe every endpoint to discover where the data is so that we can remove it.
Finally, the GDPR guarantees the right to sue for damages when personal data is misused or left unprotected.
Okay… well, now we have to demonstrate safeguards are active, up-to-date, and working effectively.
It’s the only way to prove your innocence and avoid a fine, which can be as high as 4% of your organization’s annual revenue.
Fumbling on data privacy is a costly mistake.
What about outside Europe?
In the US, we find laws like HIPAA (for health information) and S-P and S-ID statutes for personal financial information, enforced by the SEC. But no national privacy standard.
In the meantime, we need to follow state laws like CCPA in California. Some have called CCPA, ‘GDPR-lite’. But that’s only for the penalty amounts. CCPA imposes more restrictions, demands faster reporting and tighter controls than GDPR. If it’s true as they say, ‘As California goes, so goes the country’, then we can expect the US to end up with more stringent standards than the EU.
Then, we come to PIPEDA, Canada’s newly refreshed hammer for privacy. Not only is reporting unauthorized access required (like GDPR), but so is reporting when the safeguards – anti-virus, encryption, security agents – have broken, regardless of whether the attacker was successful.
Wait! You have to prove your security posture was airtight when the incident happened, not just if data was stolen? Yep, that’s what we’re sayin’ (eh)!
Data privacy is today’s great challenge for IT and security teams, and with 35% of sensitive data sitting out of sight on endpoints, there has never been a stronger need for persistent endpoint visibility and control.
Next time we will explore the steps you can take to ensure data remains private. Be sure to subscribe and drop your comments below, I’ll see you then.

Will CCPA Pave the Way to a Federal Data Privacy Law?

If GDPR is the unification of data privacy laws across Europe, could the California Consumer Privacy Act of 2018 (CCPA) serve the same role in the U.S.? While many privacy advocates hope it does, there’s no question that there is still much work to be done on CCPA before the new California law truly paves the way to a federal data privacy law.
What is CCPA?
CCPA was signed into law on June 28, 2018 and will go into effect January 1, 2020. Under California law, citizens can propose new laws and can trigger a vote if they gather enough signatures. That’s how CCPA was brought into play – and very quickly made into a reality. As it stands, the law currently provides California residents with four basic data privacy rights:

The right to know which personal information a business is collecting about them, where it’s being sourced, what it’s being used for, whether it’s being disclosed/sold and if so, to whom
The right to opt out of allowing a business to sell their personal information to third parties
The right to have a business delete their personal information, with a few exceptions
The right to receive equal service and pricing from a business even if they exercise their privacy rights

Unlike GDPR, CCPA has a narrower scope of businesses to which the data privacy requirements apply. CCPA impacts any company that does business in the state and meets one of the following criteria:

annual gross revenues over $25 million
receives/discloses the personal information of 50,000 or more CA residents
derives 50 percent or more of its annual revenues from selling CA residents’ information

Violation comes with a civil penalty of up to $7,500 per incident and gives consumers the ability to seek damages either individually or collectively.
CCPA in 2019
Starting in January 2019, the Attorney General (AG) of California has been holding forums across the state to gather comments from the interested public. The input gathered during this rulemaking process — which is set to end on March 8 — will then be considered as legislators draft CCPA rules in the coming months. The first draft of CCPA regulations is expected to be published this fall, after which another public comment period will be scheduled.
CCPA is by no means final, yet already several copycat laws are popping up across the country — Massachusetts, Rhode Island, Washington and New York have all introduced their own state laws too. Other state AGs have said they will take California’s lead on data privacy. Separately, a couple of federal data privacy bills have been introduced – one back in December by a group of 15 Senators and another by Florida Senator Marco Rubio last month.

The evolving patchwork of U.S. data privacy laws raises the question – when will federal lawmakers finally step in and address consumer privacy rights as was done in the EU with GDPR? Tech giants Cisco, Apple, Facebook and Google recently joined forces calling for this. CCPA and others like it are building awareness and driving momentum for the effort.
Regardless, it’s increasingly important to pay close attention to the legislative landscape as the penalties for non-compliance continue to climb. Perhaps equally important, companies should be taking a stand on data privacy because it’s morally, ethically and legally the right thing to do. It also makes good business sense. Consumers want to do business with companies they trust. In California at least, they are the ones driving data privacy into law.
If you would like more information on how you can be sure your organization is doing what it can to protect the data in its care, download our new eBook 3 Overlooked Data Privacy Considerations.

Data Privacy in a Digital World

Data privacy is top of mind these days – for good reason. The number of exposed online records has doubled since last year, reaching a total of 446.5 million. International regulations such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada have helped to provide standards for governance over our information, but it is not always simple.
We Are Our Data
When all our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we somehow managed to sacrifice our data privacy along the way. We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes of data around in the cloud — and somehow this shift made the data seem less valuable…for a while.
When it comes to data protection, most people fall into one of three categories:

Just stay offline.
My data will be used/misused and it’s no big deal.
Wait a second – that data is who I am!

Whatever your opinion, there have been too many stories about organizations mishandling data recently, including negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and the list goes on.
A Responsibility to Protect PII
There are several reasons why organizations should do everything in their power to protect Personally Identifiable Information (PII). Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.

Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for a government to impose it.
The C-suite has a responsibility to take an active role in ensuring that data security and privacy controls are in place. Failure to do so puts innocent people at risk and could be likened to the digital world’s version of reckless endangerment.
3 Simple Aspects of Data Privacy
Data Residency. Your organization is full of sensitive data and, unfortunately, employees unwittingly put it at risk all the time. An organization is responsible for understanding where the data it collects and stores resides, especially if it is stored in another country. However, your data sits out there on more endpoints than you think, not to mention what happens when one of those devices goes missing.
You need the equivalent of Google for your endpoint data — a lexicographical crawler for PII that can alert you to any unauthorized data hiding out there on endpoint devices. Unless you have that, you simply won’t be able to track all the places where the data resides.
Orchestration of Controls. There is no shortage of security controls, whether they be native in the operating system or come as third-party applications like antivirus, antimalware, encryption, or other endpoint detection and response (EDR) solutions. These controls help ensure that the place where data resides is secure.
The problem is in ensuring that the third-party controls remain in place and functioning at all times. Native controls can help with this, giving organizations the ability to pull information from the controls and push actions to the device if they are not operating as they should, or if the user of the device is acting suspiciously.
Continuous Monitoring. Annual auditing is only valid on the day the audit takes place. Can you be sure on any day in between audits that data is not residing in the wrong place and, if it is, that security controls are in place to protect it? Without continuous monitoring, you’ll never be able to keep track of all the data copies that exist on all your devices. This can leave you in hot water when the regulators come knocking.
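As an added illustration of the endpoint PII crawler and the continuous-monitoring check described above (example code written for this page, not Absolute’s product): it walks a directory tree, flags files containing email addresses, US SSNs or Luhn-valid card numbers, and returns a per-file tally that a scheduled job could re-run between audits. The regex patterns, file names and sample contents are constructed for the demo.

```python
import os
import re
import tempfile
# Added example (not Absolute's code); the patterns are illustrative starting points.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # broad on purpose; Luhn filters it
}

def luhn_ok(digits):
    """Luhn checksum: drops most random digit runs (order ids, log counters)."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def scan_text(text):
    """Count PII hits per category in one document."""
    hits = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue
            hits[name] = hits.get(name, 0) + 1
    return hits

def crawl(root, max_bytes=5_000_000):
    """Return sorted (path, hits) pairs for every file under root that holds PII."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:  # read bytes so binaries don't abort the crawl
                    hits = scan_text(fh.read(max_bytes).decode("utf-8", errors="ignore"))
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if hits:
                findings.append((path, hits))
    return sorted(findings)

def demo():
    """Crawl a constructed sample tree: two files hold PII, one is a false lead."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    samples = {"hr/export.csv": "jane@example.com,123-45-6789\n",
               "finance/refund.txt": "card 4111 1111 1111 1111 refunded\n",
               "build/log.txt": "job id 1234567890123456 finished\n"}  # fails Luhn
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return crawl(root)
```

Running crawl() against a user profile on a schedule and diffing the result against the last run gives the between-audit visibility the paragraph asks for; the build log shows why the checksum matters for keeping the alert volume sane.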
Data privacy affects all of us. As the speed at which the world operates in digital increases, we can expect everyone to take a greater interest in their personal data. The organizations that act now to build data privacy into their company’s mission statement will be the ones that retain customer trust.
For more information on data privacy in our digital world, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Welcome back! Josh here from Absolute. If you’ve been on planet Earth the last couple of years, you know one topic in Information Security is grabbing everyone’s attention: Data Privacy.
Look around at a home of 2019 and compare it with a home of the 1980s or even the 90s. Take notice of what’s likely missing…

Answering machines
Alarm clock
Vinyl records, VHS tapes, cassettes, CDs or DVDs

Each (and there are many more) have been replaced by a smartphone. Digital has dematerialized our world. The things people need are no longer dependent on physical stuff but are satisfied by digital technology.
What does this have to do with data privacy?
Well, digital has also dematerialized people. We live in a digital reality. Who we are has become a collection of individual pieces of data; we call it Personally Identifiable Information or PII.
People have always been conscientious about their personal privacy, but now that we’ve been dematerialized, personal privacy takes a new shape. Each person’s right to privacy is more easily overthrown, because we’re not moving physical material around in space, but manipulating bits and bytes that compose a person.
One school of thought says, ‘Just stay offline.’
Another way of thinking says, ‘Hey, my data will be used (or misused), it’s no big deal.’
While others contend this by saying, ‘Wait! That’s my data and that is who I am!’
For starters, just saying ‘stay offline’ isn’t reasonable for a 21st century person: the digital world is where things happen. That’s why we call it The Digital Transformation. Business, government, school, research, and even friend-to-friend interactions, all happen in the digital town square.
For those saying ‘No big deal’, would you say that if you were being harassed or stalked by someone in the physical world? And even if you don’t care about how your data is used, other people do… and they want assurances that their privacy is always secure.
You can see why data privacy is all the rage right now. And it’s not just social media data scraping to create ‘fake news’; we see credit bureaus, city governments, and even hospitals, schools and universities all fail to safeguard individual privacy.
Data privacy goes to the heart of what we value as a society, which demands that we do our best work to protect those digital persons in our care.
Be sure to subscribe and put your comments below. I’ll see you next time, and we’re gonna take a deeper dive into the laws that are designed to protect personal privacy.

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are: hacking, theft or loss of devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.
Why is healthcare hit so hard? Healthcare is data, and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the fact that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t mean layering on every new tool is the right answer — for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and know where it resides.
The Burden of Proof for HIPAA Compliance
To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through encryption and/or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.

The challenge is that you can’t secure (in this case encrypt) or validate devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints — even those that are inactive — also happens to be the starting point for a solid security program.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.