Category Archives: Compliance

Complying with GDPR and California’s CCPA – Step 3

If your company has customers in California – independent of where the company is located – or does business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that there will be changes to the law before it goes into effect, it is important to start getting ready for the law because complying with all of the requirements will take a significant effort.  For businesses operating in Europe, you should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR require you, if the user requests it, to delete data, stop processing data and provide a copy of the data that you have, in a machine-readable format if possible.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored could include, for example, web servers, internal servers, workstations and cloud service providers.

Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.

If you need assistance with this, please contact us.


Land Rover Telematics Not Secure – Gee, I Am Surprised

While I have written about this in general before, this item is specific to the Land Rover and its “Discovery” model.  If this is a surprise to you, it should not be.

If you buy a used Land Rover, it is possible (likely) that the previous owner can still control your car through the Land Rover app or web site.

In *THEORY*, if you trade your Land Rover to an *AUTHORIZED* dealer, they are supposed to reset the telematics module to disconnect the previous owner.  That does not always happen.

In addition, in the case of a private sale or a sale through a used car dealer, that probably never happens.

When the writer of the article linked below tried to link his newly acquired used Land Rover to the app, it said it was still connected to the previous owner.

That previous owner could unlock the car, adjust the climate and, using the nav system, see where he had gone and where he currently was.

Land Rover’s call center is apparently not trained to deal with it because they told him to find the previous owner.  Sure!  Right!

After the Register contacted Land Rover’s press office, sensing a PR disaster, they said that they could have handled it better.

They did say that he could take the car to the dealer and the dealer would reset it.  Probably for a not-so-nominal fee, but they did not address that.

So, as a buyer of a used car, what do you need to do?

First of all, hopefully, if the car is a new car from the dealer, this should not be a problem.  This is only a problem with used cars.

If you buy a used car from a dealer, at the time of sale you should ask the dealer to confirm that they have reset the telematics.  To be safe, you can get the dealer to help you download the app and connect the car to the app.  That way if the dealer is lying, you can call him on it right then, right there.

If it is a private party sale, you can ask the seller if he released the car from the app, but again, the best way to do it is to download the app while the previous owner is still within arm’s length and you can strangle him (figuratively, please).

One other note.

With laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, it is likely completely illegal for the car’s manufacturer to continue to collect data after the car is sold on the used car market.  After all, even if the first buyer granted the manufacturer permission to collect data, the second buyer almost certainly did not, and both laws have very explicit requirements for how the disclosure and opt-in/opt-out language has to read.  I think the courts will side with the used car buyer, saying that the manufacturer did not provide “clear and conspicuous notice”.  Expect a nice, juicy class action soon.

Information for this post came from The Register.


Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1

This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California.  Watch for further steps over the next several weeks.

While companies are supposed to be compliant with GDPR already, many are not, and the California law’s effective date is still almost 18 months away.  In either case, these tips should be useful.  With regard to California’s law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little bit before it goes into effect.

While there are many differences between the two laws, there are many similarities as well.  These similarities allow us to cover major aspects of both laws together.

The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold.  For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.

One of the requirements of the law is to give consumers a right to ask a company what data the company has collected about them, where the data is stored, who they shared it with and to obtain a copy of it.

Another right is, in at least some cases, to request that the company delete the data, again, no matter where it lives.

These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.

For both laws, it does not matter where the company is located, but rather where their customers are located.  For GDPR, those customers who live inside the European Union are covered.  For CCPA, those customers who live in California are covered.  For CCPA alone, there are probably over a half million businesses that are impacted.

With all that background, here is our recommendation for step 1.

STEP 1 – CREATE A VENDOR DATA INVENTORY.

Our vendor data inventory or VDI process identifies all vendors that a company does business with – from the Post Office to some niche cloud-based software service.

For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.

Even for a small company, we have found that there are often 100-200 vendors in this list.

For larger companies, it could be up to a thousand.

The company identifies a point person to work with us and the process begins.

In many cases, we discover that NO ONE is accountable for a particular vendor relationship.  In some cases, very few people are even aware that it exists.

Often accounting is a good place to start because usually, but certainly not always (Ex: Gmail is free), vendors get paid.

Of course, even the free vendors have to be accounted for.  Also the vendors that are paid for by someone in a branch office on a personal credit card which is later reimbursed have to be captured.

One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges.  Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.

Remember, whether the account is free, employee paid for or company paid, the company still owns the liability in the case of both laws.

If this seems daunting, it can be, but we can make the process less painful.

Watch for the next step – create data flow maps.
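As an added example that is not part of the original post or the author’s VDI process, here is the vendor data inventory from this step and the data flow map from Step 3 modeled together in Python: each system or vendor records the Step 1 fields (data held, accountable person, contract), “shares with” edges form the flow map, and the helpers answer where a data category lives for a delete/access request and which vendor relationships have nobody accountable or no contract. Every name, data category and vendor here is a constructed assumption.

```python
# Vendor data inventory + data flow map (constructed example, not the author's tooling).
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    name: str
    kind: str                    # "system" (internal) or "vendor"
    data: Set[str]               # data categories stored at this node
    accountable: Optional[str]   # who in the company owns the relationship; None = nobody
    contract: bool               # contract in place (always True for internal systems)
    shares_with: List[str] = field(default_factory=list)   # downstream flow edges


# Constructed sample inventory; every name and category is illustrative.
INVENTORY: Dict[str, Node] = {n.name: n for n in [
    Node("web-server", "system", {"email", "ip_address"}, "webmaster", True, ["crm-saas"]),
    Node("crm-saas", "vendor", {"email", "name", "purchases"}, "sales-lead", True, ["mail-tool"]),
    Node("mail-tool", "vendor", {"email", "name"}, None, False, ["analytics-subproc"]),
    Node("analytics-subproc", "vendor", {"email"}, None, False, ["mail-tool"]),  # cycle on purpose
    Node("accounting-pc", "system", {"name", "purchases"}, "controller", True, []),
]}


def downstream(start: str, inv: Dict[str, Node] = INVENTORY) -> Set[str]:
    """All nodes that data from `start` can reach, following shares_with transitively."""
    seen, todo = set(), list(inv[start].shares_with)
    while todo:
        n = todo.pop()
        if n not in seen:            # cycle-safe: each node expanded once
            seen.add(n)
            todo.extend(inv[n].shares_with)
    return seen


def holders(category: str, inv: Dict[str, Node] = INVENTORY) -> Set[str]:
    """Every system and vendor that must act on a delete/access request for `category`."""
    return {n.name for n in inv.values() if category in n.data}


def gaps(inv: Dict[str, Node] = INVENTORY) -> List[str]:
    """Inventory defects: nobody accountable, or a vendor with no contract."""
    out = []
    for n in inv.values():
        if n.accountable is None:
            out.append(f"{n.name}: no accountable owner")
        if n.kind == "vendor" and not n.contract:
            out.append(f"{n.name}: vendor without contract")
    return sorted(out)


def request_plan(category: str, inv: Dict[str, Node] = INVENTORY) -> str:
    """Machine-readable plan for a subject request: who holds the data and where it flows."""
    plan = {name: {"kind": inv[name].kind, "accountable": inv[name].accountable,
                   "shares_with": sorted(downstream(name, inv))}
            for name in sorted(holders(category, inv))}
    return json.dumps({"category": category, "holders": plan}, indent=2)


if __name__ == "__main__":
    print(request_plan("email"))
    print("\n".join(gaps()))
```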


Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms doing business in the E.U. AND transferring data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration,  the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)


EU’s GDPR May Cause Challenges For Businesses

According to a survey conducted by storage software vendor Veritas, 2 in 5 or 40% of what the EU calls “data subjects” (and what the rest of us call people) plan to request that businesses tell them what data they have within the first six months after the GDPR goes into effect later this month.

Even if the 40% turns out to be 10%, that is going to be an amazing hardship for businesses.

Under GDPR, businesses have about 30 days to provide that information.  They need to figure out which John Smith is requesting the data, on what systems (local, in the cloud and with vendors) they have that person’s data, collect and format that data in a manner that is consistent with the GDPR requirements and deliver it.  All within less than 30 days.

Which companies have to deal with GDPR?

In general, companies that collect data on EU people – customers or just people who visit their website.

Different companies face different risks.  The companies at the highest risk are those located in Europe.  Those are followed by ones that have operations (business units) in Europe.  At the lowest risk are companies based in the U.S. who may interact with a few EU data subjects.

Other responses from the survey include:

  • 56% plan to approach financial firms with data privacy requests
  • 48% plan to approach social media firms
  • 46% plan to approach retailers
  • 24% plan to approach employers and
  • 21% plan to approach healthcare providers
  • 65% of those who plan to contact these businesses will ask for access to the data those companies have
  • 71% of those who contact businesses will ask them to delete the data

Information for this post came from Computing.co.uk .

Based on that, what should you do?

First, if you live in the US, this doesn’t apply to you unless a company chooses to voluntarily do that.

BUT, if you are a business and you have customers in the EU or have a division in the EU and you have not already started working on complying with the rules, you likely will not be able to comply by the May 25th deadline.

What we don’t know is what the EU regulators plan to do.

Given there are tens of millions (or more) of businesses, the odds of any one business getting zapped are low.

UNLESS someone or more than one complains about you to the regulator.

And we don’t know how many resources each regulator plans to allocate to this process.

It will certainly be interesting to watch.  Unless you are the one that the regulator picks on.


New EU Privacy Law Could Bankrupt Your Company

The European Union has passed a new privacy law called the General Data Protection Regulation and it goes into effect in May of 2018.

For companies that do not do business or have customers in Europe, this regulation may not affect you.  However, if you have customers in Europe, even if you do not have offices in Europe, you are still bound by the regulation.

There are a number of things about the regulation that are very different than the way U.S. companies treat your data and mine.

What is unclear is whether multi-national companies will operate differently in different countries.

For example under GDPR, a company has to get express permission to collect, store, use and transfer data that they have about you.  Will Facebook, for example, have a different user agreement for customers in Europe than in the United States?  This is still unclear, but given their appetite for stealing our data, it would not surprise me if they did treat the two groups of users differently.

On the other hand, for smaller companies who do not make a lot of money from your data, it may be easier to treat everyone uniformly.

Other requirements of the regulation include –

  • Companies must report breaches within 72 hours of realizing it.  In the U.S., things are much looser.  You must report breaches sorta, kinda, reasonably quickly.  In many states what that means is undefined.  In other states it might be 30 to 90 days.  It is not 72 hours in any state for a general business.  Effective January 1, 2018, defense contractors will have to report breaches to the DoD within 72 hours and financial institutions in New York will have the same reporting requirement with a bunch of exceptions, but those two groups represent a tiny percentage of the total population of businesses.
  • The definition of personal data is way broader than any definition in the U.S.  For example, the Internet address (IP address) you are using is considered personal data.  So is your genetics.
  • Probably the biggest change is the potential fines.  The EU could fine a company up to 20 million Euros or 4 percent of their annual global revenue, WHICHEVER IS GREATER.  For a large company, that could be billions of dollars.  For a small company, the fine alone could bankrupt the company.

In addition, there are a number of other conditions that the law requires.

There are plenty of businesses in the United States that have European customers and many of them will be totally unprepared for the changes that come about in less than a year.

Obviously, the place for all businesses to start is to inventory what data the company collects, where it is stored, what it is used for, how long it is kept and who it is shared with.  That, by itself, is a huge challenge for most businesses.  This does not just apply to “corporate”.  If some department collects data and doesn’t have the proper consent, the company could be fined.  If that department shares the data with a third party and that was not disclosed, again the company could be fined.

This would include data that is stored on laptops, in the cloud and on home PCs.  Most companies will not be able to figure that part out.

If you share data with a third party – a vendor or supplier, you have to be able to prove that they are following the rules as well.

For British citizens, even though Great Britain is leaving the E.U., the government says that they are going to implement the same law.

For businesses that are subject to this law and who have not already started planning for this, there is not a lot of time to get caught up.  There is a lot of work to be done.

Information for this post came from the BBC.
