I’ve got a proposal: let’s not talk about how turbulent 2020 has been. Instead, let’s talk about the ways that we can make the rest of the year better, safer, more manageable for everyone. Since it’s Cybersecurity Awareness Month, of course, we’re thinking about improvements in that context.
Turbulent times, after all, have a way of getting us to reassess our priorities. But in cybersecurity, COVID-19 has hammered home a few realities more than others:
- Are there cracks in your cybersecurity foundation? Now isn’t the time to paper over them — we need real fixes.
- In a time of damaged public trust, businesses need to prioritize establishing trust with their consumers.
- Resilience is foundational to weathering any kind of difficult period.
Cybersecurity, of course, is a big umbrella. Some of the big sticking points right now, though, are ones that have been with us for a while. Consider these ongoing issues, then take a look at our top ten ways to step up cybersecurity at the end of 2020.
What we’ve seen in 2020
Data breaches: That friend who you definitely didn’t invite to the party
Data breaches aren’t new news. But they’ve been on the uptick for years now. It’s not pretty, but closing your eyes and wishing reality away never helped anyone.
- In general, a cyberattack occurs every 39 seconds
- A big breach is big money: on average, it costs businesses $392 million for the breach of more than 50 million records
- 39% of surveyed SMBs report that their organizations lack any incident response plans
And it looks like businesses simply aren’t prepared to face these risks.
- The average time to identify and contain a breach is 280 days
- 53% of companies found over 1,000 sensitive files accessible to every employee
- Only 5% of a company’s folders are protected
- 34% of data breaches in 2018 came from internal actors
These are just SOME of the statistics — there’s a lot of information to process. And if it’s a lot for cybersecurity professionals to process, imagine how it feels for non-IT employees at your business.
Consider the number of people internally who are responsible — either in a malicious way or not — for data breaches. This number shows why it’s critical to:
- Have rigorous training programs in place for all staff
- Implement consistent internal measures to monitor for security risks among staff
CCPA right of action
The California Consumer Privacy Act (CCPA) — yes, it’s about privacy, but it’s got security provisions written into the legislation that make it imperative for cybersecurity professionals to pay attention. Among the most pressing issues: the right of action.
Under CCPA, consumers have the right to legal action if their records are exposed in a data breach IF the company hasn’t taken “reasonable measures” to secure their data. While “reasonable measures” currently has a vague definition, there are some takeaways that can help protect your data.
- Keep on top of your data assets
- Know where personal information is located, what the access permissions are, and any other risk factors.
- Is your data stale? Toss it to avoid unnecessary security threats.
- Implement appropriate permission levels to limit access to sensitive data
- Regularly review data and permissions
A common issue with CCPA compliance — really, any kind of compliance — is that we think once we’ve met the guidelines, we’re in the clear to infinity and beyond.
That’s unfortunately not the case. It’s an ongoing process and one that requires close monitoring.
Remote work: More risk, more reward
It’s a mark of just how wild 2020 has been that one of the biggest shifts in the US workforce took place and yet it feels like a mere footnote. But it shouldn’t be, at least for anyone dealing with cybersecurity.
There are upsides to working from home these days — public health, childcare, work-life balance (maybe?) — but it presents undeniable security risks. Consider this:
- 88% of organizations worldwide made it mandatory or encouraged their employees to work from home after COVID-19 was declared a pandemic.
- The number of unsecured remote desktop machines rose by more than 40%
- 46% of global businesses have encountered at least one cybersecurity scare since shifting to remote
8 Steps to Cybersecurity for 2020 and 2021
In an increasingly tech-centered and remote-working world, there are ample opportunities to make cybersecurity a core business practice rather than applying it as a bandaid when things go sideways.
What’s important for your customers is important for your business. Here’s how to communicate,
1. Best practices start with communication
Best practices can feel pretty opaque to those who aren’t fluent in cybersecurity-ese. To combat this, place strategic messaging about your security measures throughout your points of contact.
For example, when your customers sign in, you should use multifactor authentication (MFA), but why are you using it? What should they expect and how does it benefit the customer? Weave this information into signup forms, pop-ups, or emails so your customers are clued in along the way.
2. Make beefy passwords standard
Speaking of MFA, it’s a great tool, but it only works in tandem with strong passwords. Require customers to set up passwords that are hard to crack. Characteristics of a strong password include:
- Combination of capital and lowercase letters, numbers, and special characters
- No obvious substitutions (like $ for s, ! for i)
- 12 characters or longer
- Doesn’t contain recognizable or attributable words, names, dates, or numbers (like birthdays, phone numbers, etc.)
- Unique to your customer’s account with you (i.e., not reused)
Password practices can be made even more secure by encouraging or requiring customers to change passwords regularly and not allowing reuse of passwords.
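As an added example (not from the original post), here is a JavaScript check that enforces the characteristics listed above, including undoing common letter-for-symbol substitutions before the dictionary check so that “P@$$w0rd” is caught; the denylist and the previous-password list are constructed placeholders.

```javascript
// Password policy check for the characteristics listed above.
// Added example, not Red Clover Advisors' code. The denylist and the
// "previous passwords" list are constructed for illustration.

// Common symbol-for-letter substitutions, undone before the dictionary check.
// Each symbol maps to one letter; ambiguous ones (1 -> i or l) are resolved one way.
const DELEET = { "@": "a", "4": "a", "$": "s", "5": "s", "!": "i", "1": "i",
                 "0": "o", "3": "e", "7": "t", "|": "l", "+": "t" };

// Constructed denylist; a real deployment would use a large list of
// breached and common passwords instead of this handful.
const DENYLIST = ["password", "welcome", "letmein", "qwerty", "admin", "summer"];

const MIN_LENGTH = 12;

// Lowercase the password and undo substitutions so dictionary words cannot hide.
function normalize(pw) {
  return pw.toLowerCase().split("").map(ch => DELEET[ch] ?? ch).join("");
}

// Returns the list of failed rules; an empty list means the password passes.
// opts.previous: prior passwords for this account (a real system would compare
// against stored hashes rather than plaintext).
function checkPassword(pw, opts = {}) {
  const failures = [];
  if (pw.length < MIN_LENGTH) failures.push("too-short");
  if (!/[A-Z]/.test(pw)) failures.push("missing-upper");
  if (!/[a-z]/.test(pw)) failures.push("missing-lower");
  if (!/[0-9]/.test(pw)) failures.push("missing-digit");
  if (!/[^A-Za-z0-9]/.test(pw)) failures.push("missing-special");
  const norm = normalize(pw);
  if (DENYLIST.some(word => norm.includes(word))) failures.push("dictionary-word");
  // A four-digit year (1900-2099) or a 6-8 digit run suggests a birthday or phone number.
  if (/(19|20)\d{2}/.test(pw) || /\d{6,8}/.test(pw)) failures.push("looks-like-date-or-number");
  if ((opts.previous ?? []).includes(pw)) failures.push("reused");
  return failures;
}
```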
3. Prioritize maintenance
Cue up the cybersecurity mom voice in your head: Is your site secure? Are you updating to the latest versions and keeping everything patched? Are you backing up your data regularly?
If you are avoiding doing these basic cyber-housekeeping tasks, remember that when you skip them, you leave a window open for hackers to compromise your customers’ data. Yes, it’s tedious to schedule maintenance, updates, and reboots, but it takes a whole lot more time to deal with the aftermath of a cybermess.
4. Stay ahead of the compliance curve
Compliance isn’t one of those static areas of business. (Is there such a thing anymore?) Bridge the gap between privacy, security, and your customers’ needs by investing in staying current on what’s new with regulations like the California Consumer Privacy Act and the EU’s General Data Protection Regulation, as well as up-and-coming regulations.
5. Create workforce awareness and accountability
Training. Training, training, training. We can’t stress this enough. One of the best things that you can do for your entire workplace is to develop company-wide training that educates everyone on cybersecurity and privacy issues.
Get them smart on everything from phishing to password security to data management and privacy and the WHY of it all and you’ll have a team that’s more prepared to keep your business and its data safe.
Pro move: Don’t just make this a standalone training. Incorporate cybersecurity continuously, from onboarding to holiday party protocol and make it relevant and engaging. (Whatever that looks like in the future.)
6. Working remotely, the secure way
Yes, it’s been seven months since everyone went home en masse but lots of us are still there. Your team might well be among them. Have you gotten your remote work cybersecurity details in place? This is a whole big topic, but some low-hanging fruit that you can achieve includes:
- Implementing good VPN practices
- Setting up Two-factor Authentication (It’s not just for customers!)
- Developing safe standard practices for file access and management
- AND training (see above)
Even if you had worked out cybersecurity strategies for remote work this summer, with the upcoming cold/flu/COVID season, it’s advisable to revisit it to make sure your plans are working for your business and its employees. (And not hackers.)
7. Protect personal devices
Personal devices are an extension of ourselves these days, always within arm’s reach. They’re indispensable for managing our lives both inside and outside of work.
This expansive utility makes them a unique cybersecurity risk. Your employees are probably (definitely?) using them for work purposes, but how secure are they? (Spoiler: probably not very.)
The best practice is to have employees use only company-owned laptops and smartphones so you can control security measures. However, this isn’t always possible, so make sure you have policies and practices in place covering measures like strong passwords, app downloads, file access, and location services.
8. Test for vulnerabilities
Bringing in an outsider like an ethical hacker or security expert to test your system is a great way to get a better understanding of where your weaknesses are. Let’s be honest, it’s really difficult to see where your problem spots are when you’re looking at them every day. On the other hand, someone whose job it is to find problems will be a pro at rooting out coding bugs, finding backdoors, and spotting other potential security threats.
Cybersecurity Awareness Month is a prime opportunity to expand awareness and improve upon your practices. However, it’s also not really a once-a-year event — cybersecurity should be taking place every day for your customers and your employees.
Want to learn more about how you can support cybersecurity and privacy? We’d love to chat with you. Drop us a line!
Now what about CPRA?
Wait, you might be saying, you just said that – you mean CCPA. And I’m squared away, thank you very much.
Not the case. While the California Consumer Privacy Act has just become enforceable as of July 1, there’s another privacy rights act lining up for the November 2020 ballot. This new act aims to build off of the work accomplished by CCPA to increase transparency and control for consumers over their personal information.
For consumers, the California Privacy Rights Act (CPRA) – affectionately referred to by some as CCPA 2.0 – represents an expansion of privacy rights. For businesses, it represents both a challenge to keep up with compliance requirements as well as an opportunity to create an exceptional customer experience.
How so? Awareness of privacy issues is on the rise. Your customers are going to increasingly expect transparency on how you’re handling their data. Your privacy plans and policies are a big part of building a relationship with them.
Ultimately, compliance isn’t just important to stay in line with the law. It’s important to sustain your consumers’ relationship with your business.
Where Did CPRA Come From?
Who’s driving this policy train? Californians for Consumer Privacy, the nonprofit group that helped get CCPA on the 2018 ballot.
Although CCPA had yet to become enforceable at that time, in September 2019, Californians for Consumer Privacy submitted a ballot initiative for a new, in-depth privacy act that would build off of CCPA: the California Privacy Rights Act (CPRA).
By May 2020, they had gathered more than 900,000 signatures to qualify for the ballot and on June 24th, 2020, the California Secretary of State announced that CPRA was eligible for the November 2020 election.
It’s important to note that CPRA is being brought forth as a ballot initiative. If CPRA is enacted by voters as part of a ballot initiative, it will only be able to be amended through another ballot initiative, not through legislation. This gives voters a greater voice in privacy measures rather than relying on the legislative process to move the needle forward.
What is CPRA?
CPRA takes many of the ideas and concepts from CCPA and expands them for California residents, allowing them a greater degree of control over their personal information while implementing further requirements for businesses in regards to how they collect, use, and store that personal information. Some aspects of it even move the law closer to the General Data Protection Regulation (GDPR), such as new requirements on data retention, an expanded right to know and access personal information, and further definitions of sensitive data.
Much like CCPA, the impact of CPRA would be felt far beyond California’s state borders. Also similar to CCPA, it would apply to businesses and organizations that meet certain eligibility requirements and process California residents’ personal information – regardless of where the business or organization operates from.
But these are generalities. What are some of the important – and specific – additions and changes being made to CCPA within this legislation if it ends up being enacted?
Establishment of a California Privacy Protection Agency
This agency would oversee enforcement of CPRA rather than the California Attorney General, who is the sole arbiter of CCPA enforcement.
Until the California Privacy Protection Agency is enacted, the Attorney General would have rulemaking authority to issue regulations on topics like identifying business purposes for the use of personal information, updating the definition of personal information, and more.
Sensitive Personal Information
Sensitive personal information is at the core of privacy issues. The CPRA would establish a further category of personal information under Cal. Civ. Code § 1798.140(ae), “sensitive personal information,” defined as information that is not publicly available and that includes:
- Social security number
- Driver’s license number
- Passport number
- Financial account information
- Precise geolocation
- Race and ethnicity
- Union membership
- Personal communications
- Genetic data
- Biometric and health information
- Sexual orientation and sex life information
Sound familiar? Some of these items are reminiscent of GDPR and its categories of sensitive data – genetic data and biometric information, religion, race and ethnicity, sexual orientation and sex life information, and union membership are all held in common between the two regulations.
As part of this new category of personal information, businesses have to offer transparent disclosures about what sensitive data they process. Those same businesses would be subject to greater restrictions on its use as well.
Along with the expanded definition, CPRA would allow consumers more extensive rights around the use of their sensitive personal information. Among those rights would be the right to request to correct personal information held by a business if that information is inaccurate.
This may sound like an odd provision to include in the law, since many businesses already provide this service to their customers as a courtesy. However, mandating a correction mechanism increases the stakes if you don’t.
Think about it from the consumer’s perspective: It’s all about trust and relationships. When consumers give you their information, they’re trusting you with just that. THEIR information!
They have a right to access and control it. By helping them exercise that right, your business actively demonstrates their rights and needs matter to you. Your relationship is a two-way street!
Protecting children’s privacy has been a major point for CCPA. CPRA takes it even further. Under CPRA, businesses and organizations that violate CCPA’s opt-in right will face triple the amount of fines.
They will also have to get opt-in consent to sell or share data from any consumer under the age of 16. (Currently, under CCPA, parents must provide consent for children under the age of 13. For children between 13 and 16, the child themselves must provide consent.)
CPRA would add new layers of transparency and data governance policies. One meaningful addition is that it would require businesses to notify consumers at or before the collection of data:
- Whether information is sold or shared
- Information on sensitive categories of personal information that are collected
- How long consumers’ personal information is retained
Moreover, CPRA would aim to prohibit keeping personal information for longer than is “reasonably necessary” for the specifically disclosed purposes of collection. It would also limit the collection, use, retention, and sharing of data to what is “reasonably necessary” to achieve those same disclosed purposes.
It’s especially important for your business to take transparency requirements to heart. This isn’t just a legal need. It’s a customer experience need. Think of all the stories in the news about lack of transparency. It may not sink the boat immediately, but it significantly damages your customers’ ability to trust you.
Data Breach Liability Provision
Data breaches are a significant – and increasing – worry for consumers. Almost half of surveyed consumers in a 2019 report by Ping Identity were more worried about data breaches than they were the previous year. But while they’re worried about it, they expect businesses to help safeguard them: 63% of consumers believe that a company holds responsibility for protecting their data.
So it’s not surprising that a data breach liability provision was included in CPRA to expand on existing CCPA rules. The CCPA already grants consumers in California the right to bring legal action for damages resulting from a data breach. However, CPRA provides greater clarity by stating that breaches compromising a consumer’s email address and either their password or security question/answer can result in liability for the company.
This provision helps resolve the ambiguity in the current CCPA regarding a business’ duty to implement reasonable security and when a consumer’s right to legal action following a data breach might apply.
Is your team smart on data breaches? How you handle it has a huge impact on how quickly you recover from one. A training program can make all the difference.
If it’s enacted, would CPRA apply to my business or organization?
If you’re already required to comply with CCPA, then the new terms of CPRA would apply to you. However, CPRA changes the scope of CCPA in some significant ways.
- CPRA will extend the CCPA’s exemptions for workplace-related information until January 1, 2023 (i.e., for employees, job applicants and business-to-business contacts). If CPRA doesn’t pass, these CCPA exemptions will expire on January 1, 2021.
- Raises the applicability threshold to for-profit entities that process the personal information of 100,000+ consumers or households, meaning that many small businesses would fall outside the scope of the legislation. However, if enacted, this wouldn’t go into effect until 2023, meaning that these businesses would still need to comply with CCPA requirements until then.
- Requires entities sharing common control and common branding that also share consumer personal information to be considered the same “business”
What if CPRA passes in November? What comes next?
CPRA will be voted on by California residents in the General Election in November 2020. If it passes, eligible businesses and organizations will have until January 2023 to bring their data collection programs into compliance with the new law.
Two years is a long time, though, in terms of data and security issues. As per CPRA, the California Privacy Protection Agency would be established during this time. Until it is established, CCPA would continue its regulatory work under the Office of the Attorney General.
There is still a lot of discussion to be had around CPRA as November inches closer and closer. But it shows a continued movement towards GDPR-type legislation in the US and increases the likelihood that other states will follow suit. For businesses, this indicates clearly: compliance (and transparency) is becoming more than a best practice. It’s becoming a business necessity.
We know that new compliance requirements can be a challenge to juggle with existing ones. It can be even harder to make sure that they’re part of your consumer relationships. We’re here to help with that. Contact Red Clover Advisors today for a free consultation.
For many organizations in the US and abroad, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached.
These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to implement cookie banners across their website and app. But while it’s tempting to just add a cookie banner to your website and move on to your next project, do you know what the deal actually is with them – and how to make sure you’re truly compliant?
Differences Between GDPR and CCPA: The Nutshell Version
Comparing GDPR and CCPA can be a helpful exercise in understanding data privacy issues. While the two regulations aren’t interchangeable, they both deal with similar issues and similar concerns in individual rights. Both of them create legal requirements around:
- Transparency in business practices dealing with personal data
- Security and control over personal information for consumers
- Defining digital identifiers (cookies) as personal information
One of the big points of departure between GDPR and CCPA is user consent. GDPR centers on the user, requiring prior consent before cookies are set. CCPA allows businesses to collect data before getting consent, as long as users have the ability to opt out of collection.
Another significant difference between GDPR and CCPA is scope. While both have international reach, despite the fact they pertain to residents of specific territories, compliance mandates differ. Under GDPR, any website, organization, or business has to comply with the regulation if it’s processing the personal data of EU residents. (Even if they aren’t actually located in the EU.)
On the other hand, the CCPA requires only for-profit businesses or organizations to comply, and only if they meet one or more of the following criteria:
- Has a gross revenue of more than $25 million
- Buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices each year for commercial purposes
- Derives 50% or more of annual revenues from selling consumers’ personal information.
Meet Your GDPR Cookie Banner Compliance Requirements
GDPR compliance. We’ve been talking about that for a little bit, haven’t we? Seeing that GDPR has been in effect since May 25, 2018, you may have already grappled with cookie banners and consent.
A key tenet – perhaps even THE key tenet – of GDPR requirements is that EU residents have the right to be informed when a business or organization collects their personal data. And it’s not just that they’re collecting the data – businesses and organizations have to tell people why they’re collecting it, how long they’re keeping it, and who they’re sharing it with. If an individual doesn’t want their data used in that manner, they have the right to object.
But how does this actually play out on websites? Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR and it has to have several pieces in place.
Opt-in Cookie Consent
When you set up your cookie banner, the safest way to approach cookie consent is to take an opt-in approach. The opt-in approach means that website visitors have to actively give you permission to drop cookies. (At least those that aren’t essential for site functions.)
How do you get that consent? By an opt-in button. But remember, your text has to be crystal clear in communicating that the user is agreeing to cookie deployment.
More on Cookie Deployment
Let’s expand on cookie deployment just a little bit. According to GDPR, the information your website gives visitors needs to be sufficiently detailed so that they are able to give informed consent about accepting cookies. A key piece of this information is the whats and whys of your cookies. What kinds of cookies are you using? Why do you want the data and how are you going to use it?
Third-Party Data Sharing
When we talk about how we’re using visitors’ data, one topic that comes up time and again is sharing with third-party vendors. Third-party vendors provide businesses with valuable services, but they also pose a security risk. For transparency, you need to inform users who else has access to their data.
Win Brownie (Err…, Cookie) Points
You don’t have to do this, but your visitors will appreciate it if you add a link to your cookie settings within the cookie banner. Yes, it’s not strictly required by GDPR as long as visitors have the choice to refuse all cookies. Website users, unsurprisingly, appreciate the option to control their user experience and their data.
Meet Your CCPA Cookie Banner Compliance Requirements
The CCPA went into effect on January 1, 2020, but only recently became enforceable as of July 1. Similar to GDPR, CCPA gives California residents the right to be informed when a business or organization collects their personal data. In fact, California residents even have the right to bring suit against businesses in certain cases.
Under CCPA, website owners have to inform users about what information they’re collecting, how they’re processing it, and with whom they share it. That part is very similar to GDPR.
However, there is a big difference between GDPR and CCPA: CCPA takes an opt-out rather than an opt-in approach. While CCPA doesn’t require a banner to facilitate the opt-out, it’s currently the best practice to make sure you’re giving visitors the ability to opt-out at the time of – or before – collection.
The CCPA does restrict one aspect of data collection for websites: the sale of personal data for visitors under 16 years old. These underage visitors are required to opt in rather than opt out. So if you can’t be sure that you have no visitors under the age of 16, it’s better to use the opt-in approach.
With all that in mind, let’s take a look at the ingredients for a CCPA-compliant cookie banner. You should include the following in your cookie banner.
Information About Cookie Use
CCPA requires websites to provide users with the details about why they’re collecting and using cookies and if they’re going to be sharing or selling that information to third parties.
A Button to Accept Cookies
As noted above, there’s not an opt-in requirement under CCPA. However, you can include a link that allows users to accept cookies. (But you can fire cookies before the website user accepts them as long as you give them the information about data you’re collecting at the point of collection.)
As in the GDPR version of a cookie banner, you have the option of including a link to a cookie setting page that allows users to opt-in or out. No, it’s not necessary, but yes, it’s a good step towards transparency and user experience.
Do Not Sell Button
Under CCPA, you’ve got to give your users the ability to opt out not just of data collection, but of the sale of personal information. According to CCPA, selling includes the following: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” With such a broad definition, it’s important for companies to understand the data that is collected and shared, and specifically what the third party is doing with the information, to determine if the data is classified as a sale under CCPA.
(One issue to be mindful of is how you or your partners are using ad tech. While not all ad tech is considered selling, some uses may fall into the category of sales.)
To uphold CCPA requirements, you need to provide the option of opting out. CCPA is specific on how you should do this: include a link or button to an opt-out form on your website’s home page.
Your “Do Not Sell” link needs to include some specific information as well. It needs to have:
- A button that allows them to opt-out of personalized ads
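As an added example (not Red Clover Advisors’ code), here is a JavaScript consent gate that applies the GDPR opt-in and CCPA opt-out rules from the sections above, including the Do Not Sell choice and the under-16 opt-in requirement; the cookie categories, script URLs and cookie names are constructed for illustration.

```javascript
// Consent gate deciding which cookie categories may fire under GDPR (opt-in)
// and CCPA (opt-out with a Do Not Sell option). Added example, not Red Clover
// Advisors' code. The registry and the consent records are constructed.

const CATEGORIES = ["essential", "analytics", "advertising"];

// Constructed registry: scripts and cookies belonging to each non-essential
// category. Essential cookies (session, CSRF token) are never gated.
const REGISTRY = {
  analytics:   { scripts: ["https://analytics.example/tag.js"], cookies: ["_an_id", "_an_session"] },
  advertising: { scripts: ["https://ads.example/pixel.js"],     cookies: ["_ad_uid"] },
};

// Decide which categories may fire.
// consent = { optedIn: [...], optedOut: [...], doNotSell: bool, under16: bool }
// "gdpr": nothing non-essential fires without prior, explicit opt-in.
// "ccpa": non-essential fires unless the visitor opted out; advertising is
//   treated here as a "sale" of personal information, so it is also blocked by
//   Do Not Sell (set from the banner link or from a browser opt-out signal such
//   as the Sec-GPC header) and needs opt-in when the visitor is known to be under 16.
function allowedCategories(regime, consent = {}) {
  const { optedIn = [], optedOut = [], doNotSell = false, under16 = false } = consent;
  const allowed = ["essential"];
  for (const cat of CATEGORIES.filter(c => c !== "essential")) {
    if (regime === "gdpr") {
      if (optedIn.includes(cat)) allowed.push(cat);
    } else if (regime === "ccpa") {
      if (optedOut.includes(cat)) continue;
      const isSale = cat === "advertising";
      if (isSale && doNotSell) continue;
      if (isSale && under16 && !optedIn.includes(cat)) continue;
      allowed.push(cat);
    } else {
      throw new Error(`unknown regime: ${regime}`);
    }
  }
  return allowed;
}

// Scripts that may be injected for the allowed categories. In the browser each
// URL would become a <script> element; here the list is returned for inspection.
function scriptsToLoad(allowed) {
  return allowed.filter(c => REGISTRY[c]).flatMap(c => REGISTRY[c].scripts);
}

// When a visitor withdraws consent or opts out, cookies already set for the
// withdrawn categories must be removed, not merely stopped from being renewed.
function cookiesToPurge(previouslyAllowed, nowAllowed) {
  return previouslyAllowed
    .filter(c => !nowAllowed.includes(c) && REGISTRY[c])
    .flatMap(c => REGISTRY[c].cookies);
}

// Browser-side helper (not exercised here): expire a first-party cookie by name.
function expireCookie(name, path = "/") {
  document.cookie = `${name}=; Max-Age=0; path=${path}; SameSite=Lax`;
}
```

Note that page script can only expire cookies set on your own domain; cookies a vendor set on its own domain need that vendor’s opt-out mechanism, which is why the registry should record which vendor owns each cookie.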
Tying it all together
Yes, both GDPR and CCPA have a lot of moving pieces that you have to address in your cookie banners. And yes, it’s tempting just to find a customizable cookie banner online and wash your hands of it.
But we don’t recommend this approach. Cookie banners don’t exist in a vacuum. Cookies change and have to be updated. It should all be part of your larger privacy strategy.
If this feels overwhelming, we hear you. That’s why we work closely with clients to build a manageable strategy for long-term business goals. Ready to take the next step? Give us a shout. We’d love to chat.
The California Privacy Rights Act (CPRA) is intended to amend the California Consumer Privacy Act (CCPA) and ultimately to give consumers more control over their information. The Californians for Consumer Privacy coalition is working to obtain enough signatures to put CPRA on the November 2020 ballot. If successful, Californians would have the opportunity to vote this ballot initiative into law. Should it pass, it will go into effect January 1, 2023.
CPRA at a glance:
- Sensitive Information: Creates new rights allowing consumers to stop businesses using sensitive personal information (“SPI”). SPI includes SSN, DL, Passport, financial account info, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation, email + password.
- Children’s Data: It will triple 2018’s CCPA fines for collecting and selling children’s private information. It will also require opt-in consent in order to sell info from consumers under the age of 16.
- Geolocation: Prohibits businesses from tracking precise geolocation for most purposes, including advertising, to a location within roughly 250 acres.
- Enforcement Arm: Establishes an enforcement arm called the California Privacy Protection Agency and institutes a 5-year statute of limitations for filing claims of violations of the Act.
Comparison of existing Privacy Laws GDPR & CCPA to CPRA.

| Right or requirement | GDPR | CCPA | CPRA |
|---|---|---|---|
| Right to Know What Information a Business has Collected About You | √ | √ | √ |
| Right to Say No to Sale of Your Info | √ | √ | √ |
| Right to Delete Your Information | √ | √ | √ |
| Data Security: Businesses Required to Keep Your Info Safe | √ | √ | √ |
| Data Portability: Right to Access Your Information in Portable Format | √ | √ | √ |
| Special Protections for Minors | √ | √ | √ |
| Requires Easy “Do Not Sell My Info” Button for Consumers | X | √ | √ |
| Provides Ability to Browse with No Pop-Ups or Sale of Your Information | X | X | √ |
| Penalties if Email Plus Password Stolen Due to Negligence | √ | X | √ |
| Right to Restrict Use of Sensitive Personal Information | √ | X | √ |
| Right to Correct Your Data | √ | X | √ |
| Storage Limitations: Right to Prevent Companies from Storing Info Longer than Necessary | √ | X | √ |
| Data Minimization: Right to Prevent Companies from Collecting More Info than Necessary | √ | X | √ |
| Right to Opt Out of Advertisers Using Precise Geolocation (less than 1/3 mile) | √ | X | √ |
| Ability to Override Privacy in Emergencies (Threat of Injury / Death to a Consumer) | √ | X | √ |
| Provides Transparency Around “Profiling” and “Automated Decision Making” | √ | X | √ |
| Establishes California Privacy Protection Agency to Protect Consumers | √ | X | √ |
| Restrictions on Onward Transfer to Protect Your Personal Information | √ | X | √ |
| Requires High Risk Data Processors to Perform Regular Cybersecurity Audits | √ | X | √ |
| Requires High Risk Data Processors to Perform Regular Risk Assessments | √ | X | √ |
| Appoints Chief Auditor with Power to Audit Businesses’ Data Practices | √ | X | √ |
| Protects California Privacy Law from being Weakened in Legislature | √ | X | √ |
Businesses subject to CCPA would need to make some updates to their CCPA programs, including:
- Update categories of personal information to include sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
- Inclusion of email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a)
- Provide a right to limit the use of sensitive data for any secondary purpose and a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution.
- Provide notice to consumers about the length of time each category of personal information will be retained, and provide a right to data minimization, as well as.
- Be able to correct inaccurate personal information.
- Right to know, access and receive personal information collected before the 12-month lookback period for data collected on or after Jan. 1, 2022.
- Direct obligations on service providers to assist with CPRA compliance activities.
- The definition of cross-context behavioral advertising and its limitations exempts certain analytics functions, but it now clearly subjects this activity to do-not-sell obligations. So even if you are collecting data for analytics purposes only, you’d need to offer an “opt-out/do not sell” option in this context.
- Expands the definition of “Business” to include a joint venture or partnership composed of businesses in which each business has at least a 40% interest.
During the COVID-19 crisis, Zoom meetings for adults and kids are becoming the norm. Everything from team meetings, religious services, 3rd grade math classes, girls’ night in happy hours, and lots of things in between are now happening on this online platform. This brings with it security concerns most commonly known as Zoombombings – someone getting into your meeting who shouldn’t be there and saying or showing something inappropriate.
Since it’s highly unlikely you can avoid using Zoom during the pandemic, how can you stay safe?
- Take advantage of default security settings like the waiting room feature and password usage. Effective this week, Zoom has enabled certain security settings on users’ accounts to help keep users’ meetings private. While it takes a little extra work on your part to monitor who is in the waiting room and let them in, this can be a key tool in keeping unwanted participants out of your meeting. Also, using a password prevents hackers from simply typing in Zoom room numbers and stumbling upon your meeting.
- Avoid using your personal ID to host public events. Your personal ID should only be given to those you trust and know. Public events should use a Pro account that allows for additional security features and is often set up and managed by an organization’s IT department.
- Require registration for large and/or public events. Asking people for their information prior to the meeting helps weed out someone who has disruptive intentions. If you are hosting a virtual workshop or interactive lecture, this is a good idea and allows you to say thank you to attendees after the meeting.
- Lock a meeting once it has started. Once you know all attendees are present, lock your meeting. This prevents unwanted visitors from coming into your meeting and hearing potentially confidential information or creating chaos.
- Don’t give up control of your screen. If you are the host of the meeting, lock the share screen feature at the outset. If you are co-leading a meeting with a colleague, make that person a co-host and then lock the share screen feature so that only the two of you can share your screens. This prevents anyone who may find your meeting from sharing explicit language or graphics with your attendees from their screen.
- Don’t share your meeting ID on social media. Even with security settings you may have enabled on social media, it’s a best practice not to share your meeting ID on platforms like Facebook and Instagram.
With these online privacy tips, you and the information you are sharing on Zoom will stay safer. Wishing you virtual and physical safety and health during this stressful time! For additional information on how to stay safe using Zoom, check out this podcast our CEO, Jodi Daniels, did with North Fulton Business Radio.
If you are interested in learning more about data privacy, we are always here to help. Contact Red Clover Advisors today for a complimentary 15-minute consultation.
COVID-19 has distributed a wave of anxiety across the world.
Worry about getting sick, on top of an economic meltdown, has people on every continent shivering with fear. And as if that wasn’t enough, some people see the pandemic as an opportunity to exploit this fear for financial gain.
One way they’re doing this is through emails that trick you into spending your money or providing sensitive information.
We call these phishing scams.
In fact, Google reports a 350% increase in the creation of phishing websites since the pandemic started in 2020.
Because almost everyone is working remotely at this time, phishing scams are easier to pull off. After all, home cyber security is almost never as beefed up as a company workplace. When you consider the speed at which the world transitioned from the office to a home work environment, there really wasn’t any time to set up cybersecurity for personal computers.
Add in the fact that almost all children are now finishing the year’s educational tasks on personal devices, and phishing scams have a world of opportunity in front of them.
With that in mind, we’re revealing how to identify a phishing scam and how to protect yourself proactively against being a target.
What is a Phishing Email?
Phishing scams are the most common type of cybercrime, accounting for 90% of data breaches in 2019.
It’s simple really… the victims were tricked.
A phishing email – sometimes also referred to as business email compromise – is a targeted email in which a cyber criminal sends an email that appears to be from a legitimate company or person. This message asks the recipient to click a disguised malware link or provide sensitive information.
Imagine you just received an email from your company’s “CEO” stating he’s on a business trip and needs you to provide him the company credit card information.
You might not think twice… he is the CEO after all.
But what you may not know is it’s very easy for a scammer to disguise himself or herself as someone else via email. This is a common example of a phishing email.
Who phishing emails target really depends on the cybercriminals behind the computer. Sometimes they’re attempting to go after an individual and sometimes they’re trying to go after an entire organization.
Attacks on Individuals
When attacking individuals, scammers might pose as a business you actively use or trust. For example, a store you frequently shop at, a social network, or a bank. They might even pretend to be someone you know.
Attacks on Businesses
Phishing emails are one of the most common attacks on businesses with 76% of businesses reporting they were victims of phishing attacks in 2019.
And don’t think because you’re a small company they won’t come after you: 43% of all phishing scams target small businesses.
For example, hackers will send an email in which they pose as an employer who needs you to wire money to them. Another common occurrence is a malware link: an email contains an innocent-looking URL that actually installs destructive malware, giving hackers access to your devices.
SMS, apps, and networks are other ways hackers can attack via the internet.
To get a head start on protecting your business, implement cybersecurity best practices for small businesses. You can also protect your business by understanding the hacker’s playbook. Cybercriminals execute their phishing emails with a four-step process:
Identify a Target
First, cybercriminals will choose their victims. Typically, this is someone in your organization who’s close to the money. This might be someone in accounting or the financial department. They’ll find this person by doing some research about your company, its employees and its executives.
Groom the Target
Next, the cybercriminal will write up and send an email that appears to come from a customer or an executive of the company. The email will always have some type of urgent call to action.
The victim will receive the scam email. But naturally, they’ll be deceived and begin executing upon the call to action believing they’re conducting a legitimate business transaction.
Once the transaction is complete, it’s too late. If a link was clicked or money was transferred, the scammer has won.
How to Identify a Phishing Email During COVID-19
Phishing emails have been a growing issue for as long as email has been around. But they’ve become especially common during the COVID-19 pandemic.
Why? Because when people are afraid, they’re more vulnerable.
Today, phishing emails exploit COVID-19 information, such as places to get medical equipment like masks or free technology to stay in touch with friends and family remotely.
So, how do you identify a phishing email before you make an irreversible and damaging mistake?
There are advising services and even a slew of software options available to help stop scams before they happen. But training yourself and your employees to spot phishing emails is an easy place to start.
The Red Flags
During COVID-19, you or someone in your company might receive a phishing email that appears to be from the CDC or a credible health organization. And it will likely prompt you to take urgent action by clicking a link or downloading a file.
Let’s take a look at an example.
This looks like a legitimate email. But there are a couple of red flags you can notice almost immediately. Here are a few red flags that might indicate you received a phishing email:
Attackers often live in different countries than the people they’re scamming. For this reason, there will often be some type of language barrier in the form of spelling and grammatical errors.
Check the Introduction
A legitimate business will address you by your name, especially if it’s asking you to take action on an account. Informal or impersonal salutations are a major red flag.
Urgent Call to Action
If the email instills a bit of panic, that’s a red flag. Keep an eye out for terms such as immediate or urgent. In the email example above, the line “you are immediately advised to go through the cases above for safety hazard” is a huge no-no. The hacker is setting up a sense of urgency in hopes the end user will click the malware link.
Verifying a Phishing Email
Once you’ve identified a red flag, how do you verify you have in fact received a phishing email? There are a couple of ways.
Call the sender
Whether it’s the “CDC” or your “CEO” who sent the email, give them a call. They’ll be able to verify whether the email is legitimate before you click a link or send back any sensitive information. Better to be safe than sorry!
You’re asked for personal information
A coronavirus-themed email that asks you for any kind of personal information is a phishing scam. A government agency will never ask for that kind of information over email. Never respond to an email and include your personal information.
Check the email address or link
You can inspect a link without clicking it. Simply hover over the hyperlink with your mouse and see where it actually links. If it isn’t from the proposed sender, delete the email immediately.
To check the email address, click on the sender’s email address. If it’s not an email address from the proposed sender (firstname.lastname@example.org), delete the email. Beware of any email that says it’s from the CDC but, when you check it, actually comes from a generic email provider such as yahoo.com or gmail.com. And don’t trust emails from the government with links ending in .org instead of .gov.
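The three checks above (official-sounding sender on a webmail or non-.gov domain, link text that does not match where the link actually points, and an urgent call to action) can be automated for a first-pass triage of an inbox. The following is an added example, not code from the original post; the two sample messages and the lists of webmail domains, "official" keywords and urgency terms are constructed assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists: generic webmail providers, words that claim an official sender,
# and urgency terms like those called out in the post.
GENERIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
OFFICIAL_CLAIM = re.compile(r"\b(cdc|who|irs|government|health alert)\b", re.I)
URGENT_TERMS = re.compile(r"\b(immediate(?:ly)?|urgent(?:ly)?)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

# Constructed sample messages (not real mail). The first mimics the red flags described
# above; the second is an ordinary internal message that should produce no flags.
SUSPICIOUS = """\
From: "CDC Health Alert" <cdc.alerts@gmail.com>
To: staff@example.com
Subject: COVID-19 safety cases in your area
Content-Type: text/html

<p>You are immediately advised to go through the cases below for safety hazard.</p>
<p><a href="http://cdc-gov-update.org/cases">https://www.cdc.gov/coronavirus/cases</a></p>
"""
LEGIT = """\
From: "Jane Smith" <jane.smith@example.org>
To: staff@example.com
Subject: Team meeting notes
Content-Type: text/html

<p>Notes from today's meeting are at <a href="https://intranet.example.org/notes">the intranet</a>.</p>
"""

def _bare_host(host):
    """Lower-case a host name and drop a leading 'www.' so display and target compare cleanly."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def analyze(raw_message):
    """Return a list of red-flag descriptions for one raw message (empty list = none found)."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_official = bool(OFFICIAL_CLAIM.search(name))
    body = msg.get_content()
    flags = []
    # Check the email address: an "official" display name on webmail or a non-.gov domain.
    if claims_official and sender_domain in GENERIC_WEBMAIL:
        flags.append(f"sender '{name}' uses generic webmail address {addr}")
    elif claims_official and not sender_domain.endswith(".gov"):
        flags.append(f"sender '{name}' is not a .gov address ({addr})")
    # Check the links: the hover target (href) should match the domain shown in the link text.
    for href, text in ANCHOR.findall(body):
        href_host = _bare_host(urlparse(href).hostname)
        shown = DOMAIN_IN_TEXT.search(re.sub(r"^https?://", "", text.strip(), flags=re.I))
        if shown and _bare_host(shown.group(0)) != href_host:
            flags.append(f"link text shows {shown.group(0)} but points to {href_host}")
        if claims_official and not href_host.endswith(".gov"):
            flags.append(f"'government' message links to non-.gov host {href_host}")
    # Check the visible text for an urgent call to action.
    urgent = URGENT_TERMS.search(re.sub(r"<[^>]+>", " ", body))
    if urgent:
        flags.append(f"urgent call to action: '{urgent.group(0)}'")
    return flags
```

Running `analyze(SUSPICIOUS)` reports all four flags, while `analyze(LEGIT)` returns an empty list; the checks are heuristics, so a hit means "verify with the sender", not proof of phishing.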
Protecting Yourself from Phishing Emails
Usually, red flags and simple checking methods can expose a phishing email. But not always. Sometimes a phishing email is so well crafted even the most trained IT professionals can be deceived.
It’s always best to protect yourself. Here are a few ways to do just that:
Email filters alone won’t keep the phishing emails away for good. But they will definitely help. Some email providers have more effective spam filters than others, so choose your email provider wisely.
Antivirus software protects you against many kinds of dangerous cyberthreats. Make sure you regularly scan your device and keep the software updated.
Virtual Private Networks (VPNs) help to maintain security while online, particularly when using a public WiFi connection. Download this guide for a list of suggested VPNs to use.
Educate yourself and your employees
Training is critical to identifying phishing emails. Run simulated phishing tests and let people know if they passed or failed. This will allow you to be confident everyone in your office is aware of the risks.
Conclusion: Always Go to the Source
Keep in mind it’s extremely unlikely the CDC or World Health Organization will personally send you an email. And understand that at a time like this, ne’er-do-wells are taking advantage of the fact that fear and stress are at an all-time high and attention to things like cybersecurity is not top of mind.
Anyone who’s looking to steal money or gain access to confidential information is going to try to do so at this time when your guard is down. Knowing these things, it’s imperative to be on alert. If you think you might have received a phishing email, it’s always best to go directly to the source.
Here are a few of the best resources to follow to get the most updated information about the COVID-19 outbreak:
If you’re interested in setting up security measures for your business, contact us today for a complimentary consultation.
Did you know there’s an entire day dedicated to data privacy? Well, it’s an important subject, so it’s no wonder. Here’s the scoop!
Data Privacy Day is an international holiday that occurs annually on January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Israel, and dozens of European countries.
It began as a day focused on educating young people – mostly teens and young adults – about how to be safe online and keep their personal information safe on social networking platforms. Over the past four years, with more elements of our lives being digitized, Data Privacy Day has expanded to include companies and consumers and the more general concerns with data privacy.
Data Privacy Laws
With the U.S. at the forefront of new data privacy laws being recently passed or under review in various state legislatures, data privacy is a popular subject as of late. This year’s theme for Data Privacy Day is also quite timely given the focus on the value of data as recognized by the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The theme is: Personal information is like money. Value it. Protect it.
Today is a great day to remind your employees that data privacy is a key player in the way you conduct business. As part of CCPA compliance, your employees should already be trained in your privacy policies and how to handle customer individual rights claims, but today is a great day for extra attention and some refreshers.
Data Privacy Employee Training Tips
- On-going education. Don’t let today be the only time you talk about data privacy this year. Create a monthly or quarterly tip series on how to protect data, what relevant privacy laws like GDPR or CCPA mean to someone’s role and reminding employees how and when to conduct a privacy impact assessment or contact the privacy office.
- Test data privacy scenarios. Based on employee roles, present them with a data privacy scenario and see how they handle the issue. According to Shred-It’s State of the Industry report, nearly half (47%) of C-suite executives and 42% of small business owners report that human error or accidental loss by an employee is the cause of a data breach. Employees are both the strongest and weakest link in a privacy program. And, thanks to CCPA and other regulations, those breaches can result in penalties above and beyond real-life costs.
- Use signage as reminders. You can create attention-grabbing signage to put in the break room, on the elevator, in the bathrooms, or other frequented spots with tips and updates to your data privacy policies and practices. Be sure to change their locations and content to keep them fresh and employees engaged with the information you are sharing.
- Create a recognition system. Use this as an opportunity to recognize the employees who really understand and implement your company’s data privacy practices day in and day out. You can recognize a few people each month or quarter in a company-wide email. You can create an on-going system in which employees could earn 10 points for every week in which they do not commit any data privacy errors. After collecting 50 points, they could earn rewards like a $5 gift card for coffee. Make the amount of points work for your team, budget, and the recognition frequency you want to maintain energy around data privacy.
- Communicate effectively with employees. Data privacy regulations are fluid with more states joining the CCPA way of thinking. Keep your team up to date with any changes or additions to their practices. To be effective, this communication needs to align with the company culture. Maybe it is a short funny video or an online game or quiz, a short email from an executive or an article to an intranet. A mix of styles is important to have quality engagement.
- Bring in an expert. Your employees may get tired of hearing about data privacy from you or another superior, so change it up a little! Host a lunch and bring in a data privacy expert. Learning about the subject from someone new who has more credentials on the subject can re-excite people about data privacy. Plus, free lunch never hurts!
Make Every Day Data Privacy Day
It’s important to remember that data privacy policies and practices are not something you can just think about once a year and then forget about. Continually make this part of staff meetings and company-wide communications. Be sure you are on top of any updates and changes that are made in national data privacy regulations. And, above all, remember that data privacy should be a driver in your business strategies in 2020 and beyond.
If you’d like to discuss how to make data privacy an integrated part of your company’s day-to-day operations, please schedule a 20-minute complimentary consultation. We’d love to help you make every day Data Privacy Day!
CCPA regulations are now official. It is important to achieve CCPA compliance, understand potential CCPA pitfalls, and how you can avoid making costly mistakes.