You’ve made sure you’re complying with GDPR. Everything is taken care of for CCPA. That’s great! 

Now what about CPRA?

Wait, you might be saying, you just said that – you mean CCPA. And I’m squared away, thank you very much.

Not the case. While the California Consumer Privacy Act has just become enforceable as of July 1, there’s another privacy rights act lining up for the November 2020 ballot. This new act aims to build off of the work accomplished by CCPA to increase transparency and control for consumers over their personal information.  

For consumers, the California Privacy Rights Act (CPRA) – affectionately referred to by some as CCPA 2.0 – represents an expansion of privacy rights. For businesses, it represents both a challenge to keep up with compliance requirements as well as an opportunity to create an exceptional customer experience.

How so? Awareness of privacy issues is on the rise. Your customers will increasingly expect transparency about how you handle their data. Your privacy plans and policies are a big part of building a relationship with them. 

Ultimately, compliance isn’t just important to stay in line with the law. It’s important to sustain your consumers’ relationship with your business.

Where Did CPRA Come From?

Who’s driving this policy train? Californians for Consumer Privacy, the nonprofit group that helped get CCPA on the 2018 ballot. 

Although CCPA had yet to become enforceable at that time, in September 2019, Californians for Consumer Privacy submitted a ballot initiative for a new, in-depth privacy act that would build off of CCPA: the California Privacy Rights Act (CPRA). 

By May 2020, they had gathered more than 900,000 signatures to qualify for the ballot and on June 24th, 2020, the California Secretary of State announced that CPRA was eligible for the November 2020 election.

It’s important to note that CPRA is being brought forth as a ballot initiative. If CPRA is enacted by voters as part of a ballot initiative, it will only be able to be amended through another ballot initiative, not through legislation. This gives voters a greater voice in privacy measures rather than relying on the legislative process to move the needle forward.  

What is CPRA? 

CPRA takes many of the ideas and concepts from CCPA and expands them for California residents, allowing them a greater degree of control over their personal information while implementing further requirements for businesses in regards to how they collect, use, and store that personal information. Some aspects of it even move the law closer to the General Data Protection Regulation (GDPR), such as new requirements on data retention, an expanded right to know and access personal information, and further definitions of sensitive data.

Much like CCPA, the impact of CPRA would be felt far beyond California’s state borders. Also similar to CCPA, it would apply to businesses and organizations that meet certain eligibility requirements and process California residents’ personal information – regardless of where the business or organization operates from.

But these are generalities. What are some of the important – and specific – additions and changes being made to CCPA within this legislation if it ends up being enacted?

Establishment of a California Privacy Protection Agency

This agency would oversee enforcement of CPRA rather than the California Attorney General, who is the sole arbiter of CCPA enforcement.  

Until the California Privacy Protection Agency is established, the Attorney General would have rulemaking authority to issue regulations on topics like identifying business purposes for the use of personal information, updating the definition of personal information, and more.

Sensitive Personal Information

Sensitive personal information is at the core of privacy issues. The CPRA would establish a further category of personal information under Cal. Civ. Code § 1798.140(ae), “sensitive personal information,” defined as information that is not publicly available and includes:

  • Social security number
  • Driver’s license number
  • Passport number
  • Financial account information
  • Precise geolocation
  • Race and ethnicity
  • Religion
  • Union membership
  • Personal communications
  • Genetic data
  • Biometric and health information
  • Sexual orientation and sex life information

Sound familiar? Some of these items are reminiscent of GDPR and its categories of sensitive data – genetic data and biometric information, religion, race and ethnicity, sexual orientation and sex life information, and union membership are all held in common between the two regulations. 

As part of this new category of personal information, businesses have to offer transparent disclosures about what sensitive data they process. Those same businesses would be subject to greater restrictions on its use as well. 

Along with the expanded definition, CPRA would allow consumers more extensive rights around the use of their sensitive personal information. Among those rights would be the right to request correction of inaccurate personal information held by a business. 

This may sound like an odd provision to include in the law, since many businesses already provide this service to their customers as a courtesy. However, mandating a correction mechanism increases the stakes if you don’t. 

Think about it from the consumer’s perspective: It’s all about trust and relationships. When consumers give you their information, they’re trusting you with just that. THEIR information! 

They have a right to access and control it. By helping them exercise that right, your business actively demonstrates their rights and needs matter to you. Your relationship is a two-way street! 

Children’s Data

Protecting children’s privacy has been a major point for CCPA. CPRA takes it even further. Under CPRA, businesses and organizations that violate CCPA’s opt-in right will face triple the amount of fines. 

They will also have to get opt-in consent to sell or share data from any consumer under the age of 16. (Currently, under CCPA, parents must provide consent for children under the age of 13; for children between 13 and 16, the child themselves must provide consent.)  

Transparency

CPRA would add new layers of transparency and data governance policies. One meaningful addition is that it would require businesses to notify consumers at or before the collection of data:

  • Whether information is sold or shared
  • Information on sensitive categories of personal information that are collected
  • How long consumers’ personal information is retained 

Moreover, CPRA would aim to prohibit keeping personal information for longer than is “reasonably necessary” for the specifically disclosed purposes of collection. It would also limit the collection, use, retention, and sharing of data to what is “reasonably necessary” to achieve those same disclosed purposes. 

It’s especially important for your business to take transparency requirements to heart. This isn’t just a legal need. It’s a customer experience need. Think of all the stories in the news about lack of transparency. It may not sink the boat immediately, but it significantly damages your customers’ ability to trust you. 

Data Breach Liability Provision

Data breaches are a significant – and increasing – worry for consumers. Almost half of surveyed consumers in a 2019 report by Ping Identity were more worried about data breaches than they were the previous year. But while they’re worried about it, they expect businesses to help safeguard them: 63% of consumers believe that a company holds responsibility for protecting their data. 

So it’s not surprising that a data breach liability provision was included in CPRA to expand on existing CCPA rules. The CCPA already grants consumers in California the right to bring legal action for damages resulting from a data breach. However, CPRA provides greater clarity by stating that breaches compromising a consumer’s email address and either their password or security question/answer can result in liability for the company.

This provision helps resolve the ambiguity in the current CCPA regarding a business’ duty to implement reasonable security and when a consumer’s right to legal action following a data breach might apply. 

Is your team smart on data breaches? How you handle one has a huge impact on how quickly you recover from it. A training program can make all the difference.

If it’s enacted, would CPRA apply to my business or organization?

If you’re already required to comply with CCPA, then the new terms of CPRA would apply to you. However, CPRA changes the scope of CCPA in some significant ways.

  • Extends the CCPA’s exemptions for workplace-related information (i.e., for employees, job applicants and business-to-business contacts) until January 1, 2023. If CPRA doesn’t pass, these CCPA exemptions will expire on January 1, 2021. 
  • Raises the threshold to for-profit entities that process the personal information of 100,000+ consumers or households, meaning that many small businesses would fall outside the scope of the legislation. However, if enacted, this wouldn’t take effect until 2023, so these businesses would still need to comply with CCPA requirements until then.
  • Requires entities sharing common control and common branding that also share consumer personal information to be treated as the same “business”.

What if CPRA passes in November? What comes next?

CPRA will be voted on by California residents in the General Election in November 2020. If it passes, eligible businesses and organizations will have until January 2023 to bring their data collection programs into compliance with the new law. 

Two years is a long time, though, in terms of data and security issues. As per CPRA, the California Privacy Protection Agency would be established during this time. Until it is established, CCPA would continue its regulatory work under the Office of the Attorney General.

There is still a lot of discussion to be had around CPRA as November inches closer and closer. But it shows a continued movement towards GDPR-type legislation in the US and increases the likelihood that other states will follow suit. For businesses, this indicates clearly: compliance (and transparency) is becoming more than a best practice. It’s becoming a business necessity. 

We know that new compliance requirements can be a challenge to juggle with existing ones. It can be even harder to make sure that they’re part of your consumer relationships. We’re here to help with that. Contact Red Clover Advisors today for a free consultation.

For many organizations in the US and abroad, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached.

These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to implement cookie banners across their website and app. But while it’s tempting to just add a cookie banner to your website and move on to your next project, do you know what the deal actually is with them – and how to make sure you’re truly compliant? 

Differences Between GDPR and CCPA: The Nutshell Version

Comparing GDPR and CCPA can be a helpful exercise in understanding data privacy issues. While the two regulations aren’t interchangeable, they both deal with similar issues and similar concerns in individual rights. Both of them create legal requirements around:

  • Transparency in business practices dealing with personal data 
  • Security and control over personal information for consumers
  • Defining digital identifiers (cookies) as personal information  

One of the big points of departure between GDPR and CCPA is the issue of user consent. Consent and data are approached from two different angles between GDPR and CCPA. GDPR centers on the user, requiring prior consent for collecting cookies. CCPA allows businesses the ability to collect data before getting consent as long as users have the ability to opt-out of collection.

Another significant difference between GDPR and CCPA is scope. Both have international reach even though each pertains to residents of a specific territory, but the compliance mandates differ. Under GDPR, any website, organization, or business that processes the personal data of EU residents has to comply with the regulation, even if it isn’t located in the EU.

CCPA, on the other hand, applies only to for-profit businesses or organizations, and only if they meet any of the following criteria:

  • Has a gross revenue of more than $25 million
  • Buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices each year for commercial purposes
  • Derives 50% or more of annual revenues from selling consumers’ personal information.

Meet Your GDPR Cookie Banner Compliance Requirements

GDPR compliance. We’ve been talking about that for a little while, haven’t we? Since GDPR has been in effect since May 25, 2018, you may have already grappled with cookie banners and consent.  

A key tenet – perhaps even THE key tenet – of GDPR requirements is that EU residents have the right to be informed when a business or organization collects their personal data. And it’s not just that they’re collecting the data – businesses and organizations have to tell people why they’re collecting it, how long they’re keeping it, and who they’re sharing it with. If an individual doesn’t want their data used in that manner, they have the right to object.

But how does this actually play out on websites? Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR and it has to have several pieces in place. 

Opt-in Cookie Consent

When you set up your cookie banner, the safest way to approach cookie consent is to take an opt-in approach. The opt-in approach means that website visitors have to actively give you permission to drop cookies. (At least those that aren’t essential for site functions.)  

How do you get that consent? By an opt-in button. But remember, your text has to be crystal clear in communicating that the user is agreeing to cookie deployment. 

More on Cookie Deployment

Let’s expand on cookie deployment just a little bit. According to GDPR, your website needs to be sufficiently detailed so that visitors are able to give informed consent about accepting cookies. A key piece of this information is the whats and whys of your cookies. What kinds of cookies are you using? Why do you want the data and how are you going to use it? 

Third-Party Data Sharing

When we talk about how we’re using visitors’ data, one topic that comes up time and again is sharing with third-party vendors. Third-party vendors provide businesses with valuable services, but they also pose a security risk. For transparency, you need to inform users who else has access to their data. 

Link to the Website’s Cookie Policy

You’ve got a cookie policy. (Right?) Don’t be shy about sharing it with your website visitors – it’s part of your compliance journey. 

The most straightforward way to get people to your policy is by adding a link to your website’s cookie policy in your cookie banner. Your cookie policy should cover the details of how cookies are used on your site and include an exhaustive list of all the cookies you’ve put into place. 

Win Brownie (Err…, Cookie) Points

You don’t have to do this, but your visitors will appreciate it if you add a link to your cookie settings within the cookie banner. Yes, it’s not strictly required by GDPR as long as visitors have the choice to refuse all cookies. Website users, unsurprisingly, appreciate the option to control their user experience and their data. 

Meet Your CCPA Cookie Banner Compliance Requirements

The CCPA went into effect on January 1, 2020, but only recently became enforceable as of July 1. Similar to GDPR, CCPA gives California residents the right to be informed when a business or organization collects their personal data. In fact, California residents even have the right to bring suit against businesses in certain cases. 

Under CCPA, website owners have to inform users about what information they’re collecting, how they’re processing it, and with whom they share it. That part is very similar to GDPR. 

However, there is a big difference between GDPR and CCPA: CCPA takes an opt-out rather than an opt-in approach. While CCPA doesn’t require a banner to facilitate the opt-out, it’s currently the best practice to make sure you’re giving visitors the ability to opt-out at the time of – or before – collection.  

The CCPA does restrict one aspect of data collection for websites: the sale of personal data of visitors under 16 years old. These underage visitors are required to opt in rather than opt out. So if you can’t be sure that you have no visitors under the age of 16, it’s better to use the opt-in approach. 

With all that in mind, let’s take a look at the ingredients for a CCPA-compliant cookie banner. You should include the following in your cookie banner. 

Information About Cookie Use

CCPA requires websites to provide users with the details about why they’re collecting and using cookies and if they’re going to be sharing or selling that information to third parties. 

A Button to Accept Cookies

As noted above, there’s not an opt-in requirement under CCPA. However, you can include a link that allows users to accept cookies. (But you can fire cookies before the website user accepts them as long as you give them the information about data you’re collecting at the point of collection.) 

As in the GDPR version of a cookie banner, you have the option of including a link to a cookie setting page that allows users to opt-in or out. No, it’s not necessary, but yes, it’s a good step towards transparency and user experience. 

Do Not Sell Button

Under CCPA, you’ve got to give your users the ability to opt out not just of data collection, but of the sale of personal information. According to CCPA, selling includes the following: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” With such a broad definition, it’s important for companies to understand what data is collected and shared, and specifically what the third party is doing with it, in order to determine whether the transfer counts as a sale under CCPA. 

(One issue to be mindful of is how you or your partners are using ad tech. While not all ad tech is considered selling, some uses may fall into the category of sales.) 

To uphold CCPA requirements, you need to provide the option of opting out. CCPA is specific about how you should do this: include a link or button to an opt-out form on your website’s home page. 

Your “Do Not Sell” link needs to include some specific information as well. It needs to have:

  • A link to your website’s privacy policy
  • A button that allows them to opt-out of personalized ads

Let us reiterate: Your “Do Not Sell” button isn’t the same thing as or interchangeable with a cookie banner. Don’t treat it as such. It’s a separate function. However, it’s smart to use it alongside your cookie banner to help your website use cookies to process data in a CCPA-compliant manner.
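The three consent models discussed above (GDPR’s opt-in banner, CCPA’s opt-out with a separate “Do Not Sell” choice, and the opt-in rule for visitors under 16) come down to one decision: may this cookie be set right now? The following is an added example written for this page, not code from the original post or from any consent-management product. The regime names, the three cookie categories, the `underSixteen` flag and the in-memory cookie jar are all assumptions so that it runs in Node without a browser.

```javascript
// Added example (not from the original post): a consent gate that applies the
// two models the article contrasts. "gdpr" = opt-in (nothing non-essential is
// set until the visitor accepts a category); "ccpa" = opt-out (non-essential
// cookies may be set at collection time, but a "Do Not Sell" choice stops the
// advertising category). A visitor flagged as under 16 is handled opt-in even
// under CCPA, following the article's advice. The cookie jar is a Map so the
// example runs in Node; in a page, set/purge would write document.cookie.

const ESSENTIAL = "essential";     // session, CSRF token, the consent record itself
const ANALYTICS = "analytics";
const ADVERTISING = "advertising"; // the category most likely to amount to a "sale"

class ConsentGate {
  constructor(regime, { underSixteen = false } = {}) {
    if (regime !== "gdpr" && regime !== "ccpa") throw new Error(`unknown regime: ${regime}`);
    this.regime = regime;
    this.optIn = regime === "gdpr" || underSixteen; // underSixteen is a hypothetical flag
    this.granted = new Set();  // categories the visitor has accepted (opt-in model)
    this.doNotSell = false;    // CCPA "Do Not Sell My Info" opt-out
    this.jar = new Map();      // cookie name -> { value, category }
  }

  // Decide whether a cookie of this category may be set right now.
  allowed(category) {
    if (category === ESSENTIAL) return true;
    if (this.optIn) return this.granted.has(category);    // opt-in: consent first
    return !(this.doNotSell && category === ADVERTISING); // opt-out: honour Do Not Sell
  }

  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Opt-in banner: the visitor ticks the categories they accept.
  accept(categories) { for (const c of categories) this.granted.add(c); }

  // "Reject all" on an opt-in banner: keep only essential cookies.
  rejectAll() { this.granted.clear(); this.purge((c) => c !== ESSENTIAL); }

  // CCPA "Do Not Sell" link: stop and remove the advertising category.
  optOutOfSale() { this.doNotSell = true; this.purge((c) => c === ADVERTISING); }

  purge(shouldDrop) {
    for (const [name, entry] of [...this.jar]) if (shouldDrop(entry.category)) this.jar.delete(name);
  }

  names() { return [...this.jar.keys()].sort(); }
}

// Replay the same page load under a given regime: a session cookie, an
// analytics cookie and an ad cookie are attempted at load, then the visitor
// makes a choice and the non-essential cookies are attempted again.
function simulateVisit(regime, opts = {}) {
  const gate = new ConsentGate(regime, opts);
  const attempt = () => {
    gate.setCookie("sid", "s3ss10n", ESSENTIAL);
    gate.setCookie("_ga", "GA1.2.1", ANALYTICS);
    gate.setCookie("ad_id", "abc123", ADVERTISING);
  };
  attempt();
  const atLoad = gate.names();
  if (gate.optIn) gate.accept([ANALYTICS]); // visitor accepts analytics only
  else gate.optOutOfSale();                  // visitor clicks "Do Not Sell"
  attempt();
  return { atLoad, afterChoice: gate.names() };
}

console.log(simulateVisit("gdpr"));                       // only "sid" at load
console.log(simulateVisit("ccpa"));                       // all three at load, ad_id gone after opt-out
console.log(simulateVisit("ccpa", { underSixteen: true })); // behaves like the opt-in case
```

The point of the gate is that the banner is only the user interface; what makes the site compliant is that every tag and script asks `allowed()` before writing, and that an opt-out or reject action removes what was already set rather than merely hiding the banner.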

Tying it all together

Yes, both GDPR and CCPA have a lot of moving pieces that you have to address in your cookie banners. And yes, it’s tempting just to find a customizable cookie banner online and wash your hands of it. 

But we don’t recommend this approach. Cookie banners don’t exist in a vacuum. Cookies change and have to be updated. It should all be part of your larger privacy strategy.  

If this feels overwhelming, we hear you. That’s why we work closely with clients to build a manageable strategy for long-term business goals. Ready to take the next step? Give us a shout. We’d love to chat.

The California Privacy Rights Act (CPRA) is intended to amend the California Consumer Privacy Act (CCPA) and ultimately to give consumers more control over their information. The Californians for Consumer Privacy coalition is working to obtain enough signatures to put CPRA on the November 2020 ballot. If successful, Californians would have the opportunity to vote this ballot initiative into law.  Should it pass, it will go into effect January 1, 2023.

CPRA at a glance:

  • Sensitive Information: Creates new rights allowing consumers to stop businesses from using sensitive personal information (“SPI”). SPI includes SSN, driver’s license number, passport number, financial account info, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation, and email + password.
  • Children’s Data: Triples the 2018 CCPA fines for collecting and selling children’s private information, and requires opt-in consent in order to sell info from consumers under the age of 16.
  • Geolocation: Prohibits businesses from tracking precise geolocation (to a location within roughly 250 acres) for most purposes, including advertising.
  • Enforcement Arm: Establishes an enforcement arm called the California Privacy Protection Agency and institutes a 5-year statute of limitations for filing claims of violations of the Act.

Comparison of existing privacy laws (GDPR and CCPA) to CPRA

Rights found in all three (GDPR, CCPA and CPRA):

  • Right to know what information a business has collected about you
  • Right to say no to the sale of your information
  • Right to delete your information
  • Data security: businesses required to keep your information safe
  • Data portability: right to access your information in a portable format
  • Special protections for minors

Rights CPRA provides that only one of GDPR or CCPA provides:

  • Requires an easy “Do Not Sell My Info” button for consumers
  • Penalties if email plus password stolen due to negligence
  • Right to restrict use of sensitive personal information
  • Right to correct your data
  • Storage limitations: right to prevent companies from storing information longer than necessary
  • Data minimization: right to prevent companies from collecting more information than necessary
  • Right to opt out of advertisers using precise geolocation (less than 1/3 mile)
  • Ability to override privacy in emergencies (threat of injury or death to a consumer)
  • Provides transparency around “profiling” and “automated decision making”
  • Establishes California Privacy Protection Agency to protect consumers
  • Restrictions on onward transfer to protect your personal information
  • Requires high-risk data processors to perform regular cybersecurity audits
  • Requires high-risk data processors to perform regular risk assessments
  • Appoints Chief Auditor with power to audit businesses’ data practices

Rights CPRA provides that neither GDPR nor CCPA provides:

  • Provides ability to browse with no pop-ups or sale of your information
  • Protects California privacy law from being weakened in the legislature (not applicable to GDPR; not provided by CCPA)

Businesses subject to CCPA would need to make some updates to their CCPA programs, including:

  • Update categories of personal information to include sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
  • Include email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a).
  • Provide a right to limit the use of sensitive data for any secondary purpose, and meet a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution.
  • Provide notice to consumers about the length of time each category of personal information will be retained, and provide a right to data minimization.
  • Be able to correct inaccurate personal information.
  • Honor the right to know, access and receive personal information collected before the 12-month lookback period, for data collected on or after Jan. 1, 2022.
  • Account for direct obligations on service providers to assist with CPRA compliance activities.
  • Apply the new definition of cross-context behavioral advertising: its limitations exempt certain analytics functions, but the activity is now clearly tied to do-not-sell obligations, so even if you are collecting data for analytics purposes only, you would need to offer an “opt-out/do not sell” option in this context.
  • Apply the expanded definition of “business,” which now includes a joint venture or partnership composed of businesses in which each business has at least a 40% interest.

During the COVID-19 crisis, Zoom meetings for adults and kids are becoming the norm. Everything from team meetings, religious services, 3rd grade math classes, girls’ night in happy hours, and lots of things in between are now happening on this online platform. This brings with it security concerns, most commonly known as Zoombombings: someone getting into your meeting who shouldn’t be there and saying or showing something inappropriate.

Since it’s highly unlikely you can avoid using Zoom during the pandemic, how can you stay safe?

  1. Take advantage of default security settings like the waiting room feature and passwords. Effective this week, Zoom has enabled certain security settings on users’ accounts to help keep meetings private. While it takes a little extra work on your part to monitor who is in the waiting room and let them in, this can be a key tool in keeping unwanted participants out of your meeting. Also, using a password prevents hackers from simply typing in Zoom room numbers and stumbling upon your meeting.
  2. Avoid using your personal ID to host public events. Your personal ID should only be given to those you trust and know. Public events should use a Pro account that allows for additional security features and is often set up and managed by an organization’s IT department.
  3. Require registration for large and/or public events. Asking people for their information prior to the meeting helps weed out someone who has disruptive intentions. If you are hosting a virtual workshop or interactive lecture, this is a good idea and allows you to say thank you to attendees after the meeting.
  4. Lock a meeting once it has started. Once you know all attendees are present, lock your meeting. This prevents unwanted visitors from coming into your meeting and hearing potentially confidential information or creating chaos.
  5. Don’t give up control of your screen. If you are the host of the meeting, lock the share screen feature at the outset. If you are co-leading a meeting with a colleague, make that person a co-host and then lock the share screen feature so that only the two of you can share your screens. This prevents anyone who may find your meeting from sharing explicit language or graphics to your attendees from their screen.
  6. Don’t share your meeting ID on social media. Even with security settings you may have enabled on social media, it’s a best practice not to share your meeting ID on platforms like Facebook and Instagram.

With these online privacy tips, you and the information you are sharing on Zoom will stay safer. Wishing you virtual and physical safety and health during this stressful time!  For additional information on how to stay safe using Zoom, check out this podcast our CEO, Jodi Daniels, did with North Fulton Business Radio.

If you are interested in learning more about data privacy, we are always here to help. Contact Red Clover Advisors today for a complimentary 15-minute consultation.

How to identify phishing scam emails.

COVID-19 has distributed a wave of anxiety across the world.

Worry about getting sick, in addition to economic meltdown, has people on every continent shivering with fear. And as if that wasn’t enough, some people see the pandemic as an opportunity to exploit this fear for financial gain.

One way they’re doing this is through emails that trick you into spending your money or providing sensitive information.

We call these phishing scams.

In fact, Google reports a 350% increase in the creation of phishing websites since the pandemic started in 2020.

Because almost everyone is working remotely at this time, phishing scams are easier to pull off. After all, home cyber security is almost never as beefed up as a company workplace. When you consider the speed at which the world transitioned from the office to a home work environment, there really wasn’t any time to set up cybersecurity for personal computers.

Add in the fact that almost all children are now finishing the year’s educational tasks on personal devices, and phishing scams have a world of opportunity in front of them.

With that in mind, we’re revealing how to identify a phishing scam and how to protect yourself proactively against being a target.

What is a Phishing Email?

Phishing scams are the most popular type of cybercrime, accounting for 90% of data breaches in 2019.

The successful attacks have resulted in billions of dollars lost to scammers – $26 billion in the past four years, to be exact. But how do people fall for these scams?

It’s simple really… they were tricked.

A phishing email – sometimes also referred to as business email compromise – is a targeted email in which a cybercriminal sends a message that appears to be from a legitimate company or person. This message asks the recipient to click a disguised malware link or provide sensitive information.

Imagine you just received an email from your company’s “CEO” stating he’s on a business trip and needs you to provide him the company credit card information.

You might not think twice… he is the CEO after all.

But what you may not know is it’s very easy for a scammer to disguise himself or herself as someone else via email. This is a common example of a phishing email.

Who Do Phishing Emails Target?

Who phishing emails target really depends on the cybercriminals behind the computer. Sometimes they’re attempting to go after an individual and sometimes they’re trying to go after an entire organization.

Attacks on Individuals

When attacking individuals, scammers might pose as a business you actively use or trust. For example, a store you frequently shop at, a social network, or a bank. They might even pretend to be someone you know.

Attacks on Businesses

Phishing emails are one of the most common attacks on businesses with 76% of businesses reporting they were victims of phishing attacks in 2019.

And don’t think because you’re a small company they won’t come after you: 43% of all phishing scams target small businesses.

For example, hackers will send an email, masking themselves as an employer, that asks you to wire money to them. Another common occurrence is a malware link: an email contains an innocent-looking URL that actually installs destructive malware, giving hackers access to your devices.

SMS, apps, and networks are other ways hackers can attack via the internet.

To get a head start on protecting your business, implement cybersecurity best practices for small businesses. You can also protect your business by understanding the hacker’s playbook. Cybercriminals execute their phishing emails with a four-step process:

Identify a Target

First, cybercriminals will choose their victims. Typically, this is someone in your organization who’s close to the money. This might be someone in accounting or the financial department. They’ll find this person by doing some research about your company, its employees and its executives.

Groom the Target

Next, the cybercriminal will write up and send an email addressed from a customer or an executive of the company. The email will always have some type of urgent call to action.

Exchange Information

The victim receives the scam email. If the lure works, they’re deceived and begin acting on the call to action, believing they’re conducting a legitimate business transaction.

Hack Completed

Once the transaction is complete, it’s too late. If a link was clicked or money was transferred, the scammer has won.

How to Identify a Phishing Email During COVID-19

Phishing emails have been a growing issue for as long as email has been around. But they’ve become especially common during the COVID-19 pandemic.

Why? Because when people are afraid, they’re more vulnerable.

Today, phishing emails lean on COVID-19 themes such as places to get medical equipment like masks, or free technology to stay in touch with friends and family remotely.

So, how do you identify a phishing email before you make an irreversible and damaging mistake?

There are advising services and even a slew of software options available to help stop scams before they happen. But training yourself and your employees to spot phishing emails is an easy place to start.

The Red Flags

During COVID-19, you or someone in your company might receive a phishing email that appears to be from the CDC or a credible health organization. And it will likely prompt you to take urgent action by clicking a link or downloading a file.

Let’s take a look at an example.

This looks like a legitimate email, but there are a couple of red flags you can notice almost immediately. Here are a few signs that might indicate you’ve received a phishing email:

An example of a phishing scam email.

Poor Grammar

Attackers often live in different countries than the people they’re scamming. For this reason, there will often be some type of language barrier in the form of spelling and grammatical errors.

Check the Introduction

A legitimate business will address you by your name, especially if it’s asking you to take action on an account. Informal or impersonal salutations are a major red flag.

Urgent Call to Action

If the email instills a bit of panic, that’s a red flag. Keep an eye out for terms such as immediate or urgent. In the email example above, the line “you are immediately advised to go through the cases above for safety hazard” is a huge no-no. The hacker is setting up a sense of urgency in hopes the end user will click the malware link.

Verifying a Phishing Email

Once you’ve identified a red flag, how do you verify you have in fact received a phishing email? There are a couple of ways.

Call the sender

Whether it’s the “CDC” or your “CEO” who sent the email, give them a call. They’ll be able to verify whether the email is legitimate before you click a link or send back any sensitive information. Better to be safe than sorry!

You’re asked for personal information

A coronavirus-themed email that asks you for any kind of personal information is a phishing scam. A government agency will never ask for that kind of information over email. Never respond to an email and include your personal information.

Check the email address or link

You can inspect a link without clicking it. Simply hover over the hyperlink with your mouse and see where it actually links. If it isn’t from the proposed sender, delete the email immediately.

To check the email address, click on the sender’s email address. If it’s not an email address from the proposed sender (xxx@cdc.com) delete the email. Beware of any email that says it’s from the CDC but when you check it, it’s actually from a generic email such as yahoo.com or gmail.com. And don’t trust emails from the government with links ending in .org instead of .gov.
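The manual checks in “The Red Flags” and “Verifying a Phishing Email” above can be scripted so a helpdesk or mail gateway flags a message for review. The following is an added example, not code from the original post or from Red Clover Advisors; the two messages it scans are constructed for this example, it assumes the claimed sender is cdc.gov (the CDC’s real domain, chosen to illustrate the .gov point above), and the domain, urgency and greeting lists are assumptions you would tune for your organization.

```python
"""Heuristic phishing checks over a raw email (added example, not from the post)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the fake-CDC message discussed in the post.
SAMPLE_EMAIL = """\
From: "CDC Health Alert" <alerts@cdc-health-update.com>
To: employee@example.com
Subject: URGENT: COVID-19 cases in your area
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>You are immediately advised to go through the cases above for safety hazard.</p>
<p><a href="http://cdc.gov.safety-update-login.com/cases">View cases</a></p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Jordan Lee" <jordan.lee@cdc.gov>
To: employee@example.com
Subject: Updated guidance document
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Sam,</p>
<p>The updated guidance is posted at <a href="https://www.cdc.gov/guidance">cdc.gov</a>.</p>
</body></html>
"""

# Assumed lists; extend them for your environment.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediate(ly)?|act now|within 24 hours|suspended)\b")
IMPERSONAL_RE = re.compile(r"\bdear (customer|user|member|account holder|sir or madam)\b")


class _HtmlScan(HTMLParser):
    """Collects href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def registrable_domain(host):
    """Approximate the owner-controlled domain as the last two labels.

    Assumption: no public-suffix list, so 'example.co.uk' would reduce to
    'co.uk'. Good enough for the .com/.gov/.org cases the post discusses.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_email(raw_message, claimed_domain):
    """Return sender domain, link domains and red-flag codes for one message.

    claimed_domain is who the mail purports to come from (e.g. 'cdc.gov').
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    scan = _HtmlScan()
    scan.feed(content)
    text = " ".join(scan.text).lower()
    link_domains = [urlparse(h).hostname or "" for h in scan.links]
    claimed = claimed_domain.lower()

    flags = []
    # "Check the email address": free-mail sender, or a domain that is not the claimed one.
    if sender_domain in FREEMAIL_DOMAINS:
        flags.append("freemail-sender")
    if registrable_domain(sender_domain) != claimed:
        flags.append("sender-domain-mismatch")
    # "Check the link": where each link really goes, including look-alike subdomains.
    for host in link_domains:
        if registrable_domain(host) != claimed:
            flags.append("link-domain-mismatch")
        if claimed.endswith(".gov") and host.endswith(".org"):
            flags.append("org-instead-of-gov")
    # "Check the introduction" and "urgent call to action".
    if IMPERSONAL_RE.search(text):
        flags.append("impersonal-greeting")
    if URGENCY_RE.search(text):
        flags.append("urgency-language")

    flags = list(dict.fromkeys(flags))  # drop duplicates, keep order
    return {"sender_domain": sender_domain, "link_domains": link_domains, "flags": flags}


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_email(raw, "cdc.gov"))
```

The subdomain trick in the sample link (cdc.gov placed in front of an unrelated domain) is exactly what hovering reveals and what `registrable_domain` reduces away; a real deployment would swap that helper for a public-suffix-list lookup and treat the flags as a review signal, not an automatic verdict.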

Protecting Yourself from Phishing Emails

Usually, red flags and simple checking methods can expose a phishing email. But not always. Sometimes a phishing email is so well crafted even the most trained IT professionals can be deceived.

It’s always best to protect yourself. Here are a few ways to do just that:

Email Filters

Email filters alone won’t keep phishing emails away for good, but they definitely help. Some email providers have more effective spam filters than others, so choose your email provider wisely.

Antivirus Software

Antivirus software will protect you from many kinds of dangerous cyberthreats. Make sure you regularly scan your device and keep the software updated.

VPNs

Virtual Private Networks (VPNs) help to maintain security while online, particularly when using a public WiFi connection. Download this guide for a list of suggested VPNs to use.

Educate yourself and your employees

Training is critical to identifying phishing emails. Run simulated phishing tests and let people know if they passed or failed. This will allow you to be confident everyone in your office is aware of the risks.

Conclusion: Always Go to the Source

Keep in mind it’s extremely unlikely the CDC or World Health Organization will personally send you an email. And understand that at a time like this, ne’er-do-wells are taking advantage of the fact that fear and stress are at an all-time high and attention to things like cybersecurity is not top of mind.

Anyone who’s looking to steal money or gain access to confidential information is going to try to do so at this time when your guard is down. Knowing these things, it’s imperative to be on alert. If you think you might have received a phishing email, it’s always best to go directly to the source.

Here are a few of the best resources to follow to get the most updated information about the COVID-19 outbreak:

If you’re interested in setting up security measures for your business, contact us today for a complimentary consultation.


Did you know there’s an entire day dedicated to data privacy? Well, it’s an important subject, so it’s no wonder. Here’s the scoop!

Data Privacy Day is an international holiday that occurs annually on January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Israel, and dozens of European countries.

It began as a day focused on educating young people – mostly teens and young adults – about how to be safe online and keep their personal information safe on social networking platforms. Over the past four years, with more elements of our lives being digitized, Data Privacy Day has expanded to include companies and consumers and the more general concerns of data privacy.

Data Privacy Laws

With new data privacy laws recently passed or under review in various U.S. state legislatures, data privacy is a popular subject as of late. This year’s theme for Data Privacy Day is also quite timely given the focus on the value of data as recognized by the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The theme is: Personal information is like money. Value it. Protect it.

Today is a great day to remind your employees that data privacy is a key player in the way you conduct business. As part of CCPA compliance, your employees should already be trained in your privacy policies and how to handle customer individual rights claims, but today is a great day for extra attention and some refreshers.

Data Privacy Employee Training Tips

  1. On-going education. Don’t let today be the only time you talk about data privacy this year. Create a monthly or quarterly tip series on how to protect data, on what relevant privacy laws like GDPR or CCPA mean to someone’s role, and on how and when to conduct a privacy impact assessment or contact the privacy office.
  2. Test data privacy scenarios. Based on employee roles, present them with a data privacy scenario and see how they handle the issue. According to Shred-It’s State of the Industry report, nearly half (47%) of C-suite executives and 42% of small business owners report that human error or accidental loss by an employee is the cause of a data breach. Employees are both the strongest and weakest link in a privacy program. And, thanks to CCPA and other regulations, those breaches can result in penalties above and beyond real-life costs.
  3. Use signage as reminders. You can create attention-grabbing signage to put in the break room, on the elevator, in the bathrooms, or other frequented spots with tips and updates to your data privacy policies and practices. Be sure to change their locations and content to keep them fresh and employees engaged with the information you are sharing.
  4. Create a recognition system. Use this as an opportunity to recognize the employees who really understand and implement your company’s data privacy practices day in and day out. You can recognize a few people each month or quarter in a company-wide email. You can create an on-going system in which employees could earn 10 points for every week in which they do not commit any data privacy errors. After collecting 50 points, they could earn rewards like a $5 gift card for coffee. Make the amount of points work for your team, budget, and the recognition frequency you want to maintain energy around data privacy.
  5. Communicate effectively with employees. Data privacy regulations are fluid, with more states joining the CCPA way of thinking. Keep your team up to date with any changes or additions to their practices. To be effective, this communication needs to align with the company culture. Maybe it is a short funny video, an online game or quiz, a short email from an executive, or an article on an intranet. A mix of styles is important to have quality engagement.
  6. Bring in an expert. Your employees may get tired of hearing about data privacy from you or another superior, so change it up a little! Host a lunch and bring in a data privacy expert. Learning about the subject from someone new who has more credentials on the subject can re-excite people about data privacy. Plus, free lunch never hurts!

Make Every Day Data Privacy Day

It’s important to remember that data privacy policies and practices are not something you can just think about once a year and then forget about. Continually make this part of staff meetings and company-wide communications. Be sure you are on top of any updates and changes that are made in national data privacy regulations. And, above all, remember that data privacy should be a driver in your business strategies in 2020 and beyond.

If you’d like to discuss how to make data privacy an integrated part of your company’s day-to-day celebrations, please schedule a 20-minute complimentary consultation. We’d love to help you make every day Data Privacy Day!

CCPA regulations are now official. It is important to achieve CCPA compliance, understand potential CCPA pitfalls, and know how you can avoid making costly mistakes.

Running a small business can be stressful. Trust me, when I started Red Clover Advisors, I felt overwhelmed by day-to-day operational challenges, building our client base, and ensuring that we were providing top-notch advice and service. Regardless of your industry, being a small business owner means you wear a lot of hats and there are certain areas in which you just don’t have expertise.

Perhaps the CCPA regulations that take effect on January 1, 2020 are one of those items that have piled onto your stress list. Don’t worry! Here are five simple steps to CCPA compliance success for small business owners that I think will really help you navigate the process.

  1. Data is king. If you do not know what customer data you have or understand its implications, it is nearly impossible to comply with the CCPA regulations. The key here is that under the CCPA, data you collect qualifies as personal information. You should start the data mapping process now, if you have not already. Here are some questions to consider when you undergo data mapping:
    • Where do you host your data (including with any third parties)?
    • For what purpose is the data you collect used?
    • Do you collect and sell data on children?
  2. Notify, notify, notify. You can no longer tell a customer once that you are collecting their information. Under the CCPA, you must provide four different notices and update them appropriately. These include the notice of collection of personal information, the notice of customer opt-out rights, the financial incentive notice, and your business’ privacy policy. While the CCPA regulations may sound like legal jargon to you, it is important that your notices are consumer friendly. Here are some questions to consider when creating or reviewing your notices:
    • Are your notices easy for anyone to understand?
    • Do the notices detail the data you collect, such as the sources of information or categories of personal information collected?
    • Do they provide information regarding what your business plans to do with the information collected?
    • Are they designed to grab a customer’s attention? What about individuals with disabilities?
    • Do you do business in another country or with those who speak a language other than English? If so, is each notice available in that language?
  3. Consumer-Centric. You need to have a plan for individuals’ rights, which includes being accessible for consumer requests, verification of data, and opt-out options. Under the CCPA, you must explain what you plan to do with the data you collect and provide two ways for customers to contact you regarding said data. Here are some questions to consider when developing your plan:
    • Do you have methods for contact in place? For nearly all businesses, one of these methods must be a toll-free phone number; is it set up? Many businesses also opt for an electronic method; is this right for your business?
    • Do you have a system to ensure timely responses to consumer requests? This can be hard when you are juggling so many things, but it is very important to be aware of these time constraints and abide by them. Did you know that the CCPA regulations state you have to acknowledge most consumer requests within 10 days? And, that the data verification process has to be complete within 45 days?
    • Does your team know how to verify consumer information or what to do in cases where you cannot verify a consumer?
    • Do you have an opt-out policy and process in place? And, is it in the CCPA-approved format?
  4. Train your team. We all know that customer service is important, but this training goes beyond getting a positive or negative review on social media. Under the CCPA regulations there are new requirements about documentation that anyone who handles consumer requests and data needs to be aware of and have proper training on. Here are some questions to consider when creating a training manual:
    • Do your employees know they must keep a record of the consumer requests that your business is receiving?
    • Do they know these records must be maintained in a log or ticket format?
    • Do they know that the information maintained in these records cannot be used for any other business purpose?
  5. Rinse and repeat. Once you have a plan in place and have mapped your data, it is important to keep in mind that this is not a one-time thing. Being responsible for consumer data and staying up to date on state and national regulations is the new norm, not something you can set up once and forget about. Here are some questions to consider as you look ahead:
    • How will you integrate the plan for new consumers and their data?
    • How will you keep up with adjustments to the regulations?
    • How will compliance be maintained on an ongoing basis?

We hope this was a helpful resource. But, if you still have questions, please schedule a free call with us. Red Clover Advisors would love to help you navigate this process and make your life a little less stressful.


2019 has been quite a year for the privacy world.

The GDPR celebrated its first birthday with a slew of fines and investigations.

The Nevada privacy law (Senate Bill 220) passed and went into effect, as well as ones for Illinois and Maine. Vermont and South Carolina followed suit with minor updates to existing laws. And in all, 24 states considered enacting data privacy laws in 2019.

Not to mention that, with a deadline of Jan. 1, 2020, the California Consumer Privacy Act (CCPA) has ushered in a slew of preparations of its own.

With all of these privacy regulations now a part of business as usual in 2019 – and more coming down the pipeline – it’s important that companies treat privacy best practices as more than just a nice-to-have. It could make or break your brand in the future.

Protecting consumer rights isn’t just the law anymore. It’s a way to prove your trustworthiness to consumers.

Because it’s such an important part of how brands will function and prosper in the future, we’re highlighting the ways big and small brands alike have embraced privacy best practices in 2019. Use these examples to shape your own strategy for privacy in 2020 and years to come.

The CCPA field guide helps you understand individual rights under the new law.

Hailed by some to be a landmark law heralding the future of consumer privacy, the California Consumer Privacy Act (CCPA) will change the way we do business – across all industries – forever.

Nicknamed by some GDPR Lite because of how twin-like it is to the EU’s privacy law, the CCPA leverages a lot of the same strategies as GDPR. And just like its brother from across the pond, this U.S.-based, paradigm-shifting consumer privacy law is a gamechanger for everyone.

In fact, if your business is in the United States and collects information about California residents, the CCPA applies to you. 

Small businesses who think they’re off the hook are in for a shock. If you have a contact form on your website, collect resumes from candidates for job openings, or operate a brick-and-mortar location, the CCPA probably applies to you. 

Technically, the CCPA rules apply to a for-profit “business” that does business in California and meets one or more of the following thresholds:

  • Generates an annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices

Even if you think the CCPA doesn’t pertain to your business, you’d be wise to implement the requirements anyway. Although it’s the first state law of its kind, it most certainly won’t be the last. Consumers are growing more and more concerned about their private information, and there may be no going back. 

The new individual rights requirements in the CCPA are so significant, the risk of non-compliance is an accident waiting to happen.

To help, we created this comprehensive field guide. It explains the CCPA individual rights requirements and provides step-by-step recommendations for implementation so U.S. businesses can comply with accuracy, timeliness, and confidence.
