Category: CyberSecurity

Our favorite time of the year is finally here—and yes, we know the winter holidays have already come and gone. But as much as we may love warming up with a cup of hot cocoa (topped off with unreasonable amounts of marshmallows, please!), there’s one day that holds a special place in our hearts: January 28th is World Data Privacy Day.

And while there aren’t any seasonal beverages to enjoy along with it, we think Data Privacy Day represents something fundamental: the right of every person to control their own personal data with the confidence that it won’t be shared, sold, or otherwise exposed without their consent. 

World Data Privacy Day: a short background

Observed annually worldwide, Data Privacy Day honors the signing of Convention 108 in 1981, the first international treaty to deal with privacy and data protection. 

1981 was a long time ago, though.  

Since then, generations of activists, lawmakers, and ordinary citizens have advocated long and hard for a future where an individual right to their private data doesn’t get lost in the crowd.

That’s why we like to look at January 28th as something like a Data Privacy New Year’s for our industry: it’s a chance to stop and acknowledge the progress we’ve made, celebrate our privacy accomplishments, and look ahead to the work that still needs to be done. 

Data privacy day? Let’s make it a week (or even a year)

This year, the National Security Alliance decided to expand its Data Privacy Day campaign to cover an entire week—to which we say, why not? After all, privacy is an ongoing issue, and there’s only so much work you can do in a day.

In fact, we’d like to propose an even more ambitious idea: what if we made 2022 a Data Privacy Year? Because as much as we love the 28th, the things you do on those other 364 days are more important. 

Three good reasons to make data privacy your New Year’s resolution

We know the ball dropped weeks ago (and some of us even managed to stay up long enough to see it), but that doesn’t mean it’s too late to make a few more resolutions. 

Our suggestion? You guessed it: making data privacy a priority. From legal compliance to business considerations to just straight up doing the right thing, here are a few good reasons to keep data privacy top of mind as you plan for your business’s future in 2022.

1. Regulatory compliance

Convention 108 was left all by its lonesome, and lax (or nonexistent) data privacy laws allowed dangerous privacy practices to thrive for a long while. Consumers’ private information was often collected and sold without their knowledge or consent, and insufficient data security measures led to high-profile breaches of private consumer data.

Thankfully, Convention 108 finally got help. If your company sells products or collects data from users, you’re probably already familiar with the EU’s General Data Protection Regulation (GDPR), adopted in 2016. This far-reaching privacy and data security law placed a wide range of restrictions on how organizations collect, store, and use consumer data—at least within the EU. 

Since then, several US states have joined the EU in creating consumer privacy regulations, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

More state laws are likely to follow, and for those who care about consumer privacy, that’s cause for celebration. But it also means that companies need to carefully monitor their regulatory compliance obligations. Failing to prioritize privacy issues in the coming years could put your company on the wrong side of the law if you ignore policy changes.

2. Privacy is what your consumers expect

Even if you put regulatory concerns aside, prioritizing data privacy is simply good business. Consumers are increasingly aware of how their private data is being collected and used, and most Americans now report concern over companies’ use of their personal information.

That gives your company an excellent opportunity to differentiate itself by putting privacy first. In fact, a whopping 97% of companies report one or more tangible benefits after investing in robust privacy policies, from more significant competitive advantages to lower data-breach losses to increased investor appeal. 

(And that’s not a bad way to start the year.)

3. It’s simply the right thing to do

No matter what your industry is or who your consumers are, your relationship with the people you serve is built on trust: trust in your professionalism, trust in the quality of your goods or services, and trust that your business will uphold its core values.

Data privacy efforts are one way to pay them back for that trust. Each of your consumers is a living, breathing human being who has a right to privacy and control of their personal data, and helping them protect that right is an excellent New Year’s resolution.

Seven resolutions for a privacy-first 2022

Look, we know that staying true to your resolutions is hard (raise your hand if you’ve already broken the ones you made on New Year’s Eve). 

But when it comes to data privacy, staying ahead of the trends is a year-round effort, and it helps to have a plan you can commit to. Here are seven goals to keep the privacy fire burning bright when Data Privacy Day is just a warm and fuzzy memory.

1. Start with awareness and empathy

Successful privacy efforts need to go deeper than policy—you also need to foster a culture that values your privacy plans. And one of the best ways to do that is to remember the people you serve.

Whenever you implement steps to keep your clients’ and customers’ data safe, you’re also protecting the legal and ethical rights of the people who trust you. Keeping an awareness of this responsibility top-of-mind can help you fuel your efforts with empathy, even when breaking your privacy resolutions is oh-so-tempting.

2. Train and educate your team

Setting goals is admirable, but implementing real and lasting change requires full-team buy-in and participation. If you want to create a company culture that values privacy, you’ll need to equip your team with the knowledge they need to put privacy first.

That involves clearly articulating your privacy goals to your team, providing them with opportunities to engage with your privacy policies, and making it as easy as possible for them to comply. Instituting company-wide use of privacy measures like VPNs, encryption, and two-factor authentication can help you make privacy awareness the norm.

3. Plan for 2023 (and ’24, and ’25 . . .)

Another thing to reflect on as we enter a new year: didn’t that last one go by really fast?

There’s simply no stopping the future from rolling on in, and data privacy regulations are now evolving more quickly than ever before. By 2023, it’s estimated that current data privacy regulations will impact 65% of the world. 

That’s a lot of new privacy laws to keep up with. If you’re planning on staying ahead of new compliance demands, you’ll need to start future-proofing your privacy efforts today. And while you can’t perfectly predict the privacy demands of tomorrow, implementing a robust privacy program based on today’s best practices and current data protection laws will set you up for success as the years roll by.

4. Put the cookie jar down

Speaking of future-proofing, one of your priorities right now should be to move beyond reliance on third-party cookies. With data protection regulations like the GDPR banning the use of most third-party cookies without explicit user consent, even major browsers are now dropping cookie support. 

Thankfully, the kind of cookies you eat is still on the table—and there are plenty of viable ways to move toward a cookieless future.

5. Build a robust preference center

As third-party cookies quickly become a thing of the past, the preference center is stepping up to become your new privacy best friend. Preference centers give your site’s users all the tools they need to opt in or out of the collection or use of their data.

It’s a vital way to stay in compliance with privacy regulations and an easy way to build trust with your site’s users. 

6. Data mapping

One of the cardinal rules of responsible data collection: never collect or keep data you don’t need. 

But how do you get started if you don’t know what data you have? Enter data mapping, an irreplaceable tool for taking stock of the data you’re collecting, where it’s coming from, how (and how long) you’re storing it, and how it’s being used. 

Building one out should be a priority if you don’t have a data map yet. Thorough data mapping helps your company stay compliant and can serve as the first step toward effective preference centers.

7. Work with a privacy consultant

All of the above resolutions are well worth the effort, but when you’re navigating the increasingly complex world of privacy regulations, sometimes you just need some extra professional help.

Working with an experienced data privacy consultant is one of the best ways to ensure your efforts don’t go to waste. Letting privacy professionals take the lead this year can take the load off your shoulders while allowing for a more informed and comprehensive strategy.

Contact us if you’re ready to make 2022 your Data Privacy Year. We’d love to help you move your data privacy program forward.

Every action and adventure movie in the history of movies has a scene that looks like this:

IN SECRET LAIR — NIGHT

Hilariously funny computer-nerd sidekick with crushing social anxiety is talking with an uber-suave, secret super-agent about taking down moles in the government intent on destroying society as we know it.

Sidekick: Wait a second. Just wait. You’re saying we have to steal the bomb from the crazy secure military base? 

Secret super-agent: It’s the only way we can save the world. [smolder]

Sidekick: But that’s insane! Assuming we can even get past the ID checks at the entrance, there are five additional checkpoints between the front door and the vault where the bomb is stored. The final checkpoint requires a 25-digit passcode that is randomly changed every 30 minutes and retinal scans from four different people! 

[Sidekick begins pacing in front of a desk littered with random, techy-looking stuff]

IF, and that’s a big if, we make it through all that security, the vault is temperature- and pressure-controlled. Any unscheduled access triggers the alarm system and activates the laser-shooter/oxygen-deprivation/flame-throwing system. We will die if we can’t hack the system to schedule our currently unscheduled visit! Do you hear me?! DIE!

Secret super-agent: You can do it. I need you to do it. The world needs you to do it. [extra long smolder]

In that scene, the overworked and underpaid sidekick identifies factors that could interfere with successful operations. In other words, they’re conducting a risk assessment.

Luckily, running an excellent privacy program doesn’t usually involve saving the world. But that doesn’t mean you can get out of a thorough privacy risk assessment.

What is a privacy risk assessment?

A privacy risk assessment is a tool companies use to protect the personal information of natural persons (also called PII—think name, address, SSN, race, financial information, biometric identifiers, specific geolocation, etc.) from inappropriate use by a company, from use that creates great risk to the individual’s rights or freedoms, and from exposure in a data breach. It can help a company identify, monitor, and resolve issues that put its internal and customer data at risk of exposure in a data breach. 

While security against data breaches is essential, privacy risk assessments also consider your privacy practices in the scope of relevant privacy laws, current consumer expectations, and the risks to individuals. In short, they take the pulse of your privacy program. 

What’s more, a privacy risk assessment isn’t a one-off exercise, but according to the European Commission, a living, flexible tool that can help you safeguard your business and customers. 

These risk assessments go by several names—data protection impact assessments (DPIA is the GDPR term) or privacy impact assessments (PIA)—but their ultimate function is to reduce privacy risk factors and improve data management practices by providing a holistic view of the opportunities and challenges facing your company.

Why does my company need a privacy risk assessment?

PIAs aren’t just good risk management. They’re also a statutory requirement.

The European Union set the standard for regular risk assessments when it passed the General Data Protection Regulation in 2016. Nearly all data protection regulations passed since then have similar requirements and establish heavy fines for noncompliance.

Unlike many other countries, the United States doesn’t have a federal data privacy law. Instead, the US government has opted to take a sectoral approach that gives states the burden of protecting consumers’ personal information. Legislation like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA) make it clear that moving forward, companies are going to be responsible for safeguarding the personal data they collect.

Regardless of your legal obligations, though, privacy rights will be a significant issue for consumers for the foreseeable future. Almost across the board, consumers have proven they’ll walk away from a company if they have concerns about privacy practices.

If you aren’t actively trying to manage your privacy risks, it’s going to cost you in the long run.

What are the steps in a privacy risk assessment?

Saying that you’re going to conduct a privacy risk assessment is kind of like saying you’re going to make cookies—there are a lot of techniques you can use and types you can make. But there are fundamental principles that work across the board.

To conduct a privacy risk assessment, you need to:

  1. Set the scope
  2. Establish responsibilities
  3. Map your data
  4. Adjust processes
  5. Notify stakeholders of changes

Set the scope

Not every PIA has to be organization-wide. If you’re changing a single process in your direct marketing program, you may not necessarily need to examine how your customer service department accesses your customers’ personal data. 

The scope of your PIA will be determined by the interaction between proposed changes and the privacy laws you need to comply with.

Under the GDPR, for example, a DPIA is required if you’re going to implement new technology, if you’re tracking the location or behavior of individual users, if you’re systematically monitoring a publicly accessible place on a large scale, if your data processing will be used in automated decision-making with legal ramifications, or if you’re processing data from children.

You’ll notice those examples don’t specifically name advertising or internal data processing as a trigger for a DPIA. And there are some exceptions in the law if you’ve recently conducted a DPIA for a reasonably similar situation. 

Looking for further guidance on when to conduct a PIA? Both the ICO and CNIL provide guidance on steps to take. 

Setting parameters for your DPIA will help you be as thorough as possible while also helping control your costs and timelines. 

Establish responsibilities

Let’s go back to the bomb-stealing action movie from the intro. Sometime after the “risk assessment” scene, there will be another scene where the heist crew will sit and go over their plan in minute detail, with every person listing off their responsibilities. 

You should do the same thing when prepping for a PIA. Every person involved in the process should clearly understand their role, how the chain of command works, and the deadlines.

It’s the same concept the American Red Cross uses when teaching people first aid (“You in the blue shirt! You call 911!”). Clear performance expectations eliminate confusion and improve performance, making the process more efficient.

Map your data

This step is the big one. If you get nothing else from this article, remember this:

YOU NEED TO KNOW YOUR DATA.

But getting to know your data doesn’t magically happen. You have to take the time to get to know your data. Buy it a cup of coffee. Ask it about its family. 

Just kidding. That’d create even more data. 

In all seriousness, you can get to know your data simply by creating a data map.   

We’ve written extensively about data maps, sometimes called data inventories, but at its core, data mapping explains what happens to every data record in your system. It will tell you:

  • What data you’re collecting
  • Who you’re collecting it from
  • Why you’re collecting it
  • Who has access to it (including third-party vendors)
  • Who you’re sharing it with or selling it to
  • How you’re using it
  • Where and how long you’re storing it 
  • Where it’s at risk for exposure

Basically, a data map is the fastest, best way to understand and identify privacy risks in your data management program. In theory, this should be information you know already. In practice, companies rarely completely understand what their data collection and management practices look like. 

Unlike the GDPR, US privacy laws don’t technically require companies to have a data inventory. But it’s hard to see how you could build an efficient compliance program without one. 
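As an added illustration (not Red Clover’s own tooling), here is a small Python review of a constructed data inventory. Each record carries the data-map fields listed above, and the review flags the risks the article warns about: data with no stated purpose, data kept past its retention period, sensitive data shared with a third party without consent, and sensitive data stored without encryption. The record fields, the sample rows, and the finding codes are all assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class DataRecord:
    """One row of a data map / data inventory (field names are assumed for this example)."""
    element: str                # what data you're collecting
    source: str                 # who you're collecting it from
    purpose: str                # why you're collecting it ("" = no stated purpose)
    sensitive: bool             # PII the article calls out: SSN, financial, biometric, geolocation...
    shared_with: list[str]      # third parties you share it with or sell it to
    consent_for_sharing: bool   # did the data subject consent to that sharing?
    stored_in: str              # where you're storing it
    encrypted_at_rest: bool
    retention_days: int         # how long you're allowed to keep it
    collected_on: date


def review_inventory(records: list[DataRecord], today: date) -> list[tuple[str, str, str]]:
    """Return (element, finding_code, detail) for every privacy risk found in the inventory."""
    findings = []
    for r in records:
        # Cardinal rule: never collect data you don't need. No purpose means no justification.
        if not r.purpose.strip():
            findings.append((r.element, "NO_PURPOSE",
                             "collected without a stated purpose; drop it or document why it is needed"))
        # Cardinal rule, part two: never keep data longer than you need it.
        age_days = (today - r.collected_on).days
        if age_days > r.retention_days:
            findings.append((r.element, "RETENTION_EXCEEDED",
                             f"held {age_days} days, retention limit is {r.retention_days}"))
        # Sharing sensitive data with third parties needs the right consent in place.
        if r.sensitive and r.shared_with and not r.consent_for_sharing:
            findings.append((r.element, "SHARED_WITHOUT_CONSENT",
                             "sensitive data shared with " + ", ".join(r.shared_with)))
        # "Where it's at risk for exposure": unencrypted sensitive data is breach material.
        if r.sensitive and not r.encrypted_at_rest:
            findings.append((r.element, "UNENCRYPTED_SENSITIVE",
                             f"stored in {r.stored_in} without encryption at rest"))
    return findings


# Constructed sample inventory for a hypothetical company; not real data.
REVIEW_DATE = date(2022, 1, 28)
SAMPLE_RECORDS = [
    DataRecord("email_address", "signup form", "account login", False, [], True,
               "accounts-db", True, 365, date(2021, 12, 1)),
    DataRecord("ssn", "KYC form", "identity verification", True, ["CreditCheckCo"], False,
               "legacy-file-share", False, 365, date(2021, 6, 1)),
    DataRecord("browsing_history", "website tracker", "", False, [], False,
               "analytics-bucket", True, 180, date(2020, 3, 15)),
    DataRecord("credit_card_number", "checkout page", "payment", True, ["PaymentProcessor"], True,
               "payments-vault", True, 90, date(2021, 11, 10)),
]


if __name__ == "__main__":
    for element, code, detail in review_inventory(SAMPLE_RECORDS, REVIEW_DATE):
        print(f"{element:20} {code:24} {detail}")
```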

Analyze and review

Once you’ve made a data inventory and analyzed how the proposed changes will potentially affect the privacy of data subjects, you should have all the information necessary to address potential risks and be ready to implement the new technology or process. Feeling lost during the analysis and review? You should be looking to answer questions like:

  • Where are the weaknesses in our program?
  • How will changes or updates impact privacy operations?
  • Will our privacy notices need to change?
  • Do we have the correct consents in place?
  • Should contracts be drafted or updated?

Make the appropriate changes

Now comes the fun part—making the privacy changes that are going to move your business forward, build better relationships with customers, and stay compliant with all relevant laws.  

To make the changes you identified as critical through your privacy risk assessment, make sure you keep communication clear and consistent between team members, departments, and relevant stakeholders. Clear internal communications help fully integrate changes into your operations—and if you want to be super on top of it, make your updated privacy practices part of a privacy training initiative. 

When it comes to external communications, it’s also important to have a plan to notify customers of any substantive changes to your privacy policies or practices.

Take it one bite at a time

It’s always easier to manage large programs in small chunks, and privacy is no different. A big-picture strategy is vital in establishing a culture of privacy and managing priorities. Still, privacy risk assessments are much more effective if they’re a regularly utilized tool and not an occasional strategy.

If you need help designing productive privacy risk assessment processes, let us help. We can be the sidekick that supports your efforts, or we can be the super-agent that creates a functional plan.

Either way, Red Clover Advisors is passionate about practical, pragmatic privacy solutions. Call us today to schedule a consultation.

A long time ago in a galaxy far, far away, all banking had to be done in person. Mobile deposits didn’t exist, stocks couldn’t be bought and sold on a cell phone, account statements were snail-mailed, not emailed, and friends had to pay each other back with actual cash.

Fintech changed all that. 

Like Bennifer and Brangelina before it, fintech is the celebrity couple name for the increasingly important and prevalent intersection of the financial services industry sector and the technology sector. 

Advances in mobile and ecommerce tech capabilities have affected every part of our economy, but almost no industry has been shaken up by these changes as much as banks and investment firms. Although these industries were once firmly in-person, brick-and-mortar operations with the power balance heavily weighted against consumers, fintech has:

  • Automated many financial services processes
  • Accelerated the growth of the startup economy 
  • Increased industry focus on omnichannel experiences (individualized customer touchpoints across apps, email, social media accounts, websites, etc.)
  • Enabled creation, use, and acceptability of cryptocurrencies (Bitcoin, Dogecoin, etc.)
  • Disrupted the loan market
  • Deepened business’s dependence on Big Data to analyze and understand risk

Fintech’s prevalence and success, however, means that the industry is relentlessly attacked by the Dark Side, er, hackers on the dark web, just like Darth Vader followed the heroes of Star Wars across the galaxy. 

In this complicated environment, a strong data privacy program can act like the Force that made Jedi so powerful. It can warn you of incoming threats, protect you from multifaceted attacks, and show you your company’s strengths.

The Force Awakens: Fintech’s Rise

The fintech origin story began in 1886 with the successful installation of the first transatlantic cable. The launch of credit cards in the 1950s and the introduction of ATMs in the 1960s led to increased digitization of financial institutions, which in turn facilitated the creation of digital stock exchanges and SWIFT, a data-sharing network still used by banks and investment firms to quickly, accurately, and securely send and receive information.

The growth of ecommerce in the 1990s and early 2000s also played a significant role in the expansion of the fintech industry, but the fintech we know today started when the global market crashed in 2008. As distrust for traditional banks, mortgages, and investment firms spiked dramatically, plenty of entrepreneurs were ready to give consumers innovative new ways to manage their money.

Fintech has expanded and changed more in the last 10+ years than it did in the first 125. EY found that global adoption of fintech services grew from 16% in 2015 to 64% in 2019. With the ongoing pandemic increasing our reliance on virtual solutions for nearly everything, fintech use in Europe alone has increased 72% since 2020.

According to PWC, other drivers of fintech dominance include:

  • Decreasing age in the average workplace
  • Rapidly increasing urbanization
  • A growing global middle class
  • Increasing use of mobile apps for financial transactions

The Empire Strikes Back: Current Privacy Threats in Fintech

In Star Wars canon, the Rebel Alliance’s successful destruction of the first Death Star results in swift and harsh retribution from the Galactic Empire. By the end of The Empire Strikes Back, the secret base on Hoth is destroyed, the Alliance is scattered across the galaxy, Yoda is dead, Han is frozen in carbonite, and Luke is down a hand but up one evil dad. 

Just like the Rebels’ success brought new problems, fintech’s increased importance in our lives means the fintech industry is facing a new and ever-growing threat matrix.

Because they enable access to real-time financial data and other sensitive personal data like social security numbers and credit card details, fintech firms were a primary target for hackers even before COVID. 

Current security challenges include:

  • Modernization of legacy systems that do not have adequate data security capabilities
  • Undersecured mobile apps
  • Processing consumer data using third-party vendors with poor protections
  • Phishing, spoofing, and other social engineering techniques
  • Synthetic identity fraud
  • Transaction fraud

The biggest threats facing fintech aren’t that different from the threats facing everyone else, but the economic, reputational, and individual ramifications of fintech data breaches are staggering.

Fintech data usage

Another issue facing fintech that can be spun into a positive: how data is collected and used—and how consumers feel about it. When users provide information for financial purposes, the intent is different than when making an online purchase for a pair of shoes or a new light fixture. Financial information is sensitive and very personal to individuals. 

Fintech companies need to design their practices to address those expectations. Make it clear how data is shared, which pieces are shared, and what users should expect. Even if the law (often a grey area) allows this sharing, customers might not be willing to accept it. 

Take Venmo, for example. Transactions are shared via a social feed when you log in, but users have the option to make their transactions private. This approach raises the question of what truly gives consumers the greatest privacy control. By taking an opt-out rather than opt-in approach, Venmo users who didn’t make the change or who might be unaware of the feed could be unknowingly sharing their financial transactions. 

To provide the greatest level of consumer control over privacy, opt-in should be the privacy-by-design approach companies choose. 

A New Hope: How to Protect Privacy and Still Profit

People often talk about data privacy and cybersecurity like they’re the same thing, but they aren’t. They need each other, but they have nuanced differences. Where cybersecurity focuses heavily on solutions for securing consumer data, data privacy is a more holistic approach that combines tech, process, and people to instill a culture of privacy best practices while focusing on the use and collection of data. 

In A New Hope, the first movie in the Star Wars saga, Luke, Leia, and Han provide the Rebel Alliance with the missing pieces of their battle plan. We’re here to give you the keys you need to protect your customers from the Dark Side by building a strong, cost-effective data privacy program.

Create cross-functional compliance

You can’t have a good privacy program without input from every department in your organization. Your customer service reps who access private data to verify mobile payments need to be following the same standards as your marketing team does when they send customized promotion information and as your IT department does in managing the technical details of a transaction.

But while the standards need to be the same, the processes may not be. Depending on what platforms your teams use and how matrixed your company is, the way teams achieve privacy compliance may look different.

To ensure all your teams are working towards the same goal, it’s crucial to create a cross-functional task force that allows departments to collaborate on troubleshooting, process updates, and employee training.

Define your data

All fintech firms need to analyze their data collection practices, but this is especially true for financial technology companies that use legacy programs. If this is you, listen up.

The more data you have, the more access points hackers have. The older the systems your data is on, the less likely it is to be well-protected.

The best way to figure out if you’re collecting data you don’t need, keeping it too long, or storing it unsafely is through what privacy experts call data mapping. Also known as a data inventory, data mapping involves following a data record through its entire journey in your system.

Figuring out what types of consumer data you’re collecting, which consent options fire at collection, who the data is shared with, what your teams are doing with it, where you’re storing it, how you’re protecting it, and how long you’re keeping it will help you identify vulnerabilities and opportunities for improvement.

Analyze your access

One of the easiest, most low-tech ways to protect your data is to restrict access to it. If you use legacy platforms, data mapping may even show you that former employees still have access to databases, entry-level employees can get into what are supposed to be highly secure files, and vendors can enter records that have nothing to do with their contracts. 

By using the principle of least privilege, which gives employees the minimum amount of data needed to complete their job, you can instantly eliminate risk.
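The access review described above, as an added Python example that is not part of Red Clover’s material: it takes a constructed list of access grants plus a roster of employees and vendors and flags exactly the three problems the section names (former employees who still hold access, roles reading data above their need, and vendors reaching datasets outside their contract), plus grants for principals nobody can account for. The roster, dataset tiers, contract scopes, and finding codes are all assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str     # "employee" or "vendor"
    status: str   # "active", "terminated" (employee) or "expired" (vendor contract)
    role: str     # job role for employees; vendor company name for vendors


# Least privilege: a role may reach a dataset only if it needs it for the job.
# Tiers and role sets are assumed for this example.
DATASET_ALLOWED_ROLES = {
    "customer_contact":      {"support", "marketing", "engineering", "finance"},
    "payment_transactions":  {"support", "finance", "engineering"},
    "ssn_and_kyc_documents": {"compliance"},
}

# Which datasets each vendor is contractually scoped to process (assumed).
VENDOR_CONTRACT_SCOPE = {
    "NotifyCo":          {"customer_contact"},
    "StatementPrinters": {"customer_contact", "payment_transactions"},
}


def review_access(grants: list[tuple[str, str]],
                  roster: dict[str, Principal]) -> list[tuple[str, str, str]]:
    """Return (principal, dataset, finding_code) for each grant that violates least privilege."""
    findings = []
    for principal_name, dataset in grants:
        p = roster.get(principal_name)
        if p is None:
            # Orphaned or service account nobody owns: common on legacy platforms.
            findings.append((principal_name, dataset, "UNKNOWN_PRINCIPAL"))
            continue
        if p.status != "active":
            # Former employee or expired vendor still holding access.
            findings.append((principal_name, dataset, "ACCESS_AFTER_OFFBOARDING"))
            continue
        if p.kind == "vendor":
            if dataset not in VENDOR_CONTRACT_SCOPE.get(p.role, set()):
                findings.append((principal_name, dataset, "OUTSIDE_CONTRACT_SCOPE"))
        elif p.role not in DATASET_ALLOWED_ROLES.get(dataset, set()):
            # Entry-level role reaching what should be a tightly held dataset.
            findings.append((principal_name, dataset, "EXCEEDS_LEAST_PRIVILEGE"))
    return findings


def revocation_list(findings: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Every flagged grant is a (principal, dataset) pair to remove; de-duplicated, in order."""
    seen, out = set(), []
    for principal_name, dataset, _ in findings:
        if (principal_name, dataset) not in seen:
            seen.add((principal_name, dataset))
            out.append((principal_name, dataset))
    return out


# Constructed sample roster and grants for a hypothetical fintech; not real people or systems.
SAMPLE_ROSTER = {p.name: p for p in [
    Principal("alice", "employee", "active", "support"),
    Principal("bob", "employee", "terminated", "engineering"),
    Principal("carol", "employee", "active", "compliance"),
    Principal("dave", "employee", "active", "support"),
    Principal("NotifyCo", "vendor", "active", "NotifyCo"),
    Principal("StatementPrinters", "vendor", "active", "StatementPrinters"),
]}
SAMPLE_GRANTS = [
    ("alice", "customer_contact"),
    ("bob", "payment_transactions"),            # left the company, still has access
    ("carol", "ssn_and_kyc_documents"),
    ("dave", "ssn_and_kyc_documents"),          # support role reaching KYC files
    ("NotifyCo", "customer_contact"),
    ("NotifyCo", "payment_transactions"),       # beyond the notification contract
    ("svc_legacy_batch", "payment_transactions"),  # account nobody in the roster owns
]


if __name__ == "__main__":
    found = review_access(SAMPLE_GRANTS, SAMPLE_ROSTER)
    for principal_name, dataset, code in found:
        print(f"{principal_name:18} {dataset:24} {code}")
    print("revoke:", revocation_list(found))
```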

Vet your vendors

Hackers know that it’s much easier to breach a small company that sends customers notifications of payment details than it is to hack an actual bank. And, increasingly, that’s exactly what they’re doing.

There’s nothing worse than paying the price for a mistake you didn’t make. Take some time to ask your vendors about their privacy practices. If they don’t match yours, ask them to up their game or find a new provider. 

Train your teams

Just like you want every department on your privacy planning team, you need to make sure employees in every department are getting the same privacy training. Almost all data breaches are caused by human error. Whether it’s clicking a suspicious link, opening an infected attachment, or using a weak password, your employees can either be the best defense or the biggest liability your privacy program faces.

Spending a little bit of time in every staff meeting, email blast, or company-wide event setting clear expectations for how financial account information can be used, who can access it, and how to avoid fraud will deliver a huge ROI.

Do or do not. There is no try.

Here’s a hard truth—if you aren’t actively working on a data privacy program, you’re setting yourself up to fail. 

Rome wasn’t built in a day, and you don’t have to create a just-add-water program that launches with all features all at once. 

But you also can’t expect to avoid hacks with half-measures.

Forty percent of fintech businesses that have invested in upgrading their cybersecurity and privacy systems have seen a return two to three times over their initial investment. On a basic, bottom-line level, implementing data privacy best practices is a sound business strategy.

But even more importantly, proactive privacy efforts can improve your reputation with both consumers and clients while saving you from embarrassing breaches.

Red Clover Advisors is a privacy consulting firm that specializes in helping businesses design and implement practical, functional privacy strategies. Give us a call to see how we can help you.

Ahhh, October. Changing leaves, dropping temperatures, pumpkin spice everything. What’s not to love?

One of the best things about the only month to start with an O? Our favorite holiday, one that unites people around the country, is in October.

That’s right, folks. October is home to Cybersecurity Awareness Month.

Wait, did you think we were talking about Halloween?

Halloween is great, but candy and costumes don’t hold a candle to cybersecurity.

How cybersecurity took over October

In 2004, as part of an expansive effort to protect people online, the US Department of Homeland Security and the National Security Alliance launched the first-ever Cybersecurity Awareness Month. Initially, goals for the month focused mostly on getting people to update their antivirus software and stop sharing identifying information online.

Over the last 18 years, however, there has been an explosion in eCommerce, cloud-based solutions, and app usage for everything from banking to project management. This dramatic digital growth has transformed cybersecurity awareness from a cute consumer campaign to a key component of economic (and national) security.

Coffins and cauldrons and criminals, OH MY!

It’s our theory that the head honchos made October Cybersecurity Awareness Month because a data breach is one of the spookiest, scariest things that can happen to a company. But to be successful, the spirit of cybersecurity awareness needs to stay in your heart all year long.

Because cybercriminals will attack you all year long, not just in October. And just one hack can cost your business a lot, both financially and reputationally.

Statistics on cyber skullduggery

If you don’t think you need to pay attention to cybersecurity because your business is small or you’re in a niche industry, consider the following facts:

We could go on and on, but the proof is in the pumpkin pie. Cybersecurity really is just part of the cost of modern business operations, even if you aren’t an international corporation with a major online presence.

The global COVID pandemic made that abundantly clear.

Cybercrime increased 600% over the course of 2020 and 2021 as companies around the globe were forced to quickly set up work from home and remote work operations. Advanced phishing scams, malware emails, and ransomware attacks have grown exponentially in sophistication, frequency, and destructiveness, which means governments are starting to pass legislation aimed at protecting sensitive consumer data and mandating stricter cybersecurity programming.

Basically, you really can’t afford to not be proactive.

A manual for magical security measures

Technology changes so frequently and so rapidly that it’s normal to feel like you need a spell to build an effective cybersecurity program—but you don’t.

Following a few simple steps can dramatically increase your ability to protect your business.

  1. Hire a cybersecurity professional
  2. Tighten up your data collection and storage practices
  3. Improve your security measures
  4. Increase the frequency and quality of your employees’ cybersecurity training

Hire a cybersecurity/privacy officer (or contractor)

Your success as a company is likely based on your specific expertise. If you want your cybersecurity program to succeed, you need an expert. 

Whether you hire a full-time Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO), engage a fractional executive, or seek out an independent contractor, having a cybersecurity pro on your side will save you time and money.

Tighten up your data collection and storage practices

Every digital data record you have is a cyber risk. Some types of data, like consumer information, are more valuable than others, but all data is valuable to hackers.

This means that if you’re collecting more data from employees or customers than you actually need (do you really need to know their favorite ice cream flavor?), you’re more likely to be the victim of a breach.

The same thing applies to how and how long you store all that data. Storing unnecessary data in databases that a bunch of people have access to over several years is kind of like leaving a key to your front door under an obviously fake plant on the porch. That key doesn’t guarantee that someone will break in, but it also makes it easier to open the door. 

Improve your security measures

Improving security measures usually requires the help of an IT specialist, but knowing what to ask for can go a long way towards getting your company to the cutting edge of what’s possible.

If your company is regularly handling sensitive data, you should look into:

  • Two-factor or multifactor authentication (requiring more than just a password for system, network, or data access)
  • A policy mandating regularly scheduled password changes and setting complex password requirements (10-character minimum, use of special characters, etc.)
  • A strict and enforceable mobile device management policy that explicitly prohibits the use of company devices for personal business (and vice versa)
  • A clear, cross-functional plan for ensuring software patches and updates are regularly and correctly installed
  • The principle of least privilege, limiting each person's data access to the minimum amount of data needed to complete a task

Improve the frequency and quality of your cybersecurity training

Hackers change their tactics to match technological advancements all the time. To keep up, your training needs to be engaging and consistent.

This doesn’t mean, however, that you need to be sending your team to day-long symposiums every quarter. Cybersecurity awareness training can be:

  • A five-minute refresher on how to avoid phishing scams during a monthly staff meeting
  • A weekly email reminding employees of requirements for password complexity or the use of public WiFi networks
  • An off-the-shelf product covering essential data protection practices (we have our favorites)—or a tailored version like the one we offer for companies that want to make sure all aspects of their business are addressed

The most important thing about your training is that it needs to be frequent. 

Employees are far more likely to comply if they understand why your cybersecurity policies are important and what role their actions play in helping protect your business.

The best way to help them understand all that is to make those best practices part of your company culture.

Avoid the tricks and keep the treats

Having a month dedicated to raising awareness of online threats is a great way to get everyone on the same page and to educate people about emerging threats.

But just like the smart kids try to ration their Halloween candy so it lasts until the next big candy holiday (Valentine’s Day), smart businesses will use Cybersecurity Awareness Month to jumpstart a commitment to building a robust cybersecurity program that includes frequent, cross-functional reviews of internal policy, increased dedication of resources to program maintenance, and expanded access to quality training.

If you need help figuring out what your company needs, give us a call.

When you go on a road trip, you need to know where you’re going and how you’re going to get there. When you are building a data privacy and security program, you need to know the same things.

How to Plan Your Data Mapping Road Trip

Anyone who has used a map to plan a road trip knows there is more than one route to get you where you’re going. Some ways are faster than others, some have better views, and some are just a bad idea (driving from Iowa to Disneyland only on country roads under construction will still get you there, but probably not without a few flat tires along the way).

Building and managing compliant data privacy programs with proven best practices, or “good roads,” can save you time and money, reduce your risk of a data breach, and increase your customers’ trust in your commitment to them.

When it comes to data privacy, you need a data map.

Why you need a data map

New consumer privacy rights laws have created an urgent need for companies to understand how and why they are using the data they collect from their customers. 

The European Union’s General Data Protection Regulation (GDPR) mandates that businesses have a legal basis to collect and store sensitive consumer personal information. 

The United States employs a sectoral, or state-by-state approach to privacy legislation, and the state laws adopted so far mimic the provisions of the GDPR. The California Privacy Rights Act (CPRA), which will be operative beginning January 1, 2023, and the Virginia Consumer Data Protection Act (VCDPA) are moving US legal standards towards requiring a business purpose for the storage of consumer data.

A data map can help you make sure you are complying with all those requirements.

Packing the car

Packing the car for a road trip is an art as much as it is a science. You have to pack what you need for where you’re going, but you also have to prepare for what might come up while you’re getting there. 

That means packing snacks, bags in case someone gets carsick, games to alleviate boredom, music to keep you awake, earplugs to block out fighting kids, and ibuprofen for when the earplugs don’t work. 

Building the infrastructure and processes for your data privacy program is like packing your car for a road trip. You need to know where you’re headed (compliance!) and what you need to get there (a granular understanding of your data).

You need to know:

  1. What data elements, or types of data (name, address, phone number, username, password, financial data, location), you are collecting.
  2. Where the data came from (phone contact, online forms, messaging interfaces, etc.)
  3. Where, how, and how long you are storing your data (In-house? On a vendor server? In the cloud?)
  4. How each data element is used (in-house analytics? Customer outreach? Third-party applications like shipping management?)

How to build a packing checklist for your data

Data records play a key role across multiple business functions, so the best way to get a granular understanding of your data is to have a cross-functional team spend a day being a data record.

Working with IT, marketing, customer service, and operations teams, track a single piece of data through your entire system. Figure out all the places you are collecting data, all the types of data you are collecting, where it goes once it enters your system, who has access to it, and where it is vulnerable to breaches or corruption.

Small businesses may be able to track all this information in a spreadsheet, whereas mid-sized companies and larger companies probably need to automate the process using a software platform. But tracking this data is only half the battle.
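The packing checklist above (what you collect, where it came from, where and how long it is stored, and how it is used) is easy to keep in a spreadsheet, but the value comes from asking questions of it. The block below is an added example, not Red Clover Advisors' code or tooling: it models a data map as a small register and runs the checks a privacy team would want automated, flagging elements with no documented business purpose (data minimization), rows kept past their retention period, every location an element lives in (what an access or deletion request must reach), and the third parties that receive data (the vendor audit list). The systems, vendors, dates and records in it are constructed sample data, and the `AS_OF` date is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed "as of" date for the checks below (assumption, not from the article).
AS_OF = date(2021, 10, 1)


@dataclass
class DataRecord:
    """One row of the data map: one data element in one storage location."""
    element: str               # what is collected (name, email, location, ...)
    source: str                # where it came from (form, app, phone call, ...)
    storage: str               # where it is kept (in-house DB, vendor, cloud)
    retention_days: int        # how long it may be kept
    purposes: list[str] = field(default_factory=list)     # how it is used
    collected_on: date = AS_OF                            # when it entered the system
    shared_with: list[str] = field(default_factory=list)  # third parties receiving it


# Constructed sample inventory; every system and vendor name here is hypothetical.
SAMPLE_MAP = [
    DataRecord("email", "signup form", "crm_db", 730,
               ["customer outreach"], date(2020, 3, 1), ["mail_vendor"]),
    DataRecord("email", "signup form", "analytics_warehouse", 365,
               ["in-house analytics"], date(2021, 6, 1)),
    # Collected "because we could": no purpose is recorded for it.
    DataRecord("favorite_ice_cream", "survey", "crm_db", 3650, [], date(2019, 1, 1)),
    # 90-day retention, but collected 122 days before AS_OF.
    DataRecord("location", "mobile app", "shipping_vendor", 90,
               ["shipping"], date(2021, 6, 1), ["shipping_vendor"]),
]


def unjustified(records: list[DataRecord]) -> list[DataRecord]:
    """Elements with no documented business purpose: justify them or stop collecting."""
    return [r for r in records if not r.purposes]


def retention_exceeded(records: list[DataRecord], today: date = AS_OF) -> list[DataRecord]:
    """Rows kept past their retention period: stale data that is only risk."""
    return [r for r in records if (today - r.collected_on).days > r.retention_days]


def storage_locations(records: list[DataRecord], element: str) -> list[str]:
    """Every place an element lives, i.e. what an access or deletion request must reach."""
    return sorted({r.storage for r in records if r.element == element})


def third_parties(records: list[DataRecord]) -> list[str]:
    """Vendors that receive data; each one belongs on the vendor/cookie audit list."""
    return sorted({v for r in records for v in r.shared_with})


def report(records: list[DataRecord] = SAMPLE_MAP, today: date = AS_OF) -> dict:
    """Summarise the findings for the cross-functional review."""
    return {
        "unjustified": [r.element for r in unjustified(records)],
        "retention_exceeded": [(r.element, r.storage) for r in retention_exceeded(records, today)],
        "third_parties": third_parties(records),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    print("email lives in:", storage_locations(SAMPLE_MAP, "email"))
```

Run against the sample register, the report flags `favorite_ice_cream` as collected without a purpose, flags the `location` row at the shipping vendor as past its 90-day retention, and lists both vendors for audit; asking where `email` lives returns both the CRM database and the analytics warehouse, which is exactly the mismatch Rule 3 below warns about when the team handling consumer requests only knows about one of them.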

You also need to know the rules for using it.

Rules for the road

Just like seat belt laws and speed limits, the laws that govern data privacy vary by region and sometimes by industry. But there are basic rules that provide good markers for you to follow.

Rule 1: Go backward to go forward

One of the most common mistakes people make when building a data privacy program is to silo updating their privacy and cookie notices from their data mapping process.

It’s much better to start with data mapping—you need this knowledge in place before you can develop your privacy notice. 

When you know everything there is to know about your data and what you’re doing with it, creating a privacy policy to explain it all is a piece of cake.

And here is one more piece of advice: don’t create a privacy policy that is only four pages of legal speak. Although your situation might require a lengthy (and not particularly reader-friendly) privacy notice, that doesn’t mean you can’t also create a short, visually engaging summary containing icons and infographics to help your reader digest the information.

Rule 2: Don’t use cookie-cutter solutions

Nearly all data privacy laws around the world make it risky for companies to collect more data than they need and to store it for longer than they need to because these laws give consumers the right to, for example:

  • Know what information companies have collected about them
  • Correct collected data that is inaccurate
  • Delete data from a company’s database
  • Opt-out of having their data shared and/or sold

These laws also require companies to take “reasonable security measures” to protect their data. 

There are two main problems with using a spreadsheet or an off-the-shelf software solution to handle the management of your data. One is that these solutions don’t take your company’s unique challenges into account, and the other is that implementing any tracking tool requires an understanding of privacy laws and risks.

One example—privacy laws don’t really specify what “reasonable security measures” look like, and there are different fines and penalties associated with which types of data are exposed if your reasonable security measures get hacked.

But if your business and an email marketing company are both using the same software solution, it may recommend the same security measures to each of you, even though your risks are different. Even scarier, if you’re only using Google Sheets, you’re on your own to figure out what a reasonable security measure looks like.

Hiring a privacy consultant or fractional privacy officer who is an expert in identifying and resolving privacy risks can protect you from mistakes your DIY or off-the-shelf program might not catch.

Rule 3: Don’t make a map and then not use it

What’s the point of asking Siri for directions if you don’t listen to the answer?

As we mentioned earlier, data privacy isn’t the responsibility of just IT or just marketing or just customer service or just legal. 

Data privacy is the responsibility of every single person in your organization.

Another common mistake companies make in putting their data management program together is to let one team develop the data collection and storage protocols while a totally separate team develops the processes consumers use to file individual rights requests or data subject access requests (DSARs).

If these teams aren’t talking to each other, your consumer-facing protocols may not match up with your internal systems. Even though you were trying to do the right thing in creating these processes, isolating the two development efforts creates a mismatch that will make more work for you, put your data at higher risk of exposure, and confuse your customers.

Just like with a road trip, the map comes first. Once your data map is finished, your whole team will be able to see the best route for employees and customers to take when interacting with your data assets.

Rule 4: Don’t forget to change your oil

No one wants to be that person stuck on the side of the road, holding up the hood of the car and staring down at a smoking engine while screaming kids standing in the tumbleweeds throw Goldfish crackers at each other.

Your car needs regular maintenance to be able to perform, both on trips to the grocery store and trips across the country.

A data privacy program is like a car—it needs regular checkups to run smoothly.

If you can update your privacy plans once a year, it will be exponentially easier to stay compliant with changing laws and best practices. 

We can be your privacy mechanic

At Red Clover Advisors, we believe in the power of data privacy to build trust, give more value than you take, and create great experiences. If you need help drawing or following your data map, we can help. Give us a call today to get started.


What is the difference between privacy and security?

Good question! If you’re not sure, you’re not alone. These two issues are related—but they’re not exactly the same. Curiosity piqued? Allow us to explain.

Two sides of the same data governance coin

Most people use privacy and security interchangeably when they talk about data. Because they are so closely related to and dependent on each other, it’s understandable.

But it’s not accurate.

What is data privacy?

In the professional privacy world, we define data privacy as anything related to the way organizations collect, handle, process, use, and store the personal information of individuals who could be consumers, users, clients, patients, employees, or citizens. Part of data privacy is maintaining compliance with local and federal laws.

What is data security?

Data security, on the other hand, is defined as the practice of protecting digital information from malicious threats, corruption, or theft. Touching every operational application of information security, data security encompasses the tools, technology, and security controls used to deter and/or prevent bad actors from gaining unauthorized access to sensitive information.

They go together like PB&J

Taken together, data privacy and security are the perfect example of cybersecurity symbiosis. In fact, the title of this article is misleading—it’s not privacy versus security. They aren’t fighting each other for dominance, they are working together to lift each other up.

But like most symbiotic relationships, it’s a complicated, delicate balance. Think about it like this: your house needs windows to protect your privacy and your security. If your house has no windows, anyone can climb in and go through your fridge or your files and walk out with your family heirlooms.

If you install windows, your security is dramatically increased because your would-be thief can’t get in your house without significant effort. You also have more privacy, since no one can see the secret guilty stash of spray cheese you have in your fridge for bad days. (Also, you know, they can’t go through your cabinets and find your social security card or other private data).

But your privacy isn’t totally protected. Someone could still look through your windows and watch you eat your spray cheese after your boss chews you out on Zoom, or worse. Even with the windows, you need to put up blinds to safeguard your privacy.

We can keep this metaphor going. Adding alarms to your windows? That’s another security control. Hanging drapes over your blinds? Ta-da! You’ve got extra privacy control in your arsenal. Good data protection programs have interrelated safety measures layered on top of each other in a cozy cybersecurity cocoon.

So which comes first, the peanut butter or the jelly?

Most clients come to us asking which program they should build first, their data security or data privacy program. 

The answer?

Because they are so intertwined, you need to do it simultaneously. And with more and more jurisdictions starting to pass legislation similar to the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you need to start soon.

So let’s talk best practices, the kind that can help confused, overwhelmed, and/or resource-strapped teams make meaningful changes.

Data security best practices

Even the most un-techy business owners know they need secure systems to protect the private data they collect from their users. Data breaches and the resulting identity theft that often follows have real financial and reputational costs. 

A strong data security system is built on the three pillars of information security—confidentiality, integrity, and availability.

  • Confidentiality means data is only accessible to individuals with the appropriate permissions. 
  • Integrity means data is not tampered with, modified, or degraded at any point in the data lifecycle.
  • Availability means data is protected against things like power surges, hardware failures, and cyber threats while still being accessible to authorized users on demand.

No system is 100% secure, but here are a few examples of ways you can lower your risk.

  • Data mapping: Following a data record through its full lifecycle will expose where data is vulnerable in your system.
  • Access controls: The principle of least privilege, only granting access to the minimal amount of data needed to complete a task, can dramatically reduce the risk of exposure through low-level accounts or devices.
  • Strict password requirements: Encourage your teams to change their passwords regularly and to make sure their passwords are different from passwords they use for personal accounts.
  • Multi-factor authentication: Using a combination of passwords, PINs, verification codes, physical objects (like a key fob), and biometric scans provides additional assurance when verifying data access.
  • Device guidelines: If you don’t have company policies prohibiting employees from using work devices for personal reasons (or vice versa), you need them. The same thing goes for employees using public Wi-Fi channels.
  • Encryption: De-identifying and anonymizing your data removes personally identifiable information, so even if you’re hacked, it’s much harder for the bad guys to use your data.

I have to give you one warning: you can have the absolute best security practices in the world and not meet regulatory and best practice standards for privacy. 

That’s why it’s so important to build your security processes alongside your privacy program. You don’t want to have to redo all the hard work you put into your information security program because your privacy practices aren’t up to snuff.

Data privacy best practices

With consumers developing a growing awareness of the privacy landscape and demanding more control over how their sensitive information is collected and used, even companies that aren’t subject to privacy laws like the GDPR or the CCPA should be actively invested in building privacy into their workplace culture.

Strong privacy programs are built on the following principles:

  • Choice means your users get to decide what data they want you to collect, how they want you to use it, and how you share or sell it. 
  • Transparency means your users/consumers can easily find clear descriptions of your privacy policies, including what data you are collecting and how you are using it.
  • Data minimization means you collect the minimal amount of data needed to make your business function and store it for the minimum time necessary. 
  • Confidentiality means you protect the data you collect with the most stringent security controls possible.

These principles are important, but the most important, most foundational principle for privacy programs is choice.

Choice gives your customers a voice in their relationship with you, no small thing in a world where personal data is part of almost every transaction. And on a non-philosophical-but-still-important level, giving your customers choice makes your life easier. By utilizing a preference center, you give your customers the chance to correct their personal data if the information you’ve collected is inaccurate, and control how and how often you contact them. This benefits your own data sets and marketing campaigns!

Here are some specific steps you can take to strengthen your privacy practices:

  • Data mapping: Yep. This process is critical to both data security and data privacy. If you don’t know what you’re collecting, what you’re doing with it, or where you’re storing it, how can you possibly protect it?
  • Privacy policy updates: Is your privacy notice outdated and hard to understand? Take this opportunity to update your privacy notices and make them user-friendly.
  • Cookie/vendor audits: Privacy laws hold companies accountable for how their vendors use the data they share, so you need to make sure your third-party vendors and the cookies they provide have the same strict standards for privacy management.
  • Training: Your employees can make or break your security and privacy programs. They are simultaneously your biggest risk and your greatest asset. It’s up to you to actualize their potential by training them well enough that they clearly understand their role in your privacy program.
  • Build a preference center: A preference center, a centralized location where your users can interact with all aspects of your privacy program (request access to data, opt-in or opt-out of data collection/sale, change communication preferences, read privacy policies, etc.) streamlines privacy management processes for you and them. Win-win!

It’s sandwich-making time

As evidenced by the battles over using social media and facial recognition programs as part of law enforcement and intelligence gathering investigations, the balance between privacy and security will continue to evolve. As technology and consumer expectations change, you can expect best practices and regulatory requirements to follow.

While it may seem like a lot of work now, the best way to prepare yourself for these changes is to build an agile, responsive process now. Then, as changes come, you can build on your progress instead of having to start from scratch.

Red Clover Advisors is here to help you. We are experts in creating the perfect balance of peanut butter and jelly, er, privacy and security, in your data governance program. Contact us today to learn more.

“Regarding social media, I really don't understand what appears to be the general population's lack of concern over privacy issues in publicizing their entire lives on the Internet for others to see to such an extent… but hey it's them, not me, so whatever.” Axl Rose

Yes, that quote is really from Axl Rose. 

As in Axl Rose, the lead singer of Guns N’ Roses.

When the frontman for the “most dangerous band in the world” starts talking about data privacy, you know the issue is part of the cultural zeitgeist.


Big tech companies have a big problem

Machine learning happens when software programs “teach” themselves by using algorithms to extract and analyze a lot of data. And you may not realize it, but advances in machine learning have changed everything about our digital experience.  

Voice-recognition assistants like Siri and Alexa use machine learning to recognize commands. 

Social media and streaming platforms use it to recommend connections and content. 

Banks rely on machine learning to detect fraudulent activity and identify scams. 

Machine learning allows educational software to customize sessions for each student.

Basically, machine learning makes our lives markedly easier. But this ease comes at a tremendous cost.

Because machine learning requires a tremendous volume of incredibly detailed and frequently updated user data, technology companies tend to conveniently “forget” about privacy, leaving discussion of their privacy policies and programs until the last afternoon of a weekend retreat at the end of the year.

And so, often without even realizing it, technology leaders set themselves up to fail.

Privacy (by Design, that is.)

Were you thinking about privacy when you founded your startup? 

It’d be great if the answer was a wholehearted “YES!” but even if you’re just now joining the party, there are still lots of ways to make privacy a guiding light for your tech company. Where do you start? Consider Privacy by Design.

Privacy by Design, a concept originated by the former Information and Privacy Commissioner of Ontario, Ann Cavoukian, operates on seven core principles: 

  • Being proactive, not reactive 
  • Making privacy the default setting 
  • Embedding privacy into design of all things 
  • Fully functional privacy 
  • End-to-end security 
  • Visibility and transparency for all stakeholders 
  • Respect user privacy

While Privacy by Design is actually required for website developers under the EU’s General Data Protection Regulation, it’s also important for tech companies to consider. It provides the opportunity to refocus products, operations, services—really, anything in the scope of their business—on their users’ right to privacy. It doesn’t need to be any more complicated than having a finance department that handles payroll or a marketing department that sends out email.

When done correctly, it’s just part of the process. 

Social media section

You’d think after watching Mark Zuckerberg get hauled into a Congressional hearing after the Facebook/Cambridge Analytica scandal that other social media CEOs would make privacy a priority. But so far, they seemingly haven’t.

Clubhouse, the newest social media app taking the world by viral storm, is a prime example of tech companies putting profits before privacy.

Clubhouse is a free, audio-only app that is kind of like an old-school conference call, except that anyone in the world can join in on conversations hosted by experts on topics ranging from cryptocurrency to Real Housewives to immunology. Going from two million users in January 2021 to 10 million by February 2021, Clubhouse is so popular you have to be invited by a current user to even access the platform.

At first glance, Clubhouse seems like it would be a privacy dream. No video. Nothing is recorded. Hosts can kick trolls out of their rooms, block people from joining, keep people from speaking…it feels like Twitter and Facebook had a baby, gave it a flip phone instead of a smartphone, and set strict house rules for inviting friends over. 

But the reality is much more complicated.

Right now, Clubhouse allows new users to invite two friends to join the app. But to invite those two friends, users have to give Clubhouse access to all their contacts. 

All of them. 

Let’s say you, a privacy-savvy consumer, decide to join Clubhouse but are smart enough to protect yourself and your friends by not sharing your contacts. You don’t invite anyone. That doesn’t mean you’re safe lurking anonymously in the back of Clubhouse chat rooms. Once you sign up, Clubhouse notifies everyone who has you in their contacts that you are there, even if they aren’t in your contacts.

Facebook has updated their privacy settings and given its users more options for protecting their profile. Instagram now allows ‘Grammers to manage which and how many photos the app can access. Twitter allows you to change the privacy settings for each tweet. All three apps require an email address, and while they offer phone number verification, you don’t have to give them your phone number to use the platforms.

Clubhouse has none of those options.

You have to give Clubhouse your phone number. They say they’re working on it, but the app also doesn’t have great options for moderating or removing hate speech and dis/misinformation. On February 24, 2021, Clubhouse confirmed their security had been compromised and hackers had figured out how to live-stream feeds from multiple rooms. According to Business Insider, the Stanford Internet Observatory (SIO) found some of Clubhouse’s back-end infrastructure was transmitting audio and data traffic without encryption.

Everything but the kitchen sink

We’ve gotten so used to companies taking data from us for everything that everyone, from users to Clubhouse engineers themselves, probably doesn’t even realize the risk this type of sweeping, all-encompassing data collection practice exposes everyone to. Consumers put themselves at risk of having their identities stolen, identifying information exposed, and accounts hacked.

And for businesses, freewheeling data and privacy policies can cause lasting and permanent damage. Take a look at American Express’ list of seven risks every business should plan for:

  • Economic
  • Financial
  • Reputation
  • Operational
  • Competitive
  • Compliance
  • Security

With increasing privacy legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), companies that don’t give their privacy program the same consideration as their human resource, financial, and legal policies are taking on risk in every single one of these categories.

The CCPA levies civil penalties of $7500 for intentional violations of its restrictions and $2500 for each unintentional violation. This means that if you wait to shore up your privacy policy and you get caught not being able to tell a consumer what data you’ve collected from them or if your users’ personal data is exposed after a hack, you can accidentally cost your company tens of thousands of dollars. The law also allows the California Attorney General to seek an injunction against and halt business operations of offenders.

While the CCPA is the first and most aggressive privacy law in the United States, it definitely won’t be the last. States across the country either have passed or are considering a multitude of privacy laws, including some that are more robust than anything California has enacted. Privacy rights are the wave of the future, and waiting to do something about it increases the risk you’ll fall afoul of regulatory requirements.

Is there another part of your enterprise that you’d leave so vulnerable?

Don’t leave your door unlocked, and don’t expect IT to lock all the doors either

In 2015, Apple CEO Tim Cook gave a speech about privacy and security. It’s a great speech that provides some key insights into a mind that is shaping the world’s tech future. Even five years later, there’s a quote that still stands out:

“If you put a key under the mat for the cops, a burglar can find it, too.”

And since then, he's spoken about the imperative for the digital marketing market to stop horning in on people's privacy. At the Privacy & Data Protection conference in January 2021, he said:

“As I’ve said before, if we accept as normal and unavoidable that everything in our lives can be aggregated and sold, we lose so much more than data, we lose the freedom to be human. And yet, this is a hopeful new season, a time of thoughtfulness and reform.”

With this, Cook is highlighting how mission-critical privacy is for companies. When companies put sales and revenue growth ahead of privacy and security, they are taking on as significant a business risk as leaving their offices unlocked.

Luckily, you don’t have to be a privacy expert or a tech genius to take real steps to protect your company.

Prioritize privacy

Smart companies protect themselves by making their privacy program part of their core operations. Human resources, legal, financial, product and engineering, operations, and IT departments should be working collaboratively on workflows and processes that integrate forward-thinking data privacy policies across the entire organization. If you need help figuring out how to start, check out our privacy strategy, privacy compliance, and fractional privacy officer services. 

Train. And then train again.

Going along with the theme that every department should be part of developing your privacy program, it won’t do you any good to create the most amazing privacy program in the world if your employees don’t understand it. Privacy training doesn’t have to be full-spectrum seminars (but it can be!). Weekly email reminders, a quick agenda item in regular staff meetings, and small sections in a newsletter are all great ways to reinforce your expectations.

Less is more

One reason you need every department involved in your organization’s privacy work is you need to figure out exactly what data you need from users and employees to optimize your systems. And then you need to collect exactly that and nothing else. Limiting data collection decreases both your risk and your data storage costs while simultaneously making it easier for you to manage an agile response to changes in privacy regulations and best practices.

Sell it!

For some reason, even though they sacrifice privacy for sales and growth, everyone seems to forget that being privacy-friendly gives you a competitive advantage. You need to use it.

Remember that Tim Cook speech referenced earlier? Check out what else he said:

“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

Apple doesn’t need privacy to differentiate itself. They launched our modern, smartphone culture, made everyone a photographer, forever altered software development and distribution, and changed the way we access the internet. But they are smart enough to see that while everyone is willing to invest in developing the next generation of big data tech, far fewer companies are willing to put their resources towards protecting that data. 

Google Chrome controls 69% of the browser market and has a much higher usage rate than Apple Safari, but Apple was first to eliminate third-party cookies. They require software developers to include privacy labels detailing what type of data is collected for every app sold in the App Store. In short, Apple’s forward-thinking privacy policies have allowed them to continue changing their industry, even as other companies catch up technologically.

Your company can be like Apple. You can go beyond what is legally required to give your consumers maximum control of their personal information. And then, like Apple, you can control the conversation. 

Keep your eyes on the prize

Don’t get lost in the race to create and sell the best tech. Make sure you remember that your consumers are not your product. Their trust is the product that will make you perpetually profitable.

If you need expert help matching your privacy program goals to what is actually happening in your company, get in touch today and let Red Clover Advisors show you how easy and affordable privacy compliance can be.

Privacy compliance is a long road. Luckily, you don’t have to go it alone.

Privacy management software can help you set up a robust privacy program. But without a privacy expert, you will be driving blind.

If privacy laws had a relationship status, it would be “It’s complicated”

If you’re reading this article, chances are you know at least the basic outline of today’s data privacy landscape. Maybe you are already compliant with the European Union’s General Data Protection Regulation (GDPR), or maybe you’re in charge of managing a California Consumer Privacy Act (CCPA) compliance program. 

Maybe you are really on top of things and are heading up a project to be ready for the 2022 California Privacy Rights Act (CPRA) rollout.

But even if these acronyms don’t mean anything to you (yet), you recognize that companies need strong data privacy programs to stay competitive in the marketplace.

The California State Legislature and the EU General Assembly were the first governing bodies to pass modern, aggressive privacy laws, but they definitely won’t be the last. Right now, dozens of states are considering California-esque bills that will continue the trend of giving consumers more control over how their personal information is collected and used online well into the next decade. 

While the laws vary across jurisdictions, there are some common themes including:

  • Expanding the definition of what’s considered “sensitive personal information” beyond names, birthdays, and SSNs by adding things like your phone number, health information, sexual orientation, religion, political affiliation, etc.
  • Giving consumers a way to deny permission to have their sensitive personal information collected, shared, or sold
  • Requiring companies to provide transparent and understandable privacy and cookie notices at or before the time they collect personal data
  • Mandating companies take reasonable security measures to protect consumer data
  • Levying harsh civil, even criminal, fines and punishments for noncompliance or if data breaches result in consumers’ personal information being exposed

So if you’re here and reading this, you know enough to know you probably need help to manage it all.

The United States is a melting pot — and so are its privacy laws

Unlike the EU, which took a unilateral approach to defining privacy law for all member states—although it should be noted that member states do have unique laws pertaining to data privacy on top of them—the United States has adopted a sectoral approach to privacy, meaning that unless the data is part of a federal regulation like HIPAA, privacy and data protection laws are by and large driven by individual states.

Because so much of our nation’s economy and tech infrastructure comes out of California, most large corporations complied with CCPA regulations. This new best practice standard shifted consumer expectations, leading to a domino effect of mid-sized and small businesses following suit.

But other states are now working on their own laws, making internet privacy the wild west, with each town having a different sheriff.

And the digital world isn’t going anywhere anytime soon. In 2020, consumers dropped a cool $861.12 billion in e-commerce sales with U.S. merchants alone. The Internet of Things continues to drive technological advancements. 

Companies increasingly need a data privacy expert to guide them through the unmarked places on the map.

Enter Privacy as a Service (PaaS).

PaaS is your own personal privacy butler

Batman’s butler, Alfred Pennyworth, makes Batman’s life so much easier. Working quietly behind the scenes, Alfred keeps the Batmobile tuned up, the suits ready, and the gadgets loaded. He is the reason Batman can swoop down into the Batcave and rush out to save Gotham without thinking twice.

If you do business in multiple jurisdictions, have a complicated privacy program, or manage large amounts of personal data, PaaS (also known as Data Protection as a Service or DPaaS) can be your Alfred.

PaaS is a software platform that offers products and services to help you operationalize your company’s privacy program. It can be a real lifesaver for companies that don’t have a dedicated privacy team.

Privacy management groups like OneTrust build solutions that use advanced machine learning to help you build a program that complies with whatever privacy regulations affect you while simultaneously helping you be smarter about your data collection. 

Assessments and mapping and permissions, oh my!

Here is what PaaS can do for you:

  • Conduct privacy impact/data protection impact assessments for automating privacy processes
  • Map your data and help you collect a data inventory (data inventories, required by many new legislations, make it possible for you to remove/correct consumer data more easily and accurately)
  • Identify and predict risk and other weak points in your processes
  • Create and deploy privacy notifications, cookie consent banners, etc. with the standard contractual clauses required by law
  • Establish least-privilege access permission structure
  • Manage app consent processes on mobile devices
  • Automate breach incident actions and notifications
  • Onboard vendors and mitigate the risks they pose
  • Establish compliance with laws and regulations across multiple jurisdictions

It’s important to note that, while as close as cousins, PaaS programs are not the same thing as cybersecurity. The best privacy programs integrate privacy solutions into their larger cybersecurity plan.

But Alfred can’t be Batman…

I rarely tell clients that investing in privacy management software is a bad idea. 

But I also rarely tell them it’s all they need.

Anyone who has tried to get Siri or Alexa to answer a nuanced question knows that machine learning and AI have their limitations. Privacy management software is critical for companies to set up automation that can help with the privacy process, but if you don’t have a privacy expert guiding you through the process, well, you might as well hand the Batmobile keys and the Batarang to Alfred and send him off to save Gotham from the Joker.

The Joker (hackers, data thieves, and general internet bad guys) will win.

But if you combine the technology from the Batcave (privacy management software) with the experience and knowledge of Batman (your privacy expert), then you are in good shape.

Let’s leave the Batcave and talk about what this would look like in the real world.

Data Inventories

Data inventories are a big part of privacy programs, but let’s face it—they can be a big undertaking. However, the right software can cut down on the legwork by finding and documenting data. 

This alone is hugely helpful, but it doesn’t cover all your bases. You still need to determine the legal basis for data collection for GDPR. Or if the data has been sold under the scope of CCPA. Or if you can even collect and use that data in the first place. 

These kinds of questions are why privacy professionals are a critical resource for businesses. They have technical expertise and industry insight that can help you get answers—and solutions—to these questions. 

Social Media 

Facebook, Instagram, Twitter, and LinkedIn have historically been free advertising channels for businesses. But events like the Facebook/Cambridge Analytica scandal have made consumers much less likely to share personal information online.

The GDPR and CCPA control what categories and types of personal data a business can store about its users, but not all of the ramifications are clear yet. 

For example, it’s totally normal for a social network to host digital advertising. If a user clicks a link in one of those ads, now the app and the advertiser have the consumer’s information. Was the consumer adequately notified before the advertiser started collecting data? Is the activity considered the sale of data under CCPA? How should that be disclosed to the consumer?

The same principle works in reverse. If you have buttons for users to share your blog post or infographic on their social media accounts, are you confident you don’t have any exposure regarding whatever data that app collects from them? 

Notifications

The laws regarding privacy notices and cookie consent are constantly changing. Now that Apple and Google are eliminating third-party cookies, so are industry best practices. A privacy expert can help you maximize the functionality of your privacy management software so that your notifications are accurate and in line with industry standards so that you stay ahead of your competitors. If you do this, your privacy program can be a differentiating factor instead of just a cost center.

Individual rights requests

One of the most complicated parts of CCPA is the individual rights request provision. Under CCPA, consumers have the right to see what data you’ve collected about them and correct it if it’s wrong or delete it altogether.

A privacy management software can help you map the data so you can find it easily and quickly, but it can’t train your employees on how to execute a request. It can send notifications, but it can’t parse nuanced data to see if the request is valid. For that, you need a privacy expert. 

Privacy isn’t a one and done

Privacy is complex. So is software. And the implications of the wrong choice can be overwhelming! Don’t feel like you need to manage your company’s privacy program on your own.

Using a privacy management software can dramatically simplify your life, but if you don’t do it right, you’ll have a false sense of security. To have full confidence, you need to combine your PaaS program with the expert advice and knowledge of an expert. This expert doesn’t have to be a full-time employee. You can hire a consultant or cross-train another employee. 

Whatever you choose, remember to do regular checkups to make sure your program is keeping up with constantly changing legislation.

At Red Clover Advisors, we are experts in data privacy programs and training. If you need help picking a privacy management program, implementing the program you’ve picked, or maximizing your PaaS, drop us a line.

In 17th and 18th century England, highwaymen—thieves who traveled and robbed on horseback—concealed themselves along wooded sections of major roads leading out of London, waiting for the chance to stop vulnerable travelers in stagecoaches and carriages with a loud “Stand and deliver.” 

This was code for “hand over your jewelry, purse, money, weapons, and whatever else you’ve got right now before we shoot you!”

Highwaymen faded into history by the mid-1800s, but on today’s cyber highways, new highwaymen are lying in wait outside weak passwords, missing patch updates, and phishy emails, ready to steal sensitive financial data, personal information, and proprietary intellectual property.

Like the highwaymen of old England, hackers may have specific targets or they may attack indiscriminately. Either way, everyone from big corporations to government agents to regular people running regular businesses has what they want — data.

Because in today’s world, data=$$$$$.

All the bad actors

Most people use the term “virus” to talk about any external program that disrupts computing functions, but a virus isn’t the same thing as spyware. Trojans aren’t the same as ransomware. 

These guys are all malware, but they work differently. Because of that, a basic understanding of how each type of malware infiltrates and attacks your system is critical to understanding how to both protect against them and how to get rid of them if your defenses fall.

As hackers have become more sophisticated, so has their malware. Hybrid or exotic malware combines two or more techniques into a complicated, multi-step attack capable of inflicting layers of damage while remaining undetected for a long time, sometimes years.

Ransomware — the internet’s highwayman

Ransomware is malware that attacks a system by heavily encrypting data and holding it hostage until the victim pays an untraceable cyber currency “ransom” for its return. Computers are most commonly infected with ransomware when a user opens seemingly benign but malicious email attachments. 

Ransomware can also be activated by clicking on links in social media messaging apps or through drive-by downloads that happen when you visit compromised websites.

Ransomware has been around since 2005. Its popularity ebbs and flows, but according to Cybersecurity Ventures, a company was attacked by ransomware every 11 seconds in 2020. The potential cost by end-of-year is estimated at $20 billion. 

There are many reasons for this trend in ransomware hacks. An entire industry has sprung up around the development and sale of ransomware kits, meaning even people who aren’t expert coders can activate an attack. Expert coders who are criminally minded, however, have developed new ways to create ransomware capable of operating across platforms while encrypting ever-increasing amounts of data.

Additionally, COVID-19 transformed entire industries to a mostly remote workforce almost overnight, leaving all kinds of gaps in security and data protection systems.

Because they are less likely to have robust cybersecurity protocols, small- and medium-sized businesses have historically been the most frequent targets of ransomware. But 2020 brought a dramatic increase in ransomware attacks against K-12 school systems, hospitals and healthcare systems, police departments, and municipalities, all groups who rely on technology to provide a necessary public service and who are likely to have insurance policies capable of “standing and delivering” on a ransom demand. 

The attacks against these types of organizations have also revealed the modern-day highwayman’s newest weapon: double extortion ransomware.

Double extortion ransomware

Double extortion ransomware takes the original concept of ransomware — pay up if you ever want to see your files again — and takes it one step further. Instead of just threatening to delete your files forever, hackers are now threatening to sell your data on the dark web.

This newest variation has made hackers more likely to specifically target large corporations or more valuable information (or both). It also has made victims more likely to make sure the ransom is paid and thus avoid having proprietary information sold to competitors or being held liable for their customers’ personal information being available to criminals around the world.

Adding insult to injury, it’s possible, even likely, that the victim pays and the digital highwayman doubles their profit by selling the data anyway.

Protect yourself against highway robbery

The recent SolarWinds hack, in which Russia gained entry to multiple government agencies including the Department of Homeland Security, the Commerce Department, the Treasury Department, the Justice Department, and the State Department (as well as tech giants Microsoft, Cisco, Belkin, and Intel), is a perfect example of why it’s so important to shore up your defenses. 

Note: Keep SolarWinds in the back of your mind. We’ll come back to it.

Defending against ransomware, especially double extortion ransomware, isn’t easy, but it’s definitely doable. The solutions are common-sense solutions that any cybersecurity professional will tell you. In fact, you’ve probably been told about them at least once already. So do your future self a favor and listen up. 

Train your employees

There are a lot of high-tech, complicated things you can (and should) do to protect your data, but one of the most effective and least expensive things you can do to protect against hacks is to train your employees regularly and well.

The top three most common vectors for infection are email attachments, drive-by downloads, and malicious links. You can dramatically reduce your risk for breaches if you teach your teams:

  • What phishing emails look like 
  • Why they can’t enable macros in their email (Microsoft now has macros off as a default setting, but everyone has those employees who insist on turning them on)
  • How critical it is to avoid clicking links in emails you don’t recognize and/or downloading attachments from people you don’t know
  • What can happen if they download unapproved/not whitelisted software and/or apps
  • When it’s appropriate to give a program administrative permissions

Remember — these “training sessions” don’t need to be day-long events. You can spend five minutes in a staff meeting explaining why employees need to stay off public WiFi connections or send a weekly email reminder about policies on using company devices for personal reasons (or vice versa). IT can teach staff how to set strong passwords through a post on internal message boards. 

The important thing in establishing a privacy culture is consistency and clarity from the top down.

Backup your data

Yes, I know. Technically, backing up your data won’t protect you from a ransomware attack, but it can lessen the severity of the fallout. 

Most ransomware is coded to look for and encrypt or delete backup files, which means your backed-up data will be useless if it’s reachable from your main operating system. It’s most effective if you use a tiered or distributed backup strategy, prioritizing the most important data first and backing up data regularly using several modalities (cloud, external hard drive, etc.). 

One caveat — make sure your system has been cleared of any virus before you restore your backups. You don’t want to infect your backups and start the whole thing over again.

One more caveat — backing up your data may not help you if you are dealing with double extortion ransomware. As Justin Daniels, a shareholder, attorney, and cybersecurity expert at law firm Baker Donelson tells us, “Since double extortion ransomware is the latest variant, merely having separate backups is not sufficient. This type of ransomware means companies need to have in-depth cyber defenses that can identify the ransomware before it exfiltrates data as a prelude to the encryption of the company’s network.”

Use robust security software

I hate to break it to you, but if your small business is using a free download of basic antivirus software, you’re doing it wrong. 

You need a comprehensive, behavior-based security solution. Most conventional antivirus software runs signature-based detection, meaning the program looks for the specific code markers of known viruses. This is why your antivirus program is regularly pushing out updates—when new virus markers are discovered, antivirus companies engineer a signature to be added to your system.

By contrast, behavior-based security programs monitor activity and flag or halt deviations from normal behavior patterns. Using machine learning, this type of software can detect suspicious activity before malicious code can fully deploy.
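To make the signature-versus-behavior distinction concrete, here is an added example (written for this article, not code from Red Clover Advisors or any antivirus vendor). It runs a simple behavioral rule over a constructed file-activity log: a process that renames many files to a new extension across several folders inside one minute looks like encryption in progress, regardless of whether its binary hash has ever been seen before. The log line format, the process names, and the thresholds (10 renames, 3 folders, 60 seconds) are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed log format for this example (not a real product's format):
# "<iso-timestamp> proc=<image> op=<create|write|rename|delete> path=<src> [new=<dst>]"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_event(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def changes_extension(ev):
    """True for a rename whose destination carries a different extension (e.g. .xlsx -> .locked)."""
    if ev["op"] != "rename" or not ev.get("new"):
        return False
    return PureWindowsPath(ev["path"]).suffix.lower() != PureWindowsPath(ev["new"]).suffix.lower()


def detect_mass_rename(lines, window_s=60, min_renames=10, min_dirs=3):
    """Behavioral rule: flag a process that performs many extension-changing renames
    across several directories inside one sliding time window (thresholds are assumptions)."""
    recent = defaultdict(deque)  # per-process window of qualifying renames
    alerts = []
    events = [e for e in (parse_event(l) for l in lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not changes_extension(ev):
            continue
        q = recent[ev["proc"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > timedelta(seconds=window_s):
            q.popleft()
        dirs = {PureWindowsPath(e["path"]).parent for e in q}
        if len(q) >= min_renames and len(dirs) >= min_dirs:
            alerts.append({"proc": ev["proc"], "ts": ev["ts"], "renames": len(q), "dirs": len(dirs)})
            q.clear()  # one alert per burst, then start counting again
    return alerts


def signature_scan(sha256, known_bad):
    """Signature-style check for contrast: it can only match a hash already on the list,
    so a freshly built or repacked binary passes silently."""
    return sha256.lower() in known_bad


def build_sample_log():
    """Constructed sample: two benign Word autosave renames and one encrypt-like burst."""
    base = datetime(2021, 3, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()} proc=WINWORD.EXE op=rename "
        f"path=C:\\Users\\ann\\Docs\\~WRD0001.tmp new=C:\\Users\\ann\\Docs\\report.docx",
        f"{(base + timedelta(seconds=40)).isoformat()} proc=WINWORD.EXE op=rename "
        f"path=C:\\Users\\ann\\Docs\\~WRD0002.tmp new=C:\\Users\\ann\\Docs\\memo.docx",
    ]
    folders = ["Finance", "HR", "Legal", "Sales"]
    for i in range(12):  # 12 renames, 2 seconds apart, rotating through 4 share folders
        folder = folders[i % len(folders)]
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(
            f"{ts} proc=updater.exe op=rename "
            f"path=C:\\Shares\\{folder}\\file{i}.xlsx new=C:\\Shares\\{folder}\\file{i}.xlsx.locked"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_mass_rename(build_sample_log()):
        print(alert)
```

The benign process never crosses the threshold because it touches one folder a couple of times; the burst trips the rule on its tenth rename even though no hash list is involved. Real endpoint products weigh many more signals (process lineage, entropy of written data, shadow-copy deletion) and are tuned against far more benign activity than this toy rule, which is why a bare threshold like this one belongs in a detection lab, not in production as written.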

Re-evaluate your permissions structure

Vulnerabilities in permissions access are one of the most common ways hackers specifically target sensitive information. It always shocks clients when we do a data audit and they realize there is a customer service rep with access to a database full of SSNs or that sensitive data sets have an admin who left the company three years ago. 

There are two things you can do to improve your data privacy and data security programs. First, implement the least privilege principle for data access. This means people have access to the smallest amount of data needed to complete their tasks. 

Second, consider a zero trust model for your cybersecurity plan. Zero trust means everyone in your company treats anything that comes from outside your system as suspect. You can read more about the concept and how to implement it here.
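The two audit findings described above (a customer service rep who can read an SSN database, and a departed employee who still holds admin rights) are exactly what a periodic access review should surface. Here is an added example of such a review, written for this article and not taken from any client engagement or product: it checks a constructed access inventory against a hypothetical least-privilege policy and reports every grant that breaks it. The role names, dataset names, and policy sets are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str
    active: bool  # False once the person has left the company


@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    level: str  # "read", "write" or "admin"


# Hypothetical policy (an assumption for this example): which roles may touch
# sensitive data at all, and which roles may hold admin rights on any dataset.
SENSITIVE_ROLES = {"compliance", "dba"}
ADMIN_ROLES = {"dba", "it_admin"}

# Constructed inventory, not real data.
DATASETS = {"customer_ssn_db": "sensitive", "marketing_leads": "internal", "public_blog": "public"}
USERS = {u.name: u for u in [
    User("alice", "customer_service", True),
    User("bob", "dba", True),
    User("carol", "it_admin", False),  # left the company, account never disabled
    User("dave", "compliance", True),
]}
GRANTS = [
    Grant("alice", "customer_ssn_db", "read"),   # support rep reading SSNs
    Grant("alice", "marketing_leads", "read"),
    Grant("alice", "marketing_leads", "admin"),  # admin rights outside an admin role
    Grant("bob", "customer_ssn_db", "admin"),
    Grant("bob", "legacy_export", "read"),       # dataset nobody has classified
    Grant("carol", "customer_ssn_db", "admin"),  # ex-employee still an admin
    Grant("dave", "customer_ssn_db", "read"),
    Grant("erin", "public_blog", "write"),       # no matching user record at all
]


def audit_grants(users, grants, datasets, sensitive_roles=SENSITIVE_ROLES, admin_roles=ADMIN_ROLES):
    """Return (user, dataset, reason) tuples for every grant that violates the policy.
    Inactive and unknown accounts are reported once and not evaluated further."""
    findings = []
    for g in grants:
        u = users.get(g.user)
        if u is None:
            findings.append((g.user, g.dataset, "ORPHAN_GRANT"))
            continue
        if not u.active:
            findings.append((g.user, g.dataset, "INACTIVE_USER"))
            continue
        classification = datasets.get(g.dataset)
        if classification is None:
            # An unclassified dataset cannot be checked against the policy; flag it so
            # someone classifies it rather than silently treating it as harmless.
            findings.append((g.user, g.dataset, "UNCLASSIFIED_DATASET"))
            continue
        if classification == "sensitive" and u.role not in sensitive_roles:
            findings.append((g.user, g.dataset, "SENSITIVE_DATA_ROLE"))
        if g.level == "admin" and u.role not in admin_roles:
            findings.append((g.user, g.dataset, "ADMIN_ROLE"))
    return findings


def summarize(findings):
    """Count findings per reason code, handy for tracking the review over time."""
    counts = {}
    for _, _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for user, dataset, reason in audit_grants(USERS, GRANTS, DATASETS):
        print(f"{reason:22} {user:8} {dataset}")
    print(summarize(audit_grants(USERS, GRANTS, DATASETS)))
```

Running the review on a schedule (and feeding it the real HR leaver list rather than a hand-maintained `active` flag) is what keeps the "admin who left three years ago" from reappearing; the findings are the revoke list for the next cleanup.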

Have a recovery plan

You don’t want to wait until you’re in the middle of a breach to decide what you should do. To quote Ben Franklin, “By failing to prepare, you are preparing to fail.” 

Look at your data and create a hierarchy for your information. What information could you absolutely not operate without? Protect that first. Then move to the next most important data set and protect that.

Once you know what you are protecting and where it is backed up, you can start developing your recovery strategy. Your disaster recovery plan should: 

  • Identify the personnel needed to manage a breach
  • Include detailed documentation on your network infrastructure
  • Determine the data, technologies, and tools needed for each department to function and how long each group can function without it
  • Define a communications plan, including who is notified first (both internally as well as vendors) and how they are notified
  • Set clear recovery time objectives (RTO) and recovery point objectives (RPO)

You can find more information about setting up a disaster recovery plan here. Once you have a plan, you need to test it frequently. Practice simulations and table-top exercises and document what works and what doesn’t. Update your plan as your systems change. 

The time you spend on a solid plan will save you hours of pain if you’re ever actually hacked.

Back to SolarWinds

Okay, SolarWinds. How did the Russians manage to gain access to the top government agencies of the world’s reigning superpower and multiple global corporations? 

They used employees across all levels of each organization.

Russian hackers planted malware in a software upgrade for SolarWinds, a network management program used by 300,000 clients. After nearly 18,000 clients downloaded the update, hackers could mine networks, exploit vulnerabilities, and collect data undetected for nine months. Every expert out there says there are undoubtedly more victims than we know about and that it will take years to understand the full impact of the damage this single hack caused.

SolarWinds wasn’t a ransomware attack, but if it had been, the results could have been even more catastrophic. Implementing the failsafes listed above may not have completely stopped the hack, but it could have reduced the number of victims or shortened the amount of time it took to find the malware.

Things to remember in a stickup

Sadly, even the most prepared companies fall victim to ransomware bandits. Besides activating your well-tested and frequently updated disaster recovery plan, here are a few tips to keep in mind:

  • Identify and isolate the infected device. Turn off the WiFi and Bluetooth. Disconnect it from your network and any shared drives.
  • Turn off everything else. If there were any other devices or computers on the same network as your patient zero, turn them off, disconnect them from the networks, clearly label them as possibly infected, and put them in a separate location so no one accidentally reconnects them and infects everything else.
  • Do contact tracing on the remaining devices and computers. Look for weird file extensions and check your IT tickets for reports of files that won’t open or have gone missing, etc. 
  • Figure out what variant you’re dealing with. Whether you do it yourself or use a cybersecurity expert, knowing what type of ransomware you’ve caught may help you get rid of it. 
  • Contact law enforcement authorities. This is important both because law enforcement may have tools that can recover your data and because it will protect you from fines if the hack results in your clients’ data being stolen.
  • Don’t pay anyone anything. If you pay, there is no guarantee you’ll get a decryption key. It also makes you a mark, since hackers now know you are willing to pay for your data. 

Stand and deliver…yourself

When it comes to ransomware, your best protection is preparation. Remember, you don’t have to develop a comprehensive plan all at once. Start with the small steps that build a strong foundation, and then keep building.

And you don’t have to do it alone. Working with a data privacy professional to pick the right vendors, train your team, and stay on top of all of this throughout the busy year can simplify your life and establish efficient, effective operational privacy and security practices. 

We can help you. Call us today to take control of your data security and protect your company from highwaymen and their ransomware.

Avoid return-to-work security risks.

After a forced retreat to semi-permanent work-from-home status, many executives are now considering calling back their workers into the office. There are no doubt health risks that have to be taken into account when mapping out what this return-to-work process looks like.

However, there’s a bigger liability hiding in the shadows, nearly invisible to the return-to-work plans at the forefront of most executives’ minds. It’s the silent killer that has the potential to take your company down for good.

This disaster waiting to happen? Not addressing security issues.

It became common knowledge that cybersecurity needed to be prioritized during the lockdown, especially with phishing scams on the rise and problems with popular video sharing app Zoom plaguing users.

What many executives don’t realize is that returning to full-time office life also presents major security issues, and doing so without making appropriate updates, upgrades, and policy changes is dangerous.

Companies must step up to the challenges of the time, setting up processes and procedures that cover both work-from-home scenarios and working-from-the-office norms. After all, company hardware has been off-network and personal hardware may be storing company (and client) data. And there’s a good chance this will continue, with the new norm most likely trending towards a mix of work-from-home and work-from-the-office.

To help you understand the security implications of moving your workforce from home back to the office, we’re covering the critical areas you need to know to address every angle of risk. This will help you maintain safety in the areas you can’t see but that highly impact your business success.

The Return-to-Work Security Checklist

There are three areas you need to consider when addressing the risks of returning your team to a physical office location. Once these areas are implemented in full, there should be nothing standing in your way to return to a normal way of operating, albeit slowly.

1 – Policies & Procedures

During the rush to move all employees to work-from-home status, perhaps you taped together a plan for operations, bypassing existing measures in order to maintain productivity.

If this sounds familiar, you’re not alone.

But the quick fixes and Band-Aids employed in the fast-paced move to a work-from-home setup now must be reevaluated in light of returning to work. Even if you eventually created remote work policies and procedures, they won’t cover the new cybersecurity issues you’ll face for returning to work.

Either way, now is your opportunity to kill two birds with one stone: Combine work-from-home and return-to-work guidance into one policy and procedures standard.

The return-to-work portion should include:

  • Creating a cadence to aggregate and analyze return-to-work information.
  • Performing a risk assessment and a gap analysis for each facility.
  • Executing a safety plan based on risk assessment and mitigation.
  • Establishing communication protocols.
  • Evaluating cyber hardening policies.
  • Incorporating business continuity planning and compliance issues.

In addition to these, your policies and procedures should cover two other critical areas: password resets and new employee onboarding and training.

Password Resets

The reality is, your employees may have fallen into unknowingly bad cybersecurity habits during their work-from-home stints. This includes the possibility they’ve shared their laptops and passwords with family and friends. They may have re-used the same passwords when downloading software or setting up devices at home, too.

You must make it clear in your policies and procedures that passwords for all company devices and software must be reset before returning to a physical work location.

New Employees

If you’ve hired and trained new employees during the work-from-home exodus, you must provide training about how office life works when it comes to cybersecurity. This will be different in most ways from how you’ve trained them to work from home. Include company security policies pertinent to working in the office in your policies and procedures. And make sure you emphasize this portion to new hires entering your physical location for the first time.

2 – Rogue Devices and Software

Hardware and software can be a security blindspot when returning to work. It will be essential to update operating systems and software, as well as complete an inventory of personal and corporate devices being brought back into the workplace.

Steps you should take to do this include:

  • Run a scan on your network to identify new, unknown devices.
  • Train employees to avoid using personal devices at the office when possible.
  • Enforce device control to block unauthorized USB and other peripheral devices.
  • Revoke unnecessary software licenses and transition staff back to using resources provided on-site.

By taking these actions, you’ll ensure the safety of your company information, employee information, and client information when returning to work.

Software Patches

There’s a good possibility that your team has inadvertently welcomed viruses and other software risks onto their work and personal devices while working from home. There was no way to prevent this from happening, but there is a way you can stop these malicious bugs from infecting the rest of your software and devices.

Create a thoughtful plan for testing machines, identifying patch requirements, and updating the devices before an employee sets foot in the office. This will significantly decrease the risk of infecting your entire network and other devices with a virus from just one.
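The scan-and-inventory step and the patch-gating plan above can be combined into a single readiness check. The following is an added example, not code from the original article or from Red Clover Advisors: it reconciles discovery-scan output against an asset inventory and a patch report, sorting each device into unknown, personal, unpatched, or ready. The inventory, scan lines, and patch dates are constructed, and the 30-day patch threshold and review date are assumed policy values.

```python
from datetime import date

# Constructed asset inventory (not real data): MAC -> (owner, device class).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("alice", "corporate"),
    "aa:bb:cc:00:00:02": ("bob", "corporate"),
    "aa:bb:cc:00:00:03": ("carol", "personal"),  # approved BYOD
}
# Constructed patch report: MAC -> date OS patches were last installed.
LAST_PATCHED = {
    "aa:bb:cc:00:00:01": date(2020, 6, 20),
    "aa:bb:cc:00:00:02": date(2020, 2, 1),
    "aa:bb:cc:00:00:03": date(2020, 6, 25),
}
# Constructed discovery-scan output, one "ip mac hostname" line per host.
SCAN_LINES = """\
10.0.1.10 aa:bb:cc:00:00:01 alice-laptop
10.0.1.11 aa:bb:cc:00:00:02 bob-laptop
10.0.1.12 aa:bb:cc:00:00:03 carol-phone
10.0.1.13 AA:BB:CC:00:00:09 -
"""
MAX_PATCH_AGE_DAYS = 30          # assumed policy threshold
RETURN_DATE = date(2020, 7, 1)   # assumed date the review is run


def triage(scan_text, today=RETURN_DATE):
    """Sort scanned hosts into the buckets the return-to-work checklist needs.

    unknown   - not in the inventory: investigate before it stays on the LAN
    personal  - inventoried BYOD: ask the owner to use on-site equipment
    unpatched - corporate device whose last patch is older than the threshold
    ready     - corporate device that is inventoried and current
    """
    buckets = {"unknown": [], "personal": [], "unpatched": [], "ready": []}
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed scanner lines
        mac = parts[1].lower()  # normalise case before the inventory lookup
        if mac not in INVENTORY:
            buckets["unknown"].append(mac)
        elif INVENTORY[mac][1] == "personal":
            buckets["personal"].append(mac)
        else:
            patched = LAST_PATCHED.get(mac)
            if patched is None or (today - patched).days > MAX_PATCH_AGE_DAYS:
                buckets["unpatched"].append(mac)
            else:
                buckets["ready"].append(mac)
    return buckets
```

Only devices in the "ready" bucket would be allowed straight onto the office network; the other three buckets become work items for IT before the owner returns.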

3 – Facilities & Team

You may be overwhelmed with the changes that have to be made and the monitoring that has to be done before an employee sets foot back into your physical office location again. Hence the third step in lowering security risks: determining which facilities and teams will come back to work first.

Making sure all cybersecurity risks are handled individually is easier when there is a slow trickle of returning workers. Allowing all employees to come back at the same time will likely overwhelm your IT department, increasing the risk of a cybersecurity breach or an accidentally harmful action by an employee who hasn’t received policies and procedures training yet.

Limiting what facilities and team members return to work first will ease the burden and decrease liability for security issues. You should plan accordingly.

Conclusion: A Roadmap for Managing Rapid Change

There’s no doubt change has been – and will continue to be – rapid and substantial in 2020 when it comes to work environments. One thing remains the same, though: the need to maintain the security of information online and keep everyone involved safe from cybersecurity threats.

Your best course of action in order to remain in control when environments change rapidly is having a plan in place. Use the lessons from the beginning of this year to inform the creation of a roadmap for work-from-home and work-from-the-office. The latter is most likely here to stay, so you’ll need a plan for it that works now and is scalable for the future.

Note: A privacy roadmap is a living document, not something to be created at one point in time and used for the entire future of your company. Seismic shifts have taken place in the last 12 months with regard to privacy legislation, team working environments, and technology. When change is the only constant, you need a privacy plan that is scalable and flexible.

Having a plan can help your business manage future crises in the least amount of time, effort, and expense… and with the least amount of pain.

Most importantly, invite your employees into the plan. Give them clear, transparent communication about the information you have, the information you don’t, and what you’ll do as a company to lower cybersecurity risks for them.

Red Clover Advisors has been a strategic partner in creating work-from-home and workplace policies and procedures for companies across the country. We help you create a comprehensive plan covering cybersecurity, privacy regulations, and data protection unique to your company and team. To get started with your own roadmap, reach out to set up a free consultation with our experts today.

Disclaimer: Red Clover Advisors does not provide legal advice. The information within this article is meant to offer sound business advice. Businesses should seek final legal direction from counsel before publishing any policies and procedures.
