
Data Privacy Day (2021): Commercial Businesses

January 28, 2021 is Data Privacy Day and CyberSafeNV is proud, as a Data Privacy Day Champion, to play a part in this international effort by growing awareness and providing tips and guidance to help people and organizations to protect their data.  We will share a series of articles designed to explain some of the nuances around what privacy means as well as resources focused on a variety of internet users so that you can take appropriate measures to safeguard your privacy.

This third article is for commercial businesses, focusing on the latest updates and resources.

2021 Privacy Updates and What It Means for Businesses

In commemoration of Privacy Day this year, we are going to talk about the latest news in privacy and share some tips and resources to help organizations keep current. A lot happened last year, and privacy risks continue to emerge for organizations. As global laws continue to evolve and US laws play catch-up, organizations are drawn to increasing their compliance efforts.

Global Privacy Updates

Let’s talk about the elephant in the room: Brexit finally happened. The trade deal between Britain and the European Union has been approved, and we are now in the interim “grace period” during which data can continue to flow between the EU and the UK for the next four to six months.

To safeguard against data flow interruptions, organizations should consider the following precautionary measures:

  • Review and update Standard Contractual Clauses (SCCs).
  • The ICO may no longer be a part of GDPR’s One Stop Shop; review your interactions with data protection authorities.
  • Appoint EU and UK data protection representatives if necessary.
  • Update privacy notices, policies and DPIAs (Data Privacy Impact Assessments).

Meanwhile, in the southern hemisphere, Brazil’s comprehensive privacy law went into effect in September 2020. It’s called Lei Geral de Proteção de Dados, or “LGPD”. Penalties will take effect in August 2021.

LGPD is heavily inspired by the GDPR and the following are key areas to pay attention to: 

  • LGPD protects every user in Brazil irrespective of the data subject’s nationality and regardless of where the processing agent’s company is based.
  • Individual rights are consistent with GDPR but in addition, LGPD also gives people a right to access information about those with whom an organization has shared the individual’s data.
  • Organizations may transfer personal data to other countries that provide an “adequate level of data protection.” Brazil has not yet identified which countries it considers as providing an adequate level of protection.

Domestic Privacy Updates

You may already be aware of the California Consumer Privacy Act (CCPA), a pivotal law put into effect last year as the first major privacy law to give American consumers control over their personal information.

Within months of CCPA going into effect, the California Privacy Rights and Enforcement Act (CPRA) was passed this past November and will replace the CCPA as of Jan 1, 2023 – giving businesses two years to revisit their privacy programs to be compliant.

There are key differences between the two – here is a snapshot of a handful of the most notable ones:

  • The definition of “business” is shifting, which will change the types of business this law applies to. One such change is the threshold of customers, which will increase from 50,000 to 100,000.
  • There is also a new type of personal information defined in the CPRA: Sensitive Personal Information, or SPI. This includes (but is not limited to) passport data, social security numbers, financial account information, race, ethnicity, health records, and union membership.
  • New rights will also be set in place, such as the right to opt out of automated decision-making technology and the right to restrict sensitive PI.

California’s privacy laws have not only impacted businesses everywhere; many state legislatures around the country are also looking to model a similar law as more consumers have demanded transparency over their PII.

The State of Washington, which has tried numerous times to pass a privacy act in the past, is working on a new version for 2021.

This proposal adds stricter protections for consumer data collected during public health emergencies and introduces a private right of action, which allows for civil lawsuits in cases involving the use of personal data.

More information around this new Washington Privacy Act will be released as the year goes on, so stay tuned.

Additional Resources

How does one keep abreast of the ever-changing regulations? We’ve listed some resources you can subscribe to and follow.

Organizations should continue to monitor the development of LGPD, the privacy implications of Brexit, and the US state privacy laws, and are encouraged to do the following:

  • Perform Data Privacy Impact Assessments (DPIAs) regularly
  • Follow the strictest rule applicable to your organization
  • Adopt the Privacy By Design Principles (PbD)

If you haven’t already checked out these resources, here are some options to get more information on privacy standards.

Cited Sources:

https://www.dataguidance.com/sites/default/files/gdpr_lgpd_report.pdf

https://iapp.org/resources/article/state-comparison-table/

https://www.jdsupra.com/legalnews/third-time-could-be-the-charm-for-20529/

https://www.manatt.com/insights/newsletters/client-alert/the-california-privacy-rights-act-has-passed


Data Privacy Day (2021): Government Agencies

January 28, 2021 is Data Privacy Day and CyberSafeNV is proud, as a Data Privacy Day Champion, to play a part in this international effort by growing awareness and providing tips and guidance to help people and organizations to protect their data.  We will share a series of articles designed to explain some of the nuances around what privacy means as well as resources focused on a variety of internet users so that you can take appropriate measures to safeguard your privacy.

This second article is focused on the data privacy responsibilities of federal, state, and local governments. Millions of people in Nevada share their personal data with government organizations on a regular basis and may not know what steps those agencies are required to take to protect that data.

What data privacy rules do government agencies have to follow?

The Privacy Act of 1974, and the amendments applied to it over the years, provide explicit guidance on how federal agencies can collect, maintain, use, and disseminate information about individuals contained in any system of records they control. It also contains rules allowing individuals to access the data federal agencies collect and maintain on them and obtain a copy of the data or any portion of the data.  One of the most important elements of the Act is the rule for disclosing information about an individual to third parties.  The Act mandates that, with a limited number of exceptions, the data on an individual can only be disclosed to a third party with the written consent of the person to whom the record pertains.

You can read more on the Privacy Act of 1974 and its amendments on the U.S. Department of Justice website.  

The State of Nevada has similar legislation which applies to more than just State agencies.  Nevada Revised Statute 603A contains the rules government agencies, institutions of higher education, corporations, financial institutions, retail operators, or any other type of business entity or association must follow if they handle, collect, disseminate or otherwise deal with nonpublic personal information.  It contains requirements for how agencies must destroy records when they are no longer needed, steps agencies must take to protect data, and rules for disclosing a breach of the system of records maintained by the agency.

Your local city or county may have its own rules for protecting an individual’s private data.

What do I need to do?

If you work for an agency that collects personal data on customers and you have access to that data:

  • KNOW YOUR RESPONSIBILITIES: Ask your employer what steps you are required to take when gathering, using, or disclosing personal data you access.  Familiarize yourself with your agency’s privacy policy, and be prepared to discuss it.  If your agency doesn’t have a privacy policy, ask them to create one.
  • INFORM YOUR CUSTOMERS: Whenever possible, let your customers know why you are collecting their information, how you are using it, and what steps they can take to ensure it is accurate and protected.  Usually, the best way to do that is to provide them a copy of, or link to, your agency’s privacy policy.

As a customer, there are some basic steps you can take to help safeguard your privacy:

  • DO YOUR RESEARCH: Know what laws protect your data when it’s in the hands of federal, state, local, or commercial agencies.   Find out how an agency meets the requirements of those laws before giving them your personal information.
  • LIMIT THE DATA ABOUT YOU:  Only provide agencies with the minimum amount of information about you they need to provide you the services you are requesting.  
  • READ THE PRIVACY POLICY:  Almost all organizations have a privacy policy (quite often a link near the bottom of their main web page).  Read it to understand what information they are collecting and how they will be using that information.

Take action:

Update the privacy settings on at least one of your online accounts this Data Privacy Day (January 28).  Check the privacy and security settings on web services and apps and set them to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information. Get started with NCSA’s Manage Your Privacy Settings page:  https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/


Data Privacy Day (2021): Individuals

Data Privacy Day is an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust.

January 28, 2021 is Data Privacy Day and CyberSafeNV is proud, as a Data Privacy Day Champion, to play a part in this international effort by growing awareness and providing tips and guidance to help people and organizations to protect their data.  We will share a series of articles designed to explain some of the nuances around what privacy means as well as resources focused on a variety of internet users so that you can take appropriate measures to safeguard your privacy.

This first article is focused on individuals, with subsequent articles focused on small business and large enterprises. Millions of people, worldwide, are using the Internet to share data including our banking credentials, personal photographs, and our geolocations.  Although cyberspace is an exciting environment with a myriad of benefits, opportunities, and conveniences, it is also an increasingly risky one, with numerous threats to our privacy.

Why do you care?

Data about individuals can be and is used in a variety of ways.  Unfortunately, all too often, the manner in which the data is used is not known, expected, or even approved by you, the individual.  For example, when connecting to social media as well as mobile and smart devices (e.g. mobile phones, wearables, speakers, headsets, cameras, TVs, cars, toys and appliances), you are continuously generating information about your use, yourself, and others. This becomes an abundance of data that is very valuable to commercial entities and adversaries.  Bad actors target those data sets to steal and use for larger campaigns or missions.  That’s why it is important to understand the value of your personal information and how to manage it.  Your personal information is like money! Value it. Protect it.

Please see this infographic from the National Cyber Security Alliance (NCSA) to help you gain a quick perspective.  

What is Privacy really?

It is important to note that privacy and cyber security overlap but are not one and the same.  There is a difference between privacy and security.  Cyber security is necessary to protect data, but security alone is not sufficient to ensure privacy.  Privacy includes other aspects such as:

  • telling users what data is collected and how it will be used,
  • giving users a choice when their data will be used for purposes other than originally disclosed,
  • ensuring data is protected and can only be used for the purposes disclosed, and
  • ensuring data practices comply with federal, state, and international laws.

Sounds simple.  Don’t the companies and organizations need to take care of that?

As individuals, we need to share personal details and personally identifiable information (PII) in order to gain a service or conduct transactions.  However, we don’t want the information to be abused, lost, or used for purposes other than the reasons we shared the data.  This appears to be an easy ask, but it’s not easy to achieve because of conflicting local laws that require public access.

For example, court records must be made publicly available for public scrutiny and review to ensure citizens’ confidence in court rulings.  This need must be balanced with the need to ensure the privacy of the litigants. However, it becomes very difficult to balance the two objectives because, until recent years, the documentation in most court cases, both civil and criminal, included personal information and sensitive data such as individuals’ Social Security numbers.

What do I need to do?

Here are some basic steps to help safeguard your privacy:

  • DO YOUR RESEARCH: Before connecting your smart device to the Internet, do some research.  Ideally, you would conduct this research before purchasing any new internet-connected device by checking out user reviews on the product, exploring whether there have been any security/privacy concerns, and understanding what security features or limitations the device has.
  • CONTROL YOUR ONLINE PRESENCE:  Configure your privacy and security settings the moment you turn on a new smart device and are asked to sign in, sign up for a new online account, or integrate an existing account from other platforms like Google, Facebook, etc.  Most devices and accounts default to the least secure settings, so take the time to change those settings to be more secure.  For example, disable any features you don’t need, such as location tracking (your living room TV doesn’t need to track location), and update your software on those devices.
  • LIMIT THE DATA ABOUT YOU:  It is best to limit what information you put online.  For example, when completing or integrating a profile for an account, you don’t have to fill in everything.  If you do need to answer every field, consider answering those fields with illegitimate answers about yourself.  It’s not against the law to do so; however, you may need to pick a date of birth that shows that you are over 18 years of age.  Just remember those responses in case you need to recover your account.  If you find that a company does require truthful information about you, question whether you feel comfortable providing it, and understand what they do with that information.  Then reconsider creating a profile with that company.

Take action:

Update the privacy settings on at least one of your online accounts this Data Privacy Day (January 28). Here’s how: staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/


17th Annual CSAM – Week 4 Social Engineering Increases Risks in Cyber Security Posture

Hackers are getting more clever with social engineering tactics, especially through COVID-related campaigns, putting you and your organization at risk of handing over sensitive data and credentials.

Simply put, social engineering is the non-technical strategy cyber attackers use to manipulate people into giving up confidential information. Instead of exploiting vulnerabilities in an application, they find vulnerabilities within humans. Even with the most sophisticated security technologies in place, falling victim to social engineering tactics puts bad actors one step closer to achieving their goals.

Social engineering is nothing new – however, the pandemic created a huge surge in people’s reliance on IT, from communicating with family or friends to maintaining productivity at work.

This increased dependence on work-from-home and our online footprint has made us a much easier target for social engineering attacks, so it is important now more than ever before to be mindful of who we are interacting with over the phone and over the Internet.

Common social engineering hacks that have risen during COVID:

  • Emails or calls posing as someone in your organization’s IT department which ask you to click a link or provide a two-factor authentication code and bypass multi-factor authentication (MFA) controls.
  • “Officials” from your local government or healthcare agency, or insurance carrier, who ask for personal information.
  • Unsolicited requests for account changes or information via email alone.

Some recommendations for you:

  • Closely inspect any unknown email address to verify it is legitimate before clicking on links or attachments.
  • Do not provide information about your organization to outside entities without proper authorization.
  • Double check a request’s legitimacy by calling or contacting the company or internal department directly.

Awareness alone that social engineering attacks are increasing is an instrumental first step towards protecting yourself and your organization against a successful cyber attack. If you are suspicious about an email, report it to your IT organization’s staff immediately, and don’t answer any calls you are not expecting.


17th Annual CSAM – Week 3

2020 saw a major disruption in the way many work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Week 2 of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet-connected devices for both personal and professional use.

Get Savvy About WIFI Hotspots:  Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your laptop or smartphone while you are connected to them.  Limit what you do on a public WiFi, and avoid logging in to key accounts like email and bank accounts.  Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection.

When in Doubt, Throw it Out:  Links in e-mail, tweets, texts, posts, social media messages and online advertising are the easiest way for cyber criminals to get your sensitive information.  Be wary of clicking on links or downloading anything that comes from a stranger or that you were not expecting.  When available, use the “junk” or “block” option to no longer receive messages from a particular sender.  Don’t trust those links.

Cybersecurity is Everyone’s Job:  No matter your career or position, it is everyone’s job to practice good cyber security.  Organizations and homes cannot be secure without each and every person doing their part.  Online safety and security are a responsibility we all share.

Stop.Think.Connect:  Stop. Think. Connect.™ is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.  www.stopthinkconnect.org


17th Annual CSAM – Week 2

As the 17th annual Cyber Security Awareness Month (CSAM) continues, it’s time to look at the impact of COVID-19 on the way we work.  Since the start of the pandemic, cybersecurity teams around the world have seen a drastic increase in attacks on both corporate and private computer systems.  More employees than ever are working from home using a combination of corporate and personal devices.  Companies are taking a variety of steps to protect their assets, and it’s just as important that you take a few steps to protect your home network and the personal computing devices you use to work from home from the bad guys that want to exploit them.

  1. Install the latest software updates and security patches from your device’s manufacturer.  In many cases, you can simply turn on automatic updates and let the system handle the rest.
  2. Set up and use multi-factor authentication, sometimes called two-factor authentication, when it’s offered by your financial institutions, email provider, or any other organization you interact with online.  With multi-factor authentication, you’ll have to enter a code sent via text message to your phone or respond to a push notification from an app when attempting to log in, ensuring that you are in fact the one trying to access your account.
  3. Ensure that your home router password is not easily guessed and does not include your address or personal names.  The Federal Trade Commission has more tips for securing your wireless home network at https://www.consumer.ftc.gov/articles/0013-securing-your-wireless-network.
  4. Limit the amount of personal data you share on social media.  The less the bad guys know about you, the less info they have to manipulate you into doing what they want.
  5. As always, remember to stop and think before you click a link, or provide confidential data over the phone.  Malicious actors are constantly developing new strategies and building websites designed to manipulate people into clicking on malicious links or giving up personal information.

For more information about ways to keep you and your family safe online visit https://www.cybersafenv.org.  Stay #CyberSafeNV!


CyberSafeNV 2020 CSAM

CyberSafeNV is excited to be greeting the 17th annual Cyber Security Awareness Month (CSAM), previously known as the National Cyber Security Awareness Month (NCSAM).  “National” was dropped from the original name to allow for this month to be adopted around the world, making October Cyber Security Awareness Month, a global effort to help everyone stay protected whenever and however they connect.  Each year has a different theme.  This year’s theme is Do Your Part. #BeCyberSmart, emphasizing the role everyone plays in protecting their online lives.

CyberSafeNV is proud to be a champion, do our part, and support this online safety and education initiative this October.

COVID-19 has fundamentally, and most likely permanently, changed the way we work, do business, socially interact, and engage over the internet. Organizations around the world have shifted much of their workforce to remote home offices, changing the types of security controls needed and required.  To support these challenges, CyberSafeNV will develop and send some best practice guides for telework as well as information on general cyber security topics to help you, your family, co-workers, and our community and state become more cyber security aware and smart.  Therefore, throughout the month of October, you will receive and see emails, website updates, and/or social media postings.  So please follow us on Twitter @CyberSafeNV, Facebook (https://www.facebook.com/cybersafenv/), and LinkedIn (https://www.linkedin.com/company/cybersafenv).  For more information about ways to keep you and your family safe online visit https://www.cybersafenv.org.
