2.4 Billion

That’s the number of records that, according to Identity Force, have been accidentally exposed since the beginning of the year.

In other words, someone misconfigured their systems to provide access to unencrypted data or accidentally emailed them to the wrong person.

And that does not include the hundreds of millions of records that were exposed on Facebook this year.

Pogo had it right.  We have met the enemy and he is us.

Making it Real

I just finished working on a cybersecurity policy for a relatively small dental practice in a large midwestern city.  The practice's IT consultant, with whom I was working, was pleased with the results and said that this Practice was now "miles ahead of the other dental practices" in terms of its cybersecurity posture.  He added that many of the Practice's competitors had "one or two" pieces of paper describing their cybersecurity posture, which he said was "one or two pages longer than it needed to be" to describe the security they actually had in place.

I guess we shouldn't be surprised.  Despite the headlines about data breaches, regulatory fines and lost revenue, cybersecurity for many firms remains an abstraction.  And when you are focused every day on real issues with customers, patients and staff, abstractions come last.

The way to encourage businesses to focus on either risk or opportunity is to make the abstraction real and to provide a game plan which brings value to everyone involved.

Making It Real

In order to "make it real" for the business, you need three things:  1) a compelling (and simply told) story with characters similar to the audience; 2) a financial picture of the situation; 3) a happy ending.   Cybersecurity tells a lot of stories, almost all of which are fear-based.  That's engaging to a point, but often the fear doesn't seem relevant and it is out of context with the situation.  It's scary to think that Equifax can be breached and 147 million records exposed, but what does that have to do with my Dental Practice?  If you tell me a story about a ransomware attack on a dental practice which cost the business $500,000, and that I have a 10% chance of experiencing a $20,000 ransomware loss and a 90% chance of a $1,000,000 loss, I have something to understand.  Then if you tell me that if I do A, B and C I can cut those probabilities by more than half, I see a happy ending.

Bringing Value

Someone once told me that the way they view cybersecurity regulation is like a law which states that if a thief breaks into a house and steals stuff, the homeowner is arrested.  Cybersecurity has been framed as protection against the financial impact a business incurs when bad guys do something to us.  That creates friction in our minds and makes us reluctant to invest in protection against something we would never do ourselves.

Instead, cybersecurity should really be framed in terms of reputation and brand.  It's part of the care and service that you bring to your customers, the respect that you have for them and the trust you want them to have in you.  Reputational value is a combination of a lot of factors, but in today's digital age, data privacy is a true (and marketable) benefit.

Telling stories with financial relevance which show the true value of cybersecurity to all stakeholders is difficult.  But if we want to make inroads in cyber protection, we will need to do so.

The Impact of the CCPA on Small Businesses

With the new year coming up fast, businesses are scrambling to implement the necessary changes before the California Consumer Privacy Act (CCPA) goes into effect. As one might expect, this poses some unique difficulties for small businesses that don't have the same resources as larger companies.

This month, the International Association of Privacy Professionals (IAPP) released the findings of a number of surveys it conducted with small and medium sized businesses about their preparation for the CCPA. The findings highlight the unique impact compliance with the CCPA is having on smaller businesses.

Here are some of the key findings:

Confusion is Universal

One interesting aspect of the survey was that confusion surrounding CCPA compliance was universal to both small and large businesses. However, small businesses expressed a specific lack of clarity regarding what employee data is covered, how the sale of data relates to basic advertising, and potential conflicts with existing regulations.   

Vendor Management

Another key concern for small businesses is how the CCPA will affect their use of vendors and third parties. Because they have a limited number of employees, small businesses are more likely to outsource some of their work onto third parties. And, according to the IAPP’s findings, small businesses are less likely to have specific programs in place to ensure vendors’ privacy policies meet their own standards and comply with regulations. The report found that while small businesses do generally include privacy clauses in vendor contracts, “they use privacy questionnaires and audits significantly less often than larger companies.”  

Lack of Automation

The survey also found that small businesses are less likely to have privacy-focused automation in place. Because the CCPA requires businesses to process consumers' data access requests, handling these requests along with managing data inventories will likely become more of a burden for small businesses. Without the resources to automate these processes, small businesses fear that implementing and managing data access requests will require an overwhelming amount of time and energy.

What's more, lack of automation could make it easier for fraudulent data access requests to slip by, resulting in data breaches that would leave them in violation of the CCPA. This has already been an issue with the GDPR, and small businesses worry that they don't have the tools necessary to effectively verify the identity of individuals requesting access to their data.

While preparation for the CCPA is a top concern for businesses of all sizes, the IAPP's findings show that small businesses are facing a number of unique challenges. When it comes to compliance, the CCPA holds all businesses to the same standard. And while this gives consumers greater assurance that their privacy is protected across the board, the impact on small businesses is greater than what larger companies are experiencing.

Changes to the California Consumer Privacy Act (CCPA) have been finalized – Goes into effect January 1

As of September 13th, the California Legislature has finished passing amendments to the California Consumer Privacy Act (CCPA), meaning no more changes to the law will be made before it goes into effect this January.

Originally passed in June 2018, the CCPA is widely considered to be the most comprehensive privacy law in the U.S. to date. Taking its cue from the E.U.'s GDPR, the CCPA gives California consumers the right to know what data companies collect on them and even to opt out of the sale of their personal information. However, as we wrote about in July, a number of amendments were introduced that privacy experts feared could greatly reduce the impact of the new law.

In the months since then, some of those amendments passed while others were reworked or scrapped altogether. Of the amendments the legislature did pass, most of the highly contested changes were bundled into Assembly Bill 1355 (Personal Information).

Here is an overview of some of the changes that made it through: 

Non-discrimination 

While the CCPA prohibits any discrimination against consumers who opt-out of the sale of personal information, the new amendment makes an exemption if “differential treatment is reasonably related to value provided to the business by the consumer’s data.”  

This is potentially a big deal. While some of this language will likely be challenged and clarified after the Act goes into effect, it opens the door for businesses to offer different services and/or prices if a user exercises their right to opt out of the sale of their personal information.

Definition of Personal Information 

The amendment also makes a very small change to the definition of personal information, but one that could have large implications. In defining what counts as personal information, the bill simply adds the word "reasonably" to the phrase "capable of being associated with" a particular consumer or household. This small change creates some wiggle room for businesses when it comes to arguing what information is protected under the CCPA.

This also reinforces the clarification in the amendment that de-identified and aggregate consumer information does not fall within the scope of the CCPA. And with efforts already underway to weaken the definition of de-identified information, this could potentially further limit what personal information is protected.  

Employee Information is Exempt 

The other big change to the CCPA concerns employee information. The new amendments exclude employees from the right to know, opt out of, or delete any personal information their employer collects and sells. However, this exemption sunsets in 2021 and will therefore have to be re-introduced after that, which will likely be the site of a large battle between unions and privacy advocates on one side and industry groups on the other.

While these changes certainly reduce the scope and impact of the CCPA, the central tenets of the law remain largely intact. Overall, consumers will still be able to exercise their rights to know what personal information businesses are collecting, to opt out of the sale of this information to third parties, and even to request that a business delete their information. It's therefore important that all impacted businesses continue to work toward compliance by the beginning of next year.

iPhone Hack Serves as a Wake-Up Call for Users

Last week, Google's counterespionage group, the Threat Analysis Group (TAG), published findings on a malware campaign that targeted iPhones for "at least two years." The hack consisted of what is known as a watering-hole attack: the attackers compromised specific websites so that anyone who visited them with a vulnerable iPhone was silently exploited, with no action required on the user's part, and had a spyware implant installed. Once installed, the implant let the attackers monitor user activity and export sensitive information such as passwords, contacts, location data, and messages, including conversations from end-to-end encrypted apps like WhatsApp, which the implant read from the device after they had already been decrypted.

Google's TAG team discovered the attack this past January. They notified Apple of the issue on the 1st of February, and Apple released a security update (iOS 12.1.4) on February 7th that closed the vulnerabilities. However, while the implant did not survive a reboot and the update shut the door to reinfection, any information already taken by the attackers remains in their hands.

Despite the in-depth look at the attack that Google released, who was behind the attack, which websites were infected, and whose data was stolen have not been verified by either Google or Apple. However, since Google's report, a number of news sources have started to fill in the pieces. Because of the highly sophisticated nature of the attack, many quickly speculated it was nation-state backed. Then, over the weekend, TechCrunch published an article with sources claiming the infected websites were designed to target China's Uyghur minority. A day later Forbes confirmed TechCrunch's report, also reporting that the attack targeted Android and Windows users too. Google and Apple, for their part, have not confirmed these reports.

Unanswered Questions 

News of the attack has raised a lot of questions. Among them: why are we only learning about all this now? While Apple did make note of the exploits in its February update announcement, the language used was such that the scope of the attack was completely unknown until now. It is always important to apply updates to any device as quickly as possible, but without understanding the severity of the attack, many users may have left themselves exposed by putting off the update for another day.

Another reason this news is so important is that Apple is often considered to have some of the most advanced cybersecurity defenses out there. Because of the perception that Apple products, and iPhones in particular, are safe from attack, users may not properly understand the risks posed. As Ian Beer, author of the Google report, says, "real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted."

While this news doesn't mean iPhone users should throw their phones away, it does serve as a wake-up call. No matter the device, all users need to take steps to ensure their information remains protected, the least of which is updating devices quickly. Because, as Beer states, "for this one campaign that we've seen, there are almost certainly others that are yet to be seen."