May 21, 2024
A Guide to Navigating NIST 2.0
NIST 2.0 is an important update to NIST’s seminal cybersecurity framework. Learn what has changed and what that may mean for businesses.
Read MoreCategory: Regulatory Compliance
November 03, 2020
Will the Vastaamo Patient Data Breach Set a GDPR Penalty Record?
The huge data breach at Vastaamo is setting a new standard for ransomware demands as cybercriminals try a new kind of double extortion. Will it also set a new GDPR penalty record?
Read More
February 18, 2020
Six Similarities Between GDPR & US Regulatory Requirements
As companies collect and store more and more personal information, they face data privacy risks on many fronts. Increasingly, they are being held accountable for protecting their customers’ digital privacy. New regulations, led by Europe’s General Data Protection Regulation (GDPR) in 2018, are quickly becoming normative in countries around the world. In total, 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation.
Read More
February 10, 2020
The NY SHIELD Act is Almost Here: How to Stay Compliant
Data privacy regulations are quickly becoming par for the course in countries around the world, each one bringing new, nuanced responsibilities for companies to follow. While Europe’s expansive General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have made most of the headlines, we are just months away from the latest privacy regulation, New York’s “Stop Hacks and Improve Electronic Data Security (SHIELD) Act.”
Read More
December 23, 2019
Consumers Respond to Data Privacy Regulations
After years of seemingly unending data privacy violations, governments around the world have begun enacting regulations intended to bolster personal privacy in the digital age. Most prominently, in 2018, Europe’s General Data Privacy Regulation (GDPR) set a new standard for data security, prompting companies around the world to take the issue more seriously by instituting financial penalties against organizations that fail to protect their customers’ data. In the US, California’s Consumer Privacy Act is scheduled to go into effect on January 1st, 2020, bringing comprehensive regulation to the US and further promulgating the legal ramifications of data security standards. In total, 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation. These laws are intended to support rapidly shifting consumer sentiments that value data protection and personal privacy, two priorities that have gone wildly adrift in the digital age. Unfortunately, despite their best intentions, there is growing evidence that privacy laws aren’t improving consumer confidence in data security. In response, every company should be mindful of this attitude, as it will inevitably shape the business landscape for years to come. Consumers Don’t Trust Companies Until recently, digital platforms participated in a quiet arrangement with their customers who gained free access to platforms in exchange for copious amounts of personal data. Today, that information is some of the most valuable in the world, often compared to digital gold, which companies deploy to provide targeted advertising and other personalized services that drive their bottom lines. However, today’s consumers are well-aware of this arrangement, and many are fighting back. For example, after Facebook’s now-notorious Cambridge Analytica scandal, nearly half of users aged 18 – 29 deleted the app from their phones, signaling a distrust of the platform’s data management standards and disgust with its practices. Moreover, after a data breach, 81% of consumers indicated that they would stop engaging with a brand online, and many consider cybersecurity a prerequisite for making purchases.
Read More
September 26, 2019
Best Practices for GLBA and FINRA Compliance
When it comes to security compliance and regulatory oversight across America, no verticals or functions are being spared. The financial services industry is one that has recently come under scrutiny, as stakeholders begin to realize the sensitivity of data flowing through their processes and organizations. Keep reading for a breakdown of Gram-Leach-Bliley Act (GLBA) compliance, along with a checklist of the top 10 cybersecurity best practices as reported by the Financial Industry Regulatory Authority, Inc. (FINRA). Financial Privacy and Safeguards The Gram-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, requires financial institutions to explain how they share and protect their customers’ private information. Additionally, these rules apply to entities outside of the financial services industry that process or receive such information, which can range from real estate companies to tax preparers and more. Below are the two key components to the GLBA, with the second holding specific implications for data security: Financial Privacy Rule – In order to be compliant, organizations must communicate how they share sensitive data, inform customers of their right to opt out of information-sharing agreements, and explain how they protect customer data. Safeguards Rule – Regulating the confidentiality of customer information is separated into three main initiatives: employee security awareness training, information systems, and system failure. Although there are many steps and requirements, we’ve got you covered. With BullPhish ID™, you can check security awareness training off the list and move one step closer to compliance. The ROI of Compliance At this point, you may be wondering why you have to be compliant. The threat of non-compliance penalties may seem enough, amounting to $100,000 per violation, but it barely scratches the surface. Individuals can face additional charges that include prison time, and although the risk of reputational damage is not easily quantifiable, it is often even more crippling. In a world where customer loyalty and trust are king, unauthorized sharing or leaks in customer data can result in brand erosion and revenue loss. Practice Makes Perfect As your go-to solutions provider, we’re not here to spell out doom-and-gloom, but instead to help solve your problems. Click the link below to download the Small Firm Cybersecurity Checklist by FINRA: https://www.finra.org/compliance-tools/cybersecurity-checklist. Ready to take the first step to being GLBA compliant? Learn how BullPhish ID can help you easily manage the recommended security awareness training:
Read More
September 05, 2019
HIPAA 101
Maintaining compliance in today’s ever-changing environment is no easy task, particularly within the healthcare space. In the past, hackers opportunistically targeted providers due to poor security networks and infrastructure. Over time, however, cybercriminals have realized the true value of personally identifiable information (PII) and protected health information (PHI), which can be leveraged for identity theft, financial fraud, and other lucrative attack types. Exposed patient data is quickly becoming a sought-after commodity on underground marketplaces such as the Dark Web, forcing companies and MSPs to take notice. Follow the ID Agent team as we provide a snapshot of the Health Insurance Portability and Accountability Act (HIPAA) today and discuss its implications for your business. History of HIPAA Established in 1996, the Health Insurance Portability and Accountability Act was introduced by the Department of Health and Human Services (HHS) to set standards for data security and privacy in the healthcare sector. The legislation was passed with good intentions but designed for a world that still operated using paper records. As technology drastically shifted market dynamics, some of the provisions quickly grew outdated, Nevertheless, the Security Rule has passed the test of time in many ways, providing administrative, physical, and technical safeguards for protecting individuals’ electronic personal health information. Cybersecurity Guidelines In December of 2018, HHS issued new cybersecurity guidelines in an effort to drive voluntary adoption of best practices. Such guidance could signal impending legislation to come in the near future, so our experts curated some key takeaway: 1) Risk Analysis Organizations must assess all potential risks and vulnerabilities affecting the confidentiality, integrity, and availability of PHI across their ecosystem. This is easier said than done. Many companies underestimate how far PHI travels inside or outside their networks, which have led to costly HIPAA violations in the past. Determining the need for business associate agreements is a key element of a risk analysis, since they govern how entities handle PHI. 2) Social Engineering As evidenced by recent events, healthcare organizations are often subject to phishing and ransomware attacks. Even though employee training and simulated phishing attacks have been recognized as the best defense to mitigating social engineering hacks, they are rarely facilitated (see graph below). Thankfully, BullPhish ID™ offers robust security awareness training campaigns to educate employees and demonstrate the cybersecurity posture of your organization. Employee training – 2019 Security Metrics Guide to HIPAA Semi-Annually Yearly Never train Don’t know how often they train 8% 60% 10% 13% 3) Insider Threats Whether it’s born out of innocent curiosity or malicious intention, employee snooping is a serious vulnerability to PHI. Even worse, it can not only result in HIPAA violations, but also be identified as criminal activity by state attorney generals. As public vigilance of security and privacy continues to increase, being featured in headlines as the victim of an insider attack poses serious consequences for brand equity and customer loyalty. 4) Enterprise Risk Management Iliana L. Peters, Former Acting Deputy Director for HIPAA at HHS, recommends that organizations partner with solution providers that can perform comprehensive risk management and offer expert counsel. Given that the majority of Office for Civil Rights settlements are related to risk management, organizations have a financial incentive to enlist in IT security best practices and training. Solutions Although ongoing HIPAA compliance may seem like an arduous undertaking, it can greatly benefit your organization from a strategic perspective. Far too often, it’s the simple, easy-to-patch vulnerabilities that slip through the cracks and lead to expensive violations or breaches. Even those with advanced defenses can be inadvertently compromised by bad passwords or employee phishing. However, we’re not here to spell out doom-and-gloom. Find out how our experts and solutions can help you: Proactively monitor the Dark Web for compromised employee or patient data Transform your employees into the best defense against cybercrime with simulated phishing attacks and security training Consider implementing Compliance Process Automation Also, download our guide below to see how HIPAA compliance varies by state and region.
Read MoreAugust 15, 2019
The link between GDPR and the Dark Web
Over a year after its widely anticipated debut on May 25th, 2018, the General Data Protection Regulation (GDPR) is still a point of confusion for many SMBs. Although our European partners have been keeping a pulse on developments for quite some time, privacy regulations are quickly pervading into the global security landscape across the US, Canada, Australia, and New Zealand with cascading consequences and implications. In order to prepare MSPs and business owners for upcoming change, the ID Agent Team will unravel how the Dark Web and GDPR are inextricably connected. But first, let’s refresh on the basics: A GDPR Crash Course Designed to protect the data security and privacy of EU citizens, the GDPR was introduced as a replacement to the Data Protection Directive of 1995. As an overview, the regulations empower consumers with greater ownership over their personal information; highlights including the “right to be forgotten”, a fortified consent process, and more stringent breach notification protocol requirements. Aside from expanding the definition of “data processing” to include collection, retention, deletion, breaches, and disclosures of personal data, the penalties associated with infractions are no laughing matter. Since its implementation, multinational corporations have seen fines amounting to $23M. Or even worse, 4% of global revenue. Dark Web + GDPR So where does the Dark Web fit into this? Just this past week, we covered a recent report by the Federation of Small Businesses (FSB) proclaiming that UK-based SMBs were suffering nearly 10,000 cyber attacks per day. Although the majority of these are serious security breaches, some are slipping through the cracks as “leaks” that go unnoticed. These manifest themselves as vulnerabilities caused by password recycling, lost devices, accidental website updates/ emails, and even rogue employee behavior. Unlike more overt incidents, data compromises are much more difficult to detect, especially for small businesses with minimal security measures in place. Therefore, sensitive information collected from such leaks ultimately finds a home on the Dark Web, without anyone being the wiser. As we know, cybercriminals will exchange valuable credentials for cryptocurrency, and then leverage leaked information to orchestrate crippling fraud tactics. In the past, companies were able to sidestep any ties back to them due to loose privacy regulations and limited feedback loops. However, those days are soon coming to an end. The GDPR mandates that companies of all shapes and sizes must disclose consumer data breaches, and will also be held liable for such accidental leaks. For example, the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) of the UK has published specific guidance for risk management, data protection, detection, and minimization of impact. The Solution The global standards for data protection may be rising, but so have the solution sets for SMBs. By partnering up with MSPs who have enlisted in proactive Dark Web monitoring solutions (like Dark Web ID!), you can future-proof your company from facing GDPR fines or dealing with business process interruptions. Case dismissed. Need more proof? See what Ryan Markel, President of Take Ctrl, LLC, has to say about working with our team: “My clients are so grateful that they are not aware when their passwords are compromised that they are telling their colleagues at other companies they have to work with us”. Sources: https://www.parkersoftware.com/blog/gdpr-dark-web https://www.law.com/legaltechnews/2019/01/23/could-the-gdpr-right-to-access-make-personal-data-more-vulnerable/?slreturn=20190712111548 https://cybersecuritysummit.co.uk/wp-content/uploads/sites/29/2017/10/White-Paper-GDPR-Data-Breaches-the-Dark-Web-June-2017.pdf https://www.swknetworkservices.com/dark-web-breaches-compliance-gdpr/ https://gdpr.report/news/2017/07/03/growing-threat-dark-web/ http://www.securityeurope.info/the-eus-gdpr-and-crime-throwing-some-light-on-the-dark-net/ https://mashable.com/article/how-gdpr-changed-internet-2018/ https://lmgsecurity.com/should-your-data-breach-response-plan-include-dark-web-scanning/ https://cyansolutions.co.uk/monitor-dark-web-stop-security-breaches-fast/ Cybersecurity and GDPR: https://www.ncsc.gov.uk/information/GDPR UK’s Cyber Essentials certification: https://www.cyberessentials.ncsc.gov.uk/advice/
Read More
February 22, 2019
Webinar Recap: An Update on Data Security Breach Laws in the U.S. & Canada
Data Security Breach Laws Becoming Stricter The webinar “An Update on Data Security Breach Laws in the U.S. & Canada” was offered February 13 by ID Agent. The top-line message is that the many overlapping laws and regulations governing data security are becoming stricter. Moderated by Jessica Retka, an associate in the Intellectual Property and Technology Group at Baltimore law firm Whiteford Taylor Preston LLP, the webinar featured legal experts S. Keith Moulsdale, a partner in the Cyber Security, Information Management and Privacy Group at Whiteford Taylor Preston, and Judith Payne, a partner at Winnipeg-based Pitblado Law who specializes in privacy, regulatory compliance, and information technology in corporate and commercial enterprises.
Read More