Download ISO/IEC 27701 2019 Standard and Toolkit
CPRA compliance gap assessment tool
Jan 13 2022
Jan 19 2021
This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.
Dec 01 2020
Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020
Purpose and Intent. In enacting this Act, it is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The implementation of this Act shall be guided by the following principles:
Consumer Rights
Adds a right to opt out of automated decision-making technology in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. The opt-out right explicitly extends to the sharing of PI used for cross-context behavioral advertising.
Strengthens opt-in rights for minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, once a minor has declined to provide consent, a business must wait 12 months before asking that minor again for consent to sell or share his or her PI.
For full details, download a PDF of THE CALIFORNIA PRIVACY RIGHTS ACT OF 2020 (Amendments to Version 3).
California Privacy Rights Act (CPRA): 10 Big Impacts on Your Business
Video: https://www.youtube.com/watch?v=bqC8kSSSV-A
Aug 17 2023
Your data is an asset. Safeguarding it will help you comply with data protection laws and allow your business to thrive
IT Governance is a market leader in data privacy and cyber security solutions. Their broad suite of offerings is one of the most comprehensive in the world.
ITG’s affordable solutions have helped numerous individuals and organizations understand the practical aspects of data privacy. With substantial legal and technical expertise, backed by a 15-year history in cybersecurity risk management, ITG customers can entrust their needs to us with complete confidence.
Speed up your compliance initiatives for the GDPR, the CPRA, ISO 27701 and other regulations by using ITG’s collection of top-performing tools, templates and eBooks.
Check out our ISO 27701 related posts to assess and build your PIMS (privacy information management system).
Check out our previous posts on the CPRA.
Check out our previous posts on the GDPR.
Mar 15 2023
Whether you’re looking to develop a career in data privacy or cybersecurity, we have the right training solution for you. Pick from ITG’s bestselling self-paced online training courses today and receive 15% off until March 31st 2023.
May 08 2022
Data protection is challenging for many businesses because the United States does not currently have a national privacy law, like the EU’s GDPR, that explicitly sets out the means of protection. In the absence of a federal law, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will amend and substantially expand the state’s current privacy law (the CCPA) and become operative on January 1, 2023, the same day the Virginia Consumer Data Protection Act (VCDPA) takes effect. The Colorado Privacy Act (CPA) will commence on July 1, 2023, and the Utah Consumer Privacy Act (UCPA) on December 31, 2023.
For companies doing business in California, Virginia, Colorado and Utah* — or any combination of the four — it is essential for them to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times.
While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments — audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but vary in the reasons why a company may have to take one.
Virginia requires companies to conduct data protection assessments when they process personal data for targeted advertising, sell personal data, process sensitive data, or process personal data for profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers “heightened risk.” Colorado requires assessments for similar reasons to Virginia, but excludes profiling as a trigger for such assessments.
Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).
The state laws also vary on whether a data protection assessment required by one law is transferable to another. For example, suppose an organization must adhere to the VCDPA and another state privacy law. If that business undergoes a data protection assessment under the other law with similar or more stringent requirements, the VCDPA will recognize that assessment as satisfying its own requirements. Businesses under the CPA do not have that luxury: Colorado only recognizes assessments that meet its own requirements.
Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.
There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.
The aforementioned represents just some variances between the four laws — there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.
Without a national privacy law to serve as a baseline for data protection expectations, organizations that operate under multiple state privacy laws should take steps to ensure data is secure regardless of which regulation applies. Here are five tips.
It is critical to have someone on staff, or a consultant, who understands privacy laws and can guide the organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new requirements.
From the moment a business creates or receives data from an outside source, it must classify that data by sensitivity and determine the associated risk. This initial classification lays the groundwork for how the data will be protected. As a general rule, the more sensitive the data, the more stringent the protection methods should be.
Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should aim to protect data beyond what the compliance mandates require, because regulations are often amended to demand more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.
The data analytics pipeline is increasingly built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This means sensitive data should be transformed as soon as it enters the pipeline and remain in a de-identified state thereafter. The pipeline is a target for cybercriminals because, traditionally, data has been processed in the clear as it moves downstream. Employing proven protection methods such as data masking, tokenization and encryption is integral to securing data as it enters the pipeline and preventing the kind of exposure that can put an organization out of compliance, or worse.
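The following is an added example, not code from the original post or from any product it mentions, showing what "transform sensitive data as it enters the pipeline" looks like in practice for the three methods named above (masking, tokenization and, as a deterministic stand-in for encryption that still allows joins, keyed pseudonymization). The field names, the protection policy, the in-memory token vault and the sample records are all assumptions constructed for illustration; it uses only the Python standard library.

```python
"""Ingest-time de-identification step for an analytics pipeline.

Added example (not from the original article). Each incoming record is
classified field by field against a hypothetical POLICY and transformed
before it continues downstream, so nothing after this step handles the
raw values. Fields the policy does not know about are dropped rather
than passed through (fail closed).
"""
import hashlib
import hmac
import secrets

# Hypothetical policy: field name -> protection method (an assumption).
POLICY = {
    "ssn": "tokenize",        # reversible only through the vault
    "email": "pseudonymize",  # deterministic keyed hash: joinable, not reversible
    "card_number": "mask",    # irreversible, keeps the last four digits
    "zip": "keep",            # low sensitivity in this illustrative policy
}


class TokenVault:
    """Maps random tokens to original values (in memory here; in a real
    deployment this is a separately secured store that the analytics
    tier never reads)."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value: str) -> str:
        token = self._token_by_value.get(value)
        if token is None:
            # Random token: carries no information about the value itself.
            token = "tok_" + secrets.token_hex(8)
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` characters with '*'."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: the same input always yields the
    same pseudonym (so records can still be joined), but without the key
    an attacker cannot brute-force the pseudonym back to the input."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def protect_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        action = POLICY.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "mask":
            out[field] = mask(value)
        elif action == "tokenize":
            out[field] = vault.tokenize(value)
        elif action == "pseudonymize":
            out[field] = pseudonymize(value, key)
        # "drop" and unknown actions: field is not emitted downstream
    return out


def run_pipeline(records, vault: TokenVault, key: bytes) -> list:
    return [protect_record(r, vault, key) for r in records]


# Constructed sample input; not real data.
SAMPLE_RECORDS = [
    {"ssn": "123-45-6789", "email": "Alice@Example.com",
     "card_number": "4111111111111111", "zip": "94105", "notes": "free text"},
    {"ssn": "123-45-6789", "email": "alice@example.com",
     "card_number": "5500000000000004", "zip": "94105"},
]

if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # in practice: from a KMS, never in the data store
    for row in run_pipeline(SAMPLE_RECORDS, vault, key):
        print(row)
```

Note the design split: the token vault and the HMAC key are the only things that can relate a de-identified record back to a person, so they live outside the analytics tier; the downstream pipeline only ever sees tokens, masked strings and pseudonyms. Real encryption of fields (for example AES-GCM under a key-management service) would slot into the same `protect_record` dispatch as a further action.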
Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without ever exposing it in the clear. This enables advanced use cases in which data processors pool data from multiple sources to gain deeper insights without any one party seeing another’s raw records.
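As an added illustration of the PEC idea (not code from the original post or any product it refers to), here is the simplest multi-party technique of that family: additive secret sharing, in which several data owners contribute values to a joint sum while no computing party ever sees an individual input. The prime, the three-party setup, the semi-honest (non-colluding) assumption and the sample inputs are all assumptions made for this example; it uses only the Python standard library.

```python
"""Additive secret sharing: pooled statistics without exposing inputs.

Added example (not from the original article). Each data owner splits
its value into n random shares that sum to the value modulo a prime and
hands one share to each computing party. Any n-1 shares are uniformly
random, so a party that does not collude with the others learns nothing
about any input; summing the shares it holds and combining the partial
sums reconstructs only the aggregate. Assumes honest-but-curious,
non-colluding parties and non-negative integer inputs below PRIME.
"""
import secrets

PRIME = (1 << 61) - 1  # Mersenne prime; all arithmetic is mod PRIME


def share(value: int, n_parties: int) -> list:
    """Split value into n_parties additive shares mod PRIME."""
    if not 0 <= value < PRIME:
        raise ValueError("value must be a non-negative integer below PRIME")
    if n_parties < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)  # last share fixes the sum
    return shares


def reconstruct(shares) -> int:
    return sum(shares) % PRIME


def private_sum(inputs, n_parties: int = 3) -> int:
    """Sum of all inputs computed so that no single party sees any input."""
    # Step 1: every owner sends share i of its value to party i.
    held_by_party = [[] for _ in range(n_parties)]
    for value in inputs:
        for party, s in enumerate(share(value, n_parties)):
            held_by_party[party].append(s)
    # Step 2: each party adds up the shares it holds, locally and blindly.
    partial_sums = [sum(held) % PRIME for held in held_by_party]
    # Step 3: the partial sums (not the shares) are combined into the result.
    return reconstruct(partial_sums)


def private_mean(inputs, n_parties: int = 3) -> float:
    """Mean over the pooled inputs; only the count and the sum are revealed."""
    return private_sum(inputs, n_parties) / len(inputs)


# Constructed sample input: per-organization patient counts, not real data.
SAMPLE_INPUTS = [1250, 980, 3105]

if __name__ == "__main__":
    print("pooled total:", private_sum(SAMPLE_INPUTS))
    print("pooled mean:", private_mean(SAMPLE_INPUTS))
```

The security property is in `share`: because n-1 of the shares are drawn uniformly at random, each party's view is independent of the input, and only the final combination of partial sums reveals anything, and what it reveals is exactly the aggregate the parties agreed to compute. Production PEC systems (secure multi-party computation frameworks, homomorphic encryption, confidential computing) build on this same principle with stronger adversary models.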
The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection — especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.
*Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.
Data Privacy Law: A Practical Guide to the GDPR
Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices
Jan 02 2022
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
Nov 29 2021
Save 15% on books, toolkits, self-paced training courses, and selected Live Online training courses. Use code BF15 at checkout to claim your discount. But hurry: the offer ends tomorrow, 30 November, at midnight PDT.
This Black Friday ITG is offering you 15% off ITGP books, ITGP toolkits, self-paced training courses, and selected Live Online training courses.
* The California Privacy Rights Act (CPRA) – An implementation and compliance guide: this book gives you a comprehensive understanding of the CPRA, covering key terms, security requirements, the breach notification procedure, and the penalties for non-compliance.
* ISO 27001 controls – A guide to implementing and auditing: the must-have book to understand the requirements of an ISMS (information security management system) based on ISO 27001.
* Certified ISO 27001 ISMS Foundation Self-Paced Online Training Course: this course provides a complete introduction to the key elements required to achieve ISO 27001 compliance.
Jun 07 2021
The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years.
In the operation, named Operation Ironside, law enforcement agencies from Australia, Europe, and the US on Monday conducted house searches and arrested hundreds of suspects across a wide spectrum of criminal groups, from biker gangs in Australia to drug cartels across Asia and South America, and weapons and human traffickers in Europe.
In a press conference today, Australian police said the sting operation got underway in 2018 after the FBI successfully seized encrypted chat platform Phantom Secure.
Knowing that the criminal underworld would move to a new platform, US and Australian officials decided to create their own service, which they called Anøm (also stylized as AN0M).
Just like Phantom Secure, the new service consisted of secure smartphones that were configured to run only the An0m app and nothing else.
The app, advertised through word of mouth and via the anom.io website, allowed phone owners to send encrypted text and voice messages between devices and prevented them from installing any other apps.
No phone number was required to use the app, which relayed all its messages via An0m’s central platform.
According to investigators, this design, with every message passing through a central platform the agencies controlled, allowed officials to intercept and decrypt the texts gang members sent to each other, many of which included details of drug movements or murder plots.
According to Australian police officials, the FBI ran the platform while AFP technical staff built a system to decrypt messages passing through it in real time.
Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, other gangs found refuge on the network, which eventually amassed more than 11,000 users.
Investigators described Operation Ironside as one of the largest sting operations in law enforcement history.
Investigators appear to have decided to shut down the sting operation after criminal groups started catching on that the An0m app was leaking their conversations.
Source: In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat
Listening In: Cybersecurity in an Insecure Age
Mar 13 2021
If you are a business looking to comply with various data privacy laws, look no further. We can help with Privacy as a Service. 👍
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
Feb 15 2021
The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will become operative on January 1, 2023, amending and substantially expanding the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course