Download ISO/IEC 27701 2019 Standard and Toolkit
CPRA compliance gap assessment tool
Jan 19 2021
CPRA Compliance
This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.
Dec 01 2020
Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020
Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020
Purpose and Intent. In enacting this Act, It is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The implementation of this Act shall be guided by the following principles:
Consumer Rights
- Consumers should know who is collecting their personal Information and that of their children, how it is being used, and to whom It is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children,
- Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal Information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
- Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
- Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
- Consumers should be able to exercise these rights without being penalized for doing so.
- Consumers should be able to hold businesses accountable for falling to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
- Consumers should benefit from businesses’ use of their personal information.
- The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act. It is the purpose and Intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023
Adds a right to opt out of automated decision-making technology, in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Opt-out right explicitly extends to sharing of PI used for cross-context behavioral advertising.
Strengthens opt-in rights for minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.
For all inclusive details, download a pdf of THE CALIFORNIA PRIVACY RIGHTS ACT OF 2020 (Amendments to Version 3)
California Privacy Rights Act (CPRA): 10 Big Impacts on Your Business
httpv://www.youtube.com/watch?v=bqC8kSSSV-A
Jun 18 2025
DISC WinerySecure™: Cybersecurity & Compliance Services for California Wineries
Overview: DISC WinerySecure™ is a tailored cybersecurity and compliance service for small and mid-sized wineries. These businesses are increasingly reliant on digital systems (POS, ecommerce, wine clubs), yet often lack dedicated security staff. Our solution is cost-effective, easy to adopt, and customized to the wine industry.
Wineries may not seem like obvious cyber targets, but they hold valuable data—customer and employee details like social security numbers, payment info, and birthdates—that cybercriminals can exploit for identity theft and sell on the dark web. Even business financials are at risk.
Target Clients:
- Wineries with 100–500 employees
- Using POS, wine club software, ecommerce, or logistics systems
- Limited or no in-house IT/security expertise
Service Bundles
1. Risk & Compliance Assessment (One-Time or Annual)
- Winery-specific security and compliance checklist
- Key focus: POS, ecommerce, backups, privacy laws (CCPA, CPRA, GDPR), NIST CSF, ISO 27001, SOX, PCI DSS exposure
- Deliverable: 10-page Risk Scorecard + Executive Summary + Heat Map
2. Winery Security Essentials (Monthly)
- Managed endpoint protection (EDR-lite)
- Basic firewall and ISP hardening
- 2FA setup for admin accounts
- Phishing and email security implementation
- POS and DTC site security guidance
3. Employee Awareness & Policy Pack
- Annual virtual 30-minute training
- Phishing simulations (2x/year)
- Winery-specific security policies:
- Acceptable Use
- Access Control
- Incident Response
- Tracking of policy acceptance and training logs
4. vCISO-Lite Advisory (Quarterly)
- Quarterly 1-hour consults with DISC vCISO
- Audit readiness and compliance roadmap (CCPA, PCI, ISO)
- Tech stack and vendor security guidance
Optional Add-Ons
- Penetration test (web or cloud systems)
- PCI-DSS SAQ support
- Vendor security assessments
- Business continuity/ransomware recovery plans
Pricing Tiers
| Tier | Description | Monthly | Annual |
|---|---|---|---|
| Starter | Essentials + Training | $499 | $5,500 |
| Growth | Starter + vCISO-Lite | $999 | $11,000 |
| Premium | Growth + Add-Ons (Customizable) | $1,499+ | Custom |
Benefits for Wineries:
- Reduces risk of ransomware, fraud, and data loss
- Supports audit, insurance, and investor requirements
- Protects customer data and tasting room operations
- “Secure Winery” badge to promote trust with guests
- In addition to winery protection, DISC specializes in securing data during mergers and acquisitions.
Next Steps: Let us prepare a customized scorecard or walk you through a free 15-minute discovery call.
Contact: info@discinfosec.com | www.discinfosec.com
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security
May 29 2025
Why CISOs Must Prioritize Data Provenance in AI Governance
In the rapidly evolving landscape of artificial intelligence (AI), Chief Information Security Officers (CISOs) are grappling with the challenges of governance and data provenance. As AI tools become increasingly integrated into various business functions, often without centralized oversight, the traditional methods of data governance are proving inadequate. The core concern lies in the assumption that popular or “enterprise-ready” AI models are inherently secure and compliant, leading to a dangerous oversight of data provenance—the ability to trace the origin, transformation, and handling of data.
Data provenance is crucial in AI governance, especially with large language models (LLMs) that process and generate data in ways that are often opaque. Unlike traditional systems where data lineage can be reconstructed, LLMs can introduce complexities where prompts aren’t logged, outputs are copied across systems, and models may retain information without clear consent. This lack of transparency poses significant risks in regulated domains like legal, finance, or privacy, where accountability and traceability are paramount.
The decentralized adoption of AI tools across enterprises exacerbates these challenges. Various departments may independently implement AI solutions, leading to a sprawl of tools powered by different LLMs, each with its own data handling policies and compliance considerations. This fragmentation means that security organizations often lose visibility and control over how sensitive information is processed, increasing the risk of data breaches and compliance violations.
Contrary to the belief that regulations are lagging behind AI advancements, many existing data protection laws like GDPR, CPRA, and others already encompass principles applicable to AI usage. The issue lies in the systems’ inability to respond to these regulations effectively. LLMs blur the lines between data processors and controllers, making it challenging to determine liability and ownership of AI-generated outputs. In audit scenarios, organizations must be able to demonstrate the actions and decisions made by AI tools, a capability many currently lack.
To address these challenges, modern AI governance must prioritize infrastructure over policy. This includes implementing continuous, automated data mapping to track data flows across various interfaces and systems. Records of Processing Activities (RoPA) should be updated to include model logic, AI tool behavior, and jurisdictional exposure. Additionally, organizations need to establish clear guidelines for AI usage, ensuring that data handling practices are transparent, compliant, and secure.
Moreover, fostering a culture of accountability and awareness around AI usage is essential. This involves training employees on the implications of using AI tools, encouraging responsible behavior, and establishing protocols for monitoring and auditing AI interactions. By doing so, organizations can mitigate risks associated with AI adoption and ensure that data governance keeps pace with technological advancements.
CISOs play a pivotal role in steering their organizations toward robust AI governance. They must advocate for infrastructure that supports data provenance, collaborate with various departments to ensure cohesive AI strategies, and stay informed about evolving regulations. By taking a proactive approach, CISOs can help their organizations harness the benefits of AI while safeguarding against potential pitfalls.
In conclusion, as AI continues to permeate various aspects of business operations, the importance of data provenance in AI governance cannot be overstated. Organizations must move beyond assumptions of safety and implement comprehensive strategies that prioritize transparency, accountability, and compliance. By doing so, they can navigate the complexities of AI adoption and build a foundation of trust and security in the digital age.
For further details, access the article here on Data provenance
Interpretation of Ethical AI Deployment under the EU AI Act
AI Governance: Applying AI Policy and Ethics through Principles and Assessments
Businesses leveraging AI should prepare now for a future of increasing regulation.
Digital Ethics in the Age of AI
DISC InfoSec’s earlier posts on the AI topic
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
Dec 03 2024
Why Your Organization Needs ISO 27001 Amid Rising Risks
Why ISO 27001 Is Essential for Thriving Businesses
The Growing Importance of ISO 27001
Data breaches, ransomware attacks, and increasing compliance requirements pose significant risks to businesses of all sizes. Without a structured approach to safeguarding sensitive data, organizations remain vulnerable. ISO 27001, the international standard for information security management, provides a proven framework to protect businesses and reassure stakeholders. Its structured methodology can address security gaps and mitigate risks effectively.
Sign 1: Rising Cybersecurity Threats
With cyberattacks becoming more sophisticated, businesses of all sizes are targets. Small companies, in particular, face devastating consequences, as 60% fail within six months of a breach. ISO 27001 offers a systematic, risk-based approach to identify vulnerabilities, prioritize threats, and establish protective controls. For instance, an e-commerce company can use ISO 27001 to secure payment data, safeguard its reputation, and maintain customer trust.
Sign 2: Client Expectations for Security Assurance
Clients and partners increasingly demand proof of robust security practices. Questions about how sensitive information is managed and requests for certifications highlight the need for ISO 27001. Certification not only enhances security but also demonstrates commitment to data protection, building trust and offering a competitive edge in industries like finance, healthcare, and technology. For example, a marketing agency could avoid losing key clients by implementing ISO 27001 to showcase its security measures.
Sign 3: Navigating Regulatory Challenges
Strict regulations such as GDPR, PCI DSS, CPRA, and HIPAA mandate stringent data protection protocols. Non-compliance risks legal penalties, financial losses, and eroded customer trust. ISO 27001 simplifies compliance by aligning with various regulatory requirements while improving operational efficiency. For example, a software company handling EU data avoided GDPR fines by adopting ISO 27001, enabling regulatory compliance and global expansion.
Take Action Before It’s Too Late
If your business faces inconsistent security practices, data breach fears, or rising regulatory pressures, ISO 27001 is the solution. Scalable and adaptable for organizations of any size, it ensures consistent security across teams, prevents breaches, and facilitates recovery when incidents occur. Starting with a gap analysis and prioritizing high-risk areas, ISO 27001 provides a strategic path to safeguarding your business, strengthening trust, and gaining a competitive edge. Don’t wait—start your journey toward ISO 27001 certification today.
Contact us to explore how we can turn security challenges into strategic advantages.
10 key benefits of ISO 27001 Cert for SMBs
ISO 27001: Building a Culture of Security and Continuous Improvement
Penetration Testing and ISO 27001 – Securing ISMS
Secure Your Digital Transformation with ISO 27001
Significance of ISO 27017 and ISO 27018 for Cloud Services
The Risk Assessment Process and the tool that supports it
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
Securing Cloud Services: A pragmatic guide
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
Nov 04 2024
The Risk Assessment Process and the tool that supports it
The “Risk Assessment analysis” covers key areas of risk assessment in information security:
- Risk Assessment Process: The core steps include identifying assets, analyzing risks, and evaluating the value and impact of each risk. This process helps determine necessary controls and treatments to mitigate or accept risks.
- Types of Risk:
- Asset-Based Risk: Focuses on assessing risks to tangible assets like data or hardware.
- Scenario-Based Risk: Evaluates hypothetical risk scenarios, such as potential data breaches.
- Risk Analysis:
- Impact Analysis: Measures the financial, operational, and reputational impact of risks, assigning scores from 1 (very low) to 5 (very high).
- Likelihood Analysis: Assesses how likely a risk event is to occur, also on a scale from 1 to 5.
- Risk Response Options:
- Tolerate (accept risk),
- Treat (mitigate risk),
- Transfer (share risk, e.g., via insurance),
- Terminate (avoid risk by ceasing the risky activity).
- Residual Risk and Risk Appetite: After treatments are applied, residual risk remains. Organizations determine their acceptable level of risk, known as risk appetite, to guide their response strategies.
These structured steps ensure consistent, repeatable risk management across information assets, aligning with standards like ISO 27001.
The Risk Assessment Process involves systematically identifying and evaluating potential risks to assets. This includes:
- Identifying Assets: Recognizing valuable information assets, such as data or physical equipment.
- Risk Analysis: Analyzing the potential threats and vulnerabilities related to these assets to assess the level of risk they pose.
- Evaluating Impact and Likelihood: Measuring the potential impact of each risk and estimating how likely each risk is to occur.
- Implementing Controls: Deciding on control measures to mitigate, transfer, accept, or avoid each risk, based on organizational risk tolerance.
To streamline this process, organizations often use risk assessment tools. These tools assist by automating data collection, calculating risk levels, and supporting decision-making on risk treatments, ultimately making the assessment more consistent, thorough, and efficient.
CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable.
- Manage all your cybersecurity and data privacy obligations
- Accelerate certification and supercharge project effectiveness
- Get immediate visibility of critical data and key performance indicators
- Stay ahead of regulatory changes with our scalable compliance solution
- Reduce errors and improve completeness of risk management processes
- Identify and treat data security risks before they become critical concerns
Reduce data security risks with agility and efficiency
- Quickly identify and treat data security risks before they become critical concerns with the intuitive, easy-to-use risk manager tool
- Keep track of data security compliance requirements and the security controls you have in place in conjunction with critical laws and information security frameworks
- Demonstrate compliance with ISO 27001, the leading information security management standard, with powerful built-in reports
- The software includes control sets from ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27032, NIST, CSA CCM, the PCI DSS, SOC 2, and the CPRA
Need expert guidance? Book a free 30-minute consultation with a Risk assessment specialist.
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Sep 09 2024
AI cybersecurity needs to be as multi-layered as the system it’s protecting
The article emphasizes that AI cybersecurity must be multi-layered, like the systems it protects. Cybercriminals increasingly exploit large language models (LLMs) with attacks such as data poisoning, jailbreaks, and model extraction. To counter these threats, organizations must implement security strategies during the design, development, deployment, and operational phases of AI systems. Effective measures include data sanitization, cryptographic checks, adversarial input detection, and continuous testing. A holistic approach is needed to protect against growing AI-related cyber risks.
For more details, visit the full article here
Benefits and Concerns of AI in Data Security and Privacy
Predictive analytics provides substantial benefits in cybersecurity by helping organizations forecast and mitigate threats before they arise. Using statistical analysis, machine learning, and behavioral insights, it highlights potential risks and vulnerabilities. Despite hurdles such as data quality, model complexity, and the dynamic nature of threats, adopting best practices and tools enhances its efficacy in threat detection and response. As cyber risks evolve, predictive analytics will be essential for proactive risk management and the protection of organizational data assets.
AI raises concerns about data privacy and security. Ensuring that AI tools comply with privacy regulations and protect sensitive information.
AI systems must adhere to privacy laws and regulations, such as GDPR, CPRA to protect individuals’ information. Compliance ensures ethical data handling practices.
Implementing robust security measures to protect data (data governance) from unauthorized access and breaches is critical. Data protection practices safeguard sensitive information and maintain trust.
1. Predictive Analytics in Cybersecurity
Predictive analytics offers substantial benefits by helping organizations anticipate and prevent cyber threats before they occur. It leverages statistical models, machine learning, and behavioral analysis to identify potential risks. These insights enable proactive measures, such as threat mitigation and vulnerability management, ensuring an organization’s defenses are always one step ahead.
2. AI and Data Privacy
AI systems raise concerns regarding data privacy and security, especially as they process sensitive information. Ensuring compliance with privacy regulations like GDPR and CPRA is crucial. Organizations must prioritize safeguarding personal data while using AI tools to maintain trust and avoid legal ramifications.
3. Security and Data Governance
Robust security measures are essential to protect data from breaches and unauthorized access. Implementing effective data governance ensures that sensitive information is managed, stored, and processed securely, thus maintaining organizational integrity and preventing potential data-related crises.
Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps
Data Governance: The Definitive Guide: People, Processes, and Tools to Operationalize Data Trustworthiness
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Jun 01 2024
6 Expert Tips for Your 2024 Security and Compliance Management Planning
Follow these six expert tips to achieve successful security and compliance management planning.
1. Identify the assets you want to protect
Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:
- Identify the systems, data, and people assets that you need to protect.
- Identify the threats to those assets, and prioritize them.
- Identify what you want to do to protect your priority assets from their most significant threats.
2. Identify the activities you need to complete
It is important to establish a list of security activities and the cadence on which they will need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need done quarterly or even monthly. For example, you may only need to do an annual penetration test, but how often do you need to perform pen testing, internal vulnerability scans? Establishing the list of compliance management activities you need to complete and when they need to be completed will be a great starting point for your 2024 compliance program.
DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:
- Review policies and procedures (including Acceptable Use Policy)
- Complete a risk assessment – this should be done annually
- Review security training – to ensure new employees, as well as current employees, are up to date on all their training
- Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
- Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as ISO 27001:2022, SOC2, GDPR, CPRA, etc.
- Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.
3. Assign the right people and resources (RACI Matrix)
It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.
4. Schedule all your meetings and tasks for the year (Audit/ Assessment planning)
It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.
5. Document, document, (Document Management System)
If it is not documented then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on regular basis.   Â
6. Plan ahead to future-proof your security program
Identify the frameworks you may want to tackle down the road and use a helpful platform that will crosswalk to get it done. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.
To learn more about compliance management you should seek expert advice from serious security professionals like the DISC Professional Services team.Â
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Aug 17 2023
Data Privacy Solutions
Your data is an asset. Safeguarding it will help you comply with data protection laws and allow your business to thrive
A global leader in privacy guidance, audits, tools, training and software
IT Governance is a market leader in data privacy and cyber security solutions. Their broad suite of offerings is one of the most comprehensive in the world.
ITG affordable solutions have assisted numerous individuals and organizations in understanding the tangible aspects of data privacy. With substantial legal and technical proficiency, coupled with a 15-year history in cybersecurity risk management, ITG customers have complete confidence in entrusting us with their needs.
Speed up your compliance initiatives for GDPR, CPRA, and other regulations ISO 27701 by utilizing ITG collection of top-performing Tools, Templates and eBooks.
Templates and Tools
- GDPR Compliance Gap Assessment Tool
- GDPR Data Protection Policy Template
- GDPR Privacy Notice Template
- GDPR Privacy Procedure Template
Training and staff awareness
- Certified GDPR foundation course
- Certified GDPR practitioner course
- California Privacy Rights Act (CPRA) Foundation Training Course
- GDPR Staff Awareness E-learning Course​
Books
- The California Privacy Rights Act (CPRA) – An implementation and compliance guide
- EU GDPR – An Implementation and Compliance Guide
- ISO/IEC 27701:2019: An introduction to privacy information management
Checkout our ISO 27701 related posts to assess and built your PMS
Checkout our previous posts on CPRA
Checkout our previous posts on GDPR
InfoSec tools | InfoSec services | InfoSec books | Follow our blog
Mar 15 2023
Self-paced online training InfoSec courses
Whether your looking to develop a career in data privacy or cybersecurity, we have the perfect training solution for you! Pick bestselling ITG self-paced online training courses today and receive 15% off till March 31st 2023
Self-paced online training courses
May 08 2022
As data privacy laws expand, businesses must employ protection methods
Data protection is challenging for many businesses because the United States does not currently have a national privacy law — like the EU’s GDPR — that explicitly outlines the means for protection. Lacking a federal referendum, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will replace the state’s current privacy law and take effect on January 1, 2023, as will the Virginia Consumer Data Protection Act (VCDPA). The Colorado Privacy Act (CPA) will commence on July 1, 2023, while the Utah Consumer Privacy Act (UCPA) begins on December 31, 2023.
For companies doing business in California, Virginia, Colorado and Utah* — or any combination of the four — it is essential for them to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times.
Understanding how data privacy laws intersect is challenging
While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments — audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but vary in the reasons why a company may have to take one.
Virginia requires companies to undergo data protection assessments to process personal data for advertising, sale of personal data, processing sensitive data, or processing consumer profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers to be “heightened risk.” Colorado requires assessments like Virginia, but excludes profiling as a reason for such assessments.
Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).
The state laws also have variances related to whether a data protection assessment required by one law is transferable to another. For example, let’s say an organization must adhere to VCDPA and another state privacy law. If that business undergoes a data protection assessment with similar or more stringent requirements, VCDPA will recognize the other assessment as satisfying their requirements. However, businesses under the CPA do not have that luxury — Colorado only recognizes its assessment requirements to meet compliance.
Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.
There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.
The aforementioned represents just some variances between the four laws — there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.
Overcoming ambiguity through proactive data privacy protection
Without a national privacy law to serve as a baseline for data protection expectations, it is important for organizations that operate under multiple state privacy laws to take the appropriate steps to ensure data is secure regardless of regulations. Here are five tips.
Partner with compliance and legal experts
It is critical to have someone on staff or to serve as a consultant who understands privacy laws and can guide an organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new policies.
Identify data risk
From the moment a business creates or receives data from an outside source, organizations must first determine its risk based on the level of sensitivity. The initial determination lays the groundwork for the means by which organizations protect data. As a general rule, the more sensitive the data, the more stringent the protection methods should be.
Create policies for data protection
Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should attempt to protect data in a manner that exceeds the compliance mandates, as regulations are often amended to require more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.
Integrate data protection in the analytics pipeline
The data analytics pipeline is being built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This implies that sensitive data must be transformed as soon as it enters the pipeline and then stays in a de-identified state. The data analytics pipeline is a target for cybercriminals because, traditionally, data can only be processed as it moves downstream in the clear. Employing best-in-class protection methods — such as data masking, tokenization and encryption — is integral to securing data as it enters the pipeline and preventing exposure that can put organizations out of compliance or worse.
Implement privacy-enhanced computation
Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without exposing it in the clear. This enables advanced-use cases where data processors can pool data from multiple sources to gain deeper insights.
The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection — especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.
*Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.
Data Privacy Law: A Practical Guide to the GDPR
Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices
👇 Please Follow our LI page…
DISC InfoSec
#InfoSecTools and #InfoSectraining
Jan 02 2022
NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
NIST Cybersecurity Framework
![NIST Cybersecurity Framework: A pocket guide by [Alan Calder]](https://m.media-amazon.com/images/I/31zbdJvBpPL.jpg)
Data Governance
Nov 29 2021
InfoSec books, toolkits, and training courses – 15% off
Save 15% off books, toolkits, self-paced training courses, and selected Live Online training courses. Use code BF15 at checkout to claim your discount. But hurry, offer ends tomorrow 30 November, midnight PDT*.
This Black Friday ITG is offering you 15% off ITGP books, ITGP toolkits, self-paced training courses, and selected Live Online training courses.
Discover all resources  |
| Bestselling books |
 The California Privacy Rights Act (CPRA) – An implementation and compliance guide This book gives you a comprehensive understanding of the CPRA, covering key terms, security requirements, the breach notification procedure, and the penalties for non-compliance.  ISO 27001 controls – A guide to implementing and auditing The must-have book to understand the requirements of an ISMS (information security management system) based on ISO 27001.  Certified ISO 27001 ISMS Foundation Self-Paced Online Training Course This course provides a complete introduction to the key elements required to achieve ISO 27001 compliance. |
Jun 07 2021
In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat service AN0M for 3+ years to intercept messages between criminals globally
The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members …
The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years.
Named Operation Ironside, on Monday, law enforcement agencies from Australia, Europe, and the US conducted house searches and arrested hundreds of suspects across a wide spectrum of criminal groups, from biker gangs in Australia to drug cartels across Asia and South America, and weapons and human traffickers in Europe.
In a press conference today, Australian police said the sting operation got underway in 2018 after the FBI successfully seized encrypted chat platform Phantom Secure.
Knowing that the criminal underworld would move to a new platform, US and Australian officials decided to create their own service, which they called Anøm (also stylized as AN0M).
Just like Phantom Secure, the new service consisted of secure smartphones that were configured to run only the An0m app and nothing else.
The app, advertised through word of mouth and via the anom.io website, allowed phone owners to send encrypted text and voice messages between devices and prevented them from installing any other apps.
No phone number was required to use the app, which relayed all its messages via An0m’s central platform.
But according to investigators, this app design allowed officials to intercept the messages and decrypt texts sent by gang members to each other, many of which included details of drug movements or murder plots.
According to Australian police officials, the FBI ran the platform while the AFP technical staff built a system to decrypt messages that passed through the platform in real-time.
Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, other gangs found refuge on the network, which eventually amassed more than 11,000 users.
Investigators described Operation Ironside as one of the largest sting operations in law enforcement history.
Investigators appear to have decided to shut down the sting operation after criminal groups started catching on that the An0m app was leaking their conversations.
Source: In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat
Listening In: Cybersecurity in an Insecure Age
Mar 13 2021
Privacy as a Service can help
If you are a business looking to comply with various data privacy laws, look no further. We can help with Privacy as a Service. 👍
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
Feb 15 2021
California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course
Training course outline
The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
- Demonstrate an understanding of privacy and cybersecurity law concepts, and basis of national/state jurisdiction 
- Define terms used in the CCPA/CPRA and contrast to the GDPR 
- Articulate the rights of consumers, and determine the duties of a business 
- Examine the CPRA’s security requirements and prepare relevant responses 
- Use the CPRA to determine what action(s) should be taken in the event of a breach 
- Demonstrate an understanding of the CPRA’s penalty provisions 
California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course
Jan 28 2021
Privacy as a Service
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly
* Remain one step ahead of legislative developments with affordable advice and support
* Reduce privacy risks with one simple subscription service
* Enjoy peace of mind with your own dedicated data privacy manager
