InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Using an opt-in approach will help curb the excesses of Big Tech.
Americans have become inured to the relentless collection of their personal information online. Imagine, for example, if getting your suit pressed at the dry cleaner’s automatically and permanently signed you up to have scores of inferences about you — measurements, gender, race, language, fabric preferences, credit card type — shared with retailers, cleaning product advertisers and hundreds of other dry cleaners, who themselves had arrangements to share that data with others. It might give you pause.
But that’s the daily reality on the internet. Every minute a person spends online helps countless companies build a thicker dossier about that person.
Despite what corporations profess, much of this personal data is used not to improve products themselves, but to make those products more attractive to advertisers.
One straightforward solution is to let people opt in to data collection on apps and websites. Today, with few exceptions, loads of personal data are collected automatically by default unless consumers take action to opt out of the practice — which, in most cases, requires dropping the service entirely.
Virginia recently had the opportunity to extend firmer data protection rights to its residents. But the state’s Consumer Data Protection Act, signed into law this month, is a business-friendly package, supported by Amazon and Microsoft, that puts the onus on consumers to opt out of most data collection, except for the most sensitive personal details. Washington State lawmakers are advancing similar legislation.
If you are a business looking to comply with various data privacy laws, look no further. We can help with Privacy as a Service. 👍
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly * Remain one step ahead of legislative developments with affordable advice and support * Reduce privacy risks with one simple subscription service * Enjoy peace of mind with your own dedicated data privacy manager
Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.
With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.
So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.
Let’s take a look at some of our most popular titles. Below are the four best books on Data Privacy.
This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.
It explains the Regulation’s requirements in terms you can understand and helps you understand data subjects’ rights and the way consent requests have changed.
You’ll also gain a deeper understanding of the GDPR’s technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.
Written by Alan Calder, IT Governance’s founder and executive chairman, this book is an essential introduction to the GDPR.
It’s ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.
It also provides invaluable advice on how you can meet the GDPR’s requirements.
This includes broad measures that your organisation should implement as well as tips on things you should and shouldn’t do when processing personal data.
If your organisation collects California residents’ personal data, you must comply with the CCPA (California Consumer Privacy Act).
The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.
Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law’s scope and how to achieve compliance.
A privacy bug in the Brave Browser caused the leak of the Tor onion URL addresses visited in the Tor mode by the users.
A bug in the Private Window with Tor implemented in the Brave web browser could reveal the onion sites visited by the users.
The Tor mode implemented in the Brave web browser allows users to access .onion sites inside Brave private browsing windows.
When users are inside a Private Window with Tor, Brave doesn’t connect directly to a website, instead, it connects to a chain of three different computers in the Tor network.
An anonymous researcher initially reported that the Brave’s Tor mode was sending queries for .onion domains to public internet DNS resolvers, other experts confirmed his findings.
“If you’re using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.” explained the researcher. “Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time.”
OneLogin’s recent research into remote working practices shows it is proving to be fertile ground for hackers – Here’s how to stay safe
How to stay secure
Another key step to keep your business safe from breaches is to ensure that your employees are following security best practices. To celebrate Data Privacy Day, we’ve provided some practical steps to do this. For example:
Don’t share your work computer with friends, housemates or family members: 26% of respondents admitted doing this
Don’t download personal applications onto a company device: 23% of respondents admitted doing this
Don’t work on a public wifi that is not protected: 22% of respondents admitted doing this
Don’t share your corporate password with others: 12% of respondents admitted doing this
Don’t leave your corporate devices unattended in a public space:10% of respondents admitted doing this
Do encourage your company to engage with multi-factor authentication (MFA), which gives you multiple layers of protection: Only 36% of respondents suggested that MFA had been implemented
The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
Demonstrate an understanding of privacy and cybersecurity law concepts, and basis of national/state jurisdiction 
Define terms used in the CCPA/CPRA and contrast to the GDPR 
Articulate the rights of consumers, and determine the duties of a business 
Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.
The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.
“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York.” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”
Here are our five key data privacy trends for this year.
1. There will be more public awareness of privacy rights
This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.
All of this information is helping consumers become more aware of their rights.
Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.
The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.
There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.
Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.
2. Brexit will continue to cause headaches
Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.
For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.
Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.
3. We shouldn’t expect an adequacy decision imminently
Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.
For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.
But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.
Currently, personal data can continue between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.
In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.
The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.
4. GDPR enforcement will be more consistent
In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.
In some cases, the fines were miniscule, but in others the penalties were large.
It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.
We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.
Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.
5. Cookie laws will come under greater scrutiny
From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.
So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.
Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.
Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.
Meet your data privacy requirements with IT Governance
One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.
The simplest, fastest, and most affordable way to comply with privacy legislation like the EU’s GDPR (General Data Protection Regulation), the CPRA (California Privacy Rights Act), New York’s SHIELD Act, and others. With Privacy as a Service, you can:
* Achieve scaled privacy compliance quickly * Remain one step ahead of legislative developments with affordable advice and support * Reduce privacy risks with one simple subscription service * Enjoy peace of mind with your own dedicated data privacy manager
By design, Brave Today doesn’t let the company or third parties build user profiles.
Brave Software, maker of the Brave Web browser, is introducing a news reader that’s designed to protect user privacy by preventing parties—both internal and third party—from tracking the sites, articles, and story topics people view.
Brave Today, as the service is called, is using technology that the company says sets it apart from news services offered by Google and Facebook. It’s designed to deliver personalized news feeds in a way that leaves no trail for Brave, ISPs, and third parties to track. The new service is part of Brave’s strategy of differentiating its browser as more privacy-friendly than its competitors’.
Key to Brave Today is a new content delivery network the company is unveiling. Typically, news services use a single CDN to cache content and then serve it to users. This allows the CDN or the service using it to see both the IP address and news feed of each user, and over time, that data can help services build detailed profiles of a person’s interests.
The Brave Today CDN takes a different approach. It’s designed in a way that separates a user’s IP address from the content they request. One entity offers a load-balancing service that receives TLS-encrypted traffic from the user. The load balancer then passes the traffic on to the CDN that processes the request.
The load balancer knows the user’s IP address, but because the request is encrypted, it has no visibility into the content the user is seeking. The CDN, meanwhile, sees only the request but has no way of knowing the IP address that’s making it. Responses are delivered in reverse order. To prevent the data from being combined, Brave says that it will use one provider for load balancing and a different one for content delivery.
Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020
Purpose and Intent. In enacting this Act, It is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The implementation of this Act shall be guided by the following principles:
Consumer Rights
Consumers should know who is collecting their personal Information and that of their children, how it is being used, and to whom It is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children,
Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal Information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
Consumers should be able to exercise these rights without being penalized for doing so.
Consumers should be able to hold businesses accountable for falling to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
Consumers should benefit from businesses’ use of their personal information.
The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act. It is the purpose and Intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023
Adds a right to opt out of automated decision-making technology, in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Opt-out right explicitly extends to sharing of PI used for cross-context behavioral advertising.
Strengthens opt-in rights for minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.
These scams seek to collect personal information about you, often appearing to come from a real business or agency. Someone may pose as an official disaster aid worker, or send you a fraudulent COVID contact tracing email. If you receive a message with a link, you should not click it as it may download malware to your device to steal passwords and personal information. Government agencies like FEMA or the IRS will never contact you asking for a FEMA registration number, a Social Security number, or a bank account or credit card number to give you a COVID or FEMA payment—or ask you to pay anything up front to fill out an application or to access state or federal resources.
Before sharing, check that what you are reading is from a trustworthy source. Disinformation can be life threatening in a global pandemic.
No cures or vaccines have been approved for COVID-19 yet. Online offers claiming to provide a medicine or device to treat or prevent COVID should be ignored. When there is a new breakthrough in the treatment and prevention of COVID, it will be widely reported on by reputable news sources.
Fake charities often emerge following a crisis, soliciting donations, but not using them for the described purpose. Before donating, check out www.ftc.gov/charity  to research the organization and make sure it’s legitimate.
If you receive a robocall, you should hang up instead of pushing any buttons or giving away any personal information. If a call claims to be from the IRS or FEMA, but demands immediate payment through debit card or wire transfer, it is fraudulent. Federal agencies will never demand immediate payment over the phone, threaten immediate arrest, or ask you to make a payment to anyone other than the U.S. Treasury.
Warning Signs that a Loved One may be the Victim of a ScamÂ
Victims to a scam may be embarrassed or uncomfortable asking for help. It’s not always obvious when someone has been scammed, so check in with your loved ones frequently, especially if they are older, live alone, or are otherwise high risk.
Warning signs include large ATM withdrawals, charges, or checks; secretiveness and increased anxiety about finances; large quantities of goods being delivered that they do not need; an unusual number of phone calls or visits from strangers; and a sudden lack of money, unpaid bills, or a change in daily habits.
For more information, and to get help with a potential FEMA fraud, you can call the National Center for Disaster Fraud Hotline at 866-720-5721 or FEMA’s Public Inquiry Unit at 916-210-6276. For questions about pandemic scams, go to www.ftc.gov/coronavirus or www.cdc.goc/coronavirus/2019-ncov .
Brave Browser, the privacy-focused web browser, announced today that it grew in usage by over 130% in its first year of the release of its ‘Stable’ version.
Tracking allows the companies to improve their algorithm and app experience, but this experience comes at the cost of your digital data. In this guide, we’re going to focus on the search engines and browsers that you’ll want to use if you care about your online privacy.
Popular search engines and browsers do a great job at finding and browsing content on the web, but can do a better job at protecting your privacy while doing so.
With your data being the digital currency of our times, websites, advertisers, browsers, and search engines track your behavior your on the web to deliver tailored advertising, improve their algorithms, or improve their services.
Privacy-focused search engines
Below are the best privacy-focused search engines that do not track your searchers or display advertisements based on your cookies or interests.
