Aug 18 2023

What Are Your Data Breach Notification Requirements?

Category: Data Breachdisc7 @ 9:47 am
What Are Your Data Breach Notification Requirements?

Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.

Some even have substantially different definitions for what a ā€˜data breachā€™ or ā€˜personal dataā€™ is.

As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.

We address these issues in this blog, bringing some much-needed clarity to the subject.

State laws on data breach notification

There is no single set of data protection laws in the U.S., with the rules instead comprised of a patchwork of industry-specific federal laws and state legislation.

To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.

Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.

The decision to revise data protection laws follows the introduction of the EU GDPR (General Data Protection Regulation) in 2018, which radically shifted organizationsā€™ requirements.

Organizations in the U.S. that process EU residentsā€™ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.

You can find aĀ summary of each stateā€™s federal data breach notification lawsĀ on our website, along with links to the texts themselves.

The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residentsā€™ personal data, which is particularly common for organizations that have an online presence.

GDPR compliance is also helpful for managing patchwork of U.S. data protection legislations. Its requirements are far stricter than any domestic laws, so achieving GDPR compliance will cover you for a range of other requirements.

You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading General Data Protection Regulation (GDPR) ā€“ A compliance guide for the US.

This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization meets its transatlantic data processing practices.

Youā€™ll also learn about the Regulationā€™s core principles and data subject rights, and the benefits of GDPR compliance.

We also provide tips on how to write your data privacy notice and give you tips on how to further your understanding of its compliance requirements.

Download now

Data Privacy Solutions

CISSP training course

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blog

Tags: CPRA, Data Breach Notification Requirements, Data Privacy Solutions, gdpr, hipaa

Aug 17 2023

Data Privacy Solutions

Category: Information Privacy,Security and privacy Lawdisc7 @ 10:09 am

Your data is an asset. Safeguarding it will help you comply with data protection laws and allow your business to thrive

A global leader in privacy guidance, audits, tools, training and software

IT Governance is a market leader in data privacy and cyber security solutions. Their broad suite of offerings is one of the most comprehensive in the world.

ITG affordable solutions have assisted numerous individuals and organizations in understanding the tangible aspects of data privacy. With substantial legal and technical proficiency, coupled with a 15-year history in cybersecurity risk management, ITG customers have complete confidence in entrusting us with their needs.

Speed up your compliance initiatives for GDPR, CPRA, and other regulations ISO 27701 by utilizing ITG collection of top-performing Tools, Templates and eBooks.

Templates and Tools

Training and staff awareness

Books

Checkout our ISO 27701 related posts to assess and built your PMS

Checkout our previous posts on CPRA

Checkout our previous posts on GDPR

CISSP training course

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blog

Tags: CCPA, CPRA, data privacy, Data Privacy Solutions, gdpr, ISO 27701

Aug 23 2022

ITG is offering bestselling implementation guides free with each toolkit purchase

Category: GDPR,Information Security,ISO 27kDISC @ 4:12 pm
For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*

All the pre-written policies and procedures youā€™ll ever need.

Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.

Reviewed throughout the year to ensure youā€™re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.

Accessible on our Cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.

GDPR Documentation Toolkit

GDPR Toolkit

Receive a free copy of EU General Data Protection Regulation (GDPR) ā€“ An implementation and compliance guide
Code: GDPR-DK-NEW-0822



ISO 27001 Toolkit

ISO 27001 Toolkit

Receive a free copy of ISO 27001 controls ā€“ A guide to implementing and auditing
Code: ISO27001-DK-NEW-0822

Tags: gdpr, iso 27001

Feb 10 2022

French data protection authority says Google Analytics is in violation of GDPR

Category: data security,GDPRDISC @ 10:28 pm
French data protection authority says Google Analytics is in violation of GDPR

French data protection authority says Google Analytics is in violation of GDPR

The French national data protection authority, CNIL, issued a formal notice to managers of an unnamed local website today arguing that its use of Google Analytics is in violation of the European Unionā€™s General Data Protection Regulation, following a similar decision by Austria last month

The root of the issue stems from the websiteā€™s use of Google Analytics, which functions as a tool for managers to track content performance and page visits. CNIL said the toolā€™s use and transfer of personal data to the U.S. fails to abide by landmark European regulations because the U.S. was deemed to not have equivalent privacy protections.

European regulators including CNIL have been investigating such complaints over the last two years, following a decision by the EUā€™s top court that invalidated the U.S.ā€™s ā€œPrivacy Shieldā€ agreement on data transfers. NOYB, the European Center for Digital Rights, reported 101 complaints in 27 member states of the EU and 3 states in the European Economic Area against data controllers who conduct the transatlantic transfers.Ā Ā 

Privacy Shield, which went into effect in August of 2016, was a ā€œself-certification mechanism for companies established in the United States of America,ā€ according to CNIL. 

Originally, the Privacy Shield was considered by the European Commission to be a sufficient safeguard for transferring personal data from European entities to the United States. However, in 2020 the adequacy decision was reversed due to no longer meeting standards. 

An equivalency test was used to compare European and U.S. regulations which immediately established the U.S.ā€™s failure to protect the data of non-U.S. citizens. European citizens would remain unaware that their data is being used and how it is being used, and they cannot be compensated for any misuse of data, CNIL found. 

CNIL concluded that Google Analytics does not provide adequate supervision or regulation, and the risks for French users of the tool are too great.

ā€œIndeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,ā€ CNIL said. 

The unnamed site manager has been given a month to update its operations to be in compliance with GDPR. If the tool cannot meet regulations, CNIL suggests transitioning away from the current state of Google Analytics and replacing it with a different tool that does not transmit the data.Ā 

The privacy watchdog does not call for a ban of Google Analytics, but rather suggests revisions that follow the guidelines. ā€œConcerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produceĀ anonymousĀ statistical data, thus allowing anĀ exemption from consentĀ if the data controller ensures that there are no illegal transfers,ā€ the watchdog said.Ā 

source: https://

therecord.media
/french-data-protection-authority-says-google-analytics-is-in-violation-of-gdpr/

GDPR Practitioner Guide

Tags: French data protection authority, gdpr, GDPR Practitioner Guide, Google Analytics

Nov 22 2020

How does the Schrems II ruling affect your organization?

Category: GDPRDISC @ 5:01 pm

GDPR compliance got even more complicated this summer when the CJEU (European Court of Justice) ruled the EUā€“US Privacy Shield invalid.

Organizations that had relied on the framework for transatlantic data transfers have been scrambling for a solution ā€“ with even some multinationals unsure how to proceed.

If youā€™re among those trying to understand how the ruling affects your data transfer processes, then ITGP updated books can help.

EU General Data Protection Regulation (GDPR) ā€“ An implementation and compliance guide

This comprehensive guide covers:

  • DPO (data protection officer) requirements, including which organizations need a DPO and what DPOs do;
  • When organizations must conduct DPIAs (data protection impact assessments);
  • GDPR implementation FAQs;
  • Guidance on how to create data protection processes that are in line with best practices; and
  • An index of the GDPR.
EU General Data Protection Regulation (GDPR) ā€“ An implementation and compliance guide, fourth edition
 

Ā  Ā  Ā  Ā Buy now

EU GDPR ā€“ An international guide to compliance

Ideal for those trying to understand the essentials of GDPR compliance,Ā EU GDPR ā€“ An international guide to compliance:

  • Explains the terms and definitions used in the GDPR;
  • Sets out the circumstances under which organizations may receive fines;
  • Shows how to meet your compliance requirements; and
  • Provides guidance on the technologies and documentation you can use to protect the personal data that you process.
EU GDPR ā€“ An international guide to compliance
 

Ā  Ā  Ā  Ā Buy now




Tags: gdpr, Schrems II

Dec 19 2019

ISO/IEC 27701 2019 Standard and Toolkit

Category: GDPR,Information Privacy,ISO 27kDISC @ 12:35 pm

ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ ISO 27002 #ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a #PIMS (privacy information management system).

Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.

SECURITY TECHNIQUES — EXTENSION TO ISO/IEC 27001 AND ISO/IEC 27002 FOR PRIVACY INFORMATION MANAGEMENT SYSTEM #PIMS

Key features:

* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data


ISO 27701 Gap Analysis Tool


Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.


What does the tool do?

  • Contains a set of sample audit questions
  • Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
  • Provides a clear, colour-coded report on the state of compliance
  • The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.


    • The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.



    ISO 27701 The New Privacy Extension for ISO 27001
    httpv://www.youtube.com/watch?v=-NUfTDXlv30

    Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
    httpv://www.youtube.com/watch?v=ilw4UmMSlU4

    General Data Protection Regulation (GDPR) | The California Consumer Privacy Act (CCPA)

    Subscribe to DISC InfoSec blog by Email




    Tags: CCPA, gdpr, iso 27001, iso 27002, ISO 27701, ISO27701, PIMS

    Aug 27 2019

    What the New NIST Privacy Framework Means to You

    Category: Information PrivacyDISC @ 11:12 pm

    Big news is coming when NIST takes the wraps off a new privacy framework. Thanks to the General Data Privacy Regulation (GDPR) of the European Union, which took full effect in May 2018, privacy is at center stage worldwide. Penalties are being meted out for violations, and organizations of all kinds need to understand and comply with the law. In addition, the California Consumer Privacy Act (CCPA) was enacted in June 2018, with many other states working on similar bills.

    Source: What the New NIST Privacy Framework Means to You

    Developing the NIST Privacy Framework – Part 1
    httpv://www.youtube.com/watch?v=W-snx9jRFf4

    Developing the NIST Privacy Framework – Part 2
    httpv://www.youtube.com/watch?v=gZ7ED0t09zk

    Developing the NIST Privacy Framework – Part 3


    NIST Privacy Framework: An Enterprise Risk Management Tool





    Tags: CCPA, gdpr

    Aug 30 2018

    4 bad things happening every minute on the Internet

    Category: GDPRDISC @ 11:46 am

    4 bad things happening every minute on the Internet

    Ā byĀ Alan CalderĀ Ā 

    Risk IQā€™s Evil Internet MinuteĀ infographic tells you the bad things happeningĀ every minuteĀ on the Internet:

    • 5 successful ransomware attacks
    • 9 phishing attacks
    • 1,274 new malware variants
    • 5,518 records compromised

    Any data you look at shows that the scale of ā€˜Internet evilā€™ increases every year. The economic impact of cyber crime now exceeds $1.1 million per minute. This is a major corporate risk, irrespective of organisational size, and cyber insurance is an inadequate response ā€“ insurers will not pay out where you have been negligent.

    TheĀ EUā€™s GDPRĀ (General Data Protection Regulation) makes the tests for negligence pretty clear: absence of accountability, insufficient corporate governance and countermeasures that do not adequately respond to the frequency and virulence of todayā€™s attacks.

    In an environment where four potentially vulnerable web components are discovered every minute, an annual penetration test is only slightly better than not bothering at all. We run penetration tests about once a month; you should be doing them at least quarterly. However, even if you do this, you need to recognise that purely technical responses have limited benefits. Staff are the weakest of your links, particularly as phishing and ransomware attacks get smarter every day. And your supply chain may increasingly be your attackersā€™ fastest route into what passes for your secure environment.Ā Staff awareness training only every year or two would be desperately short-sighted.

    Weā€™re going to see more and more organisations reporting data breaches ā€“ itā€™s now an offence to not report one, and you can be punished with significant fines. The costs donā€™t stop there. After you report a breach, and undergo investigation, fines and reputational damage, you still have to spend the money to get secure. It therefore probably works out less expensive in the long run to make comprehensive cyber security investmentsĀ beforeĀ you are breached (assuming that you havenā€™t already been breached, and you just donā€™t know it yet).





    Tags: gdpr

    Oct 18 2017

    GDPR essentials and how to achieve compliance

    Category: data security,GDPRDISC @ 9:51 am

    gdpr

    The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018. Ā The GDPR applies to all EU organizations ā€“ whether commercial business or public authority ā€“ that collect, store or process the personal data (PII) of EU individuals.

    Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. Compliance consultantĀ must know the following 9 tenants of the GDPR.

     

    • Supervisory Authority – A one-stop shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EUā€™s 28 member states, making it simpler and cheaper for companies to do business in the EU.

     

    • Breach Disclosure – Organizations must disclose and document the causes of breaches, effects of breaches, and actions taken to address them.

     

    • Processor must be able to provide ā€œsufficient guarantees to implement appropriate technical and organizational measuresā€ to ensure that processing will comply with the GDPR and that data subjectsā€™ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controllerā€™s explicit authorization. If requested by subject you must cease processing and using his or her data for some limited period of time.

     

    • Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be ā€œfreely given, specific, informed and unambiguous indication of the individualā€™s wishesā€. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes that data subject originally explicitly consented. You must obtain and document consent for only one specific purpose at a time.

     

    • Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by subject, you must erase their data on premises, in apps and on devices.

     

    • Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or necessity for the performance of a contract, or where processing is carried out by automated means

     

    • Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially including proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.

     

    • Fines – Major noncompliance of the law will be punishable by fines of up to either 4% or ā‚¬20 million of group annual worldwide turnover.

     

    Data protection by design ā€“ Organization must ensure data security and data privacy across cloud and endpoints as well as design their system and processes that protects from unauthorized data access and malware.Ā  Specifically, organizations must take appropriate technical and organizational measures before data processing begin to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

     

    How to improve information security under the GDPR

    Although many businesses understand the importance of implementing the right procedures for detection, report and investigate a data breach, but not many are aware of how to go about this effectively, especially during implementation phase.

     

    Seven steps that can help you prevent a data breach:

    1. Find out where your personal information resides and prioritize your data.
    2. Identify all the risks that could cause a breach of your personal data.
    3. Apply the most appropriate measures (controls) to mitigate those risks.
    4. Implement the necessary policies and procedures to support the controls.
    5. Conduct regular tests and audits to make sure the controls are working as intended.
    6. Review, report and update your plans regularly.
    7. Implement comprehensive and robust ISMS.

     

    ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

    Related articles on GDPR and ISO 27k

    The GDPR and Personal Dataā€¦HELP! from Cloud Security Alliance




    Tags: gdpr, gdpr compliance

    Sep 27 2017

    Data flow mapping under the EU GDPR

    Category: data security,GDPR,Security ComplianceDISC @ 8:56 am

    As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing aĀ data protection impact assessment (DPIA), which is mandatory for certain types of processing.

    The key elements of data mapping

    To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

    1. Understand the information flow

    An information flow is a transfer of information from one location to another, for example:

    • From inside to outside the European Union; or
    • From suppliers and sub-suppliers through to customers.

    2. Describe the information flow

    • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
    • Make sure the people who will be using the information are consulted on the practical implications.
    • Consider the potential future uses of the information collected, even if it is not immediately necessary.

    3. Identify its key elements

    Data items

    • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

    Formats

    • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

    Transfer method

    • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

    Location

    • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

    Accountability

    • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

    Access

    • Who has access to the data in question?

     

    The key challenges of data mapping

    • Identifying personal dataĀ Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
    • Identifying appropriate technical and organizational safeguardsĀ The second challenge is likely to be identifying the appropriate technology ā€“ and the policy and procedures for its use ā€“ to protect information while also determining who controls access to it.
    • Understanding legal and regulatory obligationsĀ Your final challenge is determining what your organisationā€™s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.Once youā€™ve completed these three challenges, youā€™ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

     

    Data flow mapping

    To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.

     

    Order Today

     





    Tags: data flow mapping, data privacy, data security, gdpr