Cybersecurity: Key Data Security Sources for Surviving Covid-19

Briefing  

The coronavirus pandemic has created an explosion in information security awareness and a sense of hyper vigilance. Cybersecurity attacks have increased, especially malware, phishing, vishing and ransomware. As cyber awareness increases, boards, leadership teams and individuals need access to the most reliable sources of information and advice. Excellence, expertise and the ability to communicate security threats, risks, priorities, trends and effective responses are crucial. These trusted insights are vital for companies and organisations.  

Leading Data Security Sources: Centres of Excellence

The organisations below have consistently helped companies, organisations and individuals to identify threats, improve controls, increase training and reduce the risk of cybersecurity breaches and loss of reputation. Covid-19 has reinforced their importance. They understand the national and international security landscape. Their experience spans many sectors. Several of the organisations play a key role in national cybersecurity strategies and so are trusted by governments and the public services.   The organisations raise awareness, issue threat alerts, produce guidance, publish analysis, create training materials, lead certification activities, respond to data breaches, secure critical national infrastructure and work with companies and organisations to improve their cyber resilience.

UK National Cyber Security Centre (NCSC)

The NCSC was created in 2016 and spun out of the UK’s GCHQ. It combines the CESG (GCHQ’s information security arm), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related work of the Centre for the Protection of National Infrastructure (CPNI). It has responsibilities across government, for critical national infrastructure protection and the national cyber security strategy. Its guidance, standards-setting, alerts, website, social media, work with all sectors make it a leader in information security.  

National Institute for Standards and Technology (NIST)

NIST is non-regulatory agency of the United States Department of Commerce with a central role of promoting innovation and industrial competitiveness. Its main laboratory programmes include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. For cybersecurity and data privacy, its standards and frameworks are very popular and underpin the information systems of organisations around the world. This work is supported by the Computer Security Resource Center (CSRC). Its guidance, standards, measurements, publications, website and social media output are authoritative.  

The European Agency for Cyber Security (ENISA)

ENISA is an agency of the European Union, created in 2005 and located in Athens and Heraklion in Greece. The agency works with EU Members States to advise, offer solutions and improve cybersecurity capabilities. It builds capacity to respond to large cross-border cybersecurity incidents or crises. It has developed cybersecurity certification schemes since 2015. ENISA acts as a key centre of expertise for member states, EU institutions and private organisations on network and information security. Its guidance, CERT co-ordination, standards, certification schemes, publications, website and social media output are highly influential.  

United States Computer Emergency Readiness Team (US-CERT)

US-CERT analyses and reduces cyber threats, vulnerabilities, disseminates cyber threat warnings and coordinates incident response activities. It uses advanced network and digital media analysis to identify malicious activity targeting networks in the United States and abroad. US-CERT is part of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Its work includes threat analysis and information sharing, digital analytics, operations, communications and international work. Its publications, advisories, alerts, analysis, advice, website and social media output are respected. Its unique selling point is to analyse and disseminate information about the most persistent international cybersecurity threats.

Federal Bureau of Investigations (FBI) – Cyber Division

Created in 2002, the FBI’s Cyber Division leads US national effort to investigate and prosecute internet crimes, cyber based terrorism, espionage, computer intrusions and major cyber fraud. It proactively informs the public about current trends in cybercrime. Its three key priorities are computer intrusion, identity theft and cyber fraud. It works with other agencies and takes part in cross-border initiatives.

Other Influential Data Security Organisations, include:

Australian Cyber Security Centre

Canadian Centre for Cyber Security

National Cyber Security Centre (Ireland)

National Cyber Security Centre (Netherlands)

National Cyber Security Centre (New Zealand)

The National Cybersecurity Agency of France

Cyber Security Agency of Singapore

PS102020

Five Key Things to Know about Dubai DIFC Data Protection Law 2020

The Dubai International Financial Centre (DIFC) Data Protection Law 2020 (DP Law) applies to the DIFC financial services free zone in Dubai, United Arab Emirates and took effect on 1 July 2020. The DIFC DP Law protects the personal data held and processed by organisations that are registered in the DIFC as well as linked external organisations. New data protection rights include the right to access personal data, the right to data portability, the right to withdraw consent, the right to object to automated decisions (including profiling) and the right not to suffer discrimination for exercising data protection rights. Businesses have an overriding duty to demonstrate compliance with the data protection principles. The DIFC Commissioner of Data Protection is the regulator. Regulator enforcement starts on 1 October 2020.

1.What types or organisations are covered by DIFC DP Law?

The law applies to businesses that are registered in the DIFC or businesses that process personal data in the DIFC as part of stable arrangements. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law.

2. What types of data or information are covered by DIFC DP Law?

The DIFC DP Law protects personal data which is defined as information that identifies or makes living individuals identifiable. Identified or identifiable means reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors about an individual’s biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

3.What are the main DIFC DP Law obligations for businesses?

Businesses must:

  1. Comply with additional data protection principles of accountability (demonstrate compliance), transparency and process personal data in line with the rights of individuals.
  2. Appoint a Data Protection Officer (DPO), if they are DIFC bodies or carry out high risk processing on a systematic or regular basis. Other controllers or processors may appoint DPOs.
  3. Report data breaches as soon as practicable in the circumstances to the DIFC Commissioner of Data Protection and to individuals affected (if the breach is a high risk to security or individual rights).
  4. Register with the regulator and publish detailed data protection notices.
  5. Complete Data Protection Impact Assessments (DPIAs) for high risk data processing.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with DIFC DP Law?

Yes, in large part, but not completely. GDPR and DIFC DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. DIFC DP Law was enacted to include provisions that largely mirror GDPR. It is likely that the DIFC will make an application to the European Union (EU) for an adequacy decision to ease international data transfers between the DIFC and the EU. GDPR data mapping and records of processing activity logs can help to identify DIFC DP Law impacted personal data. GDPR Privacy Notices, policies and GDPR processes used to respond to GDPR rights can assist DIFC DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated.

5. Does the DIFC DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses process personal data and are registered in DIFC or process personal data in the DIFC as part of stable arrangements in the DIFC, then the DIFC DP Law will apply. The law also applies to businesses that process data on behalf of organisations registered in the DIFC or for organisations that process data in the DIFC as part of stable arrangements. The DIFC Commissioner for Data Protection can impose administrative fines of up to $100,000. DIFC Courts can order businesses to pay compensation to individuals.

Five Key Steps to Take ahead of CCPA Enforcement

The California Consumer Privacy Act 2018, or CCPA, took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement beings on 1 July 2020. California is the world’s fifth largest economy and is home to some of the world’s most innovative companies and discerning consumers.

  1. How can we plan for CCPA enforcement, during Covid-19?

The regulator, the California Attorney General can enforce the CCPA after 1 July 2020 but can look back to January 1, 2020 when making enforcement decisions. The coronavirus covid-19 pandemic period is included. Companies and organisations need to document their pre Covid-19 CCPA compliance steps as well as the changes made to these compliance programmes by the impact of Covid-19.

  1. How important are data flow mapping and personal information inventories?

Data flow mapping and the creation of personal information inventories are key to CCPA compliance. There are many ways to create these and work from General Data Protection Regulation (GDPR) compliance activities can help. As part of this process, the approach taken by key suppliers, such as making CCPA rights available to all citizens across the USA or worldwide, will impact your company’s or organisation’s risk profile.

  1. What are the key areas we should spend time on at this stage?

The CCPA, like similar laws, places consumers and users personal information at the centre of data governance. Companies and organisations should focus on consumer touch points including privacy policies, consumer notices, consumer opt-out mechanisms, terms of service and data subject rights processes. It is very important that companies and organisations put in place and test their identity verification processes. For App-only companies and organisations or those with a lot of App-based customers, developing just-in-time consent notification solutions is a CCPA requirement that can lead to real and lasting consumer innovations.

  1. What should be our approach to CCPA and cybersecurity?

Where there is change, uncertainty or fear, cybercrime and cybersecurity incidents rise. CCPA requires substantial changes to data governance and data flows, which is significantly affected by the impact of coronavirus covid-19. Companies and organisations should strengthen their information security defences to reduce the impact of phishing attacks, impersonation, fraudulent CCPA applications and social engineering that uses the CCPA as a trigger.

  1. What are the steps to take to prepare for the next stages of privacy changes in California?

The California Attorney General will publish the finalised CCPA enforcement regulations in the coming weeks for agreement. Federal and California state-level coronavirus covid-19 rules will impact consumers across a range of sectors affected by CCPA. There are plans to submit a new California Privacy Rights Act (CPRA) into the November 2020 ballot to extend the scope of CCPA. Companies and organisations should avoid CCPA programme mission creep, especially as the global economy cools. Speculative or draft privacy changes should be monitored and assessed, but not confuse or detract from core CCPA compliance.

Further Information:

PrivacySolved Briefing: Five Key Things to Know about California Consumer Privacy Act (CCPA)

California Attorney General CCPA Resources

Californians for Consumer Privacy CPRA Resources

For Enquiries:

contact@privacysolved.com

Five Key Things to Know about California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act 2018, or CCPA, is a US state privacy law that took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement begins on 1 July 2020.

1. What types or organisations are covered by CCPA?

The law applies to businesses that operate for profit and that fall into any one of the following categories:

  • Annual gross revenue in excess of $25 Million (US Dollars); or
  • Buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or
  • Earns 50% or more of annual revenues from selling consumer personal information

2. What types of data or information are covered by CCPA?

The CCPA protects the personal information of California consumers. Personal information includes many different types of data and information including identifiers (name, address, social security number and online identifiers etc), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences taken from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.

3. What are the main CCPA obligations for businesses?

Businesses must:

  • Provide notices to consumers at or before data collection
  • Create procedures to respond to consumer requests to opt-out, know and delete information, including putting “Do Not Sell My Information” notices on websites and mobile applications.
  • Respond to consumer requests to know, delete and opt-out within specific timeframes
  • Verify the identity of consumers who make requests to know and to delete, whether or not the consumer has a password-protected account with the business

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with CCPA?

No. GDPR and CCPA have different scopes, definitions and compliance requirements. However, there are important similarities. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. GDPR Privacy Notices, Policies and GDPR processes used to respond to GDPR rights can assist CCPA compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Do Not Sell notices and their underlying systems are unique to CCPA and present several practical, technical and technological challenges.

 5. Does the CCPA apply to businesses in other US states or to foreign companies?

Yes, it can. If a business falls within the CCPA qualifying criteria and holds personal information about California consumers, then CCPA applies. Businesses that are based in other US states and companies from outside of the United States may have to comply with the CCPA.  All organisations should seek specialist advice, monitor the development of the CCPA enforcement regulations, examine official guidance and watch the Regulator.