
American Cyber Security Management

Secure and certify all your data and processes


RMISC June 7-9 2023

February 7, 2023 By American Cyber Security Management

Rocky Mountain Information Security Conference is back! It is back to its regularly scheduled time of year, in June. The call for papers is open and we are building out our 3-day agenda. Once again, Wed June 7 will be a full day of Privacy. While it is not formally called Privacy Day, it is still the same level of programming you are used to.

To attend the Privacy Training, either sign up for the 3-day conference or pay for a single day and select Wed June 7th.

We at AmericanCSM.com are proud to be a sponsor again for this year’s RMISC and hope to see you there.

RMISC Website

Early Bird Registration

You can register early and get a good discount before March 31, 2023. Be sure to use your ISSA or ISACA membership for an additional discount.

Register here

American Cyber Security Management is a leader in data privacy, cybersecurity, and compliance. Our mission is to help enterprises protect their data from internal and external threats. We offer on-demand assessment, implementation, and sustainability services that focus on Privacy and Cybersecurity readiness and compliance, risk reduction, and mitigation. https://www.americancsm.com

Filed Under: Cyber Security News

AmericanCSM.com (ACSM) is no longer supporting Facebook. DO NOT FOLLOW US!!! 

January 23, 2023 By American Cyber Security Management

With all of the bad actors using Facebook to lure citizens into false relationships, false advertising, and deep fakes, and with Facebook's numerous privacy violations, we have decided to drive more awareness around these issues with this post and by NOT participating in a historically insecure and privacy-disrespecting environment.

Facebook has seen a long list of privacy and security violations, to list a few:

  • Nov 2022 – €265M by Irish DPA
  • April 2021 – 533 million users’ data leaked
  • July 2020 – WhatsApp breached
  • July 2019 – $5B by FTC
  • June 2019 – WhatsApp infects 25 million Android devices with malware
  • April 2019 – Facebook uploads 1.5 million users’ data without consent
  • April 2019 – 540 million users’ data exposed on Amazon
  • March 2019 – Improper phone number collection via 2FA since 2011
  • 2019 – Continual lobbying against privacy regulations
  • March 2018 – Cambridge Analytica accesses 50 million users’ data unlawfully
  • 2017 – Evidence is exposed showing Facebook selling users’ data 2012-2014
  • May 2011 – 100,000 apps are found to be leaking FB data
  • August 2008 – Violates federal wiretap law

An individual’s privacy and the secure control of their information are of utmost importance, and social media systems need to take better care of every user’s data. We are choosing not to contribute to the bad actors taking advantage of Facebook users and, as such, will be halting our posting to this platform.

If you are visiting our Facebook page, please be aware that, at this point, most of the followers of our site are not real people; they are most likely bots or bad actors. If you are a follower of our Facebook page, we encourage you to unfollow us.

To learn more about how ACSM can help support your data privacy needs, please use our website contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.


Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities aims to reestablish lawful basis for EU-U.S. data transfers

November 14, 2022 By American Cyber Security Management

On October 7, 2022, President Biden signed an Executive Order to implement a data privacy framework for data transfers between the European Union and the United States.

The EU’s General Data Protection Regulation (GDPR) places restrictions on transfers of personal data to certain countries outside of the EU and the European Economic Area (EEA). The United States is considered to be a high-risk country due to its lack of comprehensive privacy legislation along with laws such as the Foreign Intelligence Surveillance Act (FISA), which governs electronic surveillance by law enforcement of foreign powers and agents of foreign powers. In particular, § 702 permits law enforcement to conduct targeted surveillance of foreign persons located outside of the United States, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information when this information traverses U.S. territory.

For GDPR compliance, an adequacy decision from the European Commission is required for the lawful transfer of data between the EU and countries such as the United States. Said adequacy decisions are made by the European Commission and certify that data transfers between the EU and the country in question are sufficient to satisfy GDPR restrictions.

The now invalidated EU-U.S. Privacy Shield used to permit EU-based companies to lawfully transfer personal data to U.S.-based companies that were in compliance with the Privacy Shield Framework. However, in the Court of Justice of the European Union’s 2020 Schrems II decision, compliance with the Privacy Shield as an adequacy decision was invalidated, leaving EU-based companies with few means of lawfully transferring personal data between the EU and the United States.

As was noted in a publication announcing the signing of the new Executive Order, transatlantic data flows are critical to the $7.1 trillion in economic activity between the EU and the United States. The Executive Order will reestablish a legal basis for lawful transatlantic data transfers by addressing concerns that the Court of Justice of the European Union raised in Schrems II when it struck down the EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.

The Executive Order imposes restrictions on access by the U.S. government to data transferred from some jurisdictions, including the EU, and provides for legal redress for individuals with claims that their privacy rights have been infringed. The Executive Order requires that relevant surveillance activities be conducted only in pursuit of defined national security objectives and take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence. Moreover, said surveillance must be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportional to that priority. The Executive Order further requires the U.S. Intelligence Community to update its policies and procedures to reflect the privacy and civil liberties safeguards contained in the Executive Order.

Notably, the Executive Order creates a mechanism for individuals from qualifying countries to obtain an independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law.

While the European Commission must still determine whether the Executive Order is sufficient for an adequacy decision, the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities is likely to provide some sense of direction for organization leaders striving to remain ahead of the rapidly changing privacy and security landscape. For said forward-thinking organization leaders, American Cyber Security Management is available to assist in proactively assessing and remediating their data privacy and cybersecurity management needs. To learn more about how ACSM can help your organization, please use our contact page at https://www.americancsm.com/contact-us/ and schedule a free discovery call today.


Business leaders stand to benefit from ensuring their organizations wisely manage data

October 10, 2022 By American Cyber Security Management

Last year, Apple released a software update featuring advances to sustain its privacy leadership. These new features help users control and monitor apps’ use of their data. Apple’s approach of protecting customers’ privacy by giving them a more active role in protecting it appears to be popular with Apple’s customers. Still, it seems less popular with social media platforms such as Facebook, as it has caused shifts in online advertising that have had a considerable impact on the tech giant’s ad business.

Among the changes to its privacy policy, Apple requires apps to ask users if they want to be tracked. As expected, these new privacy standards diminish apps’ ability to gather customer data needed for generating revenue from targeted ads.

Consumers today use more apps and other technology than ever before, and they are acutely aware of the value of their data and personal information. Consequently, consumers are attracted to products and services offered by companies that make safeguarding consumer data a priority. At the same time, the increased prevalence of technology usage and data transfers has resulted in more opportunities for malfeasance.

Understandably, data privacy and cyber security are top of mind for business leaders who collect or otherwise interact with consumer data. As data continues to be collected in growing forms and amounts for an increasing variety of purposes, forward-thinking business leaders will ensure their organizations are responsibly managing their collection and use of customer, employee, and user data.

American Cyber Security Management has direct experience assessing and remediating data privacy management programs for optimal efficacy. Our approach allows us to address vulnerabilities and give organization leaders the insight and specific step-by-step recommendations necessary to reduce risks and address any identified vulnerabilities. To learn more about how ACSM can help your organization, please use our contact page at https://www.americancsm.com/contact-us/ and schedule a free discovery call today.


Released draft of the proposed American Data Privacy and Protection Act provides insight into what’s on the horizon

September 28, 2022 By American Cyber Security Management

Earlier this summer, a draft was released of the American Data Privacy and Protection Act (ADPPA) that is making its way through the legislative process. Although any formally proposed legislation will likely vary in some respects, this draft of the ADPPA provides some insight into what can be expected from any upcoming final iterations of the legislation.

The stated purpose of the ADPPA is “to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” The ADPPA identifies four key components to achieve its purpose: (1) a duty of loyalty; (2) consumer data rights; (3) corporate accountability; (4) enforcement and applicability. 

ADPPA outlines a duty of loyalty which is based on data minimization, certain loyalty duties, privacy by design, and loyalty to individuals with respect to pricing. In general, a covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to provide or maintain a specific product or service. With some exceptions, ADPPA restricts the collection, processing, and transferring of certain information, including Social Security Numbers, geolocation data, biometric information, and other sensitive personal information. 

To be ADPPA compliant, a covered entity must establish and implement policies, practices, and procedures regarding the collection, processing, and transfer of covered data, which adequately safeguard data, mitigate privacy risks, and promote compliance with all applicable privacy laws. 

Under ADPPA, a covered entity may not deny, charge different prices or rates for, or condition (or effectively condition) the provision of a service or product to an individual on the individual’s agreement to waive any privacy rights guaranteed by the ADPPA.

Included in consumer data rights are: consumer awareness, transparency, individual data ownership and control, right to consent and object, and data protections for children and minors. To support these consumer data rights, ADPPA includes provisions governing third-party collecting entities, civil rights and algorithms, data security and protection of covered data, and opt-out mechanisms. 

In addition to recognizing consumer rights and organizations’ duties, ADPPA also establishes certain corporate accountability measures for executives such as the required designation of at least one corporate privacy officer. 

Although it is unclear when the United States will join the growing list of nations with comprehensive privacy legislation on the books, American Cyber Security Management is positioned to assist companies and organizations in proactively assessing and remediating their data privacy and cybersecurity management needs. 

To learn more about how ACSM can help your organization, please use our contact page at https://www.americancsm.com/contact-us/ and schedule a free discovery call today.



Copyright © 2025 American Cyber Security Management