American Cyber Security Management

Secure and certify all your data and processes

  • LinkedIn
  • Twitter
  • YouTube
  • Services
    • MSP/MSSP
    • Privacy
    • Security
    • ISO/IEC 27001:2022 Training & Certification
    • Secure DevOps
    • InfoSec Risk Management
    • Incident Response Planning
    • Artificial intelligence Readiness Offering
    • AppSec-as-a-Service
    • CISO As A Service
    • DPO As A Service
    • Security Monitoring
    • Security Operations
    • Awareness Training
  • Frameworks
    • CPA
    • CCPA/CPRA
    • GDPR
    • ISO 27001:2022
    • NIST 800-171
    • NIST 800-53
    • US Privacy Laws
  • News
  • Careers
    • DPO
    • CISO
  • Partners
  • About Us
    • Privacy Notice
    • Cookie Policy
  • Contact Us

Colorado GDPR MeetUp Announcement

January 2, 2018 By Carlin Dornbusch

As the GDPR deadline of May 25, 2018, nears, many companies are still struggling with their implementation, while some have completed it. American Cyber Security Management would like to bring together privacy practitioners, GRC leads, and others who are interested in or leading their GDPR transformations. The goal of this group is to discuss and share lessons learned, emerging best practices, and technical solutions, and to keep up to date on regulation changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/. At our first meeting, the attendees will work together to define our future meetups and put in place a framework for the meetings designed to aid information sharing.

Our first meeting will be held on Wednesday, January 17th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts.

Filed Under: Cyber Security News

Today’s Breach, But after May 2018?

December 5, 2017 By Carlin Dornbusch

Who was breached today? This is the common question. Gone are the days when we wondered whether a business had been breached or whether our data had been stolen from a public system. But what happens after May 25th, 2018, when GDPR is in full effect?

With the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR), if breached systems contain European citizen information, then specific steps, and the timing of those steps, are now mandated.

How many cases have we seen where U.S. companies take weeks, months, or even a year to disclose to their customers that their data has been inappropriately accessed, lost or stolen? In the recent case of Uber’s announcement, it took them more than one year to notify their customers of a massive data breach. Uber announced that over 57 million people were affected by their data breach and that 2.7 million were located in the UK.

How would this look under GDPR, with the EU’s new watchful eye and powerful penalties? The EU wants to ensure that communications about data breaches are accurate and timely. According to GDPR Article 33, any business that suffers a breach of EU citizen information must notify the EU authorities within 72 hours. The notice must contain, at a minimum: the nature of the breach, the name and contact details of the company’s Data Protection Officer (DPO), a description of the likely consequences, and a description of the corrective steps being taken. In addition, the business must also notify the affected EU citizens as defined in Article 34. This article requires that notice be given “without undue delay” and that the content of the breach notice be a subset of the information sent to the EU authorities.

These few rules will change how many global U.S. companies handle breach notification, and they will undoubtedly impact those companies’ processes for incident management. The good news is that we are seeing many companies implement GDPR in a holistic way, including all customer data, regardless of citizenship, in the data classification strategy they build for GDPR. This means that these companies will treat all customer data the same way they must treat it under GDPR, rather than siloing EU citizen information, which would require duplicating many business processes. GDPR is also helping these larger multinational businesses understand the value and role of the DPO, the person responsible for assuring the new privacy controls.

The GDPR may be one of the largest privacy regulations the world has ever seen, but it may be just in time. In a world of constant data breaches, we all need to be more diligent about and concerned with how companies collect and use our data, share that information with their third-party suppliers, and keep us notified of access to our information.

Filed Under: Cyber Security News

Best Breach History Resources

October 31, 2017 By Carlin Dornbusch

Where is the best website for breach data history? This has been a common question, and one that everyone seems to have a personal answer to. In the spirit of Cyber Security Awareness Month, here are some good resources to consider.

As breaches of our privacy continue daily, they can be hard to keep up with. These resources can help you justify and improve your preventive, detection, and response investments.

https://www.privacyrights.org/data-breaches – This site allows you to search the data by 8 Type categories (e.g. Payment card), 7 Organizational categories (e.g. Education, Military) and Year (back to 2005).

http://breachlevelindex.com/ – This site has good visuals and shows summarized data over time. It also allows the data to be compiled by Type, Industry, and Source.

http://www.idtheftcenter.org/Data-Breaches/data-breaches – The Identity Theft Resource Center has compiled breach data since 2005 and provides access to its summarized graphs and charts.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/ – If you want a thorough and well-written report, then I suggest Verizon’s Data Breach Investigations Report.

https://dashboard.healthit.gov/quickstats/quickstats.php – For good summarized information on healthcare, the Office of the National Coordinator for Health Information Technology provides up-to-date dashboards and data sets.

The recent Equifax breach shows what a massive and destructive force not learning from our mistakes can be. If you need any help in understanding how to put these lessons into practice, contact us at American Cyber Security Management.

Filed Under: Cyber Security News

GDPR: The Culture Challenge!

October 25, 2017 By Carlin Dornbusch

With the General Data Protection Regulation (GDPR) from the European Union (EU) nearing enforcement in May 2018, many still treat it as a project.

Many enterprises still see GDPR as a project rather than a privacy strategy. Here are some excerpts from conversations I have had with managers about GDPR:

  • “Since Safe Harbor failed we’ll see what happens with GDPR.”
  • “I don’t think it applies to us.” (This was a SaaS-based company.)
  • “We know this is very important, but we have so many other things to do.”
  • “We really need help here; this is a very big deal.”
  • “We have a project manager and myself; we need more help.”

GDPR implementations are still in their early days, and time will tell what the impact of non-compliance will be. However, it is clear that bringing together the regulatory and compliance sides of the enterprise with the mainstream product, marketing, and engineering sides is becoming more urgent. In an Agile culture of rapid delivery, integrated teams, and more intimate customer conversations, enterprises still struggle to fully incorporate their legal and compliance teams into the process. When was the last time you saw a lawyer in a scrum? Have your product owners ever engaged legal in defining a privacy model? It is hard enough to get security requirements into stories; how will enterprises incorporate privacy?

GDPR’s requirements around EU citizen rights will surely make an impact in how global enterprises handle EU citizen data. Many see this as a new default privacy model and embrace the change; others are still determining what it means to their organizations. In either case, GDPR shines a light on the opportunities for enterprises to integrate privacy, governance, and product in order to improve the quality of services we all consume.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/

If you need help realizing the benefits of GDPR or converting your GDPR project into a real privacy strategy, please contact us at American Cyber Security Management today.

Filed Under: Cyber Security News

GDPR: Are you Ready?

October 17, 2017 By Carlin Dornbusch

Are you ready for GDPR? Penalties, that is. The General Data Protection Regulation (GDPR) from the European Union (EU) has been announced and, since early 2016, required for ANY company that sells to or monitors European citizens.

GDPR is an international law that has already been enacted. This law is intended to clarify and strengthen prior privacy laws; it is extremely encompassing and global in nature. It requires that data be used in a lawful, fair and purposeful manner. It requires companies that use personal data to do so in a minimal fashion and to ensure the data is accurate, protected, and durable. Responsibility for compliance focuses on the use, or processing, of the data. The scope drives responsibility from the controller of the system down to the potentially multiple processors and sub-processors, making this thorough and inescapable for most businesses.

This law requires that EU citizens be given certain rights when they use software systems. These basic privacy rights are:

  • Right of Access
  • Right of Rectification
  • Right of Erasure
  • Right of Restricted Processing
  • Right of 3rd-Party Notification
  • Right of Data Portability
  • Right to Object

Any company found to be in breach of these new requirements will be subject to a penalty of €20 Million or 4% of revenue, whichever is greater. Companies that have only started their analysis or are partway through their implementation may face a penalty of €10 Million or 2% of revenue. This law carries significant risk for smaller businesses that are not in compliance or are only partially compliant.

There is no doubt that GDPR is the biggest change in recent privacy law. Taking a risk-based approach to your implementation will be important. Your implementation could be large, take years and cost millions, or it could be as simple as documentation, a change of process and some new technology.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/

If you are unsure whether GDPR applies to you, or wish to find out with an assessment, please contact us at American Cyber Security Management today.

Filed Under: Cyber Security News

Copyright © 2026 American Cyber Security Management