
Cyber Security Capstone

Temple University

MIS 5903.711 ■ Summer 2022 ■ William Bailey

Week 3: In the News – Protecting Privacy

May 22, 2022 by William Bailey 10 Comments

During this week, research a recent law concerning privacy. Summarize this recent law for us:

  • What information does it protect,
  • What controls or limitations does the law specify,
  • What organizations need to comply with the law, and
  • In which regions would we need to be concerned with this law?

How does this law represent new risk(s) to the organization?

Filed Under: Week 03: Asset Security

Comments

  1. Mohammed Syed says

    May 18, 2022 at 10:50 pm

    https://www.jdsupra.com/legalnews/connecticut-becomes-the-fifth-state-to-9560494/

    Connecticut becomes the fifth state to enact a comprehensive data privacy law

    Initially it seemed that no one was serious about online information and privacy databases; privacy on the web had never been so widely discussed, but in the last couple of years data breach attacks have increased to a high level, and many controversies have happened. These incidents made us realize that modern technology can erode our privacy. To protect privacy and handle user data in a secure way, every company and organization needs to adhere to the new laws that regulate how companies and organizations handle users’ data.
    The privacy regulation is a law that complements the General Data Protection Regulation, known as GDPR, the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (ColoPA), and the Utah Consumer Privacy Act (UCPA). It gives detailed regulations and instructions on how to deal with threats, IoT devices, email marketing, and other digital communication channels. The privacy regulation directly affects electronic communications services and publicly available directories, which process and store data in user terminal equipment.
    The new data privacy law is a complex collection of guidelines, and many good and bad outcomes come from them, such as eliminating weak links in your system, examining where the user sends data, finding out if your software providers aid you in fulfilling your obligations, considering data anonymization (de-identification) options, etc. All new laws directly affect an organization’s data management process and business, which is why it is risky for organizations to manage their business under the new law enforcement.

  2. Kelly Sharadin says

    May 19, 2022 at 1:27 pm

    The Colorado Privacy Act (CPA) passed in June 2020 and goes into effect on July 1, 2023. CPA follows similar right-to-privacy standards set forth by the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act, and the European General Data Protection Regulation. CPA seeks to grant residents of Colorado rights over their data by formally stating obligations that businesses must adhere to or risk fines. CPA applies to companies that collect personal data from 100,000 Colorado residents within one calendar year or collect personal data from 25,000 Colorado residents with the intent to generate revenue from personal data. CPA applies to any size of business, including small and medium-sized enterprises. However, data maintained for employment, health insurance (HIPAA compliance), and consumer reporting purposes are exempt from CPA. Primary controls required by CPA include data sanitization to anonymize collected identities and implementation of least privilege regarding who can access and view the data. Personal data is defined as anything personally identifiable to an individual (religion, health conditions, citizenship, etc.).

    https://leg.colorado.gov/sites/default/files/documents/2021A/bills/2021a_190_rer.pdf

  3. Anthony Wong says

    May 20, 2022 at 9:57 am

    The California Consumer Privacy Act (CCPA) was enacted in 2018, which provided consumers more control over how businesses collect and use their personal data. The CCPA protects personal information such as name, SSN, email, internet browsing history, geolocation data, and even online profile preferences. The law gives the customer the right to know what personal information is collected and how it is used. It offers the consumer the right to delete the collected information. Additionally, consumers are allowed to opt out of the sale of their information and, lastly, cannot be discriminated against for exercising their CCPA rights. Per the CCPA government, the law applies to for-profit businesses in California. Additionally, it applies to companies who meet the following criteria: over $25 million in gross annual revenue; buy, receive or sell over 50,000 California residents’ personal information; and have over 50% of their annual revenue from California residents. Any business conducting business in California needs to be concerned with this law.

    https://oag.ca.gov/privacy/ccpa

  4. Vraj Patel says

    May 22, 2022 at 12:28 pm

    All businesses that provide financial services or products are subject to the Gramm-Leach-Bliley Act (GLBA). According to Skyhigh Security, financial services “require these organizations to acquire personal information from their consumers, such as names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.” Noncompliance with the GLBA carries a penalty. Noncompliance might result in a civil penalty of up to $100,000 per violation. GLBA has also specified the companies’ data security and encryption criteria. GLBA requires all businesses to notify their customers if there are any issues that may have impacted their customer data.

    Reference:
    https://www.skyhighsecurity.com/en-us/about/cloud-compliance/glba-compliance-requirements.html

  5. Oluwaseun Soyomokun says

    May 22, 2022 at 4:32 pm

    In comparison to contemporary privacy regulations, Gov. Ralph Northam, D-Va., signed the Virginia Consumer Data Protection Act into law on March 2, 2021, following a special session extension into 2021.
    Virginia became the second state to implement comprehensive privacy legislation, and the first to do it independently (the California Consumer Protection Act led the way in 2018, but the Legislature moved forward with the bill because they were facing a ballot initiative if they failed to do so).
    The scope of the CDPA is also influenced by a few crucial definitions. “A natural person who is a Commonwealth resident functioning only in an individual or household context” is classified as a “consumer.”
    Importantly, it expressly excludes anyone who is “operating in a commercial or employment setting” from its definition.

    Furthermore, “the exchange of personal data for monetary consideration by the controller to a third party” is characterized as “the sale of personal information.” Unlike the CCPA, which defines a sale as when personal data is traded for “monetary or other valuable consideration,” the CDPA stipulates that the consideration must be monetary.

  6. Shubham Patil says

    May 23, 2022 at 12:29 pm

    The New York Privacy Law sets forth provisions for companies to manage personal data responsibly and lawfully. NY data protection laws will obligate companies to acquire consumers’ consent, disclose their de-identification processes, and install controls and safeguards to protect personal information. Consumers will also have more control over their personal data, for example, the right to know details of the companies who hold their data.

    Central conditions of this data privacy regulation include:

    • Right to Notice – Consumers will have the right to be notified of what data is being processed, by whom and for what purpose, amongst other details.
    • Opt-In Consent – Before collecting or processing any personal data, the data subject must give their consent, via an unambiguous and informed route.
    • Right to Access, Correct Data – Companies will be obligated to provide easily accessible ways for data subjects to access details of their personal data being held and request corrections.
    • Right to Delete – Companies will be obligated to provide accessible routes for data subjects to request that companies dispose of their personal data and delete it in its entirety. This will also include ensuring that third parties dispose of it too, under the same restrictions.

    The new law will involve annual risk assessments, as well as demand disclosures regarding automated decision making driven by personal data. An annual data deletion is required for data that is no longer needed.

    It is yet to be determined in detail but the NY personal privacy protection law will apply to entities conducting business in New York and possibly those handling personal data of New York residents.

    Projected criteria for the application of the NYPA are said to be:

    • If your yearly gross revenue is over $25,000,000.
    • If you control the data of a minimum of 100,000 New Yorkers.
    • If you control the data of a minimum of 500,000 people in general, with 10,000 that are New York residents.
    • If you derive 50% or more of your gross revenue from the selling of personal data.

    Targeted advertising and data sellers are not the only ones who need to take heed of the upcoming laws and regulations to ensure they won’t be in violation and open to penalties. Any business or company who processes, stores, handles or uses personal information of any kind will need to adhere to these laws.

    As the global market becomes more and more interconnected, businesses around the world will need to take into account the NYPA if they want New York’s residents to use their websites or services.
    Government bodies who are processing or storing data for reasons other than sales are exempt from the NYPA, as is data maintained for employment purposes, protected health information and data collected to research on human subjects. These exemptions will need to be examined in greater detail when the final version of NYPA is released.

    https://www.nysenate.gov/legislation/bills/2021/S6701

  7. Antonio Cozza says

    May 23, 2022 at 7:29 pm

    What information does it protect,
    What controls or limitations does the law specify,
    What organizations need to comply with the law, and
    In which regions would we need to be concerned with this law?
    How does this law represent new risk(s) to the organization?

    The European General Data Protection Regulation is a major privacy law in the European Union that went into effect in May 2018, and it applies to anyone who controls or processes any data on EU citizens, even if located outside of the EU. Noncompliance fines are up to $25 million USD. GDPR specifies applicable companies as either controllers (if they control EU citizen data and decide what to do with it) or processors (those who handle EU citizen privacy data for other companies), and it also specifies subjects – users whose data is being collected. While a company can be both a controller and a processor in certain cases, the compliance requirements for each are slightly different. GDPR covers EU citizen personal data, which includes data like names, email addresses, addresses, IP addresses, unsubscribe confirmation URLs that include emails and/or names, etc. Furthermore, GDPR specifies different primary criteria for compliance:
    1. “Data controllers must be able to provide a free copy of an individual’s data if requested. Individuals may find out what personal data of theirs is being processed, where it is being stored and why it is being processed.”
    2. Users can request to have their information deleted.
    3. Users can request all data in a digital format.
    4. Customers of data breaches must be notified within 72 hours.
    5. Privacy must be included in the design phase along with due care.
    6. Processors/data monitors must appoint someone as a DPO (Data Protection Officer).

    https://www.seerinteractive.com/blog/the-gdpr-simplified/

  8. Kyuande Johnson says

    May 23, 2022 at 10:08 pm

    The California Consumer Privacy Rights Act, also known as “Proposition 24,” was approved by majority vote on November 3rd, 2020. The CPRA protects consumer information from being utilized for business purposes. This law permits consumers to prevent California businesses from sharing personal information. It enables consumers to correct inaccurate information and limits the business use of sensitive information such as geolocation; race; ethnicity; religion; genetic data; private communications; sexual orientation; and specified health information. The CPRA applies to businesses that have a gross annual revenue of over $25 million in the preceding calendar year, or buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices. Purpose limitation requires you to be specific and intentional when collecting personal information. Personal information must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

    https://iapp.org/resources/topics/ccpa-and-cpra/

  9. Tal Eidenzon says

    May 24, 2022 at 12:02 am

    Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet

    Hacktivist group Anonymous announced that they are launching a cyber-war against the pro-Russian group Killnet, which recently attacked European institutions.
    The news comes after anonymous hackers recently declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine, including leaking over 360,000 Russian federal agency files in the process.

    This is an interesting development that underlines the wide variety of motivations that various threat actors have.

    https://www.infosecurity-magazine.com/news/anonymous-declares-war-on-killnet/

  10. Mitchell Dulaney says

    May 25, 2022 at 7:17 pm

    The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was passed in New York state on July 25, 2019, and serves as an expansion of the state’s existing Information Security Breach and Notification Act passed in 2005. The SHIELD Act dictates that companies must provide notice to customers when a variety of private information is breached, something that the 2005 law also required. However, the SHIELD Act expands the types of information that are deemed to be “private” and expands the definition of a breach. Now, the definition of private information includes biometric information and any username or email address in combination with a password, which were previously not covered by law. Furthermore, the definition of a breach has been amended to include any access to private data that has compromised the confidentiality, integrity, or availability of that data.

    The SHIELD Act is meant to be broad both in terms of scope and in terms of the kinds of controls that it dictates must be in place to be in compliance. There are a number of “reasonable” safeguards that are laid out in the law, but the list is not comprehensive and the control definitions are intentionally broad. It includes technical controls like detecting cyber attacks or failures in information systems, and testing system controls; physical controls such as preventing intrusions; and administrative controls like employee security awareness training.

    This law applies to any companies that experience a breach in which at least 5,000 residents of New York state are impacted. It poses risks to companies serving such customers because a failure to notify them properly would incur significant financial damages from the state and would negatively impact the company’s reputation in the eyes of consumers.

    https://ag.ny.gov/internet/data-breach

