Cybersecurity and Data Privacy


Summary: Cybersecurity, or information security, refers to the measures taken to protect a computer or computer system against unauthorized access from a hacker. On its most basic level, data privacy is a consumer’s understanding of their rights as to how their personal information is collected, used, stored and shared.


Data breaches can take place on both a large and small scale, but most people are probably more familiar with the bigger incidents. Every employer faces the reality that they could be the target of a network security breach. A cybersecurity breach can jeopardize credibility and cost small businesses without cyber liability insurance thousands of dollars (or more) in damages, impacting customer service, productivity and reputation.

Data breaches are cybersecurity attacks that impact personal data and privacy. It might seem like cybersecurity or information security and data privacy are interchangeable terms, but let’s take a look at the main differences.

What is Cybersecurity or Information Security?

Cybersecurity, or information security, refers to the measures taken to protect a computer or computer system against unauthorized access from a hacker. A robust cybersecurity policy protects secure, critical or sensitive data and prevents it from falling into the hands of malicious third parties. The most common forms of cyberattacks are phishing, spear phishing and injecting malware code into a computer system.

What is Data Privacy?

Varonis defines data privacy as a type of “information security that deals with the proper handling of data concerning consent, notice, sensitivity and regulatory concerns.” On its most basic level, data privacy is a consumer’s understanding of their rights as to how their personal information is collected, used, stored and shared. The use of personal information must be explained to consumers in a simple and transparent manner and in most cases, consumers must give their consent before their personal information is provided.

Worldwide Data Privacy Regulations

GDPR

The protection of data privacy has come to the forefront with the launch of the General Data Protection Regulation (GDPR) by the European Union (EU) in 2018. The GDPR updated an older data law to reflect today’s ever-changing technology. The GDPR places more requirements on organizations that process and collect personal data, emphasizing accountability and evidencing compliance while strengthening the individual’s rights.

The GDPR applies to all data directly or indirectly related to an identifiable person in the EU that is processed by an individual, company or organization. Any small business that processes people's personal data within the EU is subject to the GDPR, no matter where in the world the business is based. It is important to note that the GDPR pertains to people within the EU, not necessarily to EU citizens. This means that any company using the data of EU data subjects, even if that company is based outside the EU, will need to comply with the regulation's requirements for protecting data such as identifying information, IP addresses, cookies, health, genetic or biometric data, racial or ethnic data and sexual orientation.

California Consumer Privacy Act

The California Consumer Privacy Act, A.B. 375 (CCPA), gives California residents an assortment of new privacy rights, starting with the right to be informed about what kinds of personal data companies have collected, why it was collected and how it is being used. The law stipulates that consumers have the right to:

  • Request the deletion of personal information
  • Opt out of the sale of personal information
  • Access the personal information in a “readily useable format” that enables the easy transfer of the data to third parties

The law technically applies only to California residents; however, businesses that are impacted by the law do not need to have a physical presence in California. A business should be concerned with the CCPA if it meets any one of the following stipulations: it has a gross revenue over $25 million, it receives and shares the personal information of over 50,000 Californians annually, or it gets at least 50% of its annual revenue by selling the personal information of California residents. Nonprofit organizations and companies that do not meet the above requirements do not have to comply with the CCPA.

Insurance and Privacy Legislation

The GDPR and California privacy regulations spotlight the importance of data privacy. This privacy extends to the systems that collect, store, process and transmit data. Cyber privacy can cover both personally identifiable information (PII) and non-identifying information that, when aggregated, can be used to identify an individual, such as a user’s behavior on a website and cookie information.

The GDPR requires that an organization notify data protection regulators and affected individuals about any data breach which is likely to result in a privacy risk to those affected. Notification significantly increases the costs of responding to a data breach, as well as the chances that affected individuals will make claims against the controller.

The CCPA strengthens an individual’s rights to access and protect their personal data. These include a right for the individual to request that their data be deleted (the right to erasure), a right to object to processing and the right to data portability in electronic form. This means that a policyholder could request a copy of all data that their insurer holds about them in a commonly used and machine-readable format so they can provide it to their new insurer. Also, individuals must be informed about any automated decision-making processes in the insurer’s privacy notice. Individuals also have the right to object to automated decision-making, meaning that the insurer must have a non-automated alternative.

Protecting Your Company from a Cybersecurity Attack

Ultimately, cybersecurity attacks are trying to get at a person’s or company’s data, and the risk of a data breach at an organization of any size has continued to rise. In response, there has been a distinct focus on cybersecurity, as companies have grown more aware of the various types of data breaches and the impact they can have on their brand, reputation and customer loyalty, not to mention the costs involved in properly notifying all parties of the breach.

Companies are making it a priority to protect their organizations from data breaches by offering data security training and creating a company-wide data breach policy with a response plan ready to implement if and when it is needed. Small businesses can also help prevent data breaches by:

  • Keeping Data Safe: Because many data breaches result from employee error, staff should only have access to the information vital to their particular role within the company. Additionally, consider a records retention program that requires employees to purge files, both on their computers and any hard copies they keep, according to the program, destroying the information in the proper manner. Old data should be properly archived or deleted based on local and federal laws and company policies. A data breach can result in litigation.
  • Password Protection Program: To stay protected from a data breach, small businesses and their employees should use strong passwords for every site accessed on a daily basis. Also, passwords should never be shared between employees or written down where others can see them.
  • Update Security Software: Companies should use firewalls, anti-virus software and anti-spyware programs to help ensure sensitive data cannot be easily accessed by hackers. These security programs also require regular updates to keep them free from vulnerabilities, so make sure to check software vendors’ websites to learn about upcoming security patches and other updates.
  • Employee Training: All employees should be trained on the importance and methods of data security. Both physical and digital records should be safeguarded at all times, and confidential information about clients, employees or corporate affairs should always remain secured.
  • Data Encryption: All data, whether on a personal device, computer, or server should be protected by proper encryption. Companies in many states can benefit from safe harbor exemptions that only apply if the company can prove the data was encrypted before a breach.

Common Warning Signs of a Cybersecurity Attack

Another way to stay protected from a data breach is to understand the common warning signs of an attack and the things your organization can do to remain secure. These include:

  • Monitor Unusual Behavior: If a program acts up, it could simply be a software or hardware malfunction, but it could be something much worse. Check the system for other irregularities.
  • Investigate Suspicious Files: If malware is detected, or a user reports opening a suspicious file, don't take any chances. Assume that the malware has infected something, and don't stop investigating until you find out what, if anything, was breached.
  • Review System Communication: Regularly review communication patterns on the network. If an employee’s computer is accessing other workstations or transmitting large amounts of data to somewhere outside of the network, this could be a sign of a compromise.
  • Run Scans: Keep anti-virus and anti-malware programs up to date. Also, run vulnerability scanning tools to look for missing patches and other security risks.
  • Check Your Credit: Customer information isn’t the only confidential data on the server. Chances are, there's plenty of information about your company on there, too. Changes in your credit rating could be an indication of fraud.
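The "Review System Communication" sign above can be checked mechanically. The following is an added example, not code from the article or from AmTrust: it reads constructed flow summaries and flags a workstation that reaches an unusual number of other internal workstations, or that sends a large volume of data outside the network. The internal address range and both thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate LAN range and alert thresholds (example values, not from the article).
INTERNAL_NET = ip_network("10.0.0.0/8")
LATERAL_PEER_THRESHOLD = 3               # distinct internal peers before flagging
OUTBOUND_BYTES_THRESHOLD = 500_000_000   # ~500 MB sent externally in the window

# Constructed flow summaries (src, dst, bytes sent); not real traffic.
FLOWS = [
    ("10.0.1.20", "10.0.1.21", 12_000),
    ("10.0.1.20", "10.0.1.22", 9_500),
    ("10.0.1.20", "10.0.1.23", 11_000),
    ("10.0.1.20", "10.0.1.24", 8_000),
    ("10.0.1.30", "203.0.113.9", 650_000_000),
    ("10.0.1.40", "10.0.1.41", 3_000),
    ("10.0.1.40", "93.184.216.34", 120_000),
]

def is_internal(addr):
    """True when the address falls inside the assumed internal range."""
    return ip_address(addr) in INTERNAL_NET

def find_warning_signs(flows, peer_threshold=LATERAL_PEER_THRESHOLD,
                       bytes_threshold=OUTBOUND_BYTES_THRESHOLD):
    """Map each suspicious internal host to the warning signs observed for it."""
    internal_peers = defaultdict(set)   # host -> other internal hosts it contacted
    external_bytes = defaultdict(int)   # host -> bytes sent to non-internal addresses
    for src, dst, nbytes in flows:
        if not is_internal(src):
            continue  # only traffic originating from workstations is in scope
        if is_internal(dst):
            internal_peers[src].add(dst)
        else:
            external_bytes[src] += nbytes
    findings = defaultdict(list)
    for host, peers in internal_peers.items():
        if len(peers) >= peer_threshold:
            findings[host].append(f"reached {len(peers)} other workstations")
    for host, total in external_bytes.items():
        if total >= bytes_threshold:
            findings[host].append(f"sent {total:,} bytes outside the network")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in sorted(find_warning_signs(FLOWS).items()):
        print(host, "->", "; ".join(notes))
```

Hosts that trip either check are candidates for the investigation steps in the list above; in practice the thresholds are tuned to a baseline of the network's normal traffic.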

Courtesy of AmTrust