Trillium Insights

Thoughts and Insights from Trillium's Practice Leaders

Increased Cybersecurity and Data Privacy Requirements

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. GDPR is the legal set of guidelines for the collection and processing of personal information within the European Union (EU). GDPR rules impact organizations that offer goods and services to people in the EU or that collect and analyze personal data tied to EU residents. In the United States, several states are implementing laws similar to GDPR. Among the most aggressive states to establish such laws are New York and California.

The New York law, Cybersecurity Requirements for Financial Services Companies, relates to information maintained by organizations that operate in the banking, insurance, or financial services industries. It was passed in March 2017 and has staggered effective dates for various aspects of the law, ending with all parts needing to be in full effect by March 2019. The California law, the California Consumer Privacy Act of 2018, is a broad, sweeping law concerning digital privacy, allowing consumers significant control over their online personal information. It was passed in June 2018 and has an effective date of January 2020. While there are different requirements in each law, both laws require policies, processes, and systems to support the secure management of online Personally Identifiable Information (PII) by companies. Some of the requirements for maintenance of PII include:

  • Documented cybersecurity programs to protect information systems from intrusion
  • Documented cybersecurity policies related to information security, including data governance and classification; asset inventory and device management; access controls and identity management; business continuity and disaster recovery; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment; and incident response
  • Annual penetration testing and bi-annual vulnerability assessments
  • Audit trail of transactions to reconstruct activities and transactions
  • Limited access to data as needed and review of access privileges
  • Documented procedures, guidelines, and standards for secure application development
  • Periodic risk assessments along with documentation on risk mitigation
  • Documented third-party service provider policies including limitation to nonpublic data
  • Multi-factor authentication to limit unauthorized access to PII
  • Documented policies and procedures for disposal of PII
  • Training on cybersecurity awareness, and risk-based policies, procedures, and controls to monitor authorized user activities and detect unauthorized user access to PII
  • Implementation of controls on PII to protect such data, including encryption
  • Documented incident response plans in the event of a breach
  • Notices to appropriate authorities in the event of cybersecurity breaches
  • Disclosure to the consumer, on request, of the PII collected and how that information is used
  • Disclosure, on consumer request, of any PII that the business sells
  • Deletion, on consumer request, of PII collected by the business, along with appropriate methods to do so
  • Consumer opt-out from the business’s sale of PII, along with appropriate methods to do so

US companies can be assessed financial penalties by both states and consumers for violations. Therefore, it is critical that the PII your organization holds is protected. Many US companies are already familiar with data privacy because of the Health Insurance Portability and Accountability Act (HIPAA) data rules for Protected Health Information (PHI), so the new data privacy laws are not a new concept. Similar PII laws will likely be introduced by other states in the near future. Trillium has significant experience in privacy and cybersecurity and can perform the analysis on your systems to determine what may be needed to bring your organization into compliance, as well as create the roadmap you will need.

How do you manage GDPR security incidents?

The General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personal information by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impact is far-reaching. One of the tenets of GDPR relates to the management and reporting of security incidents. Specific rules and guidelines for companies include:

  • Establishing documented procedures for handling security breaches
  • Reporting breaches to supervising authorities within 72 hours of the incident’s occurrence
  • Following rules for notice to individuals in the event of a breach. Notice to individuals is not required if personal data is encrypted, high risks were already mitigated, or reporting would involve disproportionate effort. In that case, a public communication could suffice unless the supervising authority requires individual notice.

While the GDPR has rules related to incident management and reporting as noted above, specific procedures for addressing and reporting on breaches are not defined within the GDPR. However, failure to respond to and report breaches can pose significant costs to your organization, including receiving a warning, receiving a temporary or definitive ban on processing personal data, and/or being assessed fines of up to 4% of an organization’s global annual revenue or EUR 20 million, whichever is greater. How can your organization put together the processes to properly respond to GDPR breaches? Below are some initial thoughts:

  • Creating a mitigation strategy so that any breach can be handled in a consistent manner
  • Maintaining structured records of your organization’s compliance in the event you must demonstrate it to regulators
  • Ensuring processes are repeatable and defensible in the event of a breach
  • Using techniques such as information mapping, decision charts, and workflows or playbooks to track where personal data is maintained and to determine whether such data needs to be maintained at all

Trillium has significant experience in privacy and cybersecurity, as well as in process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.

How do you respond to GDPR security incidents?

The General Data Protection Regulation (GDPR) is the set of legal guidelines for the collection and processing of personal information by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impact is far-reaching. One of the tenets of GDPR relates to the response to and reporting of security incidents. Specific guidelines for organizations include:

  • Reporting breaches to supervising authorities within 72 hours of the incident’s occurrence
  • Following your organization’s documented procedures for handling GDPR security breaches
  • Following rules for notice to individuals in the event of a breach. Notice to individuals is not required if personal data is encrypted, high risks were already mitigated, or reporting would involve disproportionate effort. In that case, a public communication could suffice unless the supervising authority requires individual notice.
  • Showing proof that you followed the mitigation strategies you previously established
  • Demonstrating that you are establishing new or revised mitigation procedures to counteract this specific breach

While the GDPR has rules related to incident management and reporting, specific procedures for addressing and reporting on breaches are not defined within the GDPR. However, failure to respond to and report breaches can pose significant costs to your organization, including receiving a warning, receiving a temporary or definitive ban on processing personal data, and/or being assessed fines of up to 4% of an organization’s global annual revenue or EUR 20 million, whichever is greater. It is critical that you have a strategy in place for responding to and reporting on GDPR security incidents.

Trillium has significant experience in privacy and cybersecurity, as well as in process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.

How do you mitigate GDPR security incidents?

The General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personally identifying information (PII) by organizations within the European Union (EU). GDPR also applies if the PII of an EU resident is maintained, regardless of where the organization is located, so its impact is far-reaching. GDPR has rules related to incident management and reporting; therefore, it is critically important to be proactive and have a mitigation strategy in place, since failure to report and respond to breaches can have a significant financial impact on the organization. How can your organization establish the proper processes to mitigate the risk of GDPR breaches before they occur? Below are some initial thoughts:

1. Using techniques such as information mapping, decision charts, and workflows or playbooks to track where personal data is maintained and to determine whether such data needs to be maintained at all

2. Having a repeatable, documented root cause analysis process in place so that the process can be used in the event of a breach

3. Ensuring the requisite controls and processes are in place, as well as repeatable and defensible, in the event of a breach. This includes following the National Institute of Standards and Technology (NIST) framework for cybersecurity to establish security processes. The framework consists of five (5) core functions that are applicable to GDPR, and which are generally addressed concurrently:

  • Identify – Develop an organizational understanding to manage the GDPR risks to systems, people, assets, data, and capabilities in order to prioritize and focus efforts. Categories within this function include Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy, all of which would apply within GDPR response.
  • Protect – Develop and implement safeguards to protect delivery of critical services, to contain the impact of a cybersecurity breach. Categories within this function include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. These categories are critically important in GDPR compliance, and would include activities such as security assessments and action plans related to the outcomes of the assessments so that any gaps can be addressed.
  • Detect – Develop and implement appropriate activities to identify the occurrence of a GDPR cybersecurity breach, to enable timely discovery of a cybersecurity event. Categories within this function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
  • Respond – Develop and implement an action plan regarding a cybersecurity incident in order to contain its impact. Categories include Response Planning, Communications, Analysis, Mitigation, and Improvements. Communications and disclosure are specifically required by GDPR.
  • Recover – Develop and implement activities to maintain recovery plans for capabilities that were damaged due to a cybersecurity breach, including timely recovery to normal operations. Categories include Recovery Planning, Improvements, and Communications. Your organization’s ability to be GDPR-compliant relies on planning and continuous improvement of your infrastructure.

4. Maintaining structured records of your organization’s compliance and mitigation to demonstrate it to regulators if necessary

Trillium has significant experience in privacy, cybersecurity, procedure mapping, and implementation, including NIST processes. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.