
What Your Business Needs to Know About How to Comply With the GDPR

Data security is a global problem that crosses all international borders, time zones and currencies. Cyber criminals based in one part of the world can freely target companies or individuals across the globe in a matter of seconds. Therefore, your organization’s cybersecurity posture must be agile and able to monitor, detect and respond to incoming threats regardless of the time of day, your nation’s native language or other considerations.

In response to the fast-changing global cybersecurity landscape, legislators in the European Union recently adopted a unified data security law that is intended to help bolster cybersecurity in that part of the world.


What is the GDPR?

The European Union General Data Protection Regulation (GDPR) is the most significant change to data privacy in the EU in more than two decades. The new law replaces the Data Protection Directive 95/46/EC, which was adopted in 1995, and is intended to standardize data privacy laws across the EU. 

When it goes into effect, the full text of the GDPR will apply the same data security rules and standards for all companies offering goods and services in the EU, both those based in the EU and those located outside the union, but doing business with EU citizens.

When Does the GDPR Go Into Effect?

The GDPR was approved by the European Union Parliament in April 2016 to go into effect two years after that approval. Therefore, enforcement of the new law is expected to begin in May 2018.  Proficio has expert cybersecurity analysts on staff who can help your company gain compliance with the GDPR or any other compliance regulation, such as HIPAA or PCI DSS. 

What Counts as “Personal Data” Under the GDPR?

The GDPR regulates the collection and storage of “personal data.” Under the law, personal data is defined as any information related to a natural person, or “data subject,” that can be used directly or indirectly to identify that person. Personal data could be a person’s name, an identification number, location data or an online identifier such as a digital advertising “cookie” or an IP address. Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person might also constitute personal data under the GDPR.

Sensitive personal data is further defined in the law as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning a person’s health or sex life. Data relating to criminal offenses and convictions also are treated by the GDPR as sensitive personal information, which is subject to additional protections and restrictions under the new law.

Which Businesses are Covered by GDPR?

It is important to note that the GDPR governs all companies that offer goods and services and covers more than just businesses or organizations that are based in the EU. The GDPR is far-reaching and will apply to companies that are located outside the EU if they offer goods or services to, or monitor the behavior of, EU residents. Therefore, all companies or organizations that process or hold the personal data of data subjects residing in the EU will be covered by the law, regardless of the company’s physical location.

What are the Primary Changes in the GDPR?

The most significant change to data security in the EU contained in the GDPR is extended jurisdiction of the law. The reach of the GDPR is being expanded to encompass all companies processing personal data of EU residents, even those companies based outside of the EU. Driven by recent court cases that were unclear on whether previous data security laws applied to companies based outside of the EU, legislators expressly stated that the law will apply to any processing of data from EU sources, whether or not the company doing the processing is based in the EU.

The penalties for violating the GDPR also have been beefed up, providing for fines up to four percent of a company’s annual revenue or 20 million euros, whichever is greater. Companies that do not have sufficient customer consent to process consumer data or otherwise violate the terms of the GDPR could face stiff fines.

A third major change that the GDPR imposes, which was not part of previous EU data security laws, concerns consent. Under the GDPR, companies will no longer be able to use confusing, illegible terms and conditions filled with hard-to-understand legal terms. Instead, the request for consent to collect or store personal data must be intelligible and easy to access, using clear and plain language. Consumers must also be able to withdraw their consent as easily as they gave it.

Breach notifications are another major change in the GDPR and will become mandatory when a data breach is likely to result in a risk to the rights and freedoms of individuals. The breach notification must be issued to customers within 72 hours of when the company first became aware of the breach.

What About Brexit and the GDPR?

With the United Kingdom leaving the EU, many questions are being raised about whether residents of England, Scotland, Wales and Northern Ireland will be covered by the GDPR. While the answer remains in flux, the current posture is that if your company processes data while selling goods or services in other EU countries, then compliance with the law would be required for transactions involving UK residents, even after Brexit.

However, if your business activities are limited to the UK, the answer currently is less clear. The UK government has said it will adopt similar or equal data security to what is in the GDPR, but a decision on how the matter will be governed by the UK in a post-EU world is not yet known.

If the matter is not sorted out by May 2018 when the GDPR goes into effect, the old adage of “better to be safe than sorry” would apply and companies would be advised to meet the GDPR requirements for collecting and storing personal information, even for UK residents, at least until a clearer path forward is defined.

What Your Organization Can Do Now to Prepare for the GDPR

The new GDPR rules and regulations don’t go into effect until May 2018, but there are steps that can be taken before then to help prepare your organization to comply with the changes.

  1. Review your current data collection and processing procedures and determine whether your organization is handling data that falls under the GDPR’s expanded definitions for personal data. In particular, be aware of what can be included as an “identifiable natural person” as it relates to the definition of personal data.
  2. If your company or organization relies on consent for gathering personal data, review your current consent mechanisms to ensure they meet the stronger requirements in the GDPR.
  3. Review the data protection language your organization currently uses in HR, IT and other department policies and update them as necessary to reflect the coming changes from the GDPR.

Strategic Relationships Help Australian Businesses Stay Compliant & Secure

The Australian Federal Government has passed the Privacy Amendment (Notifiable Data Breaches) Bill 2017, which will go into effect on February 23, 2018. This amendment will require organizations with an annual turnover of $3 million that suffer a data breach to report it to the Privacy Commissioner. They must also notify each individual to whom the personal information relates, or the individuals who are at risk from the eligible data breach.

Which Australian Businesses Will Be Affected:

While this bill doesn’t apply to all organizations, it does include:
· Businesses that sell / purchase personal information
· Private sector health services providers including private hospitals, medical practices and pharmacies
· Private schools (from pre-K through graduate level), including child care centers
· Individuals who handle personal information such as tax preparers, credit reporters or health records

Data breaches that fall under this amendment include any unauthorized access to, unauthorized disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to the individuals to whom the personal information relates.

After suffering a breach of such information, organizations are legally required to report it as soon as possible and must provide:
· Description of the data breach
· Information of what type of data was compromised
· Recommendations on what individuals should do in response to the breach

How Does This Regulation Impact The Cybersecurity Landscape?

Cybersecurity has been a major concern not only in Australia, but throughout the APAC region. Countries are pressed to ensure not only that they are keeping their government information safe from breaches, but also that they are safeguarding their citizens’ information. It’s likely that there will be an uptick in other countries looking at how best to protect their citizens’ private information. But just like their local businesses, governments also must plan for the inevitable breach and have a clear understanding of what they can handle internally if a breach does occur.

For most organizations, breaches aren’t just a business matter – they’re also a personal matter. And it’s not a question of “if” a breach will occur but rather “when” one will occur. If an organization suffers a breach and it is not reported in a timely manner, there are steep repercussions and penalties (including fines in the millions of dollars) not to mention a loss of trust by customers. For example, a breach could result in an organization being liable for a civil penalty of up to 2,000 penalty units, the current value of which is $1.8 million.

While the regulations may sound new, they aren’t worth panicking about. They have been in the making for quite some time and should not be a surprise or shock to companies conducting business in Australia.

What Relationships Can Businesses Leverage To Help?

Australian and APAC organizations need to understand that being compliant isn’t enough; they must also have an action plan in place in the event that a breach does occur. Organizations that do experience a breach can become inundated with action items that need immediate attention, and they won’t have the time, bandwidth or resources to conduct the in-depth research needed into how and why the breach occurred in the first place.

For those companies that don’t have internal resources to handle a breach, having a strategic relationship with a managed security services provider (MSSP) could be very helpful. This partnership not only provides companies with critical assistance during a breach but also allows for the deployment of a tactical incident response plan. By utilizing an MSSP, Australian businesses are able to leverage the MSSP’s 24×7 alerting and monitoring support and the SOC analysts’ expertise to offload some of the workload.

“Security log collection and SIEM technologies are a critical part of an organization’s ability to detect potential security breaches along with providing valuable data during the investigation of a potential incident,” said Jeremy Vance, Vice President of Security Operations at Proficio. “Doing so requires having access to resources that know how to search and interpret those security logs effectively to provide insight into the timeline and scope of the incident.”

When a breach does occur, Proficio supports their worldwide clients by performing log searches, investigations, cross-device correlation, analysis of existing data, incident response and forensic services to provide as much insight as possible into why and where the breach occurred and how to prevent another one from happening. “Our team of expert security analysts are able to conduct deep dives into client logs to gather as much information as possible for our clients or legal entities that may be requesting data to support their breach investigations,” Vance stated.

By forming close relationships with organizations in Australia, Proficio is helping them send a message that cybersecurity is a prime concern and being prepared for a potential breach is critical. This message resonates strongly with our clients, and supports their reputation as a trustworthy vendor who tailors solutions for each organization’s cybersecurity needs.

Interested in learning how Proficio can help your enterprise maintain compliance? View our services which can help your organization meet compliance requirements.

Using SIEM Technology to Streamline HIPAA Compliance

There are 154 separate risks underlying the HIPAA compliance security standard. Addressing and continually monitoring each of these risks individually can be an enormous task for a security officer. SIEM technology allows most of these risks to be identified, addressed and monitored.

SIEM technology allows for the collection of security events across devices, with automated cross-correlation of activity. HIPAA specific use cases built into a SIEM tool allow ePHI risks to be displayed in dashboards, channels, or reports.

For example, the login events from a Windows Active Directory server can be correlated against access events from a badge reader system. Where a login by an employee with credentials to a system containing ePHI does not match the recent access logs from the badge reader system, an alert is sent to the Security Officer. This alert contains actionable information to allow for fast remediation of a potential compliance issue. If the Security Officer wishes to look deeper into the issue, they can then open a web-based portal to the SIEM, verify both login and badge reader activity and quickly resolve a potential breach of Access Control and Validation Procedures – Physical Safeguard §164.310(a)(2)(iii).
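The correlation described above, written out as an added example (this is illustrative code, not Proficio’s SIEM content or ProView logic). It assumes a simplified key=value export of Windows Security logons (EventID 4624) and a CSV export from the badge reader; the host names, user names, timestamps and the 12-hour badge window are all constructed for the example. A logon to an ePHI host is flagged when the user has no badge record, when their last badge event was an exit, or when their last badge-in is older than the window.

```python
"""Correlate Windows logons to ePHI hosts against badge-reader events.

Added example, not part of the original page. Log formats and all values are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Hosts holding ePHI (assumption: normally fed from an asset inventory).
EPHI_HOSTS = {"ephi-db01", "ehr-app02"}

# A badge-in must precede a logon to an ePHI host by no more than this window.
BADGE_WINDOW = timedelta(hours=12)

# Constructed Windows Security log export (4624 = successful logon,
# 4625 = failed logon; only 4624 is of interest here).
WINDOWS_LOGONS = """\
2018-03-02T08:02:11 EventID=4624 LogonType=10 User=jsmith Host=ephi-db01
2018-03-02T08:15:47 EventID=4624 LogonType=10 User=akhan Host=ehr-app02
2018-03-02T09:30:00 EventID=4624 LogonType=10 User=jsmith Host=fileshare01
2018-03-02T10:05:00 EventID=4625 LogonType=10 User=rpatel Host=ephi-db01
2018-03-02T10:12:05 EventID=4624 LogonType=10 User=rpatel Host=ephi-db01
2018-03-02T11:00:00 EventID=4624 LogonType=10 User=tchen Host=ehr-app02
2018-03-02T18:02:33 EventID=4624 LogonType=10 User=akhan Host=ehr-app02
2018-03-02T22:41:09 EventID=4624 LogonType=10 User=mlee Host=ephi-db01
"""

# Constructed badge-reader export: timestamp,user,door,direction.
BADGE_EVENTS = """\
2018-03-02T07:48:30,jsmith,MainLobby,IN
2018-03-02T07:55:02,akhan,MainLobby,IN
2018-03-02T17:20:15,akhan,MainLobby,OUT
2018-03-01T18:05:44,mlee,MainLobby,OUT
2018-03-01T20:00:00,tchen,MainLobby,IN
"""


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    host: str


@dataclass(frozen=True)
class Badge:
    ts: datetime
    user: str
    direction: str


def parse_logons(text: str) -> list[Logon]:
    """Parse the key=value logon export, keeping only successful logons."""
    logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventID") != "4624":
            continue
        logons.append(Logon(datetime.fromisoformat(ts_str), kv["User"], kv["Host"]))
    return logons


def parse_badges(text: str) -> list[Badge]:
    """Parse the badge CSV and return events in time order."""
    badges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, user, _door, direction = line.split(",")
        badges.append(Badge(datetime.fromisoformat(ts_str), user, direction))
    return sorted(badges, key=lambda b: b.ts)


def last_badge_before(badges: list[Badge], user: str, when: datetime) -> Badge | None:
    """Most recent badge event for `user` at or before `when`, or None."""
    prior = [b for b in badges if b.user == user and b.ts <= when]
    return prior[-1] if prior else None


def correlate(logons: list[Logon], badges: list[Badge]) -> list[dict]:
    """Return one alert per ePHI logon that lacks a valid preceding badge-in."""
    alerts = []
    for lg in logons:
        if lg.host not in EPHI_HOSTS:
            continue  # non-ePHI systems are out of scope for this rule
        last = last_badge_before(badges, lg.user, lg.ts)
        if last is None:
            reason = "no badge activity on record"
        elif last.direction != "IN":
            reason = f"last badge event was {last.direction} at {last.ts.isoformat()}"
        elif lg.ts - last.ts > BADGE_WINDOW:
            reason = f"badge-in at {last.ts.isoformat()} is older than {BADGE_WINDOW}"
        else:
            continue  # badge-in within the window: physical presence matches
        alerts.append({
            "user": lg.user,
            "host": lg.host,
            "logon": lg.ts.isoformat(),
            "reason": reason,
            "control": "§164.310(a)(2)(iii)",  # Access Control and Validation Procedures
        })
    return alerts


def run() -> list[dict]:
    """Run the rule over the constructed sample data."""
    return correlate(parse_logons(WINDOWS_LOGONS), parse_badges(BADGE_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields four alerts: one user with no badge history, one whose badge-in is older than the window, and two whose last badge event was an exit. The logon to fileshare01 and the failed logon are ignored, which is the kind of scoping that keeps a rule like this actionable rather than noisy.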

Use cases such as the above example can be created for the majority of the Security Standards.

The framework for ePHI compliance can be built into the structure of SIEM content, allowing compliance to be reviewed by the individual security standards. Reviewing the reports, dashboards, and channels by Security Standard allows a Security Officer to identify compliance gaps and monitor their remediation. Should the Security Officer face a HIPAA audit, they can pull up reports by Security Standard all from a single interface.

Proficio’s ProView web portal provides reports and dashboards tailored to specific HIPAA requirements allowing security and compliance officers to quickly visualize their compliance posture.

The Importance of Controls for MSSPs

Should Your MSSP be SOC 2 Compliant?

SOC stands for Service Organization Controls and falls under the Statement on Standards for Attestation Engagements (SSAE) No. 16. SSAE 16 was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations like MSSPs.

SOC 1, SOC 2, and SOC 3 Audits

There are 3 categories of reports on control at service organizations:

SOC 1: Audit report that focuses on examining internal controls relevant to financial reporting to help ensure compliance with laws and regulations such as Sarbanes-Oxley.

SOC 2: Audit report that focuses on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. SOC 2 Type 1 reports cover management’s description of internal controls; SOC 2 Type 2 reports independently examine the effectiveness of these controls.

SOC 3: Similar to SOC 2, SOC 3 focuses on controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information. SOC 3 reports are designed to be made public for audiences that do not need to understand the details of the tests performed by the service auditor and results of those tests.

Do Audits Matter?

Customers count on their security service providers to identify threats and protect their infrastructure, applications and confidential information from cyber attacks. Delivering such a service requires powerful technology, security experts, and effective processes. It also requires the internal processes to ensure that customer data is secure and a provider’s service platform is protected from attacks. An independent audit of internal controls is important to give customers confidence that policies and controls are in place and are operating effectively.

So yes… Audits do matter.

Audits Also Save Time and Money

Security teams and Compliance Officers can spend weeks creating and evaluating vendor surveys that review the internal controls of potential vendors. Independent audits save time and money plus provide a higher level of confidence than available through vendor responses.

Proficio is SOC 2 Type 2 Compliant

Proficio undergoes annual SOC 2 auditing against the trust principles of Security, Availability, and Confidentiality. These audits review our controls against the AICPA’s “Common Criteria” and test those controls. Our auditor’s reports, available upon request, show that our controls are in full compliance with the standards, and when tested, passed without exception.
