Author: rory-admin

  • What does the California data breach notification law mean to your business?

    California has long had some of the toughest data breach notification laws in the country and, in 2018, Attorney General Xavier Becerra announced a new law to address certain limitations of the original SB 1368 bill that went into force in July 2003.

    The new legislation expands on existing laws to add requirements for organizations to notify their customers if their passports, ID numbers, or biometric data are stolen. It aims to close various loopholes in current legislation, and was partly enacted in response to enormous data breaches such as the Marriott hotel chain breach, in which 383 million records were stolen.

    It shouldn’t come as any surprise that businesses in California are facing constant threats from hackers and other malicious actors. Being home to Silicon Valley, the state has long been a leader in information security legislation. Many states have followed a similar model, but for organizations based in or with branches in California, the new laws place very specific requirements on data breach notification.

    The primary measures companies need to take are to report data breaches within 72 hours of them being identified, verify that personally identifiable information (PII) was adequately encrypted at the time, and provide detailed reports for legal and auditing proceedings. Although the introduction of the law was greeted with some hostility, particularly by technology companies, it will come into effect at the end of 2020.

    What else does the new law stipulate?

    The consumer-focused law aims to make it harder for hackers to get their hands on private data while also forcing organizations to be more transparent about how they collect data and what they do with it. To that end, businesses must disclose precisely which information they will collect and specify why they need it and what they intend to do with it.

    If a business wishes to send the data to third parties, it is also legally obligated to specify who those third parties are. Furthermore, businesses will have to allow their customers to opt out of their data being sold to third parties, and they cannot retaliate by changing the pricing or level of service. They can, however, offer financial incentives to collect data.

    In many ways, the new data-protection laws mirror those of the General Data Protection Regulation (GDPR), which was introduced in the European Union last year and enforces strict practices on the collection and use of data. While many businesses struggle to overcome compliance challenges, it’s more important than ever to stay a step ahead.

    Information privacy and security are now some of the biggest concerns of modern times, so it’s only to be expected that the introduction of legislation such as SB 1368 will soon be mirrored across other states and countries. As cyberthreats continue to evolve, compliance is only going to get harder, hence the need for a more proactive approach.

    Why your business needs a compliance strategy

    Overcoming compliance hurdles isn’t easy, but it does help protect both your customers’ data and, consequently, your brand’s reputation. By adopting a culture of continuous improvement with regular security and compliance audits, your business will be better placed to stay ahead of both cyberthreats and legislative changes alike.

    It’s essential to have a compliance strategy: a clearly defined process that incorporates crucial factors like ongoing security awareness training, compliance auditing, and multiple layers of protection. Above all, it requires a culture change, one in which information security and privacy are considered business advantages rather than just a necessary evil.

    Valley Techlogic provides network security services and compliance advice to organizations in Winton, Merced, and Atwater. Call us today for immediate support.

  • The Dirty Loophole That Lets Insurance Companies Refuse to Cover a Cybercrime Theft in Your Business

    As hacking hit the headlines in the last few years — most recently the global hack in May that targeted companies both large and small — insurance policies to protect businesses against damage and lawsuits have become a very lucrative business indeed. Your company may already have cyber insurance, and that’s a good thing. But that doesn’t mean that you don’t have a job to do — or that the insurance will cover you no matter what.

    When you buy a car, you get the warranty. But in order to keep that warranty valid, you have to perform regular maintenance at regularly scheduled times. If you neglect the car, and something fails, the warranty won’t cover it. You didn’t do your job, and the warranty only covers cars that have been taken care of.

    Cyber insurance works the same way. If your company’s IT team isn’t keeping systems patched and up to date, taking active measures to prevent ransomware and other cybercrime attacks, and backing everything up in duplicate, it’s a lot like neglecting to maintain that car. And when something bad happens, like a cyber attack, the cyber insurance policy won’t be able to help you, just as a warranty policy won’t cover a neglected car.

    Check out this real-life policy exclusion we recently uncovered, which doesn’t cover damages “arising out of or resulting from the failure to, within a reasonable period of time, install customary software product updates and releases, or apply customary security-related software patches, to computers and other components of computer systems.” If your cyber insurance policy has a clause like that — and we guarantee that it does — then you’re only going to be able to collect if you take reasonable steps to prevent the crime in the first place.

    That doesn’t just mean you will have to pay a ransom out of pocket, by the way. If your security breach leaves client and partner data vulnerable, you could be sued for failing to protect that data. When your cyber insurance policy is voided because of IT security negligence, you won’t be covered against legal damages, either. This is not the kind of position you want to be in.

    All of this is not to say that you shouldn’t have cyber insurance, or that it’s not going to pay out in the case of an unfortunate cyber event. It’s just a reminder that your job doesn’t end when you sign that insurance policy. You still have to make a reasonable effort to keep your systems secure — an effort you should be making anyway.