Documentation

Fortifying Your Organization with Privileged Account Management

Privileged account management (PAM) has become a cornerstone of organizational cybersecurity. It aims to safeguard accounts that carry elevated permissions and therefore pose a greater risk if compromised: local and domain administrator accounts, accounts on network equipment, and service accounts that run background processes are all privileged accounts. Because of what these accounts can do, they are prime targets for attackers, and managing them effectively is of paramount importance.

PAM centralizes the secure handling of privileged accounts. It offers a structured approach to preventing unauthorized access, mitigating risk, and demonstrating compliance with regulatory standards. In the past, companies often overlooked the threat that privileged accounts posed. As attacks have grown in frequency and sophistication, so has the understanding that uncontrolled privileged access is a significant liability: a single compromised privileged account lets an attacker move laterally, escalate further, and disable defenses, with substantial financial and reputational damage as the result.

PAM revolves around several fundamental principles. The first is the principle of least privilege: grant only the minimum privileges necessary to perform a given task, so that a compromised account can do correspondingly little damage. Another is just-in-time access, where privileged access is granted only when required, for a bounded period, and is revoked once the task is complete or the period ends. This shrinks the window in which a stolen credential is of any use.
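A minimal just-in-time access broker implementing the two principles above, added here as a worked example (it is not the page's code or any PAM product's): each grant is scoped to one role on one target, requires an independent approver and a ticket reference, is capped at a policy maximum, and expires on its own so the check fails closed even if nobody revokes it. The user names, roles, targets, tickets, the one-hour cap and the timestamps are constructed assumptions.

```python
"""Just-in-time privileged access broker: an added worked example, not code
from the page or from any PAM product. A grant is scoped to one role on one
target (least privilege), needs an independent approver and a ticket, and
carries a hard expiry after which the check denies whether or not anyone
remembered to revoke it. All names, tickets and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=1)   # policy cap on a single elevation (assumed policy value)
T0 = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def at(minutes: int) -> datetime:
    """Helper for the demo: a point in time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    user: str
    role: str          # one role only, e.g. "db-admin"
    target: str        # one system only, e.g. "prod-db-01"
    ticket: str        # change or incident reference that justifies the request
    expires_at: datetime
    revoked: bool = False


class JitBroker:
    def __init__(self, approvers):
        self._approvers = set(approvers)
        self._grants = []
        self.audit = []   # (timestamp, event, user, role, target, detail)

    def request(self, user, role, target, ticket, duration, approved_by, now):
        """Issue a time-boxed grant. Approval must come from someone other than the requester."""
        if approved_by not in self._approvers or approved_by == user:
            self._log(now, "denied", user, role, target, "no independent approval")
            raise PermissionError("independent approval required")
        if not ticket:
            raise ValueError("a ticket reference is required")
        duration = min(duration, MAX_GRANT)        # never exceed the policy cap
        grant = Grant(user, role, target, ticket, now + duration)
        self._grants.append(grant)
        self._log(now, "granted", user, role, target, f"{ticket} until {grant.expires_at.isoformat()}")
        return grant

    def is_authorized(self, user, role, target, now) -> bool:
        """Exact match on (user, role, target), unrevoked and unexpired; anything else is denied."""
        for g in self._grants:
            if (g.user, g.role, g.target) == (user, role, target) and not g.revoked and now < g.expires_at:
                return True
        self._log(now, "denied", user, role, target, "no active grant")
        return False

    def revoke(self, grant, now, reason="task complete"):
        grant.revoked = True
        self._log(now, "revoked", grant.user, grant.role, grant.target, reason)

    def active_grants(self, now):
        """What a periodic access review would list."""
        return [g for g in self._grants if not g.revoked and now < g.expires_at]

    def _log(self, now, event, user, role, target, detail):
        self.audit.append((now.isoformat(), event, user, role, target, detail))


def run_demo():
    """Walk through grant, use, scope check, expiry, cap and revocation; returns the outcomes."""
    broker = JitBroker(approvers={"lead"})
    g = broker.request("alice", "db-admin", "prod-db-01", "CHG-1234", timedelta(minutes=30), "lead", T0)
    results = {
        "in_window": broker.is_authorized("alice", "db-admin", "prod-db-01", at(10)),
        "other_target": broker.is_authorized("alice", "db-admin", "prod-db-02", at(10)),
        "other_role": broker.is_authorized("alice", "os-admin", "prod-db-01", at(10)),
        "after_expiry": broker.is_authorized("alice", "db-admin", "prod-db-01", at(30)),
    }
    try:  # self-approval must fail
        broker.request("bob", "db-admin", "prod-db-01", "CHG-1", timedelta(minutes=5), "bob", T0)
        results["self_approval"] = "allowed"
    except PermissionError:
        results["self_approval"] = "blocked"
    capped = broker.request("carol", "db-admin", "prod-db-01", "INC-77", timedelta(hours=8), "lead", T0)
    results["capped_minutes"] = int((capped.expires_at - T0).total_seconds() // 60)
    broker.revoke(g, at(15))
    results["after_revoke"] = broker.is_authorized("alice", "db-admin", "prod-db-01", at(16))
    results["active_at_20"] = [x.user for x in broker.active_grants(at(20))]
    results["audit_events"] = [e[1] for e in broker.audit]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check in `is_authorized` is deliberately an exact match on user, role and target with a strict `now < expires_at`: a grant for one database does not carry over to a second one, and the moment of expiry already denies. The audit list is what a reviewer would reconcile against change tickets.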

Successfully implementing a PAM strategy involves several key steps. The first is conducting an inventory of all privileged accounts; there are usually more than expected. Every device, piece of software, or service that needs privileged access for installation, maintenance, or administration should be accounted for. Next, an organization needs to establish a formal policy for privileged access. This policy should outline who can have privileged access, under what conditions, and for how long.

Thirdly, organizations should deploy a PAM solution to automate and streamline the processes related to privileged access. Such a system should provide credential vaulting and rotation, session recording, and real-time monitoring so that suspicious activity can be detected and responded to promptly. Lastly, periodic reviews should confirm that the PAM strategy remains current and aligned with the changing business environment and threat landscape.

With advances in machine learning, PAM tooling is set to become more refined: systems that baseline how each privileged account is normally used can flag deviations (an administrator logging in from an unusual host or at an unusual hour, a service account opening an interactive session) and tighten controls in response. Even so, PAM is not a silver bullet. It is one significant component of a layered security strategy, alongside measures such as firewalls, intrusion detection systems, and antivirus software.

In conclusion, privileged account management is an essential part of the cybersecurity toolkit. Given the potential damage that compromised privileged accounts can cause, businesses can’t afford to overlook this critical security aspect. By implementing a robust PAM strategy, organizations can not only fortify their security posture, but also instill a culture of cybersecurity awareness and responsibility.


What Does HIPAA Compliance Mean?

In the data privacy landscape, few terms carry as much weight or notoriety as “HIPAA Compliance.” However, for those outside of the healthcare sector or new to its data protection standards, the concept might seem opaque and intimidating. This post aims to demystify HIPAA Compliance, explaining what it is, what attaining it means, and its significance in the healthcare industry.

Firstly, let’s begin with the basics. HIPAA stands for the Health Insurance Portability and Accountability Act, enacted by the U.S. Congress in 1996. Its original objective was to ensure that employees who lose or change jobs would not lose their health insurance coverage; its Administrative Simplification provisions then set standards to safeguard the privacy and security of patients’ health information, especially as it is exchanged electronically. HIPAA Compliance refers to adherence to the regulations issued under the Act. Any organization that handles Protected Health Information (PHI), meaning information about an individual’s physical or mental health, the provision of healthcare, or payment for healthcare that identifies or could reasonably identify the individual, must comply with HIPAA standards or face penalties. These organizations fall into two categories: Covered Entities (CEs) and Business Associates (BAs). CEs are healthcare providers, health plans, and healthcare clearinghouses; BAs are entities that perform functions or provide services on behalf of a CE that involve the use or disclosure of PHI.

To be HIPAA-compliant means an organization must meet several requirements stipulated over a number of rules and related acts. Let’s explore some of the key ones:

  • Privacy Rule – The Privacy Rule requires the protection of all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or oral. It gives patients rights over their health information, such as the right to examine and obtain a copy of their health records and to request corrections. It also sets out when PHI may be used or disclosed and requires safeguards to protect PHI, such as designating a privacy officer and training the workforce.
  • Security Rule – The Security Rule specifies administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI). These safeguards are designed to be flexible and scalable, allowing a covered entity to implement policies, procedures, and technologies suited to its size, organizational structure, and the risks to its e-PHI. Each safeguard’s implementation specifications are either required, which must be implemented as written, or addressable, which means the entity must implement the specification, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. Addressable does not mean optional.
  • Breach Notification Rule – This rule requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and in some cases the media following a breach of unsecured PHI. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach. HHS must be notified at the same time if the breach affects 500 or more individuals (smaller breaches are logged and reported to HHS annually), and prominent media outlets must be notified if more than 500 residents of a single state or jurisdiction are affected.
  • Enforcement Rule – The Enforcement Rule contains provisions relating to HHS’ enforcement of the HIPAA Rules, including procedures for investigations, determination of violations, hearing rights, and the imposition of civil money penalties. Penalties are tiered by level of culpability, from $100 to $50,000 per violation under the HITECH tiers (amounts are adjusted annually for inflation), with an annual cap of $1.5 million for violations of an identical provision.
  • HITECH Act – Although not technically a “HIPAA” rule, the HITECH Act of 2009 is closely aligned with HIPAA and enhances it. It widens the scope of the privacy and security protections available under HIPAA, increases the legal liability for non-compliance, and provides for more enforcement.
  • Omnibus Rule – Issued in 2013, the Omnibus Rule is a set of final regulations modifying HIPAA in accordance with the changes mandated in 2009 by the HITECH Act. It holds business associates directly to the same standards for protecting PHI as covered entities. It also expands patients’ rights, including the right to receive electronic copies of health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

Maintaining compliance means staying aware of these rules and adhering to them diligently. But the question of how exactly to comply can be complex, and finding a place to start is often challenging. Below are some critical areas that an organization should consider first as a starting point for HIPAA compliance:

  • Risk Analysis and Management – Conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI, and document the measures taken to reduce those risks to a reasonable and appropriate level. This process should be systematic and ongoing, periodically reassessed to address changes in the organization’s practices or in technology.
  • Policies and Procedures – Develop and implement HIPAA compliant policies and procedures. This includes guidelines on handling, accessing, and disclosing PHI. Policies should cover areas like the use and disclosure of PHI, rights of individuals, administrative responsibilities, and breach notification processes.
  • Training and Awareness – All workforce members, including employees, volunteers, and trainees, should be trained and aware of the HIPAA Rules and the organization’s policies and procedures. Additionally, a major goal is to foster a culture of compliance where employees understand the importance of protecting PHI and feel comfortable reporting potential issues without fear of retaliation.
  • Regular Audits – Audits are essential to ensure that the organization is adhering to its policies and the HIPAA rules. These audits can help identify any gaps or areas of non-compliance and provide an opportunity to address these issues proactively. Regular audits can also serve as a way to monitor the effectiveness of the organization’s training and awareness programs.
  • Incident Response – Even with thorough precautions taken, breaches can still occur. Hence, it is essential to have a robust incident response plan in place. This plan should outline the steps to be taken in the event of a breach, including identifying and containing the breach, assessing the impact, notifying the affected individuals and authorities, and taking steps to prevent future breaches. The plan should be reviewed and tested regularly to ensure its effectiveness.

Although the path to full HIPAA compliance can seem like an imposing process in terms of time and resources, it’s important to remember that the effort fulfills more than just meeting a regulatory requirement – it’s also about building trust with patients and clients. When an organization maintains compliance with exacting standards like HIPAA, it sends a message that it values and protects patients’ privacy and personal information. This trust can translate into stronger relationships with patients, improved reputation, and ultimately, better business outcomes.

Could you use additional guidance or steps to attain HIPAA Compliance? The analysts at CyberData Pros have extensive experience guiding organizations through the intricacies of HIPAA Compliance, including conducting comprehensive risk analyses, auditing compliance status, training and more. Contact us today for a free consultation and to learn more about our services.


How AI is Helping and Hurting Cybersecurity

AI is changing cybersecurity by providing new tools for identifying and mitigating threats. Machine learning models trained on network and endpoint telemetry learn what normal behavior looks like and flag deviations from it, which can surface incidents that signature-based tools miss and lets defenders block follow-on activity with similar traits. A model that is retrained as the environment changes is harder for attackers to evade than a static rule set, though never impossible to evade. Employing AI-based security solutions alone is not enough, however. Security teams must evaluate the limitations of these tools, in particular their false positive and false negative rates, and account for them in their approach.

Moreover, as AI is deployed more widely in security tooling, there is growing concern about its misuse by attackers. Adversarial attacks, in which an attacker crafts inputs designed to make a model misclassify them (for example, malware modified just enough to be scored as benign), can be difficult to detect and mitigate, so models used for detection need to be evaluated for robustness against such inputs. Organizations adopting AI-based security measures therefore need to weigh the complexities and risks of deployment alongside the benefits: models can sift far more data than human analysts, which lets security teams respond to threats faster and more proactively.

However, AI can also be used by cybercriminals to launch more sophisticated and targeted attacks. Malware can be designed to evade traditional security measures by using machine learning to adapt to new defenses. Bots are one growing threat, used for malicious activities such as spreading malware and stealing data from companies and businesses. On the defensive side, AI can recognize and block bots by identifying their behavioral patterns, strengthening CAPTCHAs, and deploying honeypots to trap them.

So, while AI can enhance cybersecurity, it also raises new challenges and risks that must be managed. Organizations need to stay up to date on the latest AI-powered threats and implement multilayered security strategies that incorporate AI alongside other measures. AI is not a cure-all and should be used in combination with regular security audits, employee training, and up-to-date software and hardware. Furthermore, AI systems have vulnerabilities of their own and can themselves be targeted, so contingency plans are needed for the case where an AI-based control fails or is subverted.

Overall, organizations should embrace AI in cybersecurity as a valuable tool but also approach its deployment with caution to ensure the protection of data and networks. The key is to strike a balance between leveraging the benefits of AI while also managing the risks associated with its implementation.


2023 State Data Privacy Laws Series: UCPA

The Utah Consumer Privacy Act (UCPA) is the final state data privacy law coming into effect this year. It becomes effective at the tail end of the year, on December 31st, 2023, and enforcement begins the same day. One unique feature of UCPA as it stands now is that the Utah Attorney General and the Division of Consumer Protection are required to submit a report evaluating the effectiveness of the statute by July 1st, 2025; amendments to strengthen the statute should be expected to follow from that report. UCPA is one of the more unusual state data privacy laws and is considered the most business-friendly of those coming into effect this year. It is heavily modeled after VCDPA, but with narrower scope and more leniency towards violations.

The Utah law extends consumer privacy rights similar to those found in VCDPA and the other laws modeled from it. However, unlike VCDPA and CPA, UCPA does not afford consumers the right to rectify their personal data, nor does it allow consumers to opt out of data profiling. Notably, UCPA does not provide consumers a right to request a data controller to delete all personal data collected on a consumer. The data controller is only obligated to delete personal data the consumer has provided the data controller.

Another way in which UCPA differs from VCDPA and CPA is that data controllers and processors are not required to establish an appeal process if they deny requests to exercise consumer rights. However, as under VCDPA and CPA, businesses must respond to these requests free of charge to the consumer, with protections against requests that are “excessive, repetitive, technically infeasible, or manifestly unfounded.” A further point of difference is that UCPA excludes not only deidentified data and publicly available information from its definition of personal data, but aggregated data as well.

One of the parts of UCPA that separates it from its peer consumer privacy laws is the multi-layered enforcement approach. UCPA gives the Utah Attorney General exclusive enforcement authority, however that is not the first stage of enforcement. The Division of Consumer Protection is obligated to create a “system to receive consumer complaints.” If after investigating consumer complaints they believe there is “reasonable cause to believe that substantial evidence (of a violation) exists,” the director of the Division of Consumer Protection may submit a referral to the Utah Attorney General. The attorney general may then decide to take action, by notifying the offending party. The offending party then has 30 days to cure the violation or be subject to fines up to $7,500 per violation.

With the level of leniency provided in this first iteration of UCPA, there are real questions about how effective the enforcement arm of the law will be and whether it will provide sufficient motivation to businesses subject to it. Activity out of the Division of Consumer Protection and the Office of the Utah Attorney General will be something to compare against the California Privacy Protection Agency and the Colorado and Virginia Attorneys General.


Outsourcing HIPAA Compliance

If your organization deals with any sort of healthcare-related data, chances are that you have heard of HIPAA at some point, and for good reason. HIPAA is a cornerstone US law that governs the protection and privacy of health information, and non-compliance can entail notoriously eye-watering penalties, enough to warrant close attention. One catch with HIPAA compliance, however, is that its standards aren’t as cut-and-dried as those of other compliance frameworks: they turn on whether measures are reasonable and appropriate rather than simply on whether a given control exists. This makes HIPAA compliance a strong candidate for outsourcing, for a number of reasons we’ll run through shortly.

Before we dive too deep into HIPAA’s minutiae, let’s quickly refresh ourselves on what HIPAA is. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a US law that aims to protect individuals’ health information (hereafter PHI, or Protected Health Information) when that information is used by organizations. HIPAA generally looks to ensure that appropriate security measures are in place to avoid unintended disclosures, that appropriate privacy rules define what a fair disclosure is from the patient’s standpoint, and that planning and notification structures are in place to ensure a timely and effective response if privacy or security standards are breached.

There are two major reasons HIPAA is so critical to pay attention to. One is that non-compliance carries a heavy price: civil consequences range from corrective action plans and resolution agreements with ongoing monitoring to civil money penalties of up to $50,000 per violation under the HITECH tiers, and knowing misuse of PHI can bring criminal penalties with separate, higher fines or even prison time. This makes HIPAA compliance a serious concern for finances, reputation, and legal liability. The second is how broad the scope of regulated parties is: covered entities are healthcare providers, health plans, and healthcare clearinghouses, and since the 2013 Omnibus Rule business associates, and the subcontractors of those business associates, are directly liable for compliance as well. This makes applicability more common than many organizations would think, so if healthcare data is touched at all, caution is advised.

Given the nature and criticality of HIPAA compliance, it’s clear that in almost every case where it applies, the process of attaining compliance is worthy of investment and high prioritization. And while hiring, training, and tasking internal staff toward HIPAA compliance specialization is a reasonable option, companies often find outsourcing these compliance checks to be more cost-effective. This is due to a number of factors, such as:

  • Specialization – Full HIPAA compliance can be complex to identify and implement, thus making staff training a slower and more error-prone process than hiring a company that specializes in said compliance implementations. Additionally, compliance firms generally hold a keener awareness of other relevant compliance requirements that may be special to your organization.
  • Objectivity – It can be tough for internal staff to fully gauge the reasonability and appropriateness of HIPAA controls when viewing their company’s environment in isolation, whether for lack of outside context for judging effectiveness or from a reluctance to report major issues to management. A compliance firm can view your company in the context of the many others that have aimed for the same controls, make better-fitted decisions, and, because it is in their business interest, report findings in a straightforward and detailed way.
  • Cost – When pushing toward a new compliance effort many companies underestimate the cost involved with getting internal resources ready to handle the process – between additional training, labor-hour requirements, compliance software, and the inherent risk cost for expensive HIPAA errors, the price for internal compliance checks can add up fast. An external compliance firm, on the other hand, comes with all the training, software, and experience required, and will only need to be staffed for whatever hours are required for your audit interval. For many companies, this only amounts to a handful of hours a year, making outsourcing relatively cheap in contrast to internal training in many instances.

Altogether it’s fair to say that if there’s a chance HIPAA applies to your company then there’s a guarantee that you want to get it right. And if you’re looking to ensure a quick, efficacious, and cost-effective compliance process then outsourcing HIPAA compliance is an option worth due consideration. 

Looking for an expert in HIPAA compliance to outsource to? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros’ analysts have audited systems, remediated errors, and trained staff for HIPAA compliance many times over. Contact us now for a free consultation and to learn more about our services.


What is A Compliance Calendar and Why You Need One

In today’s digital age, cybersecurity is more important than ever before! With the growing number of cyber threats, it’s important to stay on top of your security measures to protect the personal information and sensitive data within your company. There are multiple ways to keep up with your security and properly protect sensitive information from cyber attacks, such as quarterly vulnerability scans, annual penetration tests, risk assessments, internal security audits and more. One challenge that comes with implementing all of these services, however, is that they all require time and scheduling. This scheduling element can present an obstacle for a business getting started, so in this blog we will discuss some of the more important cybersecurity projects and explore how your schedule may look once they begin.

Having a cybersecurity expert on your team will likely change your schedule in a few ways!

Depending on the scope of the services your business requires, your calendar may include regular meetings with the analyst to discuss ongoing security issues, project deadlines for implementing new security measures or updates, and occasional emergency meetings to respond to security incidents. For example, if your business would like to implement vulnerability scans as a service, there are multiple factors to consider for scheduling. Meetings with the analyst will be needed with some regularity, the frequency depending on the scope of the vulnerability assessment. Past those meetings comes performing the scans themselves; typically, vulnerability scans should be conducted every quarter, so you’ll need to schedule that block of time accordingly. Finally, vulnerability scans identify potential security weaknesses or gaps, such as weak passwords, outdated software, and other exposures an attacker could exploit. These findings are important to address, so post-scan it’s best to leave time for the analyst to walk through the risks and remediation options.

Another service that belongs on your calendar is an ISO 27001 preparation and certification process. The frequency of these meetings depends on a variety of factors, including your specific needs and goals. To achieve and maintain an ISO certification, your business will need regular meetings to implement and review security policies and procedures, including items like a business continuity plan, disaster recovery plan, and incident response plan. Additionally, a large part of the ISO process is the internal security audit, which typically requires walkthroughs with various business stakeholders; these can be tricky to coordinate depending on what other projects are underway, which makes them important considerations for the ISO schedule. Past that, maintaining an ISO certification requires management reviews at planned intervals, which we run as quarterly information risk council (IRC) meetings. IRC meetings confirm that your business is following its own practices and that its risk management strategies are up to date, and auditors typically expect this body to review and approve policies, so these routine meetings are critical items to coordinate and account for. The ISO process can sound like a lot on paper, but with attentive scheduling and prioritization it can often be accomplished fairly smoothly.

Overall, your calendar will become more structured and planned out as you work with a cybersecurity analyst to implement and maintain your security measures. It’s important to prioritize cybersecurity and set aside enough time and resources to ensure your systems and data are properly protected. There are several reasons a business should maintain cybersecurity services: a business stores a lot of sensitive data, such as financial information, customer data, employee records, and confidential business plans, and a successful cyberattack can interrupt operations and lead to loss of revenue. By establishing and maintaining cybersecurity services on your calendar, you help protect your business from cyber threats, maintain compliance, and, most importantly, build trust with customers.

To find out how to set up a compliance calendar and for a free consultation, please contact us. We assist hundreds of clients with their compliance calendar and perform other data privacy and cybersecurity services.


How to Prepare for CMMC 2.0

In 2020 the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) to enforce the protection of sensitive unclassified information that’s shared with DoD contractors and subcontractors. However, in 2021 DoD reviewed the CMMC framework and overhauled it after input from industry leaders. After completing the overhaul, CMMC 2.0 was announced and is the current version of CMMC that will apply to all contractors and subcontractors of the Defense Industrial Base (DIB) that handle sensitive unclassified information in their work for the DoD once the rulemaking phase is complete.

When people talk about CMMC, they’re usually referring to the Level 2 certification, which requires an assessment by a Certified Third Party Assessment Organization (C3PAO). CMMC Level 2 is based on NIST SP 800-171, whose requirements include the basic safeguarding requirements of FAR 52.204-21 that make up Level 1 together with further basic and derived security requirements. CMMC Level 3 is based on NIST SP 800-172 but is out of scope for most organizations and is not discussed in this article. CMMC Level 2 has 110 practices that an organization must implement. While that can sound like a heavy lift, current DoD contractors may already be contractually required to implement these practices even before CMMC: many DoD contracts already require implementation of NIST SP 800-171 under DFARS 252.204-7012, and CMMC is a mechanism to verify, through third-party assessment, that those practices are actually in place. If you are a DoD contractor with contracts subject to DFARS 7012, 7019, or 7020, you should be implementing these practices already. If you’re not yet implementing the 110 practices outlined by NIST SP 800-171, the time to start isn’t when CMMC begins to show up in solicitations; it’s now, whether to prepare for the rollout of CMMC or to bring your organization in line with the commitments it has made under DFARS 7012.

As you prepare for CMMC, it is important to determine what Level of certification you will likely require and what information is in scope. CMMC Level 1 revolves around Federal Contract Information (FCI), while CMMC Level 2 revolves around Controlled Unclassified Information (CUI). The Defense Counterintelligence and Security Agency (DCSA) has a good FAQ discussing FCI and CUI and how they differ from one another. In short, FCI is “information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.” CUI is unclassified information that may still require “safeguarding and may also be subject to dissemination controls.” Once you’ve determined what information you currently process and what information you’re likely to process in future contracts, you can prepare for the correct Level of CMMC. To begin, map which information falls within the scope of CUI and FCI and where within your organization that information is stored and processed. CMMC does not require that all controls apply to the entire organization, only to the enclave in which CUI and FCI are stored or processed. For smaller organizations the distinction is likely irrelevant, as implementing the CMMC practices across the whole organization costs little more than limiting them to the in-scope subset, but for larger organizations, making sure in-scope information is only found within the necessary enclave can significantly reduce the burden of CMMC.

Once you’ve assessed where CUI and FCI are stored or processed and potentially contained within an enclave in your organization, you should begin a gap assessment to determine what controls to implement in order to satisfy the appropriate practices for your organization’s Level of CMMC. Level 1 maps to FAR 52.204-21, while Level 2 maps to NIST SP 800-171 rev 2. Both are publicly available, but DoD has provided a CMMC Assessment Guide for each Level. Each CMMC Assessment Guide gives additional discussion and considerations that are useful when considering your current controls and when implementing new controls to meet the required CMMC practices. If you are a contractor currently subject to DFARS 7019, you are required to conduct self assessments against NIST SP 800-171 and submit your score to the Supplier Performance Risk System (SPRS). In this case, you may not need to conduct an additional gap assessment as you should already understand where your organization’s shortcomings are if you’ve taken these statutory and contractual requirements seriously. 

When conducting an SPRS self-assessment, you start with a score of 110 and can go down to -203 as you subtract points for missing or insufficient controls. Each practice is worth either 1, 3, or 5 points, and there is no partial credit except for two of the 5-point practices. While CMMC 2.0 is still in the final rulemaking phase and some minor details could change, it’s important to note that the current proposal is that to receive your CMMC certification you’ll need to have met 80% of the practices and all of the 5-point SPRS practices. If you fail to meet 80% of those practices along with all the 5-point SPRS practices for your CMMC Level, you will not be able to achieve your certification even with the appropriate POAMs (Plan of Action and Milestones). Once you have completed a gap or self-assessment, you should begin working on completing the Security System Plan (SSP) and a Plan of Action and Milestones. Having those documents prepared, and continuously updating them as you implement more controls to meet the practices required by the Level of certification you want or need to achieve, will ensure your organization is not scrambling when CMMC requirements begin to appear in DoD contracts after the final rulemaking phase has ended.

Curious if CMMC is the right path for your business? Or could you use some assistance preparing for your CMMC Certification? Either way, CyberData Pros provides you with the guidance to prepare and achieve certification. We maintain a 100% audit success rate! Contact us now for a free consultation and to learn more about our services.


2023 Data Privacy State Laws Series: CTDPA

The next data privacy law coming into effect this year will be the Connecticut Data Privacy Act (CTDPA). The CTDPA comes into effect on July 1st, 2023, with enforcement beginning on the same day. Like the remaining data privacy laws that we’ll discuss, CTDPA was largely modeled after the Virginia Consumer Data Protection Act (VCDPA) with influences from the California Privacy Rights Act (CPRA). Note that the cure provision, which allows organizations the opportunity to cure a violation before the Attorney General takes action, will end on December 31st, 2024.

The guiding influence of VCDPA on the creation of CTDPA is apparent when you look at the privacy rights protected by CTDPA. CTDPA protects a consumer’s right to access, right to data portability, right to delete, right of rectification, right to opt out of sale, right to opt out of profiling, and right to opt out of targeted advertising. However, unlike CPRA, CTDPA does not protect the right to opt out of automated decision-making. This means that if you do not opt out of profiling, an organization can make choices based on that profile without human input. An area where CTDPA has stronger consumer privacy protections than CPRA is the processing of sensitive personal data. CTDPA requires opt-in consent before a data processor may process a consumer’s sensitive personal data, whereas CPRA only allows consumers to opt out. Sensitive personal data under CTDPA is defined as “personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”

Much like CPRA and VCDPA, CTDPA will require data protection assessments under certain circumstances. Fortunately, CTDPA states that if a data controller conducts a data protection assessment for the purpose of complying with a similar regulation, that assessment will satisfy the CTDPA requirement as long as it is similar in scope and effect. Conducting one thorough data protection assessment is therefore worthwhile, as it eliminates the need for redundant assessments. Additionally, any organization subject to CTDPA would be well advised to conduct a privacy impact assessment (PIA). A PIA assesses how an organization handles personal data and will show whether or not the organization will be in compliance with the new state data privacy laws.


Data Privacy State Laws Series: What 2023 Means for CPRA

Next up in our 2023 data privacy laws series is the California Privacy Rights Act, or CPRA. CPRA amends the California Consumer Privacy Act (CCPA) to add protections for consumers. It was passed as a ballot initiative in November 2020 and took effect on January 1st, 2023. Enforcement is said to begin on July 1st of this year, but recent modifications to the draft regulations show that there may be some flexibility with early enforcement. The California Privacy Protection Agency (CPPA), the body responsible for enforcing the CPRA, may take into account the time between the publication of the final regulations and the enforcement date, as well as “good faith efforts to comply with those requirements.”

California already had a data privacy law in the CCPA, but CPRA expands the volume of data that falls within its scope. CPRA also expands upon the data privacy rights that were in the CCPA. In addition to the right to know, the right to access, the right to deletion, the right to portability, and the right to opt out of sale, CPRA adds the right to rectification and the right to opt out of targeted advertising. A change that may catch some off guard is that CPRA clarifies that a cookie banner is not an acceptable mechanism for handling opt-out requests for targeted advertising or data sales. Other meaningful changes made by CPRA are the significantly increased fines for data breaches involving children’s data and breach liability for disclosure of credentials that could compromise a consumer’s account.

Another addition that CPRA brings to California’s data privacy landscape is the creation of a new privacy regulator, the California Privacy Protection Agency (CPPA). The CPPA will begin enforcement on July 1st, and its mission will be to protect consumer privacy in accordance with California data privacy laws. It will also be charged with preparing new rules and regulations in the consumer data privacy space. The CPPA will be a well-funded and well-resourced agency for enforcing data privacy laws, taking some of the burden off the office of the California Attorney General.

Comparatively, this means that CPRA will likely be the most comprehensive data privacy law in the US and will have the teeth to back it up. Businesses that are subject to CPRA should already be preparing for enforcement to begin. An essential part of preparing for CPRA is creating a data map and understanding what data you actually process. From there, you should conduct a gap analysis to find where to make changes to comply with CPRA data privacy mandates. Those subject to CCPA should already be familiar with providing the ability to opt out of the sale of personal information; however, they should now prepare to provide the ability to opt out of targeted advertising that relies on sharing personal information with third parties. While becoming compliant with CPRA can be a heavy lift, doing so should bring businesses into compliance with other state data privacy laws and will be a solid foundation for future state or national data privacy laws.


Data Privacy State Laws Series: What 2023 Means for VCDPA

First in our 2023 data privacy laws series is the Virginia Consumer Data Protection Act (VCDPA). The VCDPA effective date was January 1st, 2023, with enforcement beginning the same day. VCDPA, sometimes referred to as just CDPA, is something of a mixture of the EU’s GDPR (General Data Protection Regulation) and California’s CPRA (California Privacy Rights Act). While it shares similarities with each, it is sufficiently dissimilar that it will likely require its own compliance considerations. Much like CPRA, VCDPA applies to any business that processes the personal data of over 100,000 of the state’s residents, or that processes the personal data of over 25,000 residents and derives 50% of its gross revenue from the sale of personal data.

Much like GDPR and CPRA, VCDPA introduces numerous consumer data privacy rights. These rights include the right to access personal data, the right to know personal data is being processed, the right to data portability, the right to deletion, the right to rectification, and the right to opt out of targeted advertising or the sale of personal data.

One of the most substantial differences between CPRA and VCDPA is how VCDPA treats the processing of sensitive data. While CPRA allows consumers to opt out of the processing of their sensitive data, VCDPA requires a data processor to obtain opt-in consent before processing a consumer’s sensitive data. Additionally, VCDPA defines sensitive data as any data that includes demographic information, geolocation data, or data from a known child. Another difference is in how VCDPA treats employee and business contact data. VCDPA does not classify employees as consumers, nor does it consider personal data processed in a business-to-business context to be in scope. VCDPA also has blanket exemptions for government agencies, businesses subject to HIPAA, institutions of higher education, and financial institutions subject to Gramm-Leach-Bliley, while CPRA does not.

Outside of CPRA, the other state laws going into effect in 2023 are modeled after VCDPA, so understanding VCDPA and what goes into a compliance strategy for it will go a long way toward reaching compliance with the other laws. When building a compliance strategy for VCDPA, you should first map what data you store or process. It is also helpful to conduct a readiness assessment to identify where the gaps in compliance are. Once you’ve located the gaps, you can prepare a remediation plan and develop controls to bring the business into compliance before sanctions are incurred.
