Data Privacy law coming to California in 2020

Data privacy, specifically as it pertains to our lives online, has been a staple topic of discussion particularly since the General Data Protection Regulation (GDPR) went into effect in the European Union in 2018. The United States is now poised to see a similar, albeit different regulation for the state of California. 

What is the California Consumer Privacy Act? 

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and enforcement for it will begin on January 1st, 2020.

The CCPA applies to all residents of California, providing them with the following:

  • The right to know what personal data is being collected;
  • The right to access their personal data;
  • The right to know whether this data is sold or disclosed, and to whom;
  • The right to opt out of the sale of personal data;
  • The right to equal service and prices, even if they exercise privacy rights.

Essentially, this bill grants the average person more control over the information that companies may collect on them, and it protects them from being denied service if they choose to exercise privacy rights. 

Important to note is the way the CCPA defines “personal information”, which is as follows:

“Information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”

Another significant detail to be aware of is that the CCPA does not consider Publicly Available Information to be personal information that is protected under the bill.

Who does the CCPA apply to?

  • Any business or for-profit entity that collects consumers’ personal data, which does business in California, and meets at least one of the three following thresholds:
    • Has annual gross revenues in excess of 25 million USD;
    • Possesses the personal information of more than 50,000 consumers, households, and devices; or
    • Earns more than half its annual revenue from selling consumer information

The words “digital privacy law” and “California” in the same sentence most likely conjure images of Silicon Valley companies. However, this regulation will most likely not be world changing for giants like Facebook and Google. This is due in part to GDPR-compliance, which makes it easier to comply with regulations like the CCPA. 

Some Similarities & Differences between the CCPA and GDPR

  • Similarities
    • Both regulations only protect natural persons (individuals) and not legal persons
    • Both require companies to demonstrate after a data breach that they took reasonable steps to protect that data from a breach
    • Both apply to organizations that might not have presence in their respective jurisdictions, but offer goods or services in the region 
  • Differences
    • CCPA
      • Requires companies to provide an opt-out to data sharing
      • Penalties are done on a per-violation fine basis
      • Does not cover certain categories of personal data (e.g. health information) because they are already covered under different US regulations, such as HIPAA.
      • Does not require organizations to hire data protection officers or conduct impact assessments
      • Protects a “consumer” who is “a natural person who is a California resident”
      • Obligations apply specifically to “businesses” that are for-profit, collect consumer personal information and meet certain qualifying thresholds as mentioned above
      • Also applies to any entity that controls or is controlled by the business in question. No obligations are directed specifically at “service providers”
    • GDPR
      • Requires companies to provide an opt-in to data sharing
      • Penalties focus on up to 4% of annual global revenue
      • Protects a “data subject” who is “an identified or identifiable natural person” – meaning that an individual does not specifically need EU residency or citizenship if the controller processing their data is located in the EU. If the controller is located outside the EU, the citizenship/residence condition applies
      • Obligations apply to “controllers”, which could be natural or legal persons in addition to business entities, whether the activity is for-profit or not
      • Obligations also apply to processors, which are entities that process personal data on behalf of controllers.

If you have any questions or comments about whether CCPA will impact you or your business, you can always reach out to our team at Centry for help by emailing info@centry.global! 

Google fined €50 million for data privacy violations; what can we learn from it?

On January 21, 2019, Google was fined for €50 million for violating the European Union’s General Data Protection Regulation (GDPR) by the French Supervisory Authority for data protection (CNIL).

GDPR, which went into effect May 25, 2018, was designed to provide EU citizens with greater control of their personal data and rights to what data they choose to share and how that information is retained by organizations. It required organizations that collect data of EU citizens to obtain “clear and affirmative consent” for data collection, have privacy policies in clear and understandable language, inform individuals when their data was compromised, allow them to transfer their data to other organizations, and the “right to be forgotten”, which is the ability to request that their data be deleted.

The fifty-million Euro fine facing Google was the moment the data privacy industry had been waiting for, as GDPR long promised steep costs for those found to be in violation of its data privacy rules.

CNIL reported that Google failed to fully disclose to users how their personal information is collected and what happens to it, in addition to not properly obtaining user consent for displaying personalized ads.

Although Google had made changes to comply with GDPR, the CNIL said in a statement that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations.” They added that the violations were continuous breaches of the regulation, and “not a one-off, time-limited infringement.”

CNIL began investigating Google on the day of the GDPR deadline in response to concerns raised by to privacy activist groups, None of Your Business and La Quadrature du Net. These groups filed complaints with CNIL, claiming that Google did not have a valid legal basis under GDPR to process personal data for the use of personalized and targeted ads.

These groups have also filed privacy complaints against Facebook and its subsidiaries, including Instagram and WhatsApp.

In the course of their investigation, CNIL found that when users created Google accounts with Android smartphones, the company’s practices violated GDPR in two ways – transparency and legal basis for the ads personalization. CNIL additionally found that the notices Google provided to users about what type of information it sought were not easily accessible.

A key fundament of GDPR is that users are able to easily locate and fully understand the extent of data processing operations carried out by organizations. In this Google was found wanting, where their terms were described as “too generic and vague in manner.” Overall, CNIL concluded that “the information communicated is not clear enough” that the average user could understand that the legal basis of processing operations for the ads personalization is consent. In other words, if you do not provide consent to have your information processed for personalized ads, the company legally cannot do it. Per GDPR, consent for data processing must be “unambiguous” with “clear affirmative action from the user.”  

Google responded to the fine with a statement affirming its commitment to meeting transparency expectations and consent requirements of GDPR, and that it is “studying the decision to determine our next steps.”

Despite the fact that companies were given a two-year time frame to comply with the regulation, many were not compliant by the deadline when it went out on May 25, 2018. Other companies only made limited efforts to become compliant, choosing to wait until the first major fine was released to see how serious the enforcement would be. If some of these companies were hoping to get a pass from another national data protection authority, that decision will most certainly be critically assessed in comparison with CNIL’s approach.

Consent requirements seem to be the greatest obstacle for companies struggling with GDPR’s requirements, especially where it concerns transparency and accessibility. Under GDPR, companies cannot hand out a single consent form with a bundle of data uses. That has long been industry standard practice, and part of the reason that Google was found to in violation of GDPR.  

To avoid facing similar fines in the future, companies can review how they obtain consent to collect personal information of users. Each data set requires its own consent– you have to be able to agree or disagree to each way your information will be used.

This level of transparency is essential and it requires changing from previously accepted business practices.

If you have any questions or comments pertaining to GDPR or this article, feel free to contact us at info@centry.global. Be sure to follow us on Twitter @CentryGlobal an subscribe for more content like this!

This article was written by Kristina Weber, Content Manager of Centry Global.

The Future of AI, Security, & Privacy

Artificial Intelligence is a subject that is not just for researchers and engineers; it is something everyone should be concerned with.

Martin Ford, author of Architects of Intelligence, describes his findings on the future of AI in an interview with Forbes.

The main takeaway from Ford’s research, which included interviews with more than twenty experts in the field, is that everyone agrees that the future of AI is going to be disruptive. Not everyone agrees on whether this will be a positive or negative disruption, but the technology will have a massive impact on society nonetheless.

Most of the experts concluded that the most real and immediate threats are going to be to cyber security, privacy, political systems, and the possibility of weaponizing AI.

AI is a very useful tool for gathering information, owing to its speed, the scale of data it can process, and of course the automation. It’s the most efficient way to process a large volume of information in a short time frame as it can work faster than human analysts. That said, it can come with some detriments. We have started to see that its algorithms are not immune to gender and race bias in areas such as hiring and facial recognition software. Ford suggests that regulation is necessary for the immediate future, which will require continuing conversation concerning AI in the political sphere.  

AI-based consumer products are vulnerable to data exploitation, and the risk of that has only risen as we have become more dependant on digital technology in our day to day lives. AI can be used to identity and monitor user habits across multiple devices, even if your personal data is anonymized when it becomes part of a larger data set. Anonymized data can be sold to anyone for any purpose. The idea is that since the data has been scrubbed, it cannot be used to identify individuals and is therefore safe to use for analysis or sale.

However, between open source information and increasingly powerful computing, it is now possible to re-identify anonymized data. The reality is that you don’t need that much information about a person to be able to identify them. For example, much of the population of the United States can be identified by the combination of their date of birth, gender, and zip code alone.

With consent-based regulations such as GDPR concerning the right to digital privacy, it is clear that people want to know how their information is used, why, and how it can affect their lives. Furthermore, that they want control over how their information is used.

This article was written by Kristina Weber, Content Supervisor of Centry Ltd. For more content like this, be sure to subscribe to our blog, which updates every other Friday with articles related to the security industry!

Security Predictions for 2019

The predictions for 2018 that we shared last year seemed to land on the points of data protection and cyber security, while it strayed from others – most notably on the front of cryptocurrencies. BitCoin was a hot topic in 2017, surging to values that had people everywhere kicking themselves for not investing sooner. What unfolded after was an epidemic of articles predicting a global acceptance of cryptocurrencies. That balloon popped when the cryptocurrency market crashed in early 2018, and it seems that many have quietly reneged their cryptocurrency hype since.

Continuing the tradition, here are a few insights into the forecast for 2019:

Supply Chain Attacks. While these threats can occur in every sector of the economy as it pertains to supply chains, the industries that most commonly experience these attacks include pharmaceuticals, biotechnology, hospitality, entertainment, and media. Manufacturing operations are attractive targets to adversaries, due in part to having such a broad potential surface of attack. With increasing reliance on the supply chain, there is a wealth of information that could be obtained if organizations have not taken appropriate steps to secure themselves. For more information on cyber security in the supply chain, read our article here.

Further development of consumer privacy laws. Last year we saw the launch of the European Union’s GDPR, which marked the first big regulatory move toward protecting consumer information. Soon after, California passed a bill (Consumer Privacy Act of 2018) that seems to be the state’s version of GDPR – it is slated to go into effect at the end of 2019. A draft for a federal privacy bill for the United States may arrive early in 2019 after concerns over a number of privacy breaches.

Continuing adoption of artificial intelligence across wider society. From Alexa to politics, AI will continue to spread across industries and uses. Chinese companies have announced intentions to develop AI processing chips to avoid reliance on US-manufactured Intel and Nvidia. There is rising concern that AI technology could be increasingly used by authoritarian regimes for the purpose of restricting personal freedoms. As AI continues to spread its proverbial wings, we could see a move toward “transparent AI”, that is, an effort to gain consumer trust in the use of AI by being clear in how it uses human data and why. Of course there is always the worry that the rise of AI will create a jobless future for people, however Gartner suggests the opposite, that artificial intelligence will create more jobs than it will eliminate.

Big data breaches will push companies to tighten login security. We might see a concerted effort of the security industry to replace username/passwords altogether, pushing toward an alternative solution as an industry standard. Biometrics – for example facial recognition or fingerprint logins – are certainly on the rise.

Digital skimming will become more prevalent. The trick of card skimming has moved to the digital world, where attackers are going after websites that process payments. The growth of online shopping has made checkout pages attractive targets. British Airways and Ticketmaster were two high profile cases of this. The British Airways case was particularly alarming, as airlines in general have access to a wide breadth of information ranging from birthdates, passport details, payment information and more. Although the airline was able to confirm that no travel data was stolen in the attack, it nonetheless remains as a cautionary tale.

This article was written by Kristina Weber. For more content like this, be sure to subscribe to Centry Blog for bi-weekly articles related to the security industry. Follow us on Twitter @CentryLTD and @CentryCyber!

2018 Year in Review

As 2018 comes to a close, we reflect on those moments throughout the year that defined the times yet to come. For Centry, 2018 was a year that brought us great joys like the opening of our new branch in Mexico City and establishment of the ASIS Ukraine chapter, but also times of mourning after our colleague, Mr. Rachid Boukhari, passed away in June. Above all, it has been a journey, and one we are grateful to undertake for the mark we make on this world.

From our Centry family to yours, we wish our readers love and joy over the holidays, and a happy new year!

In keeping with the tradition of our year’s end articles on Centry Blog, we put together a list of some of our most-read stories from 2018 below.

January

Centry’s GDPR Guide

Our GDPR guide breaks down exactly what the EU’s General Data Protection Regulation was all about. This article was highlighted on TWiT live in an interview with our CTO Dave Ehman!

February

The Next Gold Rush: Renewable Energy

The Renewable Energy industry just might be the next gold rush for businesses and investors alike. This time, we aren’t hiking into the Klondike for gold; individuals and organizations alike are turning their eyes toward the broader world, looking out for opportunities to make good on this booming initiative.

March

Hidden Sanctions Risk: North Korean ties to Africa

The connection between Namibia and North Korea stands as but one example among many similar stories. It began in the 1960s, when several African countries started the struggle for independence from colonialism. During this vulnerable time period, North Korea invested time and money in these revolutions, where the political ties eventually grew into commercial relationships.

April

Human Trafficking in the European Union

Over the course of the past two decades, the European Union has been making an increased effort to understand and address the heinous crime of human trafficking. The most recent publication of statistics from Eurostat concerning registered victims and suspected traffickers revealed that a number of non-EU nationals are trafficked into member states, primarily from Nigeria.

This week’s article on Centry Blog examines just a facet of this deep and complex issue through analyzing Nigerian campus cults, the international response, and global business reponses.

May

Fake Social Media Profiles and What To Do If You Are Being Impersonated Online

False accounts are prevalent across social media, mainly used for phishing purposes. Whether it’s a bot or malicious actor threatening your account, we put together an instructional guide for those moments that you notice you have a seemingly second profile, not of your own making.

June

Supply Chain Security Introductory Guide

Having a secure logistics supply chain can save your company millions in terms of assets and reputation, and here at Centry, we have the know-how to help you. This article serves as an introductory guide to security in the supply chain.

July

Typosquatters

Sometimes fat-finger errors can lead to more than just an autocorrect goof. Some scammers have figured out how to lay traps surrounding these common mistakes.

August

Common Security Dos and Don’ts

Our article on Common Security Dos and Don’ts covers what you and your business can do to prevent costly breaches of data and trust.

September

Golden Visa for sale! Now on special offer for the 1%

In some countries, you can buy your way to citizenship. European passports and Schengen visas are the most desired traveling documents in the world. Not only do they grant the most traveling freedom, they give access to a safe and stable living environment, with free speech, in a market that can fulfill all your needs. Many EU countries have taken advantage of this by offering entry in exchange for investment. This kind of activity is commonly referred to as a Golden Visa Program.

October

5 Basic Digital Privacy Tips for the Average Person

Digital privacy is for everyone. But it’s also a massive topic that can be very easy to get lost in, especially if you’re new to to it. However, you don’t need to be a security expert nor do you need any particular reason to want to bolster your privacy on the internet.

November

What is Social Engineering?

Social engineering is a growing threat to individuals and businesses alike. In this article, we look into what social engineering is, the ways it can manifest, and what you can do to protect yourself.

December

Cyber Security in the Supply Chain

Your company might have a rigorous Cyber Security policy, and thorough training on all its personnel. But what happens when the security vulnerability comes from a trusted source in the Supply Chain?

Security professionals must now consider not only the possible vulnerabilities of their own network, but their supplier’s network, and their supplier’s supplier network, and so on.

We hope you have enjoyed Centry Blog this year. For more content like this, be sure to subscribe and follow us on Twitter @CentryLTD! We will see you in 2019!

Cyber Security in the Supply Chain

Cyber Security is generally accepted to encompass the protection of our interconnected information systems and assets including hardware, software, applications and data.  In that range of topics, one of the most important areas of concern for Cyber Security professionals is Vulnerability and Patch Management within the realm of Security Operations.

Vulnerability and Patch Management is the ongoing practice of ensuring that your systems and applications are kept up to date, scanned for known and unknown vulnerabilities.  The conventional wisdom is simple – when a software vendor provides security updates for critical application, these should be installed as soon as possible. Right?

Microsoft issues security patches for Windows and Office applications on the second Tuesday of each month. Apple issues security updates a handful of times per year.  Other vendors have similar programs.

When a vendor issues security updates, they usually disclose the particular security vulnerabilities that it was intended to fix.  So, as soon as a security update is released, the vulnerability becomes “public”. Now that the vulnerability is available (to bad actors) it is even more crucial that the fixes be applied in a timely manner.

All of this assumes that the vendor (the “Supplier” of this particular “Supply Chain”) has not already been compromised.  Imagine if a hacker could get in to the systems of our software supplier, make changes to released software that add malware.  Diligent users would unknowingly, and quite reliably continue to install updates, that now include malware.

If this sounds like a nightmare scenario, it is.  And it has already happened.

Examine the case of the Not Petya worm.  This started at a small company in Ukraine that supplies a piece of software called M.E.Doc.   You probably don’t use M.E.Doc. so you are not worried, right? M.E.Doc. is accounting software, used in Ukraine (think Quicken/TurboTax) and is required for filing national taxes.  So a large number of Ukraine based companies use it. In the spring of 2017, outside forces (likely Russian) hijacked the company’s update servers, injecting malware that included a small, but critical backdoor into the software.  As users updated their systems, they were infected with a backdoor, which laid latent for a month or two.

Then, the attack was launched.  The attack leveraged other vulnerabilities in Windows known as Eternal Blue and Mimikatz. These vulnerabilities rely on being “inside” the network of a company, behind the firewall, and once there, were able to spread globally encrypting data and asking for ransom.  Large multinational companies were affected, including banks, large shipping interests, manufacturing and more. If your company had an office in Ukraine, you may have been affected. If one of your suppliers, to whom you connect has offices in Ukraine, or is connected to someone who does, you might have been affected.

The upshot is this: Supply Chain security in Cyber Security is a now multi level concern.  Security professionals must now consider not only who might get in to their own network, but who might get in to their supplier’s network and who might get in to their suppliers’ supplier’s networks, and so on.

As is the case in other areas of Supply Chain security, we must concern ourselves with not only preventing bad things from happening, but assuming that they can, and trying to limit what can be done when bad things happen anyway.

And there is no simple answer.  Keep systems up to date to protect from know vulnerabilities.  But know that these updates can themselves introduce other vulnerabilities.

This article was written by Dave Ehman and edited by Kristina Weber. For more content like this, be sure to subscribe to Centry Blog for new articles every other week on topics relevant to the security industry. Follow us on Twitter @CentryCyber and @CentryLTD!

5 Basic Digital Privacy Tips for the Average Person

As interconnectedness and personalized browsing experiences have become the norm in today’s society, our lives – increasingly impacted by our digital footprint – have become less private.

The right to digital privacy has been a slow growing movement, and its biggest marker was the General Data Protection Regulation that affected the EU. It was a legislation that marked digital privacy as a right, not a privilege, and companies all over the world scrambled to make sure they met compliance requirements. Now, for users in the EU, the internet has become a more transparent place for how information can be used or accessed. But, of course, it is still a work in progress.

Digital privacy is a massive topic that can be very easy to get lost in, especially if you’re new to to it. However, you don’t need to be a security expert nor do you need any particular reason to bolster your privacy on the internet. So, here are some simple security pointers for the average web user:

1. Keep your OS updated

The first thing you will want to do on any device is to make sure that it’s updated. As annoying as the notifications can be, they’re there for a reason– updating is important, and not staying on top of them could mean your device has a critical security vulnerability. So whether it’s installing the new macOS update, iOS 12, or Windows update, etc. just make sure that you take the time to do it, or set up your device to update automatically (usually configurable in settings).

2. Be mindful of Public WiFi networks

Public WiFi and open networks are notorious for security vulnerabilities, and connecting to one could pose a risk to your information. While it’s better to avoid connecting to them at all, sometimes you need to, so if you do, here’s some steps you can take. First, you’ll want to make sure that you turn off network sharing (usually preferences can be found in wifi settings on your computer). On Windows devices, you can also make sure you have Windows Firewall enabled.

When browsing connected to a public network, it’s best to avoid anything sensitive, such as banking. You should check to make sure that what websites you navigate begin their web address with HTTPS, as well.

3. Use a secure web browser

Make sure that you are using a secure web browser. Mozilla Firefox and Google Chrome are some good choices depending on what you want. If your priority is maintaining as much privacy as possible online, Firefox is better as it has more options for privacy and security. It is also the more lightweight program of the two, which would run more smoothly on computers with less RAM.

Google Chrome is also a comparatively secure option in terms of protecting you from malicious websites, however it is less private as a lot of data about your internet usage goes to Google. That may be a positive or a drawback to you depending on your priorities – if you want privacy, it’s not so great, but if that’s not extremely important to you and your computer is equipped to handle Chrome’s resource demands, then it’s a solid choice as well for speed and reliability.

In either browser, make sure you take the time to navigate to the Privacy and Security settings and adjust them to your preference. Some of the settings you can choose are to clear your browsing data/history, unselect the option to send usage statistics to the company, enable Do Not Track requests, etc.

Additionally, you can install an ad blocker extension/addon, such as uBlock Origin, in both browsers that serve as an additional line of defense against unwanted scripts running on websites that you visit. This can be easily obtained for free through the Chrome Web Store or Firefox Addons.

4. Secure your social media profiles

One common mistake that people make on social media platforms like Facebook and Instagram is that they have their profiles set to public. This means that anyone, anywhere can view your profile and all the content on it. This is great for a business page, but maybe not so much for your personal profile.

Every big social platform has privacy and security options. These can usually be found in the settings menu, where you can navigate to the relevant sections to adjust what you want to be seen. On Facebook, you have full control over who can see your posts and friends lists, as well as whether you can be searched by your email address or phone number.

Location settings – especially in mobile apps – are important to adjust as well. Snapchat is a big one for this, as people on your friends list can observe your location in real time through the Discover function unless you have disabled this feature and turned on “Ghost Mode.”

5. Consider using a VPN

Finally, if you want to take your security one step further, you can look into getting a VPN — that is, a virtual private network. VPNs have significant privacy advantages by encrypting your connection and acting basically as an intermediary between your device and the internet. They mask your IP address, which is basically as telling in the digital world as your home address is otherwise. The VPN works by routing your traffic through its own servers, and gives you the option to appear to be from any location of your choosing.

But since you are relying on the VPN in this way, it’s important that you get a trustworthy one, such as F-Secure Freedome. Most free VPNs are unreliable at best or actively malicious at worst.

Overall, online security and privacy is what you make of it. But these simple steps will at least ensure that you’re going in the right direction. For more in-depth information on the topic, be sure to follow @CentryCyber on Twitter.

This article was written by Kristina Weber of Centry Global. If you would like help or have questions, feel free to contact us via email at info@centry.global! Be sure to subscribe to Centry Blog for original bi-weekly articles relevant to the security industry.