The adoption of laws protecting the data of individuals and consumers is becoming a driving force pushing organizations to revisit the security of client and personal data. With the rise of government-legislated personal data protection laws such as the GDPR, individuals in other jurisdictions are now looking for better personal data protection. In this presentation we examine two US laws as well as the ISO/IEC 27001 standard, look at the commonalities and differences among the three, and show how data security is driven by each.
The webinar covered:
• An overview of the state of data security/privacy today
• Current trends driving adoption of stronger data protection standards/laws
• An overview of data protection in ISO/IEC 27001, the CCPA, and the NY SHIELD Act
• A comparison of ISO/IEC 27001, the CCPA and the NY SHIELD Act
• Lessons to be applied
Recorded webinar:
ISO/IEC 27001 vs. CCPA and NY SHIELD Act: What Are the Similarities and Differences?
2. ISO/IEC 27001 vs. CCPA vs. NY SHIELD Act: What are the similarities and differences?
Agenda
• Overview of the current state of data security/privacy
• Current trends driving adoption of stronger data protection standards/laws
• Data protection in ISO/IEC 27001, CCPA, and NY SHIELD Act
• Roundtable: Comparison of ISO/IEC 27001, CCPA and NY SHIELD Act
• Roundtable: Lessons to be applied
3. Current state of data privacy/security
• Privacy of Personally Identifiable Information (PII) and Protected Health Information (PHI) is becoming a focus of concern for governments, organizations, and individuals around the globe.
• Cyberattacks target data more than any other resource.
• Ransomware and data breaches make headlines globally on a recurring and frequent basis.
4. Data protection evolutions underway
• Blockchain-driven data authenticity, integrity, and protection
• Protective measures for cloud-hosted data
• Fake-news and deepfake detection techniques are maturing
• Artificial intelligence is being used both as a weapon and as a defensive measure
7. Overview of data protection/privacy in ISO/IEC 27001
ISO/IEC 27001 is:
• An international standard that “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization”
• Focused on information security overall, from governance of an ISMS to secure development practices and more
• Not a mandatory/legislated standard with which an organization must comply
• A standard against which an individual or an organization can be certified
• A baseline for many other standards, frameworks and even some legislation
ISO/IEC 27001 specifically references privacy and protection of personally identifiable information in A.18.1.4:
• “Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable”, and generally covers the topic in section A.18 Compliance
8. Implementing ISO/IEC 27001
• A.18 Compliance
• A.18.1 Compliance with legal and contractual requirements
• Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual requirements
Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
A.18.1.2 Intellectual property rights
Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
A.18.1.3 Protection of records
Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
A.18.1.4 Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
A.18.1.5 Regulation of cryptographic controls
Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
9. Compliance requirements for ISO/IEC 27001
Compliance with ISO/IEC 27001 is typically voluntary unless otherwise required in specific instances (e.g., in state lottery and gaming, compliance with ISO/IEC 27001 is often required).
Certification of an organization against ISO/IEC 27001 is possible via an accredited certification and audit body.
10. “Gotchas” for ISO/IEC 27001
Although only section A.18.1 specifically mentions privacy and protection of PII, the remainder of the standard includes vital security controls for protecting data in its many states. For example, A.17 covers business continuity, A.16 covers information security incident management, etc.
Adding ISO/IEC 27701:2019 to ISO/IEC 27001 will add privacy controls to your security compliance toolkit, which is highly recommended given today’s privacy regulation landscape.
ISO/IEC 27002:2013 is often confused or conflated with ISO/IEC 27001, but 27002 is a set of best-practice guidance to help an organization implement the Annex A controls of 27001; it is not a standard against which an organization can achieve certification (certification is achieved against 27001).
12. Overview of data protection/privacy in CCPA
• Inspired by the GDPR as stronger privacy legislation for residents of California.
• Emphasis on privacy rights for consumers.
• Excludes employee data, “publicly available information”, de-identified and aggregate information.
• Consumers may pursue civil action as “a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
13. Implementing CCPA
• Determine what your organization is: are you a business, a service provider, or a third party?
• Have a privacy notice that includes the categories of PI collected, how it is collected and the purpose of use, and that explains the user’s rights under CCPA, OR have a separate page for California residents.
• If selling PI, provide a notice to the user about the sale. This must include an option for the user to “opt out” of the sale of their information.
• Set up at least two methods for users to contact your business if they have privacy concerns. At minimum, have a website or toll-free number.
• Much of CCPA relies on recognizing “categories” of data. Data classification is therefore your friend.
• Train staff: how do they direct consumers wishing to exercise their rights?
14. Compliance requirements for CCPA
• Update contracts
• Specify the organization’s definition under CCPA
• Service provider contracts: must prohibit retention, use and disclosure of PI outside the specific purposes of providing services.
• Web page updates:
• A section on the website (“Do Not Sell My Personal Information”) that allows users to opt out of information sales. The section should be easy to find from the home page.
• User rights:
• The right to request that a business delete information collected on the consumer (exemptions may apply)
• The right to request what information is collected and processed, why, and when PI is shared or disclosed
• The right to request, when PI is sold, the categories of PI sold and the categories of third parties to whom it was sold
• The right to request that a business not sell their information (the right to opt out)
• The right not to be discriminated against for exercising privacy rights
15. “Gotchas” for CCPA
• ALWAYS verify requests for data, per the law. Unverified requests are a gold mine for attackers: a consumer-rights request that is honoured without verifying the requester’s identity hands an attacker exactly the personal data the law is meant to protect.
• Very little advice on data protection implementation. However, it refers to “unencrypted” information as insecure.
• Exemptions for other laws: if your business is a “covered entity” or “business associate” that deals with protected health information under the Health Insurance Portability and Accountability Act (HIPAA), it may be exempt.
• Admittedly lots of confusion, even among industry pros, on implementation.
• CCPA 2.0 is already on the ballot for November 2020.
• If passed, CCPA 2.0 will be in force in 2023.
17. Overview of data protection/privacy in NY SHIELD Act
• “Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)”
• The SHIELD Act requires “any person or business that owns or licenses computerized data which includes private information of a resident of New York [state]” to implement the Act’s data security program.
• This applies to companies across the entire world, regardless of whether they have any presence in New York or even the United States.
• The bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data.
• It also broadens the definition of a data breach to include an unauthorized person gaining access to information, requires reasonable data security, and provides standards tailored to the size of a business.
18. Implementing NY SHIELD Act
• Reasonable administrative safeguards, such as the following:
• designates one or more employees to coordinate the security program
• identifies reasonably foreseeable internal and external risks
• assesses the sufficiency of safeguards in place to control the identified risks
• trains and manages employees in the security program practices and procedures
• selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and adjusts the security program in light of business changes or new circumstances.
• Reasonable technical safeguards, such as the following:
• assesses risks in network and software design
• assesses risks in information processing, transmission, and storage
• detects, prevents, and responds to attacks or system failures
• regularly tests and monitors the effectiveness of key controls, systems, and procedures.
• Reasonable physical safeguards, such as the following:
• assesses risks of information storage and disposal
• detects, prevents, and responds to intrusions
• protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
• disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
19. Compliance requirements for NY SHIELD Act
• The SHIELD Act requires organizations to adopt “reasonable” security practices, policies and procedures to safeguard sensitive data in three critical ways: administrative safeguards, technical safeguards and physical safeguards.
• Taking into account the differing sizes and resources of businesses, the SHIELD Act emphasizes that the programs should be reasonable. At a minimum, it requires ongoing monitoring of the implemented policies and procedures, regular risk assessment of the business’s technical infrastructure and physical premises, training of personnel, reasonable vendor due diligence, and designating an individual responsible for the required policies, practices, assessment and maintenance.
• Small business exemptions do exist; however, they still require a security program that is scaled in accordance with the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information collected.
• You are deemed compliant if your business is regulated by and compliant with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act, New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), or any other federal or New York State data security regulation.
20. “Gotchas” for NY SHIELD Act
• Similar to the CCPA and the GDPR, the SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. This means that an organization does not necessarily have to conduct business in New York in order to come under the purview of the SHIELD Act.
• New York’s data and privacy laws require that, in the event of a breach, the business must notify any and all New York residents whose private information may have been compromised. With the expanded definitions of breach and private information, more events will trigger New York’s breach notification requirements. Further, because these laws apply to any business that holds New York residents’ information regardless of where the business is located, the notification duty reaches far more businesses and any breaches they may experience.
• “Private information” is a subset of personal information. Under the SHIELD Act, private information has been expanded to include account, credit or debit card numbers (with or without the associated security code where the number alone permits access), biometric data used to authenticate someone’s identity (such as fingerprints, voiceprints, and retina or iris images), and usernames or email addresses in combination with passwords or security questions and answers.
22. Commonalities
• Similar to the CCPA and the GDPR, the NY SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. An organization does not necessarily have to conduct business in New York in order to come under the purview of the NY SHIELD Act.
• At a minimum, the NY SHIELD Act requires ongoing monitoring of the implemented policies and procedures, regular risk assessment of the business’s technical infrastructure and physical premises, training of personnel, reasonable vendor due diligence, and designating an individual responsible for the required policies, practices, assessment and maintenance. CCPA is similar in these requirements, and ISO/IEC 27001 has similar requirements as well.
23. Differences
• Whereas the CCPA and the NY SHIELD Act require compliance from the entities to which they apply, ISO/IEC 27001 is not a mandatory standard.
• The CCPA and the NY SHIELD Act focus on protecting the data of the person, while ISO/IEC 27001 focuses on protecting all types of critical data, infrastructure, applications and the organization itself.
24. Takeaways
• One standard/legislation can be used to support compliance with another
• When implementing compliance with a standard or legislation, it is important to maintain evidence of your compliance and to self-audit as well
• No single security standard or legislation should ever be relied upon as the only element of your security program
• Designate a Privacy Officer or security team to manage your privacy/data protection (note that a Privacy Officer is required in many cases!)
• Complete an organizational risk assessment, and make sure you have classified your data as part of this exercise, before implementing any security or privacy controls
25. ISO/IEC 27001 Training Courses
• ISO/IEC 27001 Introduction: 1-day course
• ISO/IEC 27001 Foundation: 2-day course
• ISO/IEC 27001 Lead Implementer: 5-day course
• ISO/IEC 27001 Lead Auditor: 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events
Notes:
A “business” under the CCPA has more than $25 million in annual gross revenue, OR annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices, OR derives 50% or more of its annual revenue from selling consumers’ personal information.
Consumer data requests must be fulfilled within 45 days.
Discriminated against: e.g., charged more, refused services, or provided a poorer quality of goods or services for exercising CCPA rights.