[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* This new web browser wants to solve ad blocking problems with Bitcoin
* Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way
* CISOs face cloud GRC challenges as services take off
* Eight Reasons Why You Need to Audit Your Data Security Plan
* Florida privacy law adds breach notification and strengthens compliance
* Modernizing Security
This new web browser wants to solve ad blocking problems with Bitcoin
Brave — a web browser co-created by ex-Mozilla CEO Brendan Eich — launched Brave Payments in beta yesterday.
The Brave browser blocks ads, but it also offers a novel solution that allows publishers to keep generating revenue.
Brave Payments allows users to top up an account with bitcoin, select a monthly budget, and select sites that they would like to pay when they make a visit.
Brave automatically pays these publishers based on the amount of time users of the browser spend on the publishers’ web properties and how much the user is willing to give.
BitGo is providing bitcoin wallets for Brave users and Coinbase is providing the marketplace for bitcoins to be purchased.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8866044de3&e=20056c7556
Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way
According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.
While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.
Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee.
Nevada now includes in its definition of “personal information” a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account.
Similarly, Rhode Island now counts as “personal information” any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual’s personal, medical, insurance or financial account.
Nebraska did not go quite as far but now considers a user name or email address in combination with a password or security question and answer that permits access to an online account to be “personal information”.
Nebraska and Rhode Island both decided that data should not be considered “encrypted” if the confidential process or key permitting access to otherwise encrypted data is also acquired in connection with a security breach.
Nebraska and Rhode Island both imposed new obligations around notification to Attorneys General in the event of a security breach.
In Nebraska, a covered entity must now notify the state’s Attorney General of a security breach not later than the time when notice is provided to affected residents.
In Rhode Island, any covered entity notifying more than five hundred (500) residents of a security breach now must also notify the state’s Attorney General.
Both Rhode Island and Tennessee put covered entities on the clock and now require notification to affected residents within forty-five (45) days of discovery of a security breach unless a delay is necessary for law enforcement purposes.
Rhode Island also imposed new requirements for the specific contents of notice to affected residents.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=944b292f16&e=20056c7556
CISOs face cloud GRC challenges as services take off
The biggest challenges CISOs face in these environments have to do with a loss of visibility, a lack of standards for evaluating cloud GRC (governance, risk management and compliance) and a failure by employees to perform due diligence when migrating critical enterprise applications and data to the cloud.
A lot of the cloud adoption in organizations has happened in an organic fashion with little to no IT involvement and even less policy oversight.
So in many cases, the security, policy and governance measures you implement will be somewhat retroactive in nature, notes Chris Pogue, CISO at Nuix, a company that develops software for extracting business value from unstructured data.
Generally, most people are amicable when it comes to security, privacy and compliance obligations and are willing to implement change if they can continue using something they really require.
One of the first steps that organizations can take toward achieving cloud GRC goals is getting a handle on the scope and the nature of services that are being used across their environments.
Enterprises on average use 841 cloud applications, about 20 times more services than estimated by the average IT organization, according to the “First Half 2016 Shadow Data Threat Report,” published by research company Blue Coat Elastica Cloud Threat Labs in July.
It is simply not possible to perform due diligence or to prioritize cloud data governance activity without first discovering all of the sanctioned and unsanctioned cloud applications and services running in your environment, Reavis added.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4249b2122a&e=20056c7556
Eight Reasons Why You Need to Audit Your Data Security Plan
Every healthcare company should have a data security and privacy plan that identifies potential threats and outlines how to deal with them.
You also should review your plan on a regular basis and have the plan audited by an appropriate agent.
While it’s highly unlikely that you’ll ever face a federal audit, a significant breach can trigger an investigation that includes your data and security plans.
Having a plan may not spare you hefty fines if that plan hasn’t been tested through an audit.
The eight reasons you need an audit can be divided into two categories: the bad things that can happen if you don’t do an audit, and the good things that can happen if you do.
– Think about the literal cost to your business if your data gets into the wrong hands.
In just the first six months of this year, the Office of Civil Rights (OCR) agreed to almost $15 million in settlement payments with covered entities and their business associates.
– The chance of a data breach is greater than you think.
– A breach won’t just cost you money.
It’ll cost you your reputation and the confidence of the people who do business with you.
– Because even the smallest healthcare providers are using electronic health records systems, issuing prescriptions through digital apps and sharing data electronically with other care partners, a data breach can happen at any place where data is handled or transmitted within your organization.
On the other hand, there are four compelling reasons why an audit can be a good thing.
– An audit is like life insurance for your business.
– Your data plan, which you can strengthen and validate by the voluntary audit you commission, can be so comprehensive that nothing is left to chance.
– Setting your own audit in motion will help you uncover any data system flaws or breaches that exist before they might come to the attention of the OCR, or the public.
In fact, most data breaches (58 percent) are uncovered during audits and assessments.
– If you need in-depth auditing and accreditation services to protect your data and attest that it hasn’t been compromised, organizations such as the Electronic Healthcare Network Accreditation Commission (EHNAC) and other third-party organizations can furnish them.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9306fe7f96&e=20056c7556
Florida privacy law adds breach notification and strengthens compliance
The Florida Information Protection Act (FIPA).
Each state has its own flavor of data privacy law if it has one at all.
FIPA says, “An act relating to security of confidential personal information; providing a short title; repealing s. 817.5681, F.S., relating to a breach of security concerning confidential personal information in third-party possession; creating s. 501.171, F.S.; providing definitions; requiring specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requiring specified entities to notify the Department of Legal Affairs of data security breaches; requiring notice to individuals of data security breaches under certain circumstances…”
Florida’s expanded law places even more emphasis on organizations to safeguard data.
Before, the definition of breach meant it was unlawful and unauthorized.
Now it’s just unauthorized.
The statute now requires a notification to the Attorney General for breaches, which is a big change.
It requires consultation with local law enforcement; before, it was optional.
A great way to look at the differences between US law and Europe is to use Safe Harbor as an example.
The United States takes a sectoral approach to information privacy.
So specific laws protect privacy rights for a given industry or sector.
There are many laws at the state level that regulate the collection and use of personal data, and the number grows each year.
We know from our legal primer that federal laws preempt state laws.
Most states have enacted some form of privacy legislation, however California leads the way in the privacy arena, having enacted multiple privacy laws, some of which have far-reaching effects at a national level.
As an IT auditor in security and compliance, I find this very good news.
The best example of a preventative-type of law is the Massachusetts Regulation (201 CMR 17.00), which prescribes in considerable detail an extensive list of technical, physical and administrative security protocols aimed at protecting personal information that affected companies must implement into their security architecture, and describe in a comprehensive written information security policy.
The U.S. relies on a patchwork of state laws, whereas Europe has a single broad law covering privacy for all industries.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fc5e979100&e=20056c7556
Modernizing Security
According to Breach Level Index, 4,762,376,968 data records have been lost or stolen since 2013.
That’s 4 Trillion, with a “T.” You know the old saying: A trillion here, a trillion there, and pretty soon we’re talking about a lot of records.
And data.
And… liability.
Be aware that data security is not the sole province of IT.
It is the province of the organization.
Who owns the data?
The organization does.
IT most definitely can help to select, size, maintain and progress security systems – in the technical sense.
IT can also train people for security awareness and best practices; IT can help to modify and sustain the appropriate behaviors.
But it really needs to be the organization and the business stakeholders that secure the business, as they oversee all staff, users and IT alike.
They do this by helping to measure and approve budgets, policies, and staff readiness.
And, the organization must be intelligent enough and informed enough to oversee IT and the related security measures.
After all, keep in mind that most breaches are due to human error.
Any organization will get it soon enough: preparedness and prevention guard against damage to the organization’s number one asset: its reputation.
As a lasting thought, remember this: In the realm of risk, unmanaged possibilities become probabilities.
Start thinking about risk and liabilities, speak with your subordinates and supervisory chain, and get security on the agenda in a serious way before something dire happens in your organization.
Research and educate yourself about all manner of data breaches and how they occurred – then survey your job, your activities, and your place of work for risk.
Make suggestions and inspire or take appropriate action depending on your place in the organization.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ba82c919a0&e=20056c7556
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.