{"id":1258,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail21-suw15-mcsv-net\/"},"modified":"2021-12-30T11:39:03","modified_gmt":"2021-12-30T11:39:03","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail21-suw15-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail21-suw15-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail21.suw15.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.]<br \/>\nAnd so, now the news<\/p>\n<p>* This new web browser wants to solve ad blocking problems with Bitcoin<br \/>\n* Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way<br \/>\n* CISOs face cloud GRC challenges as services take off<br \/>\n* Eight Reasons Why You Need to Audit Your Data Security Plan<br \/>\n* Florida privacy law adds breach notification and strengthens compliance<br \/>\n* Modernizing Security<\/p>\n<p>This new web browser wants to solve ad blocking problems with Bitcoin<br \/>\nBrave \u2014 a web browser co-created by ex-Mozilla CEO Brendan Eich \u2014launched Brave Payments in beta yesterday.<br \/>\nThe Brave browser blocks ads, but it also offers a novel solution that allows publishers to keep generating revenue.<br \/>\nBrave Payments allows users to top up an account with bitcoin, select a monthly budget, and select sites that they would like to pay when they 
make a visit.<br \/>\nBrave automatically pays these publishers based on the amount of time users of the browser spend on the publishers&#8217; web properties and how much the user is willing to give.<br \/>\nBitGo is providing bitcoin wallets for Brave users and Coinbase is providing the marketplace for bitcoins to be purchased.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8866044de3&#038;e=20056c7556<\/p>\n<p>Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way<br \/>\nAccording to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.<br \/>\nWhile much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.<br \/>\nHere is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee.<\/p>\n<p>Nevada now includes in its definition of \u201cpersonal information\u201d a medical identification number, a health insurance identification number, and a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that permits access to an online account.<\/p>\n<p>Similarly, Rhode Island now counts as \u201cpersonal information\u201d any medical information, health insurance information, and an email address in combination with any required security code, access code or password that allows access to an individual\u2019s personal, medical, insurance or financial account.<\/p>\n<p>Nebraska did not go quite as far but now considers a user name or email address in combination with a password or security question and answer that permits access to an online account to be \u201cpersonal 
information\u201d.<\/p>\n<p>Nebraska and Rhode Island both decided that data should not be considered \u201cencrypted\u201d if the confidential process or key permitting access to otherwise encrypted data is also acquired in connection with a security breach.<\/p>\n<p>Nebraska and Rhode Island both imposed new obligations around notification to Attorneys General in the event of a security breach.<br \/>\nIn Nebraska, a covered entity must now notify the state\u2019s Attorney General of a security breach not later than the time when notice is provided to affected residents.<br \/>\nIn Rhode Island, any covered entity notifying more than five hundred (500) residents of a security breach now must also notify the state\u2019s Attorney General.<\/p>\n<p>Both Rhode Island and Tennessee put covered entities on the clock and now require notification to affected residents within forty-five (45) days of discovery of a security breach unless a delay is necessary for law enforcement purposes.<br \/>\nRhode Island also imposed new requirements for the specific contents of notice to affected residents.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=944b292f16&#038;e=20056c7556<\/p>\n<p>CISOs face cloud GRC challenges as services take off<br \/>\nThe biggest challenges CISOs face in these environments have to do with a loss of visibility, a lack of standards for evaluating cloud GRC (governance, risk management and compliance) and a failure by employees to perform due diligence when migrating critical enterprise applications and data to the cloud.<br \/>\nA lot of the cloud adoption in organizations has happened in an organic fashion with little to no IT involvement and even less policy oversight.<br \/>\nSo in many cases, the security, policy and governance measures you implement will be somewhat retroactive in nature, notes Chris Pogue, CISO at Nuix, a company that develops software for extracting business value from 
unstructured data.<br \/>\nGenerally, most people are amicable when it comes to security, privacy and compliance obligations and are willing to implement change if they can continue using something they really require.<br \/>\nOne of the first steps that organizations can take toward achieving cloud GRC goals is getting a handle on the scope and the nature of services that are being used across their environments.<br \/>\nEnterprises on average use 841 cloud applications, about 20 times more services than estimated by the average IT organization, according to the &#8220;First Half 2016 Shadow Data Threat Report,&#8221; published by research company Blue Coat Elastica Cloud Threat Labs in July.<br \/>\nIt is simply not possible to perform due diligence or to prioritize cloud data governance activity without first discovering all of the sanctioned and unsanctioned cloud applications and services running in your environment, Reavis added.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4249b2122a&#038;e=20056c7556<\/p>\n<p>Eight Reasons Why You Need to Audit Your Data Security Plan<br \/>\nEvery healthcare company should have a data security and privacy plan that identifies potential threats and outlines how to deal with them.<br \/>\nYou also should review your plan on a regular basis and have the plan audited by an appropriate agent.<br \/>\nWhile it\u2019s highly unlikely that you\u2019ll ever face a federal audit, a significant breach can trigger an investigation that includes your data and security plans.<br \/>\nHaving a plan may not assuage hefty fines if that plan hasn\u2019t been tested through an audit.<br \/>\nThe eight reasons you need an audit can be divided into two categories: the bad things that can happen if you don\u2019t do an audit, and the good things that can happen if you do.<br \/>\n&#8211; Think about the literal cost to your business, if your data gets into the wrong hands.<br 
\/>\nIn just the first six months of this year, the Office of Civil Rights (OCR) agreed to almost $15 million in settlement payments with covered entities and their business associates.<br \/>\n&#8211; The chance of a data breach is greater than you think.<br \/>\n&#8211; A breach won\u2019t just cost you money.<br \/>\nIt\u2019ll cost you your reputation and the confidence of the people who do business with you.<br \/>\n&#8211; Because even the smallest healthcare providers are using electronic health records systems, issuing prescriptions through digital apps and sharing data electronically with other care partners, a data breach can happen at any place where data is handled or transmitted within your organization.<br \/>\nOn the other hand, there are four compelling reasons why an audit can be a good thing.<br \/>\n&#8211; An audit is like life insurance for your business<br \/>\n&#8211; Your data plan, which you can strengthen and validate by the voluntary audit you commission, can be so comprehensive that nothing is left to chance.<br \/>\n&#8211; Setting your own audit in motion will help you uncover any data system flaws or breaches that exist before they might come to the attention of the OCR, or the public.<br \/>\nIn fact, most data breaches (58 percent) are uncovered during audits and assessments.<br \/>\n&#8211; If you need in-depth auditing and accreditation services to protect your data and attest that it hasn\u2019t been compromised, organizations such as the Electronic Healthcare Network Accreditation Commission (EHNAC) and other third-party organizations can furnish them.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=9306fe7f96&#038;e=20056c7556<\/p>\n<p>Florida privacy law adds breach notification and strengthens compliance<br \/>\nThe Florida Information Protection Act.<br \/>\nEach state has its own flavor of data privacy law if it has one at all.<br \/>\nFIPA says, &#8220;An act relating 
to security of confidential personal information; providing a short title; repealing s. 4 817.5681, F.S., relating to a breach of security concerning confidential personal information in third-party possession; creating s. 501.171, F.S.; providing definitions; requiring specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requiring specified entities to notify the Department of Legal Affairs of data security breaches; requiring notice to individuals of data security breaches under certain circumstances&#8230;&#8221;<br \/>\nFlorida&#8217;s expanded law places even more emphasis on organizations to safeguard data.<br \/>\nBefore, the definition of breach meant it was unlawful and unauthorized.<br \/>\nNow it&#8217;s just unauthorized.<br \/>\nThe statute now requires a notification to the Attorney General for breaches, which is a big change.<br \/>\nIt requires consultation with local law enforcement; before, it was optional.<br \/>\nA great way to look at the differences between US law and Europe is to use Safe Harbor as an example.<br \/>\nThe United States takes a sectoral approach to information privacy.<br \/>\nSo specific laws protect privacy rights for a given industry or sector.<br \/>\nThere are many laws at the state level that regulate the collection and use of personal data, and the number grows each year.<br \/>\nWe know from our legal primer that federal laws preempt state laws.<br \/>\nMost states have enacted some form of privacy legislation, however California leads the way in the privacy arena, having enacted multiple privacy laws, some of which have far-reaching effects at a national level.<br \/>\nAs an IT auditor in security and compliance this is very good news.<br \/>\nThe best example of a preventative-type of law is the Massachusetts Regulation (201 CMR 17.00), which prescribes in considerable detail an extensive list of technical, physical and administrative security 
protocols aimed at protecting personal information that affected companies must implement into their security architecture, and describe in a comprehensive written information security policy.<br \/>\nThe U.S. has state laws vs a broad national law in Europe to cover privacy for all industries.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=fc5e979100&#038;e=20056c7556<\/p>\n<p>Modernizing Security<br \/>\nAccording to Breach Level Index, 4,762,376,968 data records have been lost or stolen since 2013.<br \/>\nThat\u2019s 4 Trillion, with a \u201cT.\u201d You know the old saying: A trillion here, a trillion there, and pretty soon we\u2019re talking about a lot of records.<br \/>\nAnd data.<br \/>\nAnd\u2026 liability.<br \/>\nBe aware that data security is not the sole province of IT.<br \/>\nIt is the province of the organization.<br \/>\nWho owns the data?<br \/>\nThe organization does.<br \/>\nIT most definitely can help to select, size, maintain and progress security systems \u2013 in the technical sense.<br \/>\nIT can also train people for security awareness and best practices; IT can modify and sustain the appropriate behaviors.<br \/>\nBut it really needs to be the organization and the business stakeholders that secure business, as they oversee all staff, users and IT alike.<br \/>\nThey do this by helping to measure and approve budgets, policies, and staff readiness.<br \/>\nAnd, the organization must be intelligent enough and informed enough to oversee IT and the related security measures.<br \/>\nAfter all, keep in mind that most breaches are due to human error.<br \/>\nAny organization will get it soon enough: preparedness and prevention guard against damage to the organization\u2019s number one asset: Its reputation.<br \/>\nAs a lasting thought, remember this: In the realm of risk, unmanaged possibilities become probabilities.<br \/>\nStart thinking about risk and liabilities, speak with 
your subordinates and supervisory chain, and get security on the agenda in a serious way before something dire happens in your organization.<br \/>\nResearch and educate yourself for all manner of data breaches and how they occurred \u2013 then survey your job, your activities, and your place of work for risk.<br \/>\nMake suggestions and inspire or take appropriate action depending on your place in the organization.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ba82c919a0&#038;e=20056c7556<\/p>\n<p>Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.] 
And so, now the news * This new web browser wants to solve ad blocking problems with Bitcoin * Summer Round-Up: Four States Bolster Data Breach Notification Laws&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1258","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1258"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1258\/revisions"}],"predecessor-version":[{"id":3745,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1258\/revisions\/3745"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}