December 13, 2019
Ready or not, the California Consumer Privacy Act (CCPA), the most comprehensive U.S. data privacy law to date, will go into affect on Jan. 1.
While the General Data Protection Regulation (GDPR) protects personal information (PI) that could potentially identify a specific individual, including name, address, telephone number and Social Security number, CCPA goes beyond that to include product purchase history, social media activity, IP addresses and household information.
The California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation, and every individual affected by a violation is counted as a violation, so an intentional breach of 100,000 people’s data could bring a total fine of $750,000 plus damages of $1 million to $7.5 million to the victims.
BeyondTrust’s Morey Haber
DigiCert’s Mike Nelson
Sophos’s Chet Wisniewski
Businesses are granted a 30-day cure period for most violations, but CCPA, like GDPR, provides for a private right of action in case of certain data breaches, so an individual can directly sue a company.
To learn more about CCPA and implications for the channel, we spoke with Chet Wisniewski, Sophos‘ principal research scientist, Mike Nelson, DigiCert‘s vice president of IoT security, and Morey Haber, BeyondTrust‘s CTO and CISO.
Anyone doing business with California residents that has revenues greater than $25 million, trades in personal information on more than 50,000 people or derives 50% or more of their revenue from selling personal information will need to comply, Wisniewski said. Most small businesses under these rules would be exempt, but it will still impact a huge number of organizations, he said.
“Compliance is big business and most companies will need to revise their privacy policies, procedures and tools that interact with consumers to comply with the legislation,” he said. “Another emerging risk is many new forms of ransomware, like Snatch, that not only lock up data, but steal information before the ransom attack. Companies required to comply with both CCPA and GDPR will now need to report these incidents. This might be a big incentive for companies to look more seriously at outsourcing more of their security to larger more specialized service providers who can stay on top of the latest threats and regulations.”
CCPA requires businesses to change their processes around consumer data collection, Nelson said. The law gives consumers more awareness of what is happening with their data, and allows them to opt in or out of that data sharing. The secure handling of that data is, and always has been, a critical security practice, he said.
“I don’t see this regulation being a big driver for more managed security services,” he said. “However, businesses will need to build automated systems that enable the type of consumer communication required to be compliant with the regulation. Changing processes in any large business is costly. These costs can come in the form of process change, development, legal and compliance.”
Any business that operates only with other businesses is arguably excluded from this act as long as they do not collect an individual’s personal consumer data, Haber…
…said. This is not true for business analytic data, he said.
“Therefore, the impact will not be as big as the hype since [it] only impacts organizations collecting data from B2C and not B2B,” he said. “That is a huge distinction compared to other regulations.”
In addition, harvesting consumer information in order to improve a product with a limited install base, revenue and restricted sale of the data is basically exempt from the regulation, Haber said.
One of the biggest challenges will be staying on top of the rules, Wisniewski said. As of Dec. 6, the rules were still in draft form, leaving only a few weeks to finalize preparations for compliance on Jan. 1, he said.
If an organization is in compliance with GDPR, that doesn’t mean it’s also in compliance with CCPA, he said.
“GDPR is quite different in both scope, definitions regarding what is private information and tools provided to consumers with regard to the sale of personal data,” he said. “Organizations should consult with their attorneys to determine what they need to add to be compliant.”
Haber expects other states and even the federal government to take the lead from California and enact additional standards.
“This could be a potential nightmare if multiple states eventually do enact their own privacy laws that end up being contradictory in any way or supersets of each others’ requirements,” he said. “This would present a complex regulatory problem for any multi-state company and may not be worth the data that is being collected in order to maintain compliance. Companies might just choose not to collect information in the first place in order to be compliant without the regulatory risk.”
Pensacola Latest Municipality Targeted by Ransomware
After a summer of ransomware attacks on U.S. municipalities, the city of Pensacola, Florida, now is fighting a cyberattack that took down most of the city’s network. The attack is being investigated as potential cyber-terrorism, following the shooting at Pensacola’s Naval Air Station last week.
Darktrace’s Marcus Fowler
We spoke with Marcus Fowler, Darktrace‘s director of strategic threat and former CIA executive, to find out more about this particular municipal cyberattack. He’s been tracking this attack.
The publicity around the Pensacola shooting could have generated interest from cybercriminals or hackers and played a role in target selection, he said. Perhaps they were hoping the security teams would be distracted or the city would pay a ransom quickly to avoid additional negative coverage, he said.
“An attacker could have breached Pensacola’s network previously and was already conducting reconnaissance and preparing for an attack,” he said. “Realizing [the shooting] would likely bring additional scrutiny and law enforcement attention, the attacker could have opted to move forwards quickly and carry out the cyberattack.”
Fundamentally, cybersecurity companies need to begin thinking differently about defense and security, Fowler said. Instead of focusing on predicting the threat, companies should watch the data – monitoring devices, users and data for the earliest signs of abnormal activity. This technique not only allows business to detect threats that…
…have never been seen before, but also identify threats in their earliest stages, before damage is done, he said.“Ransomware’s efficacy is, by and large, due to its speed – it can simply move faster than security teams can respond,” he said. “To effectively combat ransomware attacks and other machine-speed attacks, municipalities need machine-speed defenses as well. These defenses don’t need to wait for humans to step in and identify a ransomware attack, at the earliest signs of the threat they will step in to stop or slow the attack.”There’s going to be even more attacks on municipalities in 2020, Fowler said.“This is due to a couple factors,” he said. “First, the proliferation and accessibility of sophisticated tools are enabling criminal groups with limited technical expertise, beyond knowing how to buy bitcoin, to conduct attacks. The return on investment on these types of attacks continues to rise, bringing more potential attackers into the market. It is no longer about a company or municipality or public entity being ‘too small to attack’ as attackers can scale now more than ever. It has less do to with the size of a company, industry or market share and all about the size of the vulnerability. This means entities that have historically not prioritized or underfunded cybersecurity are going to get hit.”Bitdefender MSP Partners to Benefit from Datto IntegrationBitdefender has unveiled an integration of its GravityZone MSP security suite with Datto RMM, a cloud remote monitoring and management solution for MSPs.This integration, available now, lets MSPs using Datto RMM to automate and accelerate installation of Bitdefender AV, antimalware and advanced endpoint layers through a unified OS-agnostic kit. MSPs can install on customers’ devices security layers such as antimalware, content control, email security and patch management, as well as advanced technologies such as tunable machine learning, sandbox and EDR. Bitdefender’s layered security lets MSPs prevent, detect and respond to new types of ransomware, unknown threats and fileless attacks, and stop targeted attacks.Bitdefender’s Alina DraganescuAlina Draganescu, Bitdefender‘s senior director of security for MSPs and SMBs, tells us MSPs will be able to adapt their offering to a wide spectrum of business needs.“Once they identify the optimum package for a specific need in GravityZone, they will be able to quickly install the package in a scalable way, across a large number of endpoints,” she said.The new integration between Datto RMM and Bitdefender enables MSPs to autodetect the OS type, whether Windows, Mac or Linux, and then automatically deploy the Bitdefender agent from a single component. It also allows them to monitor the installation status and update status.“With this integration, our MSP partners using Datto RMM are now able to quickly deploy the Bitdefender Cloud Security agent and view the security status of an endpoint from within their Datto RMM interface, eliminating the need to transition from platform to platform,” said Aaron Dun, Datto’s vice president of product and growth marketing. “We’re dedicated to ensuring our MSP partners have seamless integrations with……the products they use every day to create efficiencies, and we welcome Bitdefender to our Datto Developer Program.”Netskope, Dell Partner for Cloud, Endpoint SecurityNetskope is joining forces with Dell to provide customers with security both in the cloud and on the endpoint.Netskope now is part of Dell’s endpoint security portfolio. Netskope’s Security Cloud platform unifies and replaces many point solutions, including secure web gateways, cloud access security brokers (CASBs) and data
loss prevention (DLP) tools, the company said.Netskope’s Dave RogersDave Rogers, Netskope’s vice president of alliances and global channel sales, tells us the new relationship with Dell will create a “win/win relationship for many of our partners.” All existing Dell partners will be able to add Netskope to their partners matrix through Dell, he said.“Dell does a great job of positioning security solutions with their endpoint buyers,” he said. “Many of these relationships go beyond the hardware that most people would assume and include solutions like Netskope to solve challenges in a cloud-first world.”Netskope’s platform is cloud-native and cloud-delivered, according to the company. Netskope is backed by Dell’s global ProSupport team, which streamlines the customer experience.Blockchain-Related Hacks MountAccording to data gathered by PreciseSecurity.com, nearly $8.5 billion has been lost in blockchain and crypto-related hacks. This shows that the crypto industry still needs to improve its security standards and offer better solutions to clients, it said.The report shows that there are nearly two attacks every three days, making it very difficult for companies to expand and users to feel protected in the market. In general, investors and traders handle large amounts of money that seems not to be as protected as it should, according to the report.This is also not good for larger and traditional investors that want to know their funds are safe at all times.The EOS network has been the most affected blockchain in the market with 114 hack events. Cryptocurrency exchanges also have been severely affected with 59 attacks experienced in the last few years. Tron TRX decentralized applications also have been attacked and affected.
Read more about:MSPs
About the Author(s)
You May Also Like