Data Privacy and the Law
Keeping customer data away from prying eyes
Compliance, compliance, compliance!
The General Data Protection Regulation (GDPR) came into force on May 25th 2018. The regulation sets out rules that any business holding the personal information of EU citizens has to follow. To ensure that you are complying with the GDPR, make sure that:
First, you consider privacy by design. This clause states that only the personal information critical to the company's functioning may be kept, and that this data should be accessible only to those in the company who need it.
Second, it is important for companies to follow the 'right to be forgotten'. This means that data which is no longer being used for its original purpose, or to whose use a user no longer consents, must be deleted.
Third, the company must delete data when a customer revokes their consent to its being stored. Furthermore, companies must provide clear
Finally, the GDPR states that in the case of a data breach, companies must notify all affected parties. Affected clients must be notified immediately after the compromise, and regulators within a 72-hour window.
The Canadian data privacy act
On November 1st 2018, Canada implemented its own Data Privacy Act. This regulation outlines who must be notified when a data breach occurs. The act states that organizations can face fines of up to $100 000 if they fail to notify the Privacy Commissioner of Canada or the customers affected by the breach.
The report to the Privacy Commissioner needs to contain as much information about the breach as possible. It must describe the cause and scope of the damage, as well as the estimated number of people affected. Additionally, the report must include the strategy the company plans to use to mitigate the damage and remedy the breach.
No organization is immune to data breaches
Organizations will always be under threat of data breaches. In the past few years alone, multinational companies including American Express, Yahoo, Capital One, and Retrieval-Masters Creditors Bureau have all been victims of data breaches.
In the Capital One data breach alone, the personal data of over 106 million of its customers was illegally accessed, with addresses, credit scores, dates of birth, and reported incomes among the data that was leaked. Capital One reported the cost of the attack to be between $100 million and $150 million.
How should you keep your data safe?
To protect yourself from external data breaches, it is important to keep your network secured with a firewall and to keep your machines up to date with the latest software updates. While this helps protect your company from external threats, it is also essential to keep your employees informed about the signs of phishing and suspicious emails, in order to reduce the chance of a malicious link being clicked.
Ransomware often comes with data theft
Ransomware is a type of malware that locks data behind a ransom demand in order to extort money from victims. However, it has been found that ransomware is often accompanied by data theft, even when the attackers do not explicitly say that data is being stolen. In many cases, it is only when victims refuse to give in to the ransom demand that the attackers threaten to release the stolen sensitive information to the public.