The first data breach of 2019 took place less than 24 hours after the new year. The Australian State of Victoria reported an estimated 30,000 civil identities exfiltrated by way of spear phishing (a targeted email that lures the victim into an action which opens the door to compromise). The agency claims all personally identifiable information (PII) was encrypted, which thankfully renders the exfiltrated data unusable. This security approach was the result of a compliance effort to meet the GDPR requirement for encrypting all PII data.
What you need to know: The very same data encryption requirement of GDPR that saved the State of Victoria from a massive PR nightmare was an important consideration for lawmakers right here in California when creating and adopting the California Data Privacy Bill: AB:375 Privacy: Personal Information: Business.
The bill was passed by the California State Legislature and was recently signed by Governor Jerry Brown. This bill goes into effect by the end of 2020 and covers several key areas:
- Businesses must disclose what information they collect, the business purpose for which they collect it, and any third parties they share that data with.
- Businesses would be required to comply with official consumer requests to delete that data.
- Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
- Businesses can, however, offer “financial incentives” for being allowed to collect data.
- California authorities are empowered to fine companies for violations.
Please visit the California Legislative site for more information.
Recommendation: 2019 will have a heavy focus on readiness assessments and preparation. These engagements will help you understand your risk landscape so that recommendations and road-mapped strategies can be defined. These recommendations will encompass all areas of your business, from people to processes to technology, and ultimately help you take action to reduce your attack surface.
Recommended product(s) you need to consider: End-to-end encryption (E2EE) will be a focus in determining how to be compliant with California’s Data Privacy Bill, the compelling factor being how to render data useless in the event of a data breach that leads to exfiltrated data. There will be many opposing views on how this tactic might be circumvented, such as eavesdropping or man-in-the-middle attacks. We also strive to lessen or prevent fines by remaining compliant, with a key definition being whether the privacy of the data is at risk. Having a strategy and supporting documentation that shows the data exfiltrated during a breach was in fact encrypted can save a great deal of “face” and “money”. You can learn more about how ePlus helps our customers reduce their attack surface, or mitigate the impacts of disruptive cyber threats here, or call your local ePlus team today.