Tag: CCPA

27 Nov 2019

Uniform or Patchwork Privacy Laws? How Your Bank Can Mitigate Cyber Risk

As more state privacy laws come into effect in the US, navigating privacy, data residency and jurisdictional requirements is more complicated than ever for banks and financial institutions with national and international reach. Let’s look at what these privacy laws are and how encryption helps banks and financial services institutions mitigate the risk that comes with juggling multiple privacy laws.

Patchwork privacy laws

America is gearing up for the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA is now one of many privacy and data security laws that protect consumers across some states.

Current state privacy laws:

  • California Consumer Privacy Act (CCPA)
  • Nevada Senate Bill 220
  • Act to Protect the Privacy of Online Consumer Information (Maine).

While three privacy laws might not seem like much to handle, that’s not the whole picture. There are also laws governing cybersecurity, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Maryland and Massachusetts.

That’s a lot for any national company to keep up with and with each new law enacted, it becomes easier for companies to fall out of compliance, especially if they don’t implement proper risk management.

National privacy laws

National privacy laws include:

  • The General Data Protection Regulation (GDPR) in Europe.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
  • The Act on Protection of Personal Information (APPI) in Japan.
  • The Health Insurance Portability and Accountability Act (HIPAA) in the USA.
  • The Electronic Communications Privacy Act (ECPA) in the USA, often critcized for being outdated and having no impact.

 

What kind of privacy legislation is best for banks?

Banks and other financial institutions are subject to strict legislation outside of general privacy laws. For example, the Gramm-Leach-Bliley Act (GLBA) governs what kind of information can be shared with third parties and requires financial institutions to disclose how they protect their clients’ private data.

We won’t list the regulations financial services companies are subject to here—suffice to say, banks are already heavily regulated.

The best type of privacy legislation for banking, financial services and insurance companies is legislation they influence to meet their needs (and the needs of their customers).

We’d suggest that one national privacy law would be easier to manage than multiple state laws on top of international privacy laws. Whatever the answer is, banks would be wise to weigh in on the idea of a national privacy law in America—because other businesses sure are.

Why the business community is advocating for an American national privacy law

The CCPA is hailed as “America’s answer to the GDPR” but that doesn’t hold up in terms of reach. The GDPR and the CCPA are similar regulations and both allow for sharp fines for lack of compliance. But the GDPR protects citizens of nations belonging to the European Union—that’s 512 million people. There are 327 million people in the US and 39.5 million people in California.

How many more laws need to be enacted for all 327 million Americans to enjoy the same privacy rights as Californians and Europeans? For many people and businesses, the answer is “too many.”

The complications of patchwork privacy legislation is one reason the Business Roundtable—an association of chief executive officers who promote the U.S. economy through sound public policy—is advocating for a national privacy law for Americans.

Marc Benioff, CEO of Salesforce, writes in a Politico article that a national privacy law is “the right thing for consumers and the industry.”

But this advocacy work hasn’t yet borne fruit so businesses must deal with what is, instead of what could be.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate patchwork privacy laws

Encryption allows organizations to enhance data protection and breach notification practices. It’s an essential risk management tool that supports an organization’s overall cybersecurity strategy.

Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banks and financial services organizations navigate patchwork privacy laws.

OneWorld features that help banks stay compliant to multiple privacy laws:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Multiple options for data residency – We have six data centres located in Canada, the US, Mexico, the UK, Ireland and Germany which means our clients can stay compliant to data residency requirements outlined in the GDPR and American privacy legislation. For example, if an organization works in both the EU and US, they can’t have data residency (or third parties) in the US or else they’ll be out of compliance with the GDPR.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, directly to recipient inboxes in an encrypted PDF that’s password protected.
  • Natural extensions for Office Message Encryption (OME) – We work alongside Microsoft to take Office 365 to the next level with flexible use cases, branding, audit and tracking capabilities and certificate encryption. This increases existing encryption capabilities and keeps employees comfortable and confident using their existing communication tools—which makes encryption the path of least resistance.

A recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

Banks are already doing business in a patchwork of conflicting privacy environments. Why not make it easier with our user-friendly encryption solution?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

 

11 Nov 2019

California’s CCPA – What Banks Need to Know

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and enforcement measures are scheduled to start six months later. Banks that do business with the state of California and its residents need to protect themselves and get compliant with the CCPA, hailed as “America’s answer to the GDPR.”

A quick view of the CCPA

The CCPA establishes data privacy rights for Californians and, starting soon, this law applies to businesses that sell products and services to California residents and collect information about them.

Under the CCPA, California residents have the right to:

  • Know what personal information is collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Opt out of allowing businesses to sell their personal information.
  • Access the personal information collected about them—in the last 12 months—and receive it in a user-friendly format.
  • Equal service and price, no matter what privacy options they choose.
  • Erase personal data collected (in some situations).

 

This act means Californians can opt out of many secondary uses of their personal information including sales to data brokers, tracking and other uses not directly related to service delivery.

Defining personal information under the CCPA

Section 1798.140, subdivision (o) of the CCPA defines personal information and it’s a long list that includes—but isn’t limited to—identifiers, categories listed in subdivision (e) of Section 1798.80, characteristics of protected classifications, commercial information, biometric information, internet and other electronic network activity, geolocation data, audio, electronic, visual, thermal, olfactory information, professional, employment and education information (that’s not already publicly available) and inferences drawn from information collected.

Call your privacy lawyers and experts because this list is exhaustive; staying in compliance will be complicated and being out of compliance will be costly.

Penalites and fees associated with the CCPA

Like the GDPR, the CCPA has teeth when it comes to penalites. PWC reports that the private right of action damages will be between $100 and $750 per consumer, per breach. And the regulator enforcement penalities will be “up to $2,500 per unintentional violation and $7,500 per intentional violation.”[i]

The impact of the CCPA on banking institutions

As more states institute their own consumer privacy laws, it becomes increasingly complicated for national banks to remain compliant across state borders. Today we’re talking about California but Vermont and South Carolina just passed laws about data collection and breach notification respectively.

Banks must understand privacy laws in all states and countries they do business in and have the processes and products in place to stay compliant with these regulations. They should also expect this trend of patchwork privacy laws to continue and be prepared to adapt to ever-evolving privacy laws.

Any banks that have Eurpean clients are (or should be) GDPR compliant so there’s less work for them to do now as the GDPR and the CCPA have many overlapping requirements. Part of that work includes analyzing data flows, implementing processes to meet the needs of the new regulation and clearly documenting all data and data policies.

Encrypted communications are part of the solution because encryption keeps protected personal information safe at rest and in transit. The Echoworx OneWorld encryption platform makes encryption the path of least resistance which is essential in highly-regulated industries such as banking, financial services and insurance.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate the CCPA

Encryption is a tool that allows organizations to enhance data protection and breach notification practices.

Encryption is considered[ii]:

  • An appropriate technical and organizational measure for securing personal data when implemented with other appropriate controls to protect the encryption process.
  • An appropriate safeguard for processing personal data for a different purpose than the one it was collected for.

 

But encryption only works when it’s used. And, in a recent survey of IT professionals and IT decision-makers, we found that although encryption is a priority for most organizations, less than half the organizations with encryption software use it extensively.

That’s because many encryption solutions are difficult for employees and clients to use where encryption becomes an extra step; when security is outside of the regular workflow, people are less likely to use it.

At Echoworx, we built our OneWorld encryption platform to seamlessly integrate into existing workflows and make encryption and secure communications the path of least resistance.

OneWorld features that help banks navigate privacy regulations, including the GDPR and CCPA:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is set up during implementation—based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, direct to recipient inboxes in encrypted PDF format, that’s also password protected.
  • Breach notifications – Senders can leverage OneWorld to deliver encrypted and protected communications and notifications to their customers in the instance of a breach.

 

Besides making encryption the path of least resistance, a recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

The clock is ticking on the California Consumer Privacy Act. Why wait to make our user-friendly encryption solution part of your compliance strategy?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

 


Source:

[i] https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html

[ii] https://www.echoworx.com/project/encryption-in-the-gdpr/