Category: Uncategorized

For most companies that have an IT department, the decisions that revolve around technology, including the devices and the platforms/programs that are used, fall squarely on their shoulders. IT professionals do the research and, in most cases, choose the technology (devices, platforms, etc.) that best suit the needs of the company. The problem is that while the IT professionals may know what’s best, the employees may not agree with their findings. Finding a happy medium is not always as easy as it sounds.

Forcing the Tech Issue

Management often gives the IT department strict control over the technology that is used during the day to day operation of the business. Because they have built the network and know what devices will work most efficiently, they may expect employees to merely follow along. For some, this may work. The problem revolves around the fact that not every employee may feel comfortable with the platforms the IT department wants them to use. They may be difficult to use or the employee may simply have another option that they prefer. Forcing employees to conform to IT departments demands can lead to significant issues, including reduced productivity, increased tension in the workplace, and frustration with how the system works as a whole. Needless to say, forcing the issue can have disastrous consequences.

Strictly Managed IT or Enhanced Productivity

Simply put, you can have a strictly managed IT network that doesn’t take into consideration the needs and wants of the employees or you can allow the employees to choose the devices and platforms they want increasing productivity, but possibly causing the system to not work as effectively as it should. The key to finding the best of both worlds is to find a happy medium. Employees don’t necessarily want to dictate where the company invests their technology dollars, they just want a say in how it will affect them and how they are able to do their jobs. It’s more beneficial for everyone involved if both the IT department and the employees work together to create a system that makes it easy for the employees to perform effectively as well as allowing the IT department the ability to invest in the technology that is needed to keep the business moving forward.

Personalization

The key is to maintain the integrity of the company’s IT network while allowing employees to use the platforms, programs, and devices they are most comfortable with. This level of personalization may take some time to accomplish but in the end, will create a network that is both efficient as well as secure. When it comes to investing the company’s money into high-tech systems, taking a dictatorial approach can have disastrous results if the employees aren’t comfortable with the IT department’s choice. While IT will still have the final say, allowing employees to voice their opinion and provide input from their perspective will make it possible to build a personalized network that accomplishes everyone’s goals. This includes creating a system that is both secure and well-structured using devices and platforms that allow employees to be as productive as possible.

Working together to create a personalized network will not only ensure that the company’s investment pays off, but it will also allow employees to feel valued. The more appreciated the employee, the more dedicated they are to the company, which in turn, increases productivity and creates a positive work environment.

Small and mid-sized companies have a tendency to operate under the assumption that hackers target only more extensive operations. There’s a simple logic to that misconception that these criminals instigate cyber breaches that reap the highest possible reward. Nothing could be further from the truth.

Check out what Robert Herjavec and Scott Schober have to say on Cybersecurity.
Click Here

While hacks into the Democratic National Committee and Equifax make big headlines, the majority of cyber attacks are carried out on smaller, vulnerable systems. Most hackers merely look for the low hanging fruit. If your small or mid-sized company has modestly valuable data and lacks top-tier cybersecurity, you are that low hanging fruit.

By 2020, upwards of 6 billion people globally and 283 million Americans are expected to utilize the Internet. That means businesses of every level will be fully engaged and it only takes two miscreants on another continent to breach your security.

Cybercrime has already reportedly outpaced the combined profits of all the major drug cartels in the world at $6 trillion annually. Unlike vast criminal organizations, two computer whizzes with laptops thousands of miles away can extract sensitive information without a company even knowing until it’s too late.

These days, stealing credit card info is not among the highest priorities. Cybercriminals have discovered that personal and personnel information can yield significant paydays. If you still don’t think cybersecurity ranks among the highest priorities for small and mid-sized companies, just listen to this.

Hacks Are Often Inside Jobs

It may seem counterintuitive, but a company’s most significant cyber threat can be found among the most valued employees. Staff members are not generally acting in a nefarious fashion. In fact, loyal employees are often just that, loyal. But a pervasive attitude exists in workplaces that checking in on personal social media, using various non-work related apps and platforms is both allowable and safe.

According to cyber security experts, upwards of 93 of all breaches that are investigated thoroughly trail back to an employee. Although that person is generally not the so-called “inside man” or “inside woman” regarding criminal intent, their nonchalant attitude about checking personal sites exposed the small or mid-sized organization to a massive data breach.

Many are merely duped by phishing scams or inadvertently infest a business system with malware. This could occur by synching an unsecured device, moving data on a USB drive back and forth between home and work, or surfing the Internet among other security missteps. While many business decision-makers believe their data is not at risk, it takes a cybersecurity professional to build a company-specific “human firewall” that reduces internal threats through actionable policies and training.

Small And Mid-Sized Organizations Held Hostage Everyday

No Third World drug cartel can compare to the volume of theft leveled by small-time hackers. Ransomware remains the top malicious software and ranks among the most lucrative type of cyberattack. This variety of malware targets business systems by penetrating them through a camouflage method of encryption. Once inside a business’ network, it quickly encrypts critical data and makes everything inaccessible to the organization.

The name “ransomware” was earned by what comes after. A defiled organization will likely get a notice to pay a certain amount — often in bitcoin — to get an encryption code allowing you to restore access to your own files. This hostage situation often proves fruitful for the cybercriminal because paying them off appears to be in the company’s best financial interest. Sadly, too many business leaders only move forward with advanced cybersecurity after suffering a feeling of helplessness and humiliation.

Underachieving Cybersecurity Protocols Prove Costly

A Verizon Data Breach Report reportedly concluded that upwards of 60 percent of all incursions during 2016 could be attributed to outside forces. These data breaches were considered instances of “hacking” by a third party’s intent to circumvent existing security measures. Hackers tend to seek out a company’s weakest cyber defense points to gain access.

In essence, this follows the adage that a chain is only as strong as its weakest link. Among the more notable instances of a weak-link failure was JP Morgan’s massive breach in 2014. Despite having a top-tier cybersecurity team in place, a single server was missed during a password update. That single under-protected server resulted in what was ranked among the top 10 worst cyber thefts in history. Approximately 83 million household and business accounts were reportedly impacted at a whopping $100 million.

While this level of cyber theft makes mainstream media headlines, hackers tend to have greater success penetrating smaller companies with far less sophisticated cyber security systems. The basic criminal business model relies on volume not occasional massive paydays. Think about it this way. The Brinks Job made bank-robbing history in 1950, but stick-up men knock off liquor stores every day.

Unpatched Security Bugs Attract Cybercrime Infestations

One of the more prevalent methods used by a hacker is to infiltrate your system in plain sight. Cyber thieves often use well-known software deficiencies commonly called bugs as a type of cracked door.

When software companies send out routine fixes such as patches, users have the option of making this repair. But when a system appears to be functioning appropriately, a small or mid-sized business may discard the effort as more of a nuisance than anything else. That could prove to be a fatal data breach mistake.

When systems linger unpatched, hackers may be quick to seize on specific vulnerabilities and infiltrate a company’s network. It’s important to understand that cybersecurity only seems like another time-consuming task that detracts from company goals. Anyone who uses computers, devices, software or accesses the Internet is inherently in the cybersecurity business. Without adequate cybersecurity systems, policies and protocols in place, the entire organization remains at risk.

Data Breaches Threats Represent A Clear And Present Danger

If you remain unconvinced about how crucial cybersecurity is to your business’ integrity, consider these telling facts. The U.S. government has placed the most significant emphasis on increasing only two areas of the military budget — special ops and cybersecurity.

Today, a person’s electronic medical records are more valuable than credit card information on the dark web. And, electronic ransoms are the fastest growing cybercrime and are expected to occur every 14 seconds by 2020. The question is no longer if a sub-par system will be hacked, it’s when

The FBI and Department of Homeland Security (DHS) have issued a vital ransomware alert for the SamSam ransomware also known as MSIL/Samas.A.

The FBI and DHS alert, issued on November 3rd, 2018 describes how hackers armed with SamSam ransomware have targeted multiple industries, including some within critical infrastructure. Those victimized by SamSam have been located predominately in the United States. However, some international attacks also occurred.

This alert comes few days after the Justice Department charged two Iranians as the masterminds behind the recent SamSam ransomware attacks.

Read more about this critical FBI and DHS warning.

Click Here

Stay tuned to our blog for more information.

When you think about the risks to your healthcare business, there are likely a lot of things that come to mind. However, one of the biggest threats to the well-being of a modern-day healthcare business is poor data quality. Data quality is actually a significant concern for leaders in the healthcare industry. Problems with data can hinder business goals, increase costs, and even affect your patients. Take a look at what you need to know about data quality risks as someone in the healthcare business.

Your First Step: Understanding That There Are Risks

One of the most significant problems with data risks in healthcare is not all healthcare business owners understand the risks and how common it is for a business to have problems because of them. Only 60 percent of those in the healthcare industry rank data as a serious matter when this should be listed as a serious matter to everyone. At least 61 percent say integrating clinical and business data is a significant challenge for their healthcare business, which shows how many data fallacies are likely committed.

The Inherent Risks of Inaccurate and Incomplete Data

Inaccurate or incomplete data can be a massive barrier of healthcare and even cause the demise of your healthcare business. The number one risk associated with incorrect or incomplete data is non-compliance with government regulations with as many as 34 percent of healthcare business owners having faced this issue because of data wrongs. A few of the other most common risks that are associated with inaccurate or incomplete data include:

• A loss of competitive edge due to lacking member retention
• A lack of enough data to drive new service or product developments
• Problems with interoperability that create a lack of support for the health of the population
• Missing real-time insights in clinical or treatment settings
• Significant profit losses due to fraud loss
• Inaccurate metrics and quality scores that lead to increased overhead costs

A Look at Where Problems with Data Originate

Data problems in healthcare can originate from different places. For example, data risks can start with improper input methods and poorly maintained hardware on a facility level. However, the majority of data problems originate in data silos. Data silos are proverbial storage places for data that are under the operation of one entity most of the time. In the healthcare business, the loads of data that is accumulated must be appropriately housed and data silos are the typical solution.

One of the most significant risks healthcare businesses face is not having access to the data in these silos as they should. This can happen because:

• Data gets stuck because it is only accessible by one department
• Data is improperly shared or cannot be shared at all
• Data cannot be leveraged across the entire enterprise
• Data gets lost because it is not adequately backed up outside of the data silo
• Data is compromised because it is improperly secured

Silos can and often are set up by a business owner who is trying to rightfully protect the information they take in, but the improper management of this data can pose a world of problems in both the short and long-term.

Changes to Make to Avoid Data Risks in Healthcare

Once you have armed yourself with knowledge about the data risks in the healthcare business, it is critical that you get proactive so your business can avoid those potential problems. You should first simplify data governance by limiting how many governing entities are in charge of or indirect control over your facility’s data. A few other things to do include:

• Optimize the analytics of your data
• Enable interoperability of your information
• Reduce operational overhead of your data

Working with a company that provides data management solutions and specializes in helping clients in the healthcare industry can usually help with these processes. Therefore, bringing in the help of an outside service to help you combat data risks is a logical business move.

 

Heads up if you’ve stayed or made reservations at a Marriott or Starwood property over the last decade. A major security issue was just announced and the scope of the problem is actually quite astonishing. Here’s what you need to know about the Marriott International data breach.

What is the Marriott Data Breach?

On November 30th, Marriott International announced that the private information of up to 500 million guests became compromised. The breach is one of the largest in history and brings up a variety of concerns regarding consumer privacy safety.

They noted that an internal tool recognized a data breach in September, but wasn’t able to confirm the issue was part of the Starwood database until November. Further investigation revealed that the problem has happened since as far back as 2014 and that the exact breadth of the issue isn’t yet known.

Who is Affected by the Marriott Data Breach?

To be blunt, 500 million people is a lot. If you’ve traveled on business in the past or regularly stay at the hotel chain’s properties, your personal data is likely compromised. Additionally, those who merely made reservations but never actually stayed the night are also included in the breach.

According to NBC News, Marriott also reported that for 327 million of those people, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Encrypted credit card information is also likely stolen, but the company isn’t yet sure if the thieves were able to reveal account numbers.

An additional report also suggested that employee information might have even been compromised, especially in situations where workers took advantage of employee discounts to stay at hotels around the globe.

What is Marriott Doing After the Data Breach?

While the initial statement from the company was vague, they have taken steps to improve the situation by hiring the public relations firm Kroll. Those concerned about being part of the Marriott data breach may check for more information at a website provided by the hotel chain.

Maryland Attorney General Brian Frosh is opening an investigation into the incident, citing the company headquarters in his state as the reasoning for his inquisition. Additionally, New York planned to look into the incident and other states where the company has properties are likely to follow. There is no word yet on how the breach is being reviewed internationally.

Furthermore, within hours of the news, a class action lawsuit for 12 billion dollars was filed by Ben Meiselas of Geragos & Geragos. The suit is on behalf of two plaintiffs who feel duped by the company not immediately admitting there was a security issue. In other cases in the past are any indication, there’s likely to be a settlement out of court soon.

What Can Other Companies Learn from Marriott’s Data Breach?

At this time, it is hard to tell what other companies can learn from Marriott International’s data breach since news of the incident is still relatively recent. Other companies have faced similar issues in the past, such as Yahoo’s admission earlier this year that the three billion accounts had information hacked and Under Armour’s data breach of 150 million MyFitnessPal user accounts. Those companies were able to provide customers with free credit monitoring to try to earn back trust, but time will still tell on how it affects each firm’s reputation overall. Both have made attempts to increase application cybersecurity.

In short, if you have made a reservation or stayed at a Marriott Hotel or Starwood property in the last few years, it is wise to invest in some version of identity theft monitoring. Also, consider additional discussion and concerns with your lawyer general and by making a claim on Marriott’s data breach website.

How Marriott Got Caught In A 500-Million Person Data Breach

Were You Affected? (Your Questions Answered)

What Do We Need To Know About The Marriott Breach?

Another big corporation got hooked. This time it was Marriott International. They just revealed that their Starwood reservations database of 500 million customers was hacked and that the personal information of up to 327 million guests was stolen. And, this has been going on since 2014!

How Did This Happen?

• On September 8, 2018, Marriott was alerted about an attempt to access the Starwood guest reservation database.
• They contacted leading security experts to help them determine what occurred. Marriott said that the hacker copied, encrypted and removed their customers’ data.
• On November 19, 2018, Marriott was able to decrypt the data and learned that it was from the Starwood guest reservation database.

Marriott acknowledged that the encryption security keys for this data may have fallen into the hands of hackers. This allowed them to access the massive amount of data. Secure systems lock up data and should store the encryption keys in a location that’s separate from the confidential information.

Some good questions to ask here are:

“How did the criminals get Marriott’s encryption keys?

“Why did it take so long for Marriott to reveal the breach?” They learned about it in September which is over two months ago.

And, this was a 4-year long breach! “Why didn’t Marriott know that their customers’ data was being stolen over this long period?”

Maybe we’ll find out the answers to these questions, and perhaps not. What’s for sure is that you are on your own when it comes to protecting your confidential data.

How Do I Know If My Data Was Stolen?

If you are a Starwood Preferred Guest member and your data was stored in the Starwood property’s database (which includes Sheraton, Westin and St. Regis hotels, among others) you need to be on alert.

As mentioned, this data breach goes all the way back to 2014 and includes names, passport numbers, email addresses and payment information for approximately 327 million travelers – a “big catch” for any hacker. Even your date of birth, gender, reservation dates and communication preferences may be included in the breach.

Should I Contact Marriott?

Marriott set up a website and call center for customers who were impacted by the data breach. Email notifications are also being rolled out.

Marriott is also offering affected customers the option to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert if your personal information is found. If you live in the U.S., you’ll also be offered fraud consulting services

What Else Should I Do?

If your data was stolen, you should observe for incidents of identity theft. Also, watch for phishing emails where hackers try to impersonate someone you trust to take information or money from you.

Arrange For Security Awareness Training For Your Employees

If your business data was involved, make sure that you arrange for Security Awareness Training for your employees to train them to recognize phishing attempts. This includes:

• Baseline Testing to assess the Phish-prone percentage of your employees through a free simulated phishing attack.
• Training For Your Users with content that includes interactive modules, videos, games, posters, and newsletters.
• Simulated Phishing Attacks that utilize best-in-class, fully automated, simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
• Reports with statistics and graphs for both training and phishing for your management to review.

Whether your business was involved in the breach or not, Security Awareness Training for your employees is always a good idea.

Another good idea is to sign up for Dark Web Scanning Services.

Get Dark Web Scanning For Your Confidential Business Data

The Dark Web is a secret internet society that’s only accessible to a select group of criminals. Criminals use it to take stolen data (like the Marriott/Starwood customer information) and dump it on the black market for sale.

Dark Web Scanning is a sophisticated monitoring solution that helps businesses of any size detect cyber threats that expose their stolen business accounts, email addresses, payment information, and other confidential data that’s on the Dark Web. It also does this in real time and detects any of your compromised credentials or information before criminals can use it for profit or other crimes.

Don’t Count On The Marriott’s Of The World To Protect Your Business Data – You Must Do This Yourself

Contact us for information about Data Protection, Security Awareness Training and Dark Web Scanning. We have a Suite of IT Security Solutions to help you keep your business data secure.

 

 

 

No industry is exempt from data breaches that lead to widespread fraud. However, the healthcare industry faces unique challenges since it is not always easy to determine the impact of the breach on patients as well as the healthcare organizations that serve them. The problem starts with isolating where the hack originated in the first place. With so many organizations having access to patient demographic and insurance data, this can be the most time-consuming aspect of the entire fraud investigation process.

Healthcare: A Unique Form of Identity Theft

Most patients are aware that their healthcare provider and their insurance company have access to their personal medical data. Providers need the information to diagnose and treat the patient while insurers require it to pay the patient’s claims. What many fail to realize is that a large number of third-party organizations could have access to the data as well. Pharmacies, medical equipment providers, home healthcare organizations, and supplemental insurance providers are just some examples of companies with access to patient data.

The problem in healthcare is that a cybercriminal intent on stealing the medical data of another person can piece it together from a variety of sources that the victim of identity theft does not even know to exist. Some in the healthcare IT industry refer to this as synthetic identity theft. By taking small pieces of information obtained from a healthcare report and combining it with information stolen elsewhere, hackers can easily scam the healthcare system. In fact, the problem is so widespread that millions of cases of fraud take place every quarter.

What Healthcare Providers Can Do

No healthcare administrators like to admit that a security breach took place on their watch. It may look to them like hackers gained access to private patient data and then did not use it. Unfortunately, that is rarely the case. Healthcare fraud differs from financial fraud because most criminals go on to use stolen credit, debit, and other banking information right away. With healthcare fraud, they need more time to piece together a forged identity before they start inflicting real damage. The CEOs of healthcare organizations are often too quick to claim that no one used the stolen information in a nefarious manner.

Obviously, it is better for healthcare IT departments to be proactive rather than reactive. This starts with knowing every location of a patient’s healthcare data. For example, a single patient could have an electronic medical record, a paper medical record, new test results not yet transferred to the medical record, and old information stored in boxes or machines that have not been used in years. To prevent medical fraud, healthcare providers must make it a priority to know the locations of all data about a patient and take adequate steps to protect it.

Sometimes health organizations are unaware a breach has taken place until a patient complains that someone used their information to obtain numerous prescriptions or to commit insurance fraud. Once alerted to it, they need to take immediate action to stop the current fraud and prevent it from happening again. This includes taking measures such as strong encryption with medical records and guarded access to paper records.

Besides a lack of inventory, part of the problem is the current patchwork approach to healthcare privacy laws. Organizations should push the federal and state governments to create uniform standards for improved patient protection.

How to Help Patients Protect Personal Health Data

Healthcare providers must work hard to gain patients’ trust in the current climate. One way they can facilitate this relationship is to provide patients with reminders about safeguarding their own information. Here are some typical examples:

• Request a new medical card with a different identification number if the original has been lost or stolen
• Submit a police report after the theft of a wallet or purse
• Report any information on the explanation of benefits forms that appears suspicious such as services the patient does not remember receiving
• Check medical records at least once a year to ensure accuracy
• Always have the most current copy of medical records available

Providers should also consider publishing an annual notice to members outlining their privacy policy and the steps they take to prevent theft of patient data. Holding open meetings and taking questions from patients is another way to assure them that the organization is serious about protecting them from identity theft in a healthcare setting.

Guide To Ensure Your Cloud Data Is Properly Backed Up

Cloud storage is a relatively new technology that provides access to data on multiple devices any time and anywhere. Many businesses turning to cloud storage to boost the productivity of their employees. While cloud storage is both convenient and secure, it is not infallible. Therefore, it is important that you take the time to ensure your cloud data is properly backed up. Whether you’re running Google Apps or Office 365, this guide will help you make sure you’re properly securing and backing up the data you have stored on the cloud.

How to Back Up Office 365 Data

To back up your data on Office 365, you need to specify the backup settings in a new profile or in an already existing profile. This profile should have Cloud Apps enabled. Once you’ve done this, inSync will begin backing up the user data in Office 365 according to the backup schedule you specified in the profile. In your profile, you can specify how many times in a day or week inSync should perform automatic backups.

The inSync cloud administrator is also able to back up Office 365 data at any time when needed. The procedure for performing an unscheduled backup of data on Office 365 is as follows:

1. Go to the menu bar for the inSync Management Console and click Availability > Backup. The Backup Overview page will appear.
2. Go to the All Data Sources tab and click on the Office 365 device you want to back up.
3. Click on the button Backup Now.

inSync will then begin the backup of the device you selected. There are multiple pages where you an view the details of the backup. You can see the backup details on the inSync Management Console, the inSync mobile app, and the inSync Client.

How to Backup Google Apps Data

If your organization uses Gmail, Docs, Spreadsheets, and Calendar, chances are you have a lot of important information stored on Google’s servers. Unless you take the time to back up your Google Apps data locally, your organization will be in major trouble if Google loses your data or denies you access to it for whatever reason. Therefore, it is essential that you back up your Google-hosted data on a regular basis.

Unfortunately, it is not as easy to back up data on Google Apps. There are many third-party apps available for backing up data on Google Apps. For example, you can use POP access with a desktop email client to back up the Gmail accounts of your employees. Thunderbird is an example of a third-party application that you can use to back up Gmail accounts. You can use Google Docs Download scripts to back up your documents and spreadsheets on Google’s servers locally.

Backups are essential even if you’re storing your data on the cloud. For more information about how to ensure your cloud data is properly backed up, don’t hesitate to contact us.

California’s recently passed privacy law, coming on the heels of similar regulations issued by the European Union, makes it imperative that businesses have clear policies and procedures for collecting, storing and using personal information.

The California Consumer Privacy Act (CCPA), passed in May 2018, is a far-reaching law that covers not only the data itself but also how businesses manage relationships with consumers and third parties. It is similar to but more stringent than, the EU’s General Data Protection Regulation (GDPR), also enacted in 2018.

What Businesses Does the CCPA Affect?

The CCPA applies to any business or non-profit organization (or entity that controls or is controlled by such a business and shares branding) that meets one of the following criteria:

• Exceeds $25 million in annual gross revenue
• Has personal information on 50,000 or more consumers, devices or households
• Earns more than half its annual revenue by selling personal information to a third party

How Is ‘Personal Information’ Defined?

The CCPA takes a broad approach to personal information, including some data that are not typically included in such definitions. Under the act, personal information includes:

• Account name
• Unique identifier, including cookies
• IP address
• Email address
• Commercial information, such as property records
• Biometric data
• Internet activity, including browsing history, search history and interactions with websites, ads or applications
• Professional and employment-related information

.A provision also covers inferences that could be drawn from any of the other information to create consumer profiles. The law does not include publicly available information.

What Rights Do Consumers Have Under the CCPA?

Consumer rights under the CCPA include:

• Data Access. Consumers can request in which categories a company has collected information, the categories of sources of that information and the specific information itself. Businesses also need to divulge the purpose of obtaining or selling personal information. Companies receiving a request must promptly deliver said information via email or mail free of charge. Businesses are required to share information no more than twice annually.
• Deletion. If requested, businesses must delete any information the firm has collected and order its service providers to do the same. Data need not be removed in some instances, such as to complete a transaction, detect fraud or use for reasonable internal purposes.
• Data Transactions. Businesses must reveal the categories of information sold to a third party and how those match up with the third parties’ information categories.
• Opting Out. Consumers can opt out of selling their information to third parties. Those that sell information to third parties must notify consumers and provide them an opportunity to opt out. If a consumer is under 16, the business must receive affirmative consent (e.g., opting in) from the consumer or, if under 13, a parent or guardian.
• Non-Discrimination. Businesses may not discriminate against a consumer who exercises these rights, including refusing to sell goods or services, charging different prices or delivering a different quality of products or services.

Does the CCPA Address Data Breaches?

In the event of a data breach, the CCPA provides consumers with a private right of action. That means consumers can pursue statutory damages and injunctive relief if data is accessed or stolen by an unauthorized party. It also allows consumers to take action if the business failed to maintain reasonable security measures.

What Other Obligations Do Businesses Have?

Businesses must post California-specific privacy rights on websites. Those sites must also disclose how consumers can request information and the categories of personal information collected or sold in the previous 12 months. There must also be a conspicuous link titled ‘Do Not Sell My Personal Information.’

Businesses must train employees on the act and consumers’ privacy rights.

How Is the CCPA Different from the GDPR?

The European Union adopted the General Data Protection Regulation that applies to nearly all companies that collect private consumer data on EU citizens. It requires companies to comply with robust data security and management protocols.

While the compliance categories are nearly the same as those under the CCPA, the guidelines are not as well defined, and enforcement is weaker. Unlike the CCPA, the GDPR applies to small and large companies and will likely evolve over time.

What Should My Business Do to Address GDPR and CCPA?

What can your company do to comply with these acts? Here are a few tips:

• Create an internal privacy team, responsible for developing and reviewing privacy policies and managing consumer requests
• Develop a consumer information policy and processes that include how data is collected, categorized, stored and accessed. Consider deleting private consumer data that is not needed for the business relationship.
• Update your website with the required notices, links, and policies that are updated annually.
• Evaluate data security, including security policies, backups, encryption and access.