The California Consumer Privacy Act (CCPA) Could Set a New Standard for Privacy and Data Security in the US
16 September 2019
In June 2018, privacy and data security standards in the United States were fundamentally overhauled. On January 1st 2020, when the California Consumer Privacy Act (CCPA) takes effect, Californian citizens and businesses (and all businesses dealing with California) will have a very different relationship to data. The CCPA will allow all residents of California to know what personal information is being collected about them by for-profit companies operating in the state, and whether it is sold, disclosed or simply held.

Although the CCPA will only directly apply to California, it will affect any organization doing business in California that satisfies at least one of the following criteria:
• Annual revenues of more than $25m
• Possesses personal information of more than 50,000 consumers, households or devices
• Generates over half its annual revenue from selling personal information

When the CCPA comes into effect in January 2020, organizations will need to take action to remain compliant. For example, the CCPA will require companies to create a channel, such as a toll-free number, through which consumers can request information about how their data is being used.

Parallels have been drawn between the CCPA and GDPR, with the CCPA requiring data privacy protections similar to those imposed by the European Union. Financial fines for data breaches under the CCPA will be less severe than the penalties under GDPR, capping at $7,500 per violation compared to the maximum of 4% of revenue / €20m (whichever is higher) for the most severe GDPR breaches.

With the CCPA and GDPR in place, organizations will have their data management practices under the spotlight more than ever. Luckily, technological solutions exist that can mitigate the risk of data loss and the associated negative consequences for enterprises. Tessian’s Enforcer and Constructor filters help organizations manage the ways data moves on email.
The machine learning behind Enforcer and Constructor allows organizations to prevent data from being transferred to the wrong place, ensuring that enterprises can comply with evolving regulations. The general emphasis on tightening data security worldwide means that organizations will have to prioritize security in order to stay compliant and to uphold new privacy and security standards. To learn more about how Tessian can help you become CCPA-compliant, contact us here.
The Week the ICO Bared Its Teeth
12 July 2019
Up until now, the consequences for GDPR non-compliance have been gossiped about but perhaps not taken particularly seriously. That all changed after the ICO imposed staggering fines of £183 million on British Airways and £99 million on Marriott, following data breaches that compromised the personal data of thousands of customers. The news clearly shocked the business world; this is the first time the ICO has bared its teeth since GDPR came into force last year, and the EU regulators have made it very clear that failure to comply with the rules will result in genuinely significant penalties.

At a number of customer events we hosted this week, the blockbuster fines were on everyone’s minds. In particular, people were keen to discuss why the ICO fines were so high, with many agreeing it was because there was a lack of “demonstrating diligence” around the risk prior to the breaches. Indeed, the ICO said in its investigations that Marriott should have “done more to secure its systems”, while BA reportedly lacked “appropriate technical and organizational measures to prevent such an attack”.

The message from the ICO is clear – businesses have a legal duty to ensure the security of data or face fines of up to 4% of the company’s annual turnover. While BA’s imposed fine stands at 1.5% of its annual revenue, it is still a significant blow (though it could have been much worse). We must also remember that in addition to the eye-watering fines, BA and Marriott will now also face damaging long-term effects on customer trust, company reputation and their share prices.

With so much at stake, the news will have sparked discussions in boardrooms across the world, with companies urgently taking stock of the security measures they have in place and evaluating whether they are properly protecting the data they process and hold. Any ‘gaps’ will need addressing quickly, looking to cybersecurity solutions that protect networks, devices and people.
I am certain this won’t be the last time we hear about ‘record-breaking’ fines from the ICO this year. Each will serve as a reminder to companies that they cannot be complacent when it comes to compliance; protecting data must be a priority.
GDPR’s Anniversary: What We’ve Learned and What’s Next
23 May 2019
The General Data Protection Regulation – or GDPR – sprang into life 12 months ago, on May 25th 2018. To mark GDPR’s one-year anniversary, we sat down with Eva Camus-Smith, Tessian’s Head of Legal and Compliance, to see what’s changed in the last year and think about what’s still to do.
I’m sure you’re celebrating GDPR’s first birthday this week. In general, do you think it’s been a positive step?

My general opinion is that GDPR’s been a very positive step in relation to the promotion of data subject rights. I certainly think that data protection legislation was ripe for change – developments in this field were long overdue. Importantly, our clients also see GDPR in a positive light, despite the potential for an increased administrative and compliance burden.

So what do you think the biggest benefits of GDPR have been?

In the last 12 months the GDPR has provided much-needed consistency when it comes to the protection of data across the continent (and beyond). Organizations used GDPR as an opportunity to “spring clean”, critically assessing their information security systems and processes and identifying opportunities for continued improvements. In my experience, organizations are taking these changes very seriously, as are regulatory bodies. We have seen more reports of breaches to the ICO in the UK, and the EU has started to levy some blockbuster fines. Looking ahead, I see no reason why this trend would stop.

I also think that GDPR’s onset has been helpful in starting widespread debate in relation to data protection and privacy. Almost everyone now has at least some understanding of what GDPR does and what it means for people and business. Increased data literacy is enormously helpful, and this may have helped bump data protection and security up the priority list at board level.

What were the biggest challenges for Tessian in the build-up to GDPR?

As a relatively young company, Tessian was fairly fortunate in the run-up to GDPR as we didn’t have a huge archive of legacy data and systems. Mobilization and project management in larger organizations would likely have been much more difficult!

That being said, businesses of all sizes can still find it challenging to understand every piece of data that they hold: where data is located, whether it’s compliant with each of the major GDPR principles, and so on. The difference now with GDPR is that the penalties are potentially much more severe if you get it wrong. To stay on the right side of GDPR, it’s so important to spend the time doing diligence on data flows and data mapping – understanding how data moves in and out of the organization, how it’s protected, and making sure that there are individuals taking responsibility and ownership of the issue internally. Even a year on, this requirement is still absolutely necessary.

So is this it now as far as GDPR goes? Or is there more still to be done?

It’s been fascinating to see the global impact that GDPR has had. So far, we’re yet to see the true extent of regulators’ “teeth” when it comes to fines. While there’s still more to come, the progress made in a year has been really encouraging.
GDPR: 13 Most Asked Questions + Answers
15 March 2019
1. Who’s enforcing GDPR?
In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles its own enforcement through a regulatory body called a supervisory authority, which is in charge of auditing and enforcement, so 28 different countries will handle enforcement. Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent, given that data protection there is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any data-privacy regime that could impede global trade.

2. What are the penalties for non-compliance with GDPR?
Penalties can be a fine of up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty, and the assumption is that it will be levied in severe cases where a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the severity of the violation.

3. What is a GDPR Data Processing Operation?
A data subject is the person about whom data is being collected. The data controller is the person or organization that decides why personal data is held or used, and how it is held or used. Any person or organization that holds or uses data on behalf of the data controller is a data processor.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.

4. How does the GDPR handle this?
GDPR refers to the time between detecting a breach and notifying impacted parties about it. However, part of the “security for privacy” concept is being able to detect breaches and having best-practice tools and processes in place to do so.

5. What documentation do we need to prove that we’re GDPR compliant?
GDPR, compared to the Data Protection Act that it replaces, states an explicit need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”. It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have taken reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.

6. What are the data requirements for GDPR?
• Data can only be processed for the reasons it was collected
• Data must be accurate and kept up to date, or else erased
• Data must be stored such that a subject is identifiable for no longer than necessary
• Data must be processed securely

7. Is GDPR training mandatory for staff and management?
Anyone whose job involves processing personal data should undertake data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.

8. Does GDPR compliance differ based on the number of employees a company has?
GDPR doesn’t differentiate between organizations of different sizes.

9. What type of language should be included in a consent policy?
Check out the Tessian privacy policy, which shows how detailed consent needs to be.

10. Is appointing a DPO mandatory?
GDPR requires appointing a Data Protection Officer (DPO) when an organization performs data processing on a large scale, processes certain types of data, or processes data on an ongoing basis as opposed to as a one-time process.

11. What happens if some data is processed outside the EU?
The GDPR allows data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. Where no such adequacy decision exists, transfers to non-EU states are still allowed under certain safeguards, such as standard contractual clauses or binding corporate rules.

12. Does GDPR affect US-based companies?
Any U.S. company that has a web presence and markets its products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?
There are rules around which authority should be notified, based on criteria like the situation, the organization and where the processing occurs.

How can Tessian make you GDPR compliant?
Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic, which was fined £180,000 for inadvertently disclosing the identities of HIV positive patients, and Dyfed-Powys Police, which was fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public.

GDPR forces organizations to report all personal data breaches to the appropriate governing body and to maintain a register of these internally. Under GDPR, organizations have an obligation to report misaddressed emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR.

Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations to prevent information being sent to the wrong person and, crucially, to retain an audit log of the warning messages shown to users when sending emails and the response each user made to the warning. The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32). Furthermore, with increasing numbers of firms adopting Tessian’s technology and taking on a role in advising other companies in their transition to GDPR, simply relying on staff being as careful as possible and on internal training becomes an untenable posture when protecting personal data.