Author: Steven

  • Level Up Your Protection With Zero Trust Architecture

    A managed-risk approach across the entire network will take your business and mindset to the next level

    Today, everyone is afraid, and it seems that the Zero Trust Mindset characterizes all levels of our society, from personal to corporate relationships, from the private to the public sphere.

    I don’t know about you, but I’m far from my best version when I’m scared and unsure. #ZeroTrustMindset

    I need to control my potential if I want my business and personal relationships to be as successful as they are now. #TrustmyPath

    You could say that the cybersecurity business is triumphant everywhere, but those are just the successful numbers. “We won’t get compromised”, everyone says.

    What about the millions of startups and large companies that have closed their doors because they were too scared to believe they could win in the digital war?

    And it is a Digital War…whether you are aware of it or not. And it’s you against North Korea, Iran, Russia, China, and the officially organized crime gangs.

    The Same Mindsets Win Year over Year, Decade over Decade, for Ages.

    No matter what world catastrophe is hovering over you, it still holds: you can and will overcome anything life throws at you.

    It’s still true that only your mindset determines the outcome.

    In any situation, you still have the necessary resources to overcome difficulties.

    When times get tough, as they’ve been for all of us, we need to move to a higher level and think strategically.

    Don’t panic; solve problems. Move, Action, Direction, Remediate.

    The dystopian paradigm has already conquered you if you do not shake up and change your way of thinking.

    I always remember the story my mentor told me when I was just starting out and learning the tricks of the trade.

    He was a CISO at a company when building a basic security stack was enough. Whenever there was a major security issue that caused everyone to panic, he would gather his entire team and tell that story.

    A CIO Comes to a Therapist

    CIO: It doesn’t go away; nothing helps.

    THERAPIST: Are you sure you don’t want to give up and find another line of work?

    CIO: No. I love my job. There’s just too much bad news and too much negativity around me.

    THERAPIST: The stress is overwhelming?

    CIO: I can’t take the pressure anymore.

    THERAPIST: Everybody complains about it. It’s the number one problem today.

    CIO: I feel so mediocre.

    THERAPIST: You feel what you know.

    CIO: Are you implying that I am mediocre?

    THERAPIST: I’m explicitly verifying it.

    CIO: I resent that. I am a CIO with 3,000 desktops.

    THERAPIST: I would feel very strongly if I were you.

    CIO: What about the responsibility? Financial and human?

    THERAPIST: All parents handle it well.

    CIO: You are not helping me reduce my stress.

    THERAPIST: And because you think it’s my fault, you’ll always be mediocre.

    CIO: I’m getting angry.

    THERAPIST: Are you angry enough to solve your problems?

    CIO: How am I supposed to do that?

    THERAPIST: I will give you a book about each emotional problem you suffer from, and when you have read them all, you will know how to rise from mediocrity.

    Knowledge is protection. Learn. Security starts with the basics. Learn for life.

    You Don’t Have To Settle for Fear

    Do you know what the opposite of fear is? — Freedom.

    And this is where technology comes in.

    The original reason for technology was freedom.

    Technology was not meant to enslave you. Do not buy just any theory.

    Instead, use your common sense as a guide.

    If the product does not free you from unnecessary actions, you have the wrong product, wasting your resources and staying on the hamster wheel.

    Move on. Upgrade. Form better partnerships. Level Up.

    Zero Trust Architecture is the next trustworthy step you should take regardless of the size and number of your attack surfaces.

    And here are the top reasons, although I could think of many more.

    1. The Zero Trust mindset and architecture are revolutionary in cybersecurity.
    2. Zero Trust has climbed the ladder in security thinking.
    3. To have trust, you need zero trust.
    4. Zero Trust is designed to defend against any threat, including human error and accidental data loss.
    5. Zero Trust means you have to assume an attack and verify everything explicitly. Identity has become the battleground of security.

    Your average firewall is not enough.

    Your average email suite is not enough.

    You need to implement a Zero Trust framework to have trust in protecting your network and your business.

    Have zero trust in the activity that takes place and arrives on your network.

    Always assume a security breach and recognize that attacks are inevitable.

    For this reason, Zero Trust explicitly verifies every activity.

    If you are an employee, you will be checked every time you try to enter the network. Every time.

    And you will not have access to everything, only conditionally and contextually.

    Only what you need to do your job will be available.

    Configuration Makes the Difference

    Zero Trust is about suites and functions.

    Everything is always a question of configuration.

    And just like in life, everything is negotiable and flexible. The quality of your configuration determines the quality of your protection.

    Don’t blame the software and the different vendors; get competent partners to make your security stack run smoothly.

    To make your security stack compliant, you need to invest in the following:

    1. Software licensing and renewals
    2. Implementation and configuration (updates and reconfiguration)
    3. Monitoring and project management

    You must do something if you do not want your world to become dystopian.

    And if you take all the right steps and follow the best security practices under expert guidance, you will go the last mile and rise without a doubt.

    Our expertise is software subscription licensing, renewals, and managed security services.

    Our goal is to use this expertise to guide you on the final journey to compliance with NIST and CSF (cybersecurity framework).

    When choosing new security software, it’s always best to be guided by regulatory standards.

    At TLIC Worldwide, Inc., we follow the NIST 800-207 standard for Zero Trust.

    You should ask yourself what products you have and what products you need to meet the requirements of NIST and CSF.

    Once you reach the compliant level, you will not be afraid.

    Because you will know what you did to get to the next level, and you will know how to repeat it.

    Knowledge is protection.

    If the reward is bigger than the risk, always take the risk.

    Security is about education, long-term relationships, and a successful last mile for life.

    As Jay McBain put it, “In this decade of the ecosystem, no one can do it alone.”

    Thanks for Reading!

    Hold on a second! You should get my articles sent straight to your newsfeed. Subscribe here to stay updated and ahead in technology with your business.

    Book a time to meet with me.

    Subscribe to “AI for Security & Productivity”

    View my LinkedIn Posts to Audit my Security Expertise

  • The Ultimate Need for Specialized Cybersecurity Expertise Is Rapidly Increasing

    How do you choose the right cyber partner and successfully drive security technology decisions within the NIST and MITRE ATT&CK frameworks?

    A man enters a network.

    – “I want full access,” he demands immediately, not noticing that he has put on different socks that morning.

    – “Sure, if you pass the identity test,” the bartender replies with an arrogance our man has not experienced since the state closed all nightclubs after an unknown space virus appeared that only affected clubbers.

    – “I pass every test. I look good,” the man was confident after spending two years in the EU.

    – “Does that mean you agree?”

    – “I agree. Give me your best assessment!”

    – “Where have you been, and where are you going?” The bartender wasn’t impressed with this overly confident visitor wearing two different socks.

    – “What, my wife won’t ask me that!”

    – “Okay. What do you have on?”

    – “Well, today I’m wearing my favorite Armani sweater, Calvin Klein underwear, Levi’s bootcut, limited edition Air Jordans and a Hilfiger baseball cap,” the man was genuinely impressed with his identity (crisis).

    – “I’m only interested in your socks. Where’s your SOC 2?”

    The man looks down, and his face turns red as he realizes the problem.

    – “My kids! They like to play tricks on me.”

    – “You should educate them.”

    – “Education costs.”

    – “Access denied.”

    Compliance-based software and regulation-related services have become the new pain point for companies of all sizes. While it’s not hard to understand the critical importance of data privacy and security to the digital society, which is evolving at an unprecedented rate that can only be compared to the controversial tale of the creation of the world in seven days, compliance requirements are still at a stage where they only add more clutter and confusion to your already chaotic and confused security portfolios.

    Is there a way around them? No.

    Is there a way through them? Oh, yes.

    Remember that any deployment in the maturity phase is painful, complex, and needs proper guidance.

    Let’s take a look at our shared experience of multifaceted security problems.

    Security Is Under Tremendous Pressure

    We are afraid of unwanted publicity in the Wall Street Journal, the changing threat landscape, the complexity of the systems we have to deal with, unintentional data breaches due to human error, compliance audits failing, missing out on cyber insurance money, and much more, including war, climate change, and even geomagnetic storms.

    Since the pandemic forced everyone to adopt the telecommuting model, digital services have skyrocketed, creating more attack surfaces. I like to remind you in every article that 97% of data breaches are caused by human error, and that’s good news. Because that means they are remediable.

    The premise of cybersecurity is that if you are digital and connected, you can and will be attacked.

    Yet many companies have spent millions of dollars on cybersecurity and still get attacked.

    According to the CyberEdge 2022 Cyberthreat Defense Report (CDR), more than 80% of UK businesses experienced a successful attack in 2021/2022, with the average cost of ransomware attacks being $1.08 million.

    In the U.S., a record 47 percent of Americans were victims of financial identity theft in 2020, according to Aite-Novarica Group.

    Currently, approximately 4,000 cybercrime attacks occur in the U.S. every day.

    The 2021 Cost of a Data Breach Report, a global study sponsored by IBM Security and conducted by the Ponemon Institute, found that the average cost of data breaches increased from $3.86 million in 2020 to $4.24 million in 2021.

    At the same time, the UK imposed fines of 44 million euros under the GDPR. And Amazon received a fine of 746 million euros (i.e., about $831 million) in response to violations of the GDPR, according to the company’s June 30, 2021, SEC report.

    I’ve heard from many clients and partners that the legal environment is becoming (or has become?) an adversary in itself.

    I also know that law enforcement agencies estimate that the number of unreported cybercrimes by companies is in the millions, which means they don’t know the exact proportions of cyber threats.

    The sophistication, variety, and complexity of cyberattacks have also increased. What worked five years ago in cybersecurity no longer works today. Did you know that cyberattacks can be purchased as a service on the dark web?

    So the question becomes, how can you protect yourself in today’s world where the stakes are high?

    On the bright side, when you fight cybercrime, you can be sure that you are making a valuable contribution to society.

    If you want to save the world and make money to save more things you care about, the cybersecurity industry is the industry for you.

    Do You Wake Up Every Morning to Technology Not Working Properly?

    We are still human, even if our lives are digital. We feel guilty, have limited time in the day, and cannot answer some questions without careful consideration, which in turn takes time.

    As my Medium friend Atti Riazi, senior vice president and CIO at Memorial Sloan Kettering Cancer Center, has correctly pointed out in her insightful article, many CIOs and IT directors wake up every morning to find that technology does not work, systems do not work, there are project integration issues, security gaps, and customer concerns, along with a lack of tablets, financial commitments, ROI and more.

    The main problem is that the products are incompatible or not configured properly, which highlights the problem of the huge shortage of cybersecurity engineers in the highest-paid industry of our time. What an irony.

    In the words of Vasu Jakkal, Microsoft Corporate Vice President, Security, Compliance, Identity, and Management CMO, when we lose trust in the technology on which our lives depend, we enter a dystopian society where nothing works, nothing is regulated, and no one can protect us.

    The biggest challenge, however, is that cybersecurity remains very complex.

    In his great analysis, Jay McBain, Chief Analyst at Canalys, acknowledges integration, ongoing management, severe skills shortages, security alert fatigue, and a fragmented vendor ecosystem as key obstacles.

    Leading vendors are addressing these obstacles with platform approaches consisting of a portfolio of tightly integrated products that provide greater interoperability and transparency, are modularized to extend functionality via add-on subscriptions, and leverage automation to simplify operations.

    This means that any product or service you get should make you freer.

    The original reason for technology is freedom.

    You waste your resources and stay on the hamster wheel if it does not give you freedom from unnecessary actions.

    Moreover, honesty builds trust. Trust is the foundation or framework for collaboration. And to have trust, you need Zero Trust.

    Zero trust mentality and architecture mean you must assume an attack and verify everything explicitly. Identity has become the battleground of security.

    Technology Is About People and Processes

    The success of my SaaS, MSSP, and compliance expertise is precisely because TLIC is the data and security database EXPERT that gets you on your way until all your configurations become a freedom bubble that allows you to cure your patients and eradicate cancer.

    My project managers not only install everything you need to reach the highest security level, the freedom level, but they also configure and manage all installations. I firmly believe in a comprehensive service that’s fully accessible, transparent, and responsive.

    Yes, there’s a lot of confusion at the technology plane, and the market is very noisy right now, but I’ve got a hunch that it’ll clear up soon, and we’ll all be able to do our jobs while the technology serves it.

    And real change starts with choosing the right partners. Just like in life. And the right partner will stay with you for a long time.

    Canalys estimates that by 2025, hyperscalers will rely on partners to lead customers in and press the buy button on their behalf for nearly a third of their marketplace transactions.

    The past’s channel system and the present and future ecosystem are comparable to the traditional box theater and the modern interactive multimedia spectacle.

    In traditional theater, a centralized figure gives instructions to everyone on and off stage. In interactive multimedia spectacles, all actors must work together in real-time, relying on each other’s experience, knowledge, and high level of performance.

    How To Reach Compliance Maturity

    Compliance is critical, but it does not have to be painful and complicated. Yes, you have to deal with multiple requirements, some of which overlap, and sometimes you must duplicate your work.

    And then, you have to figure out how to meet the requirements and capture and validate the security controls.

    You have hundreds of evidence requests to respond to, and you are still capturing, describing, and organizing many of them manually, jumping out of your products from time to time.

    Depending on your organization’s stage, you will experience different levels of compliance maturity.

    1. If you are just starting, you probably do not have a team of compliance experts, there is no formal process, and there may not even be controls.
    2. In the second phase, your company meets some requirements and has a small compliance team, basic governance and risk management processes, and a limited number of documented controls.
    3. In the third phase, compliance is better addressed, and your compliance team has defined roles and responsibilities, formal validation and measurement processes. Your controls are monitored and measured, but with limited automation.
    4. As the company moves through this entire process, the fourth phase is optimizing it. Your company culture supports ongoing compliance, which includes ongoing training. Comprehensive processes are risk-based and quantified. Security controls are widely implemented, automated, and continuous.

    In the first phase, when launching your compliance program, you need products and services to help you define your compliance program.

    In the second phase, you need tools and expertise to perform the readiness assessment.

    The third phase is about validation and continuous monitoring.

    And finally, the fourth phase is about automation and automated evidence collection that will bring maximum efficiency. You will reclaim your time.

    Technology was invented to improve your quality of life and give you time and freedom. You do not have the right tools if it does not do that.

    As Jay McBain put it, “In this decade of the ecosystem, no one can do it alone.”

    Partnerships are a must in business today. The technology alliances, the strategic alliances, the business alliances.

    We must start doing things with the customer, not for the customer.

    It’s about education, long-term relationships, and a successful last mile for life.

  • Why Top Cyber Security Experts Only Use Little-Known Exclusive Compliance-Based Software Licensing?

    The Expert Road To Compliance & Cyber Protection Within The NIST And MITRE ATT&CK Framework

    Your security solutions should only follow best practices from Microsoft, Google, M365, Desktop AV, Email Security Stack, SAT Security Awareness Training, 2FA, and Identity Management if your organization needs to achieve compliance now or in the near future.

    Every phase of digital interaction should be fully monitored if you want to avoid hostile intrusion and thus a successful cyberattack.

    Similarly, every phase of digital interaction must comply with NIST and MITRE regulations.

    Meanwhile, the software market is flooded with new products vying for your attention. But at the end of the day, only the best product will actually work and get you to pass audits.

    If you are a financial institution, an investment company, a technology company, a healthcare organization, or work with a city or state government, you need to start using security best practices today at the latest.

    Configuration Is Compliance

    To ensure adequate information security and support your risk management process, you need to pay very close attention to how you configure, manage, and network your system components.

    When you make system changes in response to new security threats, corrected or updated hardware and software, and patches to fix bugs, you must always align them with the system configuration.

    This is the main reason why most security solutions do not work and why you have given up on implementing them. Because you didn’t have the necessary expertise and knowledge. And maybe you also lacked time and money.

    The requirements for companies in our time are getting not less but more stringent.

    The only way for you to stay in business is to become competent, compliant, and play by the rules, because if you don’t:

    1. Violations of compliance and privacy laws will demand more money than you have and put you out of business.
    2. Cyber gangs will grab all your data and extort you for more money than you have and ruin your business.

    The cyber market is becoming highly regulated, and if you want to stay in business, you have to obey the regulations. At the very least, you need to get cyber insurance, which you can get if you meet 20% of all compliance and certification requirements.

    Just 20%.

    Compliance-Based Software Licensing For Every SMB

    In addition to ensuring data and cyber protection, more and more companies must comply with dozens of cybersecurity standards and requirements if they want to do business at all.

    Every SMB should start by getting cyber insurance based on SOC 2 and CMMC 2.0, both from NIST and MITRE. The minimum cyber insurance requirements are 20% of the requirements of SOC 2 and CMMC 2.0.

    As your business grows, you’ll need to obtain SOC 2 and CMMC 2.0. By doing so, you’ll automatically meet 80% of the requirements of NIST and MITRE.

    If you do 20% of all basic things, you have 80% of data and network protection.

    In reality, most organizations only do 20% of those 20% basic things, which means they need to do five times more to avoid cyber risk.

    What do all SMBs have in common? They need help to become compliant and get cyber insurance, if not SOC 2 and CMMC 2.0 as well.

    And the path to compliance is through software subscription licensing and configuration best practices. Following this scheme, you will achieve 80% certification.

    License Your Way To Compliance

    Do you already own CMMC 2.0? SOC 2? ITSM Audit? And what about cyber insurance compliance? If not, do you know how to get them and make your business compliant and profitable?

    And are your SaaS configurations compliant?

    Do you know the legal implications of a standard licensing configuration in terms of CIS -22/18 controls and all forms of compliance?

    It really comes down to who is managing your software licenses and whether your security team is capable of implementing and managing your security solutions, i.e., configuring and monitoring them.

    And then those solutions should only follow best practices from Microsoft, Google, M365, Desktop AV, Email Security Stack, SAT Security Awareness Training, 2FA, and Identity Management if your organization needs to achieve compliance now or in the near future.

    There are 138 #CMMC2.0 controls, 99 for a SOC 2 audit, and 38 for most cyber security insurance policies.

    The easiest and the best path to compliance is to license all assets in the CIS -1&2 category, followed by best practices related to asset policies, controls, and configurations.

    Yes, your path to compliance is through your SaaS licensing.

    What We Can Do For You

    At TLIC Worldwide, Inc. we specialize in software licensing, have a Security Only MSP, and offer MSSP services.

    We always ensure compliance with industry-standard security controls. And we only use best practices that match the NIST and MITRE ATT&CK frameworks.

    We are experts in taking care of your license subscriptions and making sure you get your compliance, certification, and cyber insurance this year.

    Data compliance and certifications are our specialties.

    If you need any of the certifications or cyber insurance in the next one to twelve months, talk to us and boost your security confidence.

    If you already have cyber insurance but need to meet the appropriate standards in the next year, we know how to do that.

    And if you need configuration services that help you meet your compliance and security goals, we are proven, reliable, and trusted experts with a strong track record.

    Our business grows every day as we share the security and compliance burden on your back.

    It takes time, it takes work, it takes expertise, and it takes knowledge and experience.

    We are happy to provide you with our best project managers because we know you need it done. We are your first-choice partner for data compliance and cyber security.

    Your Data Expert,

  • How Will The Upcoming American Data Privacy And Protection Act Change Your Life?

    A Comprehensive Guide To The Existing Data Laws

    Since the General Data Protection Regulation (GDPR) went into effect in the EU in May 2018, EU companies that have invested in data protection have, on average, recovered 2.7 times their initial investment. Yes, companies that know how to comply are getting rich.

    This means only one thing, the data protection industry is on the rise, and here is your chance to become successful, competitive, and sustainable.

    But you cannot open up a new market if you do not have the knowledge. And as is always the case with power, regulators have made things as complicated and scary as possible.

    We were all horrified when Amazon was fined 746 million euros ($831 million!) for violations of the GDPR.

    Amazon Paid $831 Million Fine For GDPR Non-Compliance!

    Do not worry, they could afford it once, and they will not repeat the same gamble. A gamble is when you do something even though you are not sure what you are doing and cannot predict the long-term outcome.

    Companies with 7+ numbers never act from a position of uncertainty because they know that things are only presented to appear complicated, when in reality they are manageable, to their own advantage.

    For this reason, Mark Zuckerberg, CEO of Facebook Inc, has announced that Metaverse will have high privacy standards, parental controls, and data use disclosure that Facebook alone never had.

    Knowledge! Information! Education! And only then action.

    Translated into the language of data protection, this means serving and protecting.

    As one of the pioneers in the data privacy and cyber protection industry, I can confirm that with every political attempt to reap (oops I was going to say regulate) the market, the challenges do get bigger and tougher.

    But if you work with the right team, you can take back control and increase revenue at the same time.

    Let me show you what I mean by analyzing the mess with current state data privacy laws, and you will understand why it is literally impossible to overpay your data security team. These professionals should be at the top of your list if you want to stay in the game. You will thank me later.

    Data Privacy Laws In The U.S.

    In anticipation of the first federal data privacy law, it is wise to look back at what we are leaving behind and try to understand how we can make the transition like winners.

    Historically, there has been a jungle of disparate federal and state laws in the United States.

    In only three states – California, Virginia, and Colorado – do you find comprehensive data privacy laws, while otherwise, you face a federal hodgepodge of consumer privacy laws with acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA that affect only certain types of data, such as credit data or health information, in certain, often outdated, circumstances.

    Federal Data Laws

    The Health Insurance Portability and Accountability Act (HIPAA) does not cover all health data, only communications between you and “covered entities,” which include doctors, hospitals, pharmacies, insurers, and other similar entities. Your Fitbit data is not protected, nor does the law limit who can ask about your COVID-19 immunization status.

    The Fair Credit Reporting Act (FCRA) regulates your credit report data by limiting who can view your credit report, what the credit bureaus can collect, and how the information is obtained.

    The Family Educational Rights and Privacy Act (FERPA) gives parents, eligible students, and other schools the right to inspect education records maintained by a school.

    The Gramm-Leach-Bliley Act (GLBA) requires consumer financial products, such as credit or investment advisory services, to explain how they share data and that the customer has the right to opt out. It does not restrict how companies use the data they collect, as long as they disclose that use beforehand.

    The Electronic Communications Privacy Act (ECPA), passed in 1986, restricts government eavesdropping on telephone conversations and other electronic signals and sets broad rules for employer monitoring of employee communications.

    The Children’s Online Privacy Protection Rule (COPPA) sets some limits on companies’ data collection from children under 13.

    The Video Privacy Protection Act (VPPA) prevents the sharing of VHS rental data but is not enforced against streaming providers.

    The Federal Trade Commission Act (FTC Act) takes action against an app or website that violates its own privacy policies and investigates marketing language violations related to privacy.

    State Data Laws

    The California Consumer Privacy Act (CCPA) became effective January 1, 2020, and applies to for-profit entities that collect personal information from California residents and meet any of the following criteria:

    1. Have gross annual revenue of at least $25 million;
    2. Buy, sell, or receive personal information about at least 50,000 California consumers, households, or devices for commercial purposes; or
    3. Generate more than 50% of their annual revenue from the sale of personal information.

    In addition, the CCPA gives California residents the right to know, the right to delete, the right to opt out of the sale, and the like.

    The California Privacy Rights Act (CPRA) is the 2nd version of the CCPA and will take effect on January 1, 2023, adding the following:

    1. Application of thresholds for organizations that collect personal information from California residents,
    2. New consumer rights such as the right to rectification or the right to restrict the use and disclosure of sensitive information,
    3. Definition of a “contractor”,
    4. Definitions of data sale and disclosure,
    5. Automatic $7,500 fine for violations related to personal data of minors,
    6. Annual cybersecurity review for companies whose processing poses a significant risk to consumer privacy or security,
    7. Establishment of a California Privacy Protection Agency (CPPA) to enforce compliance with the CPRA,
    8. Companies whose processing poses a significant risk to consumer privacy or security must periodically submit a risk assessment to the CPPA.

    The CPRA contains a 12-month retroactivity clause, which means that beginning January 1, 2022, companies must ensure that their data collection practices are compliant with the CPRA. Note that enforcement of the CPRA has gone into effect and enforcement actions will increase as the California Privacy Protection Agency (CPPA) structures its team and operations.

    The Virginia Consumer Data Protection Act (CDPA) will take effect on January 1, 2023. Although it is heavily inspired by the CPRA, it has the following key differences:

    1. Consumers must consent to the collection and use of their sensitive data for processing.
    2. The CDPA requires privacy impact assessments for any processing that involves targeted advertising, data sales, profiling, sensitive data; or any data processing that presents a “risk of harm.”
    3. The CDPA does not require that a “Do Not Sell My Personal Information” link be included on websites.
    4. Enforcement of the CDPA is through the Virginia Attorney General’s Office.

    The Colorado Privacy Act (CPA) passed unanimously and will take effect July 1, 2023.

    Unlike the first two comprehensive data privacy regimes, the CPA does not specify a monetary value in its application criteria, leaving it up to each entity to monitor the Colorado residents and households it acquires. The CPA also requires eligible companies to implement a means by which consumers can object to the processing of their personal information for profiling purposes.

    What About My State?

    Serious, comprehensive consumer data privacy proposals are currently in committee in at least four other states: Massachusetts, New York, North Carolina, and Pennsylvania. In other states, various bills are in the early stages.

    If you’d like to track the status of all these proposals, the International Association of Privacy Professionals has created a tracker that shows all privacy bills in the works and in progress in each state.

    Missouri has regulated ebook privacy. The Illinois Biometric Information Privacy Act (BIPA) gives you the right to privacy regarding your biometric information, such as fingerprints or facial scans.

    The hardest part is knowing your rights on data breach notification, as there are at least 54 different laws that vary by region.

    In Contrast, GDPR

    The General Data Protection Regulation (GDPR) came into force on May 25, 2018, but there have been years of preparation. IAPP has created a fairly detailed timeline of the developments in data protection that led to the adoption of the GDPR.

    The main goal of the GDPR is to strengthen individuals’ control and rights over their personal data and to simplify the regulatory environment for international companies.

    The GDPR introduced consumer rights for all EU residents, mandated data protection and privacy impact assessments, and added opt-in consent, which should be “freely given, specific, informed, and unambiguous” through a “clear affirmative act.”

    The regulation is based on 7 key principles:

    1. Lawfulness, fairness, and transparency
    2. Purpose limitation
    3. Minimization of the amount of data
    4. Accuracy
    5. Limitation of storage
    6. Integrity and confidentiality
    7. Accountability.

    Funnily enough, the GDPR applies not only to non-EU organizations that have locations or employees in the EU, but also to those that do not have locations or employees in the EU, including U.S. companies, nonprofits, and universities.

    Article 3.2 of the GDPR states that the law applies to organizations outside the EU if they:

    1. Provide goods or services to people in the EU, or
    2. Monitor the online behavior of people in the EU.

    In determining whether a U.S. company is offering goods and services to data subjects in the EU for purposes of the GDPR, EU regulators will look into whether the company is targeting EU customers by advertising in the EU, offering online menus in European languages, or quoting prices in euros.

    In determining whether U.S. organizations are monitoring the online behavior of people in the EU, EU regulators will look at whether the organization is using web tools that allow it to track cookies or the IP addresses of Europeans who visit its website(s).

    The penalties for violating the GDPR are huge. The most serious violations can result in fines of up to €20 million or 4% of a company’s annual global turnover from the previous fiscal year, whichever is greater.

    The American Data Privacy and Protection Act

    The ADPPA seeks to establish basic consumer data rights, impose certain obligations (known as “duties of loyalty”) on all organizations that process personal data, and create additional requirements for large data holders (defined as organizations with sensitive personal data of 100,000 or more individuals or non-sensitive data of 5 million or more individuals) and third-party service providers that process data.

    The law would apply to all organizations, including nonprofits and telecommunications companies, and establish a new division within the Federal Trade Commission (FTC) charged with enforcing the law.

    The ADPPA overrides state privacy laws, except for a long list of laws and topics that are exempt, including the Illinois Biometrics Information Privacy Act, part of the California Privacy Rights Act, and broad topics such as facial recognition, non-consensual pornography, data breach notification, and more.

    The list of exceptions isn’t only long, but also negates the purpose of state primacy and excludes other states that have recently adopted privacy laws, such as Virginia, Utah, Colorado, and Connecticut.

    In addition, ADPPA restricts the private right of action while providing strong enforcement measures that allow the FTC and state attorneys general to take action against any data owner who doesn’t comply.

    An individual may bring a civil action for damages or injunctive relief against data holders four years after the law’s effective date. But to prevent duplicative enforcement of the law, individuals must first notify their attorney general and the FTC of their intent to sue.

    If either of these agencies decides to file a lawsuit, individuals cannot file their own lawsuit.

    There’s also a limited right to cure; if data holders successfully remedy a perceived problem within 45 days, they may seek dismissal of an injunction action.

    I’ll go into more detail in the next article.

    Now you can thank me.

    And if you want to know more about how to protect your data and avoid fines and cyberattacks, TLIC Worldwide, Inc. is the place to be.

    Steven Palange, Your Data Expert

    Call Me at 401-214-5557 or steven_palange@tlic.com

  • Adopt AI and Breakthrough: Transform Your Business with Soveraign Solutions

    Why Choose Soveraign Solutions for AI-Driven Productivity?

    In today’s fast-paced business environment, leveraging artificial intelligence (AI) isn’t just an option; it’s a necessity. At Soveraign Solutions, we specialize in transforming your IT infrastructure into a powerhouse of productivity through AI integration and comprehensive employee training.

    Transform Your Business with AI Integration

    AI is revolutionizing industries by automating repetitive tasks, providing deep insights through data analytics, and enhancing decision-making processes. Here’s how Soveraign Solutions can help:

    • Streamlined Operations: AI can handle mundane tasks, freeing your employees to focus on strategic activities. This not only boosts productivity but also improves job satisfaction.
    • Advanced Analytics: Our AI solutions analyze vast amounts of data quickly, offering actionable insights that can drive business growth. Whether it’s customer behavior analysis or market trend predictions, AI provides the intelligence needed for informed decision-making.
    • Personalized Customer Experiences: AI-powered tools can help tailor services to individual customer needs, enhancing customer satisfaction and loyalty. Chatbots, recommendation engines, and personalized marketing campaigns are just a few examples.
    • Intelligent Chatbots: Enhance customer service with AI chatbots that provide instant, accurate responses to customer queries, freeing up human agents for more complex tasks.
    • Data Readers and Processors: AI-driven data readers can swiftly process and analyze large datasets, identifying patterns and trends that might be missed by manual analysis. This leads to more informed decision-making and strategic planning.

    Employee AI Training: The Key to Unlocking Potential

    For AI to be effective, your workforce needs to be adept at using these advanced tools. Soveraign Solutions offers tailored training programs to ensure your employees can maximize the benefits of AI:

    • Comprehensive Training Programs: Our training modules cover everything from basic AI concepts to advanced application usage. Employees will learn how to integrate AI tools into their daily workflows seamlessly.
    • Hands-On Learning: We believe in experiential learning. Our training sessions include practical exercises and real-world scenarios to ensure employees can apply their knowledge effectively.
    • Continuous Support: Learning doesn’t stop after training. We provide ongoing support and resources to help your team stay updated with the latest AI advancements.

    Why Partner with Soveraign Solutions?

    • Expertise in AI Integration: With years of experience in AI and IT solutions, we ensure smooth integration of AI tools into your existing systems, minimizing disruptions and maximizing benefits.
    • Tailored Solutions: We understand that each business is unique. Our consultants work closely with you to develop AI strategies that align with your specific needs and goals.
    • Cost-Effective Services: Our offshore teams in the Philippines, Singapore, and Indonesia offer high-quality services at competitive rates, ensuring you get the best value for your investment.
    • Security and Productivity: We provide a multi-layered defense strategy, incorporating AI-driven security measures to protect your data and enhance productivity.

    Your Technology, Security, and Productivity Are Only as Strong as Your Supplier Partnerships

    At Soveraign Solutions, we believe in building strong, collaborative relationships with our clients. Our commitment to your success goes beyond providing services; we aim to be your trusted partner in achieving business excellence.

    Get Started with Soveraign Solutions

    Your journey to enhanced productivity and robust security starts here. Whether it’s software renewals, data center solutions, or AI integration, we’ve got you covered. Contact us at sales@tlic.com to learn more about how we can help your business thrive.

    Our website also provides more information about how we can support your IT and AI needs.

    Visit us at: https://tlic.com/

    Discover More by Visiting Our YouTube Videos:

    • Why Soveraign Solutions: https://youtu.be/oL7aQoraKiM
    • Software Renewals: https://studio.youtube.com/video/5CTgZCIh6sQ/edit
    • Microsoft Co-Pilot: https://youtu.be/eKibv3shbX8
    • Windows 2022: https://youtu.be/7ODlS4TkdeA
    • Employee Hacking: https://youtu.be/oYP5fDiZLfM
    • Optimus 3 as IT Manager: https://youtu.be/I6l8HGIPyd8
    • Rise with AI or Fall Because of AI: https://youtu.be/Dfb6DSDXKNg
    • AI vs HUMAN Intuition: https://youtu.be/5lgETFl-_Y8
    • Why CIO’s are “Frauds”: https://youtu.be/1UiWlrcvpAw
    • Investing in AI is a Game Changer: https://youtu.be/To1KiWuex2I

    Thanks for Reading!

  • Unlock Unmatched Productivity and Profitability with Gemini and Copilot

    IT’s Pivot to Profitability and Productivity with AI: CoPilot & Gemini

    In today’s rapidly evolving technological landscape, businesses are continually seeking ways to enhance efficiency, productivity, and profitability. The integration of Artificial Intelligence (AI) into IT operations is proving to be a game-changer. Soveraign Solutions, with its team of expert consultants and security engineers, is at the forefront of this revolution, helping businesses unlock the full potential of AI through tools like Microsoft CoPilot and Google Gemini.

    Your Technology, Security, and Productivity are only as strong as your Supplier Partnerships. Contact Soveraign Solutions for your next software renewal or data center purchase. Whether it’s Microsoft M/O365, Server 2022, SQL, antivirus, antispam, firewall, or backup software, we’ve got you covered. Email us at sales@tlic.com.

    Boost Profit and Productivity with CoPilot and Gemini AI Integration

    AI isn’t just a buzzword; it’s a strategic tool that can pivot your IT department from a cost center to a profit driver. By leveraging AI, businesses can streamline operations, enhance decision-making, and ultimately increase their bottom line. Soveraign Solutions specializes in integrating AI into your existing IT infrastructure, ensuring you stay ahead of the curve.

    The Power of CoPilot & Gemini

    Microsoft CoPilot and Google Gemini are leading AI tools that can transform your business operations. Here’s how: