Category Archives: Compliance & Regulation

NYDFS Cybersecurity Regulation in Plain English

In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. Unusual at the state level, this new regulation includes strict requirements for breach reporting and limiting data retention. Like the GDPR, the New York regulation has rules for basic principles of data security, risk assessments, documentation of security policies, and designating a chief information security officer (CISO) to be responsible for the program. Unlike the…

How Varonis Helps with the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is set to go into effect on January 1, 2020. It not only gives ownership and control of personal data back to the consumer but holds companies accountable for protecting that data. The CCPA gives California residents four basic rights in relation to how companies collect and store their personal information: Transparency: the right to know what personal information a company is collecting about them, where that data came…

NIST 800-171: Definition and Tips for Compliance

Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information. NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines. NIST itself is a non-regulatory Federal agency responsible…

The Average Reading Level of a Privacy Policy

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data. While the regulation pertains to the personal data of EU citizens, the law and fines for misconduct still apply regardless of whether the person is paying for…

EU NIS Directive (NISD) Holds Surprises for US Online Companies

Last month, a major data security law went into effect that will impact businesses both in the EU and the US. No, I’m not talking about the General Data Protection Regulation (GDPR), which we’ve mentioned more than a few times on the IOS blog. While more narrowly focused on EU “critical infrastructure”, the NIS Directive or NISD also has some surprising implications for non-EU companies not remotely in the business of running hydroelectric plants or…

[Transcript] Attorney Sara Jodka on the GDPR and HR Data

In reviewing the transcript of my interview with Sara Jodka, I realize again how much great information she freely dispensed. Thanks Sara! The employee-employer relationship under the GDPR is a confusing area. It might be helpful to clarify a few points Sara made in our conversation about the legitimate interest exception to consent, and the threshold for Data Protection Impact Assessments (DPIAs). The core problem is that to process personal data under the GDPR you…

[Podcast] Attorney Sara Jodka on the GDPR and HR Data, Part II

In the second part of my interview with Dickinson Wright’s Sara Jodka, we go deeper into some of the consequences of internal employee data. Under the GDPR, companies will likely have to take an additional step before they can process this data: employers will have to perform a Data Protection Impact Assessment (DPIA). As Sara explained in the first podcast, internal employee data is covered by the GDPR — all of the new law’s requirements…

NIST 800-53: Definition and Tips for Compliance

NIST sets the security standards for agencies and contractors – and given the evolving threat landscape, NIST is influencing data security in the private sector as well. It’s structured as a set of security guidelines, designed to prevent major security issues that are making the headlines nearly every day. The National Institute of Standards and Technology – NIST for short – is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing…

[Podcast] Attorney Sara Jodka on the GDPR and Employee HR Data, Part I

In this first part of my interview with Dickinson Wright attorney Sara Jodka, we start a discussion of how the EU General Data Protection Regulation (GDPR) treats employee data. Surprisingly, this turns out to be a tricky area of the new law. I can sum up my talk with her, which is based heavily on Jodka’s very readable legal article on this overlooked topic, as follows: darnit, employees are people too! It may come as…

Canada’s PIPEDA Breach Notification Regulations Are Finalized!

While the US — post-Target, post-Sony, post-OPM, post-Equifax — still doesn’t have a national data security law, things are different north of the border. Canada, like the rest of the world, has a broad consumer data security and privacy law, which is known as the Personal Information Protection and Electronic Documents Act (PIPEDA). For nitpickers, there are also overriding data laws at the provincial level — Alberta and British Columbia’s PIPA — that effectively mirror…

Another GDPR Gotcha: HR and Employee Data

Have I mentioned recently that if you’re following the usual data security standards (NIST, CIS Critical Security Controls, PCI DSS, ISO 27001) or common sense infosec principles (PbD), you shouldn’t have to expend much effort to comply with the General Data Protection Regulation (GDPR)? I still stand by this claim. Sure there are some GDPR requirements, such as the 72-hour breach notification, which will require special technology sauce. There’s also plenty of fine print that…