Category Archives: Compliance & Regulation

[Online Conference] Varonis Coffee Series: Unique Insights Into Data Security and Privacy

Looking for a different take on the data security landscape? Join our multi-disciplinary team of experts as they discuss the laws, ethics, and defensive techniques behind data protection and privacy. Over four Tuesdays starting March 12, you’ll be briefed on the intersection of red team thinking and diversity, how basic pen testing ideas can change your security practices, the secret Privacy by Design ingredient in GDPR compliance, and how to bring professional ethics into the data security lifecycle. And there will be coffee: we’re…

Right to be Forgotten: Explained

The “Right to be Forgotten” (RTBF) is a key element of the new EU General Data Protection Regulation (GDPR), but the concept pre-dates the latest legislation by at least five years. It encompasses the consumer’s right to request that all personal data held by the company — or “controller” in GDPR-speak — be removed. But it goes further: the GDPR rules (see its Article 17) say that search engines (like Google) have to…

What is PCI Compliance: Requirements and Penalties

PCI compliance is a set of standards and guidelines for companies to manage and secure credit-card-related personal data. The major credit card companies – Visa, Mastercard, and American Express – established the Payment Card Industry Data Security Standard (PCI DSS) guidelines in 2006 in an effort to protect credit card data from theft. Experts say credit card fraud costs businesses billions of dollars each year in the United States. It should be obvious that…

Wyden’s Consumer Data Protection Act: How to Be Compliant

Will 2019 be the year the US gets its own GDPR-like privacy law? Since my last post in this series, privacy legislation is becoming more certain to pass. Leaders from both parties are now saying they will focus on privacy in 2019. Consider yourself warned! I’ll continue my journey from last time into the Wyden legislation since it’s a good baseline. Sure there are other bills, but they share some common elements. I’ve already discussed Wyden’s…

Wyden’s Consumer Data Protection Act: Preview of US Privacy Law

The General Data Protection Regulation (GDPR) has, for good reason, received enormous coverage in the business and tech press in 2018. But wait, there’s another seismic privacy shift occurring, and it’s happening here in the US. There is now a very good chance that significant data privacy legislation will come to the US soon. I’ll go out on a limb, and say in 2019. But if not next year, then certainly in 2020. Yes, we’ll…

NYDFS Cybersecurity Regulation in Plain English

In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. Unusual at the state level, this new regulation includes strict requirements for breach reporting and limiting data retention. Like the GDPR, the New York regulation has rules for basic principles of data security, risk assessments, documentation of security policies, and designating a chief information security officer (CISO) to be responsible for the program. Unlike the…

How Varonis Helps with the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is set to go into effect on January 1, 2020. It not only gives ownership and control of personal data back to the consumer but holds companies accountable for protecting that data. The CCPA gives California residents four basic rights in relation to how companies collect and store their personal information: Transparency: the right to know what personal information a company is collecting about them, where that data came…

NIST 800-171: Definition and Tips for Compliance

Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information. NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines. NIST itself is a non-regulatory Federal agency responsible…

The Average Reading Level of a Privacy Policy

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data. While the regulation pertains to the personal data of EU citizens, the law and fines for misconduct still apply regardless of whether the person is paying for…

EU NIS Directive (NISD) Holds Surprises for US Online Companies

Last month, a major data security law went into effect that will impact businesses both in the EU and the US. No, I’m not talking about the General Data Protection Regulation (GDPR), which we’ve mentioned more than a few times on the IOS blog. While more narrowly focused on EU “critical infrastructure”, the NIS Directive or NISD also has some surprising implications for non-EU companies not remotely in the business of running hydroelectric plants or…

[Transcript] Attorney Sara Jodka on the GDPR and HR Data

In reviewing the transcript of my interview with Sara Jodka, I realize again how much great information she freely dispensed. Thanks Sara! The employee-employer relationship under the GDPR is a confusing area. It might be helpful to clarify a few points Sara made in our conversation about the legitimate interest exception to consent, and the threshold for Data Protection Impact Assessments (DPIAs). The core problem is that to process personal data under the GDPR you…