A common question topic posed to me, the VP of Compliance, from both non-IT and IT professionals alike revolve around the concept of RPO and RTO with regards to Business Continuity Management. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a sound disaster recovery plan.
This month, I explain everything you need to know about RPO and RTO!
Happy Birthday GDPR! On May 25th, internationally we will be “celebrating” the first anniversary of the EU’s General Data Protection Regulation (GDPR). Nearly one year later, have the stricter rules really made a difference? Consumers are definitely seeing more pop-up privacy notices online, thanks to GDPR, but for now the astronomical fines the new regulations threatened have not yet surfaced.
Vendor Management Requirements in Cybersecurity Standards
Are you in control of third-party risk? Do you have a sound vendor management department? Do you audit your suppliers?
And this is just the start.
What Cyber Laws Apply to Me?
It is becoming ever so clear that compliance isn't an easy task handled by the IT department, but that it's a team effort from all the departments. This makes it more difficult in regards to what's applicable so our VP of Compliance has broken down all the laws into simpler terms to be able to distinguish which law you must abide!
One method of ensuring greater cybersecurity protection in a world of hacks and breaches: to undertake regular and programed cybersecurity audits and assessments.
The thought of an audit may strike fear in many individuals at all levels in an organization. Mostly, audits are routine and serve to ensure there is at the minimum a check-and-balance to satisfy whichever regulatory body requires it. When there are non-conformities found, it shouldn't be looked upon as a negative thing.
This month, our VP of Compliance speaks to the benefits of non-conformities.
2019: The Year of the Data Breach, Again…
“Magic 8 ball, will 2019 be the Year of the Data Breach…again?”
Our VP of Compliance says: All signs point to YES.
With the passing of laws like GDPR and PIPEDA, the Marriott Breach, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, and increase in data breach lawsuits, by the time last December ended, there is no doubt that all industry specialists could not wait to label 2018 as the Year of the Data Breach. However, as we sit in the dawn of 2019, it is becoming ever increasingly clear, that 2019 will in fact be, the Year of the Data Breach, Again.
The New York State Department of Financial Services’ (DFS) mandatory cybersecurity requirements for financial services entities became effective on March 1st, 2017, with a two-year implementation period. The regulation requires all DFS regulated entities, subject to certain exemptions, to adopt the core requirements of a cybersecurity program. The final effective date for the regulation will be March 1, 2019, by which time, under section 500.11, DFS regulated entities are required to have written policies and procedures that are based on a risk assessment to ensure the security of nonpublic information and information systems that are accessed or held by third party service providers.
DFS has come out with the dates all regulated entities and licensed persons must files various notices to the Superintendent. The final one being next month, February 15th 2019.
IT Compliance vs. IT Security : “What’s the difference?”
It is without a doubt that 2018 has become the year of IT Compliance. With so many new laws becoming effective, including EU’S GDPR, California’s Data Privacy Law, and Canada’s PIPEDA, the line between security and compliance may seem easily blurred for IT professionals. So, the question becomes: How do we produce a comprehensive security program, while ensuring that we meet compliance obligations? However, there is one problem that surfaces repeatedly, regardless of which regulatory standard (e.g., PCI, HIPAA, etc.) your company must meet, and that is failing to understand the difference between compliance and security. Sometimes organizations think that these are one and the same to the point that they become so consumed by complicated regulations that they stop focusing on security altogether. This month's edition of Ask Our VP of Compliance will address the differences between IT Compliance and IT Security:
This November, a new Canadian Data Privacy Law went into effect, called PIPEDA. (The Personal Information Protection and Electronic Documents Act).
PIPEDA is similar to other privacy laws in that organizations "must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy." Personal information—including identifiers such as name and age, medical records, financial data and even opinions and evaluations—that is collected under a commercial activity (business transactions, fundraising activities or memberships, for example) falls under PIPEDA protection. Personal information collected for government or by an employer are not covered.
Penalties are much lighter for PIPEDA than other privacy regulations. Data breaches are to be reported to the Office of the Privacy Commissioner (OPC). Failure to report a breach to both the OPC and to the affected customers or no record of total data breaches is kept can cost organizations fines as much as $100,000. One thing that makes PIPEDA stand out from other privacy regulations with a national or global scope is that it may not cover all of Canada.
It is important to note, that organizations that already meet the standards of GDPR and any U.S. laws are considered to be compliant with PIPEDA.
For more information, click here!