The Increasing Regulatory Focus on Privacy
The ongoing trend of data breaches and the increasing privacy risks associated with social media continue to be a national and international concern. These issues have prompted regulators to seriously explore the need for new and stronger regulations to protect consumer privacy. Some of the regulatory solutions focus on U.S. federal-level breach and privacy laws, while individual U.S. states are also looking to strengthen and broaden their privacy laws.
The focus on stronger consumer privacy has already produced new regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Many customers of U.S. companies are covered by the GDPR’s broad privacy protections, which protect the rights of residents of the European Economic Area. As U.S. states increasingly pass their own privacy laws, the legal environment is becoming more fragmented and complex. This has increased interest in a U.S. federal privacy law, perhaps along the lines of the GDPR, or one that otherwise protects individuals’ information more broadly than the sectoral laws now in place. Although it is not clear whether effective national legislation will pass in the immediate future, the continued focus on regulatory solutions to strengthen consumer data privacy appears certain.
Privacy is Important to McAfee
For technology to be effective, individuals and corporations must be able to trust it. McAfee believes that trust in the integrity of systems – whether a corporate firewall or a child’s cell phone – is essential to enabling people to get the most possible out of their technologies. Fundamental to that trust is privacy and the protection of data. McAfee is committed to enabling the protection of customer, consumer and employee data by providing robust security solutions.
Effective Consumer Privacy Also Requires Data Security
Today, electronic systems are commonly used by government, business and consumers. There are many types of electronic systems and connected devices used for a variety of beneficial purposes and for entertainment. The use of data is a common element across these systems, and some of that data may be confidential, personal or sensitive.
A reliable electronic system must have adequate security to protect the data the system is entrusted to process and use. Data leaks and security breaches threaten the ability of customers to trust businesses and their products. Data security that is flawed or inadequate to provide robust data protection puts consumers’ privacy at risk.
Too often, privacy and information security are thought of as separate and potentially opposing concerns. However, there are large areas of interdependency between these two important policy areas. Privacy and information security must work in harmony and support each other to achieve the goal of consumer privacy. Privacy requires that consumers have the capacity to decide what data about them is collected and processed, and the data must have safeguards driven by appropriately secure technologies and processes.
Data security is the process of protecting data from unauthorized access and corruption throughout its lifecycle. Privacy is an individual’s right or desire to be left alone and to control her own data. Data security also enables the effective implementation of protective digital privacy measures to prevent unauthorized access to computers, databases and websites. Data security and privacy must be aligned to effectively implement consumer privacy protections.
An effective risk-based privacy and security framework should apply to all collection of personal data. This does not mean that all framework solutions are equal. The risks of collecting and processing the personal data must be weighed against the benefits of using the data. Transparency, choice and reasonable notice should always be a part of the way data is collected. The specific solutions of a framework may vary based on the risk and the specific types of data. The key is to have in place a proactive evaluation (Privacy and Security by Design principles) to provide the most effective protection for the specific application and data use.
Examples Where Privacy Regulations Require or Enable Robust Data Security
Breach Notification Safe Harbor for Encrypted Data in U.S. State Privacy Laws
Data breach notification laws require organizations to notify affected persons or regulatory authorities when an unauthorized acquisition of personal data occurs as defined by the applicable law or regulation. Many U.S. state laws provide a “safe harbor” for data breach notice obligations if the data was encrypted. A safe harbor may be defined as a “provision of a statute or a regulation that reduces or eliminates a party’s liability under the law, on the condition that the party performed its actions in good faith or in compliance with defined standards.”
Security safe harbor provisions may be used to encourage entities and organizations to proactively protect sensitive or restricted data by employing good security practices. Encrypting data may protect the organization from costly public breach notifications. Encrypted data may be excluded from breach requirements, or unauthorized access to encrypted data may not be considered a “breach” as defined in the statute. To be protected by an encryption “safe harbor” exemption, the breached organization must encrypt data in compliance with the state statute. The state-specific statutes may also require that the organization retained control of the encryption keys, that is, that the keys were not acquired along with the data, to claim safe harbor.
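The key-control condition is easy to state and easy to get wrong in practice: ciphertext stored next to the key that decrypts it buys no safe harbor. The following Go program is an added illustration, not code from the McAfee post, of envelope encryption with AES-256-GCM: each record is encrypted under its own data-encryption key (DEK), the DEK is stored only in wrapped form, and the key-encryption key (KEK) is assumed to live outside the data store (an HSM or cloud KMS). The names Record, Encrypt, Decrypt and Exposed and the sample personal data are hypothetical and constructed for the example; Exposed answers the question a breach review would ask, namely whether the stolen artifacts plus whatever key material the attacker also obtained yield plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what a breached data store would yield: the ciphertext and the
// data-encryption key (DEK) wrapped under a key-encryption key (KEK).
// The KEK is assumed to live outside the store (HSM, cloud KMS), so a
// Record on its own should never yield plaintext.
type Record struct {
	Nonce      []byte // nonce for the data ciphertext
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
	WrapNonce  []byte // nonce for the wrapped DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
}

// seal encrypts plaintext under key with AES-GCM and a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was tampered with.
func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt generates a per-record DEK, encrypts the data with it, then wraps
// the DEK under the KEK so only the wrapped form is stored beside the data.
func Encrypt(kek, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	nonce, ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the data.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Nonce, r.Ciphertext)
}

// Exposed asks the safe-harbor question for one stolen record: given whatever
// key material the attacker also obtained (nil if none), is the personal data
// readable? Only the correct KEK turns the record into plaintext.
func Exposed(r Record, stolenKEK []byte) bool {
	_, err := Decrypt(stolenKEK, r)
	return err == nil
}

func main() {
	kek := make([]byte, 32) // in practice fetched from an HSM/KMS, never stored beside the data
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample personal data for the demonstration.
	rec, err := Encrypt(kek, []byte("name=Jane Doe, dob=1980-01-01"))
	if err != nil {
		panic(err)
	}
	fmt.Println("record stolen, no key:", Exposed(rec, nil))  // false
	fmt.Println("record stolen with KEK:", Exposed(rec, kek)) // true
}
```

The design point is the split of custody: the data store holds Record, the key service holds the KEK, and an attacker who dumps the store gets ciphertext and a wrapped DEK that AES-GCM will refuse to open without the KEK. If the KEK is stored in the same database, a config file on the same host, or is otherwise taken in the same incident, Exposed returns true and the encryption exemption is unlikely to apply.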
GDPR Security Requirements
The General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA) in 2018, further enhancing the privacy rights of residents of the EEA. In addition to giving EEA residents access to personal data collected about them, the GDPR requires companies handling this data to perform risk analyses to determine how to secure the data appropriately. The GDPR lays out basic security requirements in Article 32 (Security of processing), which requires entities to have the ability to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”
Controllers of personal data must also have appropriate technical and organizational measures to satisfy the GDPR. Business processes that handle personal data must be designed and implemented to meet the GDPR security principles and to provide adequate safeguards to protect personal data.
Implementing a robust security framework to meet the GDPR requirements means the organization should proactively evaluate its data security policies, business practices and security technologies, and the organization must develop security strategies that adequately protect personal data.
Federal policymakers need to pass uniform privacy legislation into law. A key part of this effort must include sufficiently strong cybersecurity provisions, which are imperative to protecting data, as evidenced by the GDPR and thoughtful state breach notification laws. Instead of relying on hard regulations to incent organizations to implement strong security, policymakers should include a liability incentive – a rebuttable presumption or a safe harbor – in privacy legislation. Such an approach, ideally aligned to NIST’s flexible Cybersecurity Framework, would enable policymakers to promote the adoption of strong security measures without resorting to a “check the box” compliance model that has the potential to burden customers and discourage innovation in cybersecurity markets.
Source: McAfee Blog
Evaluate your SIEM requirements and expect more for advanced threat detection and response
Security information and event management (SIEM) technology is evolving to keep pace with the growing threat landscape. The Gartner Technology Insight for the Modern SIEM report breaks down myths and provides insights into the latest SIEM capabilities and key considerations for security practitioners grappling with whether to embrace, replace, or augment their SIEM platform.
We believe this report from Gartner will help you gain these insights:
*Technology Insight for the Modern SIEM, Toby Bussa, Kelly Kavanagh, Gorka Sadowski, 24 October 2018.
Despite a 31% decline in new malware, this quarter we saw bad actors striving to do what they do better—evolving their technologies and using new tactics to outmaneuver their targets' defenses.
Our latest findings include:
All politics aside, the United States Department of Justice on Friday unsealed an indictment against a number of individuals alleged to be officers of Russia’s intelligence services, for activities in 2016.
Stepping outside of the context of this party or that party, and politics as a whole – McAfee’s CTO, Steve Grobman noted, “Attribution is amongst the most complex aspects of cyberwar and the US government is in a unique position to make this attribution assessment. Technical forensics combined with information from trusted intelligence or law enforcement agencies are needed to provide confidence behind identifying actors in an attack or campaign. These indictments clearly show the US has reason to believe Russia interfered with the election process.”
The iPhone and many of the apps designed to live on the device have the ability to track our location. When they set up these apps, however, users get the option to opt in or out of location tracking services. But what happens when a malicious campaign doesn’t give users the option to opt out of having their location tracked by cybercriminals? In fact, just this week, it has been discovered that iPhone users may be faced with that very possibility, as a sophisticated mobile malware campaign is gaining access to devices by tricking users into installing an open-source mobile device management (MDM) software package.
The closest many of us get to the dark web is watching hackers surf it in television shows or movies. However, it is a very real place that contains lots of stolen data. This data, along with compromised systems, devices, and more are often sold in underground marketplaces that exist on the dark web. One type of marketplace is called a remote desktop protocol (RDP) shop, which provides access to stolen systems for a small fee. Found in one of these RDP shops by McAfee’s ATR team: a major international airport’s security and building automation systems, which could be purchased for only $10 USD.
Security operations (SecOps) teams have some of the hardest jobs around. They are faced with growing volumes of security data: 77% of enterprises add one terabyte of security data a month.
Could you separate the signal from all that noise? Well, now you can put yourself in the place of a security analyst and find out. Introducing the “Separating the Signal from the Noise” interactive demo from McAfee.
“50% of organizations use more than one public cloud infrastructure vendor, choosing between Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform and a series of others”
In this blog post, we explore the history of cloud computing and security that has led us to our multi-cloud reality. Read it here.
In the post, we explore:
Per cloud security’s shared responsibility model, Office 365 customers are responsible for actions users take within the platform that compromise data, and Skyhigh has found the average enterprise experiences 2.7 such threats in the platform each month. This number includes compromised accounts, insider threats, and privileged user threats.