In June 2018, privacy and data security standards in the United States were fundamentally overhauled. On January 1st 2020, when the California Consumer Privacy Act (CCPA) becomes law, Californian citizens and businesses (and all businesses dealing with California) will have a very different relationship to data. The CCPA will allow all residents of California to know what personal information is being collected about them by for-profit companies operating in the state, whether it is sold, disclosed or simply held. Although the CCPA will only directly apply to California, its implementation will affect any organization doing business in California and which satisfies one of the following credentials: • Annual revenues of more than $25m • Possesses personal information of more than 50,000 consumers, households or devices • Generates over half its annual revenue from selling personal information When the CCPA comes into effect in January 2020, actions will need to be taken in order for organizations to remain compliant. For example, the CCPA will require companies to create a channel such as a toll-free number that can allow consumers to request information regarding how their data is being used. Parallels have been drawn between the CCPA and GDPR, with the CCPA requiring data privacy protections similar to those imposed by the European Union. Financial fines for data breaches under the CCPA will be less severe than the penalties under GDPR, capping at $7,500 per violation compared to the maximum cap of 4% of revenue / €20m (whichever is higher) for the most severe GDPR breaches. With the CCPA and GDPR in place, organizations will have their data management practices under the spotlight more than ever. Luckily, technological solutions exist that can mitigate the risk of data loss and the associated negative consequences for enterprises. Tessian’s Enforcer and Constructor filters help organizations manage the ways data moves on email. Enforcer’s and Constructor’s machine learning allows organizations to prevent data from being transferred to the wrong place, ensuring that enterprises can comply with evolving regulations. The general emphasis on tightening data security worldwide means that organizations will have to prioritize security in order to stay compliant and to uphold new privacy and security standards. To learn more about how Tessian can help you become CCPA-compliant, contact us here.

Up until now, the consequences for GDPR non-compliance have been gossiped about but perhaps not been taken particularly seriously. That all changed after the ICO imposed staggering fines of £183 million on British Airways and £99 million on Marriott, following data breaches that compromised the personal data of thousands of customers. The news clearly shocked the business world; this is the first time the ICO has bared its teeth since GDPR came into force last year and the EU regulators have made it very clear that failure to comply with the rules will result in genuinely significant penalties. At a number of customer events we hosted this week, the blockbuster fines were on everyone’s minds. In particular, people were keen to discuss why the ICO fines were so high, with many agreeing it was because there was a lack of “demonstrating diligence” around the risk prior to the breaches. Indeed, the ICO said in its investigations that Marriott should have “done more to secure its systems”, while BA reportedly lacked “appropriate technical and organizational measures to prevent such an attack”. The message from the ICO is clear – businesses have a legal duty to ensure the security of data else face fines of up to 4% of the company’s annual turnover. While BA’s imposed fine stands at 1.5% of its annual revenue, it is still a significant blow (though it could have been much worse). We must also remember that in addition to the eye-watering fines, BA and Marriott will now also face damaging long-term effects on customer trust, company reputation and its share price. With so much at stake, the news will have sparked discussions in boardrooms across the world, with companies urgently taking stock of the security measures they have in place and evaluating whether they are properly protecting the data they process and hold. Any ‘gaps’ will need addressing quickly, looking to cybersecurity solutions that protect networks, devices and people. I am certain this won’t be the last time we hear about ‘record-breaking’ fines from the ICO this year. Each will serve a reminder to companies that they cannot be complacent when it comes to compliance; protecting data must be a priority.

At Infosecurity Europe 2019, Tessian’s Head of Legal Growth Aisha Tummon joined Michael Hill, editor at Infosecurity Magazine to discuss GDPR, a year after it came into effect. She joined speakers Joe Carson, Codery and Jonathan Armstrong, Thycotic to share her thoughts about the impact the regulation has made over the past 12 months.

The General Data Protection Regulation – or GDPR – sprang into life 12 months ago, on May 25th 2018. To mark GDPR’s anniversary, we sat down with Tessian’s Head of Legal and Compliance, to see what’s changed in the last year and discuss what’s still to come.

I’m sure you’re celebrating GDPR’s first birthday this week. In general, do you think it’s been a positive step? My general opinion is that GDPR’s been a very positive step in relation to the promotion of data subject rights. I certainly think that data protection legislation was ripe for change – developments in this field were long overdue. Importantly, our clients also see GDPR in a positive light, despite the potential for an increased administrative and compliance burden. So what do you think the biggest benefits of GDPR have been? In the last 12 months the GDPR has provided much-needed consistency when it comes to the protection of data across the continent (and beyond). Organizations used GDPR as an opportunity to “spring clean”, critically assessing their information security systems and processes and identifying opportunities for continued improvements. In my experience, organizations are taking these changes very seriously, as are regulatory bodies. We have seen more reports of breaches to the ICO in the UK, and the EU has started to levy some blockbuster fines. Looking ahead, I see no reason why this trend would stop. I also think that GDPR’s onset has been helpful in starting widespread debate in relation to data protection and privacy. Almost everyone now has at least some understanding of what GDPR does and what it means for people and business. Increased data literacy is enormously helpful, and this may have helped bump data protection and security up the priority list at board level. What were the biggest challenges for Tessian in the build-up to GDPR? As a relatively young company, Tessian was fairly fortunate in the run-up to GDPR as we didn’t have a huge archive of legacy data and systems. Mobilization and project management in larger organizations would likely have been much more difficult! That being said, businesses of all sizes can still find it challenging to understand every piece of data that they hold: where data is located, whether it’s compliant with each of the major GDPR principles, and so on. The difference now with GDPR is that the penalties are potentially much more severe if you get it wrong. To stay on the right side of GDPR, it’s so important to spend the time doing diligence on data flows and data mapping – understanding how data moves in and out of the organization, how it’s protected, and making sure that there are individuals taking responsibility and ownership of the issue internally. Even a year on, this requirement is still absolutely necessary. So is this it now as far as GDPR goes? Or is there more still to be done? It’s been fascinating to see the global impact that GDPR has had. So far, we’re still yet to see the true extent of regulators’ “teeth” when it comes to fines. While there’s still more to come, the progress made in a year has been really encouraging.