How do you balance knowing your customer and GDPR? Are IT departments underestimating the value of their business data? This week's Friday Five answers those questions and more.
1. Amendments to data breach notification law in Colorado impact HIPAA-regulated entities by Julie A. Sullivan and Loreli Wright
A heads up here, whether your business collects sensitive healthcare data in Colorado or you simply enjoy following the ebb and flow of data breach notification law. Julie Sullivan and Loreli Wright, attorneys with the firm Greenberg Traurig, clarified in the Denver Business Journal this week some recent tweaks to a law that went into effect in September. One of the biggest takeaways per the article: “HIPAA-regulated entities must now comply with Colorado’s shorter, 30-day timeframe in which businesses must provide notice of a breach to any affected individual.” In addition, HIPAA-regulated entities must, as soon as possible and no later than seven days after discovering a breach, report it to the Colorado attorney general if it affects more than 500 residents.
2. Walking the KYC and data protection tightrope by Jaclyn Jaeger
Financial institutions looking to balance know-your-customer (KYC) procedures and the requirements of the General Data Protection Regulation (GDPR) need to establish requirements in order to do so securely, a Compliance Week story said this week. Jaclyn Jaeger says firms need to ensure that customer files are kept up to date and accurate, that personal data is secured, and that third parties in charge of compliance are audited. "At a high level, firms should have in place data-driven policies and procedures that comply with the GDPR’s enhanced data-subject rights; make changes in the way they manage and interact with customers on a consent-based level; and implement data security controls and monitoring and auditing procedures..."
3. Incorrect Assessments of Data Value Putting Organizations at Risk by Jai Vijayan
The Achilles' heel of organizations isn’t always an external threat - it can often be their own IT department. According to a recent Ponemon Institute study, IT departments typically underestimate the value of their business data by as much as 50 percent. The study surveyed 2,827 professionals across the IT security, product and manufacturing, legal, marketing, IT, finance and accounting, and human resources functions. Some examples showed IT departments overestimating the value of personally identifiable information (PII) but underestimating that of financial reports and R&D data. Having visibility across an organization can give it a more accurate idea of how much data it is overseeing, and of what kind.
4. Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee by Rebecca Hill
Lest you think the UK isn't enforcing the General Data Protection Regulation (GDPR), the ICO, the UK's Information Commissioner's Office, announced this week that it has fined 100 organizations across the business services, construction and finance sectors for not paying the annual fee. Companies that process personal data must pay an annual fee to the office unless they're exempt. It's a cyclical process: the money the ICO collects from data protection fees is funneled back into the ICO's work, including its investigations into data breaches. The announcement came a few days after Germany's data protection authority fined a dating service, Knuddels, €20,000 - Germany's first GDPR fine.
5. OPM extends credit monitoring, expects new contract by year's end by Chase Gunter
In cyber years, the Office of Personnel Management data breach feels like it was eons ago. That's why this headline, via FCW's Chase Gunter, caught our eye this week. OPM said this week it plans to re-up its credit-monitoring contract for those affected by the 2015 breach until June 30, 2019. For the uninitiated, the hack exposed the records of approximately 21.5 million current and prospective government workers. It's a reminder that there may still be victims out there dealing with the repercussions of the hack - believed to be one of the largest breaches of government data ever. The office is required to provide those affected by the breach with coverage through 2026, but, as FCW points out, the National Treasury Employees Union - many of whose members were victims of the hack - is in the middle of suing OPM for lifetime credit monitoring and identity theft protection.