Data Privacy Legislation for Washington Businesses

Ascension Technical Group is hosting an interactive Teams session on April 8th from 10 AM to 11 AM PDT. You can register now and we’ll send you a Teams request.

The webinar will provide analysis of the draft Washington Data Privacy Act (WPA) and its impact on business, and will detail the associated penalties for data privacy breaches.

This webinar will help businesses determine potential security vulnerabilities and identify a mitigation strategy. The cyber breach discussion will review the benefits of an in-depth security assessment that includes reviewing current policies, procedures, technical environments and other security-related functions. Details will be provided on applicable standards, including ISO/IEC 27001, NIST 800-53, ISA 62443, COBIT 5, CIS CSC, CCPA, GDPR and PCI DSS.

Topics that will be covered include:

  • Data Security & Privacy
  • Awareness and Training with related policies, procedures, and agreements.
  • Governance, Analysis & Mitigation
  • Information Protection Processes
  • Identity Management, Authentication and Access Control
  • Protective Technology, Anomalies and Events, Detection Processes
  • Response & Recovery Planning
  • Law Enforcement

We look forward to your participation in this interactive Teams session on April 8th from 10 AM to 11 AM PDT.

How Privacy Legislation Affects Your Business

There is current legislation and standing law that will affect your firm’s ability to manage Consumer Data. Legislation is now in process that will affect the Human Resource Data of your employees next year. Washington State has legislation almost completed today. If you wish to book a free one-on-one briefing, please select the button below and we can call you to advise you of the current issues relating to privacy and security.

Ascension, partnering with Insperity, was scheduling an Executive Briefing regarding privacy legislation that affects your business. We wanted to invite you or members of your team. Due to the warranted restrictions in preventing the spread of the COVID-19 virus, we are moving the briefing to later this Spring or Summer. However, if you wish to book a free one-on-one briefing, please select the button below and we can call you to advise you of the current issues relating to privacy and security.

Washington State Privacy Law — Senate and House are meeting to hopefully compromise.

After the House of Representatives passed an amended Privacy Bill on the evening of March 6th, the Senate received the Bill and responded, “Senate refuses to concur in House amendments.” The Senate “Asks House to recede from amendments.”

Today, the “House insists on its position and asks Senate for a conference. Conference committee appointed. Representatives Hudgins, Hansen, Dufault.” And the “conference committee request was granted.”

Now, hopefully the committee jointly can work out the details and come to some compromise that helps both the consumer and business.

You can find updated information regarding the bill at https://app.leg.wa.gov/billsummary/?billNumber=6281&year=2020&initiative=False


"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

Finding Humanity in Big Data

At the beginning of Operation Iraqi Freedom in 2003, I was assigned as the Senior Intelligence Officer for the 1st Battlefield Coordination Detachment (1st BCD) at the Combined Air Operations Center on Prince Sultan Air Base in Saudi Arabia.  As the name of our unit implies, our mission was to coordinate ground and air operations for the invasion of Iraq.  This was a monumental task and the amount of information that passed through our desks was almost unfathomable.  It is difficult to paint a complete picture, but we were coordinating the movement of two entire Armies; with hundreds of thousands of ground troops, from multiple nations; hundreds of air assets, ranging from combat, intelligence, refueling, command/control and troop transport aircraft to Army helicopters and drones.  On top of all that, everything was constantly and simultaneously moving.  Talk about big data.

In order to monitor all this activity, we had no less than about 15 separate battlefield operations systems daisy-chained together, but with fewer than that many soldiers on shift to operate all the computers.  Information was flying across the screens faster than the ticker at the New York Stock Exchange.  The Combined Air Force Component Command used a system of kill boxes to coordinate air interdiction targets on the battlefield and it was the 1st BCD’s mission to deconflict fires between the ground and air component commands.  The air and ground components agreed to open a certain kill box north of Baghdad, which meant that everyone agreed there were no friendly forces in the area.  However, out of the thousands of icons representing maneuver forces on the ground, I noticed a small blue blip on the screen.  Fortunately, just before the invasion, the Army fielded the Blue Force Tracking system, which was an emitter to show where units were located.  I did a quick investigation and discovered a U.S. Special Operations Detachment operating well forward of the main battle area (as Green Berets are supposed to do), so I denied opening the kill box.  If the Blue Force Tracking system was not fielded, if one of the battlefield operations systems did not work properly, and if I stepped away from my station for a few minutes, that SOF detachment would likely have been destroyed.  There is perhaps nothing more tragic in war than friendly or civilian casualties.

In business, it is hard to detect the human element in big data.  We tend to focus on processing massive amounts of information as quickly as possible.  However, as leaders we must look at our systems from the customers’ perspective.  Customers have a lot of online choices these days, but a human touch goes a long way to earning lasting loyalty.  An occasional personal note or phone call to a customer following an online transaction adds humanity to big data; especially if there is a negative experience.  People see that and know the company values them as a person, rather than just a transaction or anonymous account number.

Ascension has the expertise to assist your company in customer relationship management.  We can help your company with the transformation between technology and cultural changes.

By John Winters, Colonel, U.S. Army (Retired)

Sharks are in the water for our data! Are you worried?

Earlier this year, I attended a Security Summit here in Seattle. There was a statistic cited that placed Cyber Security and Privacy Policy into the top three concerns for CEOs in America. PwC cited this statistic in a recent 2019 CEO Survey (2). Also, only 38% of CEOs surveyed felt comfortable with their respective Cyber Security posture.

I know when I formed my first Security Program Office in the early 2000’s, I never observed security and/or privacy on the list of my peers and top leaders of the organizations. However, today security has become top of mind. Many leaders are now worried about their respective jobs as well as their companies’ reputation.

Unfortunately, at Ascension, we have leaders calling us after such a breach or security incident has happened. It is difficult to watch CxOs asking themselves, “What happened? Why did I get targeted?” Assessment is the first step to preventing this situation.

Feel free to comment: “Are you worried about CyberSecurity?”

Please do not give company or personal specifics, unless you wish to call me.

Have a great day! Paul Scott

Citations:

(2) PricewaterhouseCoopers (2019 Published). US CEO agenda 2019. Retrieved from https://www.pwc.com/us/en/library/ceo-agenda/ceo-survey.html

Seattle employee at the center of major Data Breach

Copy of Complaint Header filed July 27, 2019

This morning over a cup of coffee, I was gazing at the front page of my Wall Street Journal, casually scanning the stories. Something caught my eye: the Wall Street Journal stated that a Seattleite is at the center of a major data breach. Here from Seattle, a former Amazon employee has been arrested in connection with the Capital One breach affecting 106 million card applicants. Wow.

Estimating the cost to the company at, typically, at least $100 to $150 per user, it would be easy to estimate that the initial cost to Capital One will be well over $100M, and most likely upward of $200M, when you factor in all the internal remediations and legal costs that are never recovered by any company.

CyberSecurity seems like an impossible task. I will grant you that it is not an easy task; but I will say that focus and diligence are our best tactic so far. We cannot hide our faces in the sand anymore. We must confront these issues and do our best to protect both our company’s information and our customers’ data. I believe we should all ponder how to become more secure and act accordingly in an expeditious fashion. This wordgram may help you ponder and reflect on this issue.

At Ascension, we are working to ensure that we and our clients are protecting both corporate and individual data. Again, I think we need to ask ourselves, are we doing enough to protect customer and/or business information? Ponder this question and feel free to comment. Thank you.

CyberSecurity – The next 9/11?

We see many new clients that have to deal with cybersecurity breaches and/or issues of non-compliance with security standards. Today, I was reading about CEOs’ concerns that cybersecurity may be the “biggest Threat to the world’s economy.” I believe they are correct. CNBC article: Cybersecurity is the biggest threat to the world economy over the next decade, CEOs say

Unfortunately, many firms still have not realized the benefits of CyberSecurity Standards. These standards are not a foolproof remedy for breaches; however, they are the best defense for companies to protect themselves. To summarize, companies need to consider standards and procedures for:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
  • Supply Chain Risk Management
  • Identity Management, Authentication and Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
  • Response & Analysis
  • Mitigation
  • Improvements
  • Recovery Planning
  • Improvements
  • Communications

Paul Scott, CEO Ascension

Infrastructure

Now that the 2018 elections are over (well, except Florida), leaders in both political parties are looking for legislation they can pass to show their constituents positive accomplishments. Setting aside rancor between Democrats and Republicans, the two topics where both sides agree something can and must be done are infrastructure and the opioid crisis. Improving our nation’s infrastructure is sorely needed. The American Society of Civil Engineers (ASCE) 2017 Report Card gives the United States an overall grade of D+. Repairing transportation, water systems, and schools should be at the top of the list, but upgrading our infrastructure is also an investment in the future. The Dwight D. Eisenhower National System of Interstate and Defense Highways (AKA Interstate Highway System) is the most famous example of this type of infrastructure investment project.

What type of project can we invest our infrastructure dollars to improve connectivity in the United States, like the Interstate Highway System?

The program that immediately comes to mind is Connected Cities (AKA Smart Cities).  The parallels between the Interstate Highway System and Connected Cities are obvious, which makes this an ideal infrastructure project.  The Interstate Highway System brought together a disparate and inefficient road system and built an interconnected network.  This is exactly the same goal as Connected Cities, bringing together disparate and inefficient networks to function together.  The highway system also brought people together by facilitating travel across the country, which is the purpose of Connected Cities, to connect people.

How can Connected Cities infrastructure projects improve safety, commerce, and quality of life?

Another parallel between the two projects is public safety and security. The Interstate Highway System was also designed as a Strategic Highway Network to facilitate troop mobility to air and sea ports. Connected Cities contributes to public safety and security by providing early warning for disasters. The California Department of Forestry and Fire Protection determined at least 17 of the 21 recent major fires in Northern California were caused by power lines, poles and other equipment (CAL FIRE). One of the features of Connected Cities is placing sensors on light fixtures to detect fires and seismic activity, which would immediately alert firefighters and enable them to suppress forest fires much quicker and easier.

Connected Cities can also make everyday life easier by tying networks together. Before the Interstate Highway System, navigating roads in the United States was difficult; every state had a different numbering system. Today, navigating through the various municipal and state government networks is very difficult. You must have different accounts and logins for the DMV, voter registration, taxes, etc. The concept of Information City, which is part of Connected Cities, will develop technology and communications to bring together social, economic, and government networks.

We are at a precipice for emerging transportation technology, which means municipalities will soon have to develop revolutionary solutions to control traffic.  Autonomous automobiles are on the horizon and the proliferation of drones makes this a three-dimensional problem.  Connected Cities will have a great advantage by integrating sensors to control traffic and communicate with autonomous vehicles.

The United States will have to address our infrastructure challenges.  This is a great opportunity to not only repair our roads and bridges, but also make fundamental improvements on public safety, commerce, and quality of life for the future.  Ascension Technology Group is a leader in technology solutions for municipalities to help their citizens navigate through a complex network of services.  The fundamental concept of Connected Cities is knowledge-based urban development.  Now is the time to integrate infrastructure investments with the development of Smart Cities.

 

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was passed on June 28, 2018. The CCPA grants consumers the right to request that businesses disclose the personal information they collect about consumers, along with its sources and purposes. It also enables consumers to learn what information is shared with and sold to third parties. The California legislature passed the bill in a relatively short period of time, largely because of an impending resolution that would have placed the issue on the ballot in the upcoming election on November 6, 2018. The CCPA is often compared to the European Union’s General Data Protection Regulation (GDPR), which took effect earlier this year. One major difference between the two laws is that the GDPR has an opt-in clause, while the CCPA has an opt-out clause, which means companies doing business in the EU must give citizens the option of allowing personal information to be collected, whereas citizens in California must request businesses delete personal information. Regardless of the differences, these privacy laws are going to profoundly impact the way businesses handle information about consumers.

The clock is now ticking for the CCPA as the law takes effect on January 1, 2020. One of the lessons learned from the GDPR is that once the ball drops on New Year’s Eve 2020, there will be advocates waiting to pounce on businesses that do not comply with the CCPA. The European Center For Digital Rights filed lawsuits against Google and Facebook (as well as Facebook subsidiaries WhatsApp and Instagram) on the first day the GDPR became law. The potential fines could total €7 billion (NOYB). Although the California law does not place a fine on businesses based on a percentage of total annual global revenue (like the GDPR), it can fine a company up to $750 per incident, so a company with millions of customers could potentially face fines in the hundreds of millions of dollars.

The CCPA requires businesses to establish at least two communications methods (most likely website and telephone) for consumers to contact the company to request what personal information the company has about them and how to opt out. Interestingly, the law does not require a consumer to establish an account with the company before opting out. Therefore, even if a business does not have an account with a consumer, they are still responsible for protecting the privacy of citizens who are not customers. So, if a customer signs onto a company website to shop, but never buys anything and the company collects personal information, they must comply with the CCPA.

The CCPA does give businesses some leeway in collecting personal information. After all, companies must collect personal information to conduct business transactions and maintain security. Businesses still have a need to collect consumer information for marketing and research. The CCPA allows businesses to collect and retain consumer data by pseudonymizing or de-identifying personal information. In other words, privacy is maintained because the consumers’ data is not identifiable to a specific person. However, pseudonymization and de-identification must be a one-way process. This is a very important point: companies cannot have the ability to collect information, put it into an anonymizing database and then be able to reconstruct the personal information.

The CCPA presents new challenges for businesses to protect personal information.  This law of course does not stop at the California border; it impacts commerce across the United States.  Ascension Technical Group has experience in maintaining privacy and security for businesses and consumers and we would like to help your company prepare for the new privacy law standards that are long overdue.