DHS-CISA is offering insight to our community on how to manage this unprecedented vulnerability 

They’ve dubbed it, “Operation Exchange Marauder,” and this one might cut even deeper than the SolarWinds supply chain compromise that was uncovered in December — leaving some tens of thousands of on-premises Microsoft Exchange accounts open for breaches. 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-02, and the Data Connectors Community received clear instructions on how to handle this vulnerability from the agency’s Cybersecurity Advisor Klint Walker. 

“I would love to tell you that I had a great presentation lined up for you today that had big-name actors with explosions and action scenes with car chases, and lots of comedy mixed in, but instead, we have actual danger to discuss. Not flashy or cinematic by any means, but real and persistent,” Walker said. 

For those not in the loop, on March 2, CISA, NSA, Microsoft and Volexity announced four newly discovered vulnerabilities in the Microsoft Exchange on-premises product which opened some 30,000+ organizations to a possible attack. Through these vulnerabilities, an attacker could get persistent access and control of an enterprise network. 

Microsoft quickly released patches to address and rectify these issues, but not before some organizations were breached.

“Within 24 hours though, we (CISA) started noticing that there were already exploitations of those vulnerabilities,” Walker said. “Look at how fast that gap closed; the vulnerabilities were announced and immediately people were exploiting them, or maybe they were even exploiting them before the vulnerabilities were announced. Every moment that you are not patched and you are not taking mitigation efforts is putting you at risk.”

WHO IS RESPONSIBLE

According to the Microsoft Threat Intelligence Center, they’ve attributed this breach to a state-sponsored group out of China called HAFNIUM.

They’ve made this assessment with high confidence, particularly based on the primary targets — namely, infectious disease researchers (particularly, according to Walker, in relation to COVID-19 research), law firms, higher education institutions, defense contractors, think tanks and non-governmental organizations. These targets tend to work particularly close to the federal government in terms of providing research, and as a result, were seen as opportunities for these hackers. 

“This isn’t (HAFNIUM’s) first rodeo; there’s been activity seen from HAFNIUM in the past. Usually, they compromise victims by exploiting vulnerabilities, especially anything that’s internet-facing,” Walker said. “Once they’ve gained access to your network, they’re going to exfiltrate as much data as they possibly can.”

SUCCESSFUL MITIGATION

In this can’t-ignore session, Walker outlined the steps required for successfully ensuring that your network is safe and preserved following these major vulnerabilities. 

Walker discussed the immediate actions that need to take place within your organization, as well as steps to complete a more in-depth forensic analysis on this particular issue. Take a look at his recommendations, as well as review his suggestions for which tools would best serve you. 

Watch the entire presentation for Walker’s CISA-approved, complete action plan for managing these vulnerabilities. Complete the form below to access the video.

How to Survive the Microsoft Exchange Hack: …

Hot Topics in Cybersecurity Posted by Jen Greco on Mar 12, 2021

Cybersecurity professionals are coming up short in their understanding of blockchain and cryptocurrency, according to William Callahan, a retired Special Agent of the United States Drug Enforcement Agency, and one of the Keynote speakers at the Southern California Virtual Cybersecurity Summit on March 10-11.

His presentation is titled “Cryptocurrency and Blockchain Technology in a Public Underground World.”

Callahan, who inspired by watching Miami Vice as a kid growing up in New Jersey, pursued a long career with the Drug Enforcement Agency at various posts across the country, ranging from St. Louis to the D.C. metro and New York. Through his career, he watched the old drug street crime moving out of the dark alleyways and onto the Dark Web. 

THE BRIGHT SIDE OF THE DARK WEB

First Look: Cryptocurrency & Blockchain …

Interviews Posted by Jen Greco on Mar 2, 2021

In the current climate of virtual overload how do you get your voice to be heard above the others? When discussing a topic as important as cybersecurity, how do ensure that the viewer is listening to what you have to say?

As the leading provider for virtual cybersecurity summits, Data Connectors has surveyed both their attendees and Vendor Partners to compile a list of presentation best practices. This quick summary of Dos and Don’ts for how to put forth the most informative and engaging presentation can be easily implemented to ensure the best audience participation.

This series will highlight some video best practices, so you can slam-dunk your next on-screen appearance.

Preparing Your Set: Video Quality and Location

Most of us are still working from home and may not have the best set up for our home offices. Often we are at the kitchen table, or bedrooms or evening hiding in a closet to find some small solitude of quiet. Obviously this is not ideal when you need to record a presentation or attend a session live. 

Lose the Virtual Background

However, you don’t need a soundstage in order to put together a good presentation. In fact the home office can often bring a more personal approach and make you more relatable to the audience. We have seen overwhelming stats that people prefer to see a real background to a virtual one. Often virtual backgrounds are loud, obvious and more distracting than what is really behind you. So don’t be afraid to flaunt your personal style! Just ensure that you choose a location where your background is not too busy, as that may be distracting, but don’t be afraid of appearing real in your video. (Everyone loves when a furry animal joins the party for a couple minutes, in fact, bring them into the fun.)

Have an Angle

There are a couple other important features to consider when choosing your recording location. Lighting and camera angle are key elements to elevating your video production quality that are too often overlooked. You could have the best message to share but if no one can see your face, or if they are distracted by looking up your nose because your camera is below eye level, it may all be for nothing. 

Don’t get lost in the dark! Situate yourself to ensure that you have lighting, natural if possible, in front of you (behind the computer / camera). This will guarantee that you are well lit and visible to the audience while presenting. If the video image is too dark, audience members often either spend more time trying to correct your image to see you better or lose interest as they cannot make a personal connection with you on screen. 

Get Framed

Make it all about you. Make sure that you frame your profile within the center to the screen with the camera at eye-level. Properly framing yourself on camera ensures that you are the center of attention, eliminating background distractions. It will also allow for a better link with the audience. When presenting live you have the ability to be animated, emphasize points with your hands or with facial expressions. You want to ensure that you are properly centered on-screen in order for the audience to properly see all this interaction virtually. Having a conversation with the camera is like having a one-on-one discussion with each individual audience member, giving you the ability to really connect with them as if they were in front of you.

At home, connectivity Issues affect us all and we can’t always get around it. Especially when your kids are playing Fornite in the next room and your spouse is watching YouTube videos or catching up on the latest Netflix series. We are at the mercy of our personal wi-fi bandwidth now that we are no longer physically connected to our office LAN. That said there is a quick and easy trick to ensuring the best video quality when you are recording your presentation. Record to Computer – not cloud! Not only is this safer for security reasons but the video product and quality is often much better when recorded directly to your local machine. The default setting on most video recording platforms is set to record to the cloud, you want to go into your setting and change this so that it will record locally. 

Tips and Tricks: Getting Great Video Qualit …

Virtual Events Posted by Jen Greco on Feb 26, 2021

Imagine it: you’re a wide-eyed cybersecurity graduate, feeling like you’ve got the world at your feet. You’ve spent hours pouring over books, completing that capstone project, and finally, with degree-in-hand, you’re ready for the “real world” you’ve been working so hard to join.

But you begin to check out job listings for “entry level” positions in your field of choice, and they’re shockingly hard to come by. An “assistant” role that requires three- to four-years of experience? “Does college count?” you’d wonder.

Unpaid internships are an option, but there are student loan bills that are starting to rack up interest. 

After a few months of getting stood-up after the few interviews you get, working outside your chosen field becomes more and more of a possibility.

It’s not hard to picture, because so many of us have been there. And while it’s often lamented anecdotally, Cybersecurity Expert Naomi Buckwalter put some actual data behind it. It’s now empirically true: entry-level jobs require years of experience that entry-level candidate have not yet gotten.

After a LinkedIn deep-dive on so-called entry-level cybersecurity jobs, Buckwalter was able to shed light on a growing problem in the industry. By pulling 1,000 job listings from the professional networking site, Buckwalter parsed the descriptions for phrases like “years of experience” and found the dirty truth: there are no “true” entry-level jobs. 

“I crunched some of the numbers, and it was eye-opening to me,” Buckwalter said. “You can not get experience without getting a job.” 

This is frustrating for someone like Buckwalter, who got her start in cybersecurity and rose through the ranks to her current title of Chief Information Security Officer — the top of the field — while still considered to be very young compared to her colleagues. Her start was as a software developer, who found her passion after taking a course in hacking.

“I had finally found my purpose in life; I fell in love with it,” she said. She continued to focus on learning, and took opportunities as they came, with the help of some open-minded employers who wanted her success as much as she did.  “Name it, I’ve done it. I just keep learning.”

Her passion extends to finding opportunities and offering mentorship for newly minted cybersecurity grads and job hopefuls. The solution to the skills gap, Buckwalter says, is in education and thoughtful mentorship.

“Every person is different. I think I would find a mentor to really make it personal, not try to create a course for everyone, but for that person and what they want to do. Then, create a curriculum just for them,” she said. “[Many organizations] are not seeing people for the human that they are, they’re just seeing them as a means to an end. We’re not just workers and automatons — we’re human beings.”

Social media is Buckwalter’s medium-of-choice for getting the message out, for a focus on training to ensure a successful industry… even if that means ruffling a few feathers from time to time. “Let’s just tell the truth … I need people to be cynical and question things,” she said. “I wish more of us would challenge each other as an industry.”

Gaps in the industry are becoming incredibly pervasive — including with emerging technologies like artificial intelligence, Buckwalter said.

“We need to find a better way to get people into cybersecurity. We need to get the talent in and then train them,” she said. “I’m trying to scream into the void: train up the people!”

Follow Naomi Buckwalter on LinkedIn to see her insights of the cybersecurity industry first-hand.

Interview: Naomi Buckwalter and the “Dirt …

Interviews Posted by Jen Greco on Feb 17, 2021

MINNEAPOLIS, MN. – FEBRUARY 8, 2021 Data Connectors, representing the largest cybersecurity community in North America, continues its industry-leading series of Virtual Summits, arriving in the Upper Midwest this week.

The 2021 Minneapolis and Des Moines Virtual Cybersecurity Summit will take place on Wednesday, February 10, and is slated to allow the local community of cybersecurity professionals to gain insights and education regarding the latest updates and challenges in the industry, despite the continued effects of the COVID-19 crisis.

Headlining this summit is a long-time expert in the world of data privacy, Jay Cline, U.S. Privacy Leader for PricewaterhouseCoopers. Cline has spent three decades advising executives on the nuances of data privacy, with his specialty focus on privacy risk management. His keynote session is titled, “Navigating a Tripolar Data Privacy World.”

“This year could see record levels of privacy regulation and enforcement worldwide with over half of the world’s population covered by basic privacy rights and data-breach notification for the first time in history,” Cline said. “Companies can get ahead of this wave by building privacy defaults into the digital code of their business for every new change they push into production.”

The Summit will also feature industry expert presenters and virtual exhibits from cybersecurity solution providers, as well as live, topical expert panel discussions fielded by leading subject-matter experts. At the Summit, industry experts will dive into topics around the SolarWinds hack, the future of cybersecurity, and user-centered security, and the key trends on which Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) should most concern themselves in 2021 in panel discussions. 

Data Connectors, which has conducted physical conferences since 1999, rapidly responded to the COVID-19 crisis, moving its full schedule of planned events online. The cybersecurity community has in turn responded to the opportunity: more than twice as many people have signed up for the virtual regional events than had registered to attend the previously scheduled in-person meetings.

The Virtual Summit will also feature a live, interactive panel discussion, with some of the top CISOs and CIOs from organizations throughout the Upper Midwest. This week’s panelists include:

• Matt Ireland, Chief Information Security Officer – NTT Research
• Patrick Joyce, VP – Global Information Technology & CISO – Medtronic
• Tony Taylor, CISO – Land O’Lakes, Inc.
• William Scandrett, CISO – Allina Health
• Milinda Rambel Stone, Vice President & CISO – Provation Medical

Attendees will ask questions and interact online with the CISOs, as well as each other and the organizations who will feature their solutions at the event. Featured solutions providers at this summit include Auth0, Ordr, Proofpoint, and many more.

The Summit will take place on Wednesday, February 10 at 8:00 a.m. CT. Registration is free for qualified professionals, who can also obtain Continuing Professional Education (CPE) credits for participation. 

Data Connectors Virtual Summits continue to focus on the local and regional requirements for cities and regions across North America, with upcoming Summits taking place for Ohio, Boston, and Southern California, New York City, Texas and more.

More information can be found at dataconnectors.com/attend.

About Data Connectors
Since 1999, Data Connectors (dataconnectors.com) has facilitated collaboration between senior cybersecurity professionals, government/law enforcement agencies, industry luminaries, and solution providers. Today, the community comprises over 650,000 members and 250 active vendor partners across North America. Members enjoy informative education, networking and support via our award-winning Virtual Summits, live conferences, Web Briefings, and regular communications.

Data Protection and Privacy Tops Agenda at …

Press Releases Posted by Jen Greco on Feb 8, 2021

RCMP, Toronto Police C3 Look Toward 2021 Cybersecurity Trends, Alongside Expert Panels Covering AI, Defense-In-Depth, and the Current Threat Landscape 

TORONTO, ONTARIO, CANADA – JANUARY 18, 2021 Data Connectors, representing the largest cybersecurity community in North America, continues its industry-leading series of Virtual Summits, as the first major cybersecurity event in Canada for 2021.

The 2021 Canada-East Virtual Cybersecurity Summit will take place on Wednesday and Thursday, January 20-21, and is slated to allow the local community of cybersecurity professionals to gain insights and education regarding the latest updates and challenges in the industry, despite the continued effects of the COVID-19 crisis.

Headlining this two-day summit are three keynotes, from the heart of the nation’s cybersecurity law enforcement operation. Detective Constable Kenrick Bagnall of the Toronto Police Service’s Coordinated Cyber Centre, Director General Chris Lynam of the Royal Canadian Mounted Police’s National Cyber Crime Coordination (C3) Unit, and guest keynote Victoria Granova , President of the (ISC)² Toronto Chapter Board.

“It’s already a particularly interesting year, especially when you look at the SolarWinds supply chain compromise that’s having an impact on organizations around the world, but particularly in North America,” Bagnall said. “Our goal is to provide the support that our local community will need in order to stay secure and thrive in the given environment.”

The Summit will also feature industry expert presenters and virtual exhibits from cybersecurity solution providers, as well as live, topical expert panel discussions fielded by leading subject-matter experts. At the Summit, industry experts will dive into topics around identity and access management amid the rush to work from home in 2020, and the key trends on which Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) should most concern themselves in 2021 in panel discussions. 

Data Connectors, which has conducted physical conferences since 1999, rapidly responded to the COVID-19 crisis, moving its full schedule of planned events online. The cybersecurity community has in turn responded to the opportunity: more than twice as many people have signed up for the virtual regional events than had registered to attend the previously scheduled in-person meetings.

The Virtual Summit will also feature a live, interactive panel discussion, with some of the top CISOs and CIOs from organizations throughout the provinces of Eastern Canada. This week’s panelists include:

• Andrew Vezina – Vice President and Chief Information Security Officer for Equitable Bank
• Tony English – VP IT Risk, Butterfield Group
• Michael Ball – Chairman Of The Board for the International Association of Virtual CISOs
• Robert L. Godbout -CDO/CIO of Canada School of Public Service
• Rachel Guinto – AVP of Global Information Security Risk Management, Manulife

Attendees will ask questions and interact online with the CISOs, as well as each other and the organizations who will feature their solutions at the event. Featured solutions providers at this summit include Auth0, Attivo Networks, Ordr, Proofpoint, and many more.

The Summit will take place over two days, on Wednesday and Thursday, January 20-21, 2021 at 8:00 a.m. ET. Registration is free for qualified professionals, who can also obtain Continuing Professional Education (CPE) credits for participation. 

Data Connectors Virtual Summits continue to focus on the local and regional requirements for cities and regions across North America, with upcoming Summits taking place for Detroit and Indianapolis, Minneapolis and Des Moines, Ohio, Boston, and Southern California, and more.

More information can be found at dataconnectors.com/attend.

Canada’s Top Cyber Cops Help Business …

Press Releases Posted by Jen Greco on Jan 18, 2021

Department of Homeland Security, Industry Experts Comment on 2021 Trends, Directions, Continued Revelations on Government and Private Network Breaches Stemming from Russian Cyberattack

DENVER, CO. – JANUARY 6, 2021 Data Connectors, representing the largest cybersecurity community in North America, continues its industry-leading series of Virtual Summits, with over 15 past annual gatherings in the Salt Lake City and Denver areas.

The 2021 Salt Lake City and Denver Virtual Cybersecurity Summit will take place on Wednesday, January 13, and is slated to allow the local community of cybersecurity professionals to gain insights and education regarding the latest updates and challenges in the industry, despite the continued effects of the COVID-19 crisis.

Headlining this summit is Region VIII Cybersecurity Advisor David Sonheim from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). He will provide an overview of the active exploitation of the SolarWinds Orion software and how those events resulted in the establishment of a Cyber Unified Coordination Group (UCG) as a Government response. As well, he will discuss its extensive and lasting impact on both private industry and government agencies.

Sonheim, a Colorado native, will deliver his remarks, “Overview of the SolarWinds Supply Chain Compromise,” during the Summit’s main keynote on Wednesday.

“The key now is to build on our public and private partnerships by sharing information to assist the community in understanding their risk exposure while taking steps to identify and mitigate any further compromise,” Sonheim said. “For the keynote we’re going to step back and take a look at previous supply chain compromises, and review the timeline of the response efforts leading to the activation of the UCG as part of the National Cyber Incident Response Plan. By understanding the risk factors that drove these chain of events we can better work together across industry and Government to find a collaborative path forward as we respond to future events. So much of our nation’s critical infrastructure is in the hands of private industry partners which is why a collective approach is vital to its protection. CISA stands ready to help and provide advice to organizations, in partnership with numerous government agencies,” he added.

The Summit will also feature industry expert presenters and virtual exhibits from cybersecurity solution providers, as well as live, topical expert panel discussions fielded by leading subject-matter experts. At the Summit, industry experts will dive into topics around identity and access management amid the rush to work from home in 2020, and the key trends on which Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) should most concern themselves in 2021 in panel discussions. 

Data Connectors, which has conducted physical conferences since 1999, rapidly responded to the COVID-19 crisis, moving its full schedule of planned events online. The cybersecurity community has in turn responded to the opportunity: more than twice as many people have signed up for the virtual regional events than had registered to attend the previously scheduled in-person meetings.

The Virtual Summit will also feature a live, interactive panel discussion, with some of the top CISOs and CIOs from organizations throughout the Rocky Mountain region. This week’s panelists include:

• Dan Anderson, CISO and Privacy Officer, Lifescan
• Eric Sorenson, Chief Information Security Officer, doTERRA
• Steve Winterfeld, Advisory CISO, Akamai Technologies
• Dr. Ken Knapton, Senior Vice President & Chief Information Officer, Merrick Bank
• Niel Nickolaisen, Chief Information Officer, OC Tanner
• Navpreet Jatana, Deputy CISO, Zions Bancorporation
• Nathaniel “Peter” Walton, Chief Information Officer / Director of Communications, 76th Operational Response Command (OR)

Attendees will ask questions and interact online with the CISOs, as well as each other and the organizations who will feature their solutions at the event. Featured solutions providers at this summit include Attivo Networks, Cloudflare, Avanan, Capsule 8 and more.

The Summit will take place on Wednesday, January 13, 2021 at 8:00 a.m. MT. Registration is free for qualified professionals, who can also obtain Continuing Professional Education (CPE) credits for participation. 

Data Connectors Virtual Summits continue to focus on the local and regional requirements for cities and regions across North America, with upcoming Summits taking place for Eastern Canada, Detroit and Indianapolis, Minneapolis and Des Moines, Ohio, Boston, and more.

More information can be found at dataconnectors.com/attend.

About Data Connectors

Since 1999, Data Connectors (dataconnectors.com) has facilitated the collaboration between cybersecurity professionals and solution providers. Today, the community comprises over 650,000 members and 250 active vendor partners. Members enjoy informative education from industry luminaries, innovative solution providers and government agencies such as the FBI, InfraGard, US Secret Service and the Department of Homeland Security. Data Connectors brings live conferences to cities across North America each year, and also provides interactions with the community via Virtual Summits, Web Briefings, and regular communications.

SolarWinds Hack, Ransomware, Regulations Fi …

Industry News Posted by Jen Greco on Jan 6, 2021

Several members of the Data Connectors community, including companies like Security Scorecard, Rapid7 and Cybereason, are teaming up with industry leaders across government, academia, non-profit organizations and other private-sector organizations to form a Ransomware Task Force.

This group was organized by the Institute for Security and Technology (IST), who plans to convene the task force and begin work in January 2021. At that point, the organization will launch a website highlighting the leadership roles and complete list of members.

IST convened this group with the understanding that one organization or industry can’t face the ever-growing threat of ransomware attacks happening throughout the world. Such a task requires collaboration between public and private sectors, plus legal and academic scholars, insurance professionals and international organizations. 

“Ransomware incidents have been growing unchecked, and this economically destructive cybercrime has increasingly led to dangerous, physical consequences. Hospitals, school districts, city governments, and others have found their networks held hostage by malicious actors seeking payouts,” IST wrote in its blog, which announced the task force. “This crime transcends sectors and requires bringing all affected stakeholders to the table to synthesize a clear framework of actionable solutions, which is why IST and our coalition of partners are launching this Task Force for a two-to-three month sprint.”

The Institute cited its list of founding members to include the following:

Aspen Digital
Citrix
The Cyber Threat Alliance
Cybereason
The CyberPeace Institute
The Cybersecurity Coalition
The Global Cyber Alliance
McAfee
Microsoft
Rapid7
Resilience
SecurityScorecard
Shadowserver Foundation
Stratigos Security
Team Cymru
Third Way
UT Austin Strauss Center

Concerns surrounding ransomware are nothing new, but the threat has grown in the last year. The incidence and prevalence of ransomware attacks prompted the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to publish a new set of guidelines in September 2020. 

You can meet with any of our ransomware subject matter experts during one of the 2021 virtual summits. Click on the button below to join us for an upcoming summit.

Data Connectors Partners Join Multi-Sector …

Hot Topics in Cybersecurity Posted by Jen Greco on Jan 1, 2021

Regardless of your political take on those $600 stimulus checks (that may already be in some people’s accounts, per Treasury Secretary Steve Mnuchin), there’s one thing everyone can agree on: hackers will stop at nothing to get their hands on that cash.

Fraud-finding firm Bolster issued a report back in spring that found nearly 61,000 fake banking websites popped up following the promise of stimulus checks. Pair that with the 145,000 newly registered domains carrying some version of the phrase “stimulus check,” and you have an extremely unfortunate number of people getting drained of a much-needed lifeline. 

Check Point Software Technologies, a vital member of the Data Connectors community, also did some research on the topic. They published some examples of the phishing scams that were tricking unsuspecting people our of their stimulus and relief checks, and to grab their bank account information via phishing.

The research team with Check Point highlighted in their April 20th blog post on the topic:

These scam websites use the news of the coronavirus (Covid-19) financial incentives, and fears about Coronavirus to try and trick people into using the websites or clicking on links.  Users that visit these malicious domains instead of the official Government websites risk having their personal information stolen and exposed, or payment theft and fraud.

They found that there were 3.5 times more domains registered after Congress announced the first stimulus. So, how can you keep yourself safe from these scams?

One important thing to note is that the Treasury Department has made it clear that any communication about this pay-out will call it an Economic Impact Payment — the term “stimulus” or anything like it would not be used in any official capacity. 

Another tip: the IRS will never (ever, ever, ever) email, call or text you. Your check will be issued via direct deposit, or by the U.S. Post Office. That said, if you do get a random check in the mail with a suspicious amount (as well as instructions to call a number to get the money), don’t fall for it. Per the current bill, the checks include $600 payments for each individual that was claimed on your most recent tax return. Certain income brackets will receive different payments, but it’s very unlikely that these checks will contain cents.

What are some of the craziest scams you’ve heard of regarding the economic relief payments? Let us know in the comments below.

Hackers Want Your Stimulus Check. Here̵ …

Hot Topics in Cybersecurity Posted by Jen Greco on Dec 30, 2020

Finally — 2020 is almost over. But before you breathe that sigh of relief, ask yourself: Am I prepared for the impending changes to privacy compliance laws? Whether you’re a PI-pro, or wishing we were talking pie instead — stick around. Our team has a huge pile of resources for you to ring in the New Year with a stress-free compliance plan.

Let’s take a quick dive into the world of the complex world of California consumer protection laws.

Basics, Please. What are these acronyms?

CCPA is the California Consumer Privacy Act. CPRA is the California Privacy Rights Act.

Good start. What is CCPA?
CPRA was adopted in 2018, and chances are, you’re already compliant within your organization (particularly if you do a lot of business in California). But for the uninitiated, and per the Golden State’s Department of Justice, CCPA includes:

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.

Fair enough. So what’s the deal with CPRA?
The citizens of California voted for CPRA via a ballot measure on Nov. 3, 2020. It takes CCPA and, basically, bolsters it quite a bit. For you, this means taking a look at your current compliance in terms of protecting your clients’ privacy. CPRA is way more specific. 

Does CPRA replace CCPA?
Nope. It serves more to augment the initial law, rather than replace it. What’s the best way to break down the differences? Attend our upcoming Web Briefing — here’s a sneak preview of this session. Hear a conversation between Data Connectors Chief Strategy Officer Michael Hiskey and Spirion’s Scott Giordano from the Atlanta Virtual Cybersecurity Summit in the video below:

There are 49 other states aside from California, and I’m in one of them. Does this apply to me?

You have to meet one of three standards to fall under the law. 

1. Your business pulls at least half of your annual revenue from sharing or selling the personal information of California customers.
2. Your business has a gross revenue greater than $25 million
3. Your business buys/sells/shares the personal information of greater than 100,000 California customers or households. 

Remember — all you need is ONE of those three. That makes this legislation fairly far-reaching, much like many of the state’s consumer protection laws. 

For instance, anyone who has ever manufactured and sold a product to anyone in the U.S. knows that California laws strong-arm the entire industry into posting CA Prop. 65 warnings on, well, basically everything (we’re talking aloe vera, parking garages, and coffee). That means that even if you roast your coffee beans in Oregon, but sell it over state lines, you need to carry a Prop. 65 warning on your packaging. 

So, if you meet the criteria, welcome to the wild West Coast. You’re expected to comply with CPRA as well as its predecessor, CCPA. And, if your goal is customer happiness and good business practice, then it makes sense to adhere to these guidelines — even if you have a very small number of customers or clients from California.

The challenge is in preparing your business for CPRA compliance — and, in a hurry. The measure that passed in November is going into law on January 1, 2021. 

This is bigger than me. How do I learn more?
Fortunately, you don’t need a degree from a prestigious California law school to navigate these laws, because Spirion’s Scott Giordano already did that for you. Hop onto our Web Briefing on Dec. 17th at 2PM ET, and hear from Scott and a full panel of CISOs on how to help your business handle these changes and protect your customers’ data.

CCPA and CPRA 2.0: Navigate the California …

Hot Topics in Cybersecurity Posted by Jen Greco on Dec 8, 2020