Duo Provides Technical Controls for Compliance With Privacy Laws
You might recall this time last year, when it seemed like every app and website began sending messages asking users to opt in to updated privacy policies. The rush to collect user consent was not prompted by a sudden concern for end-user privacy. It was a mandate of the European General Data Protection Regulation (GDPR), which requires every company that collects or processes the personal data of EU residents to give those users more control over their digital privacy.
Sweeping data privacy laws modeled on GDPR are now making their way to the United States. Shortly after GDPR went into effect, the California legislature passed the California Consumer Privacy Act (CCPA), which mirrors many of GDPR’s principles. This law goes into effect on January 1, 2020.
The CCPA requires that organizations implement and maintain “reasonable security procedures and practices” to prevent “unauthorized access and exfiltration, theft, or disclosure” of users’ personal information. Failing to enact such safeguards could expose a company to private lawsuits seeking statutory damages of up to $750 per consumer per incident of unauthorized access, exfiltration, theft, or disclosure. In addition, the CCPA grants the California Attorney General authority to levy civil penalties of up to $7,500 per violation. Such penalties may prove significant given the volume of complaints privacy laws generate: in GDPR’s first year alone, the International Association of Privacy Professionals reported over 100,000 complaints about companies violating the regulation. Failing to implement technical controls that verify users and the health of the devices accessing critical applications storing sensitive data may mean paying millions of dollars in damages, fines, and litigation costs.
How Can Businesses Reduce Their Risk Surface?
To prepare for the CCPA, businesses should implement focused technical controls as part of their security practice. Such controls should allow an organization to:
- Confirm the identity of users and the health of their devices before granting access to personal data
- Gain visibility into both managed and unmanaged devices
- Know the security posture of unmanaged devices that access sensitive information
- Enforce policies that block access to critical applications and data from unauthorized sources
- Restrict access to applications with per-application access policies
- Control what a remote contractor or device can reach, to protect the rest of the network
- Log all access attempts to applications for audit and reporting
How Can Duo Help?
Multi-Factor Authentication - Duo verifies users’ identities with strong two-factor authentication before granting access to applications that may contain personal information. This protects user identities and ensures that only authorized users are able to access PI/sensitive data, even if a password has been phished or reused.
Device Visibility - Duo gives IT teams visibility into which corporate-managed and unmanaged devices are accessing company applications and data. With that inventory in hand, organizations can set security policies that protect their sensitive resources rather than guessing at what is connecting.
Trusted Endpoints - Duo checks whether a device is known and trusted before granting access, so organizations control both who and what can reach PI/sensitive data. By leveraging Trusted Endpoints, organizations can ensure that only healthy, trusted devices gain access to sensitive resources while unknown or unauthorized devices are blocked.
Access Policies - Enforcing strong policies ensures that only trusted, authorized users on healthy devices can access critical business applications and the data they store, while unauthorized access is blocked. Because policies are enforced at the application level, organizations can apply stricter requirements to critical corporate apps (e.g., ERP) than to generic work apps (say, a cafe menu).
Reporting/Audit - Duo helps businesses demonstrate compliance during audits with automated reporting of which users and devices accessed which applications, and when.
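To make the controls above concrete, here is a small per-application policy evaluator that combines the checks this section describes: an MFA result, a managed/unmanaged device flag, a device health check, and an audit record for every attempt. This is an added illustration and is not Duo’s code or API; the application names, device attributes, policy fields, and the sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    # Assumed device posture attributes; a real deployment would collect
    # these from an endpoint agent or MDM, not from the client.
    managed: bool
    os_patched: bool
    disk_encrypted: bool
    screen_lock: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool   # result of the second-factor step, already completed
    app: str
    device: Device


@dataclass(frozen=True)
class AppPolicy:
    require_mfa: bool = True
    require_managed_device: bool = False
    require_healthy_device: bool = False


@dataclass(frozen=True)
class AccessResult:
    decision: Decision
    reasons: Tuple[str, ...]   # every failed check, not just the first


# Hypothetical per-app policies: the critical app (ERP) demands everything,
# the low-value app (cafe menu) demands nothing beyond a known user.
POLICIES: Dict[str, AppPolicy] = {
    "erp": AppPolicy(require_mfa=True, require_managed_device=True, require_healthy_device=True),
    "cafe-menu": AppPolicy(require_mfa=False),
}

# Fail closed: an application with no explicit policy gets the strictest one.
DEFAULT_POLICY = AppPolicy(require_mfa=True, require_managed_device=True, require_healthy_device=True)


def device_is_healthy(device: Device) -> bool:
    """Minimal hygiene bar: patched OS, encrypted disk, screen lock enabled."""
    return device.os_patched and device.disk_encrypted and device.screen_lock


def evaluate(req: AccessRequest, audit_log: List[dict]) -> AccessResult:
    """Apply the app's policy to the request and append an audit record."""
    policy = POLICIES.get(req.app, DEFAULT_POLICY)
    failed: List[str] = []

    # Evaluate every check rather than short-circuiting, so the audit record
    # explains the full posture gap and an admin can see all of it at once.
    if policy.require_mfa and not req.mfa_passed:
        failed.append("mfa_required")
    if policy.require_managed_device and not req.device.managed:
        failed.append("unmanaged_device")
    if policy.require_healthy_device and not device_is_healthy(req.device):
        failed.append("unhealthy_device")

    result = AccessResult(
        decision=Decision.DENY if failed else Decision.ALLOW,
        reasons=tuple(failed) if failed else ("policy_satisfied",),
    )
    # Every attempt is logged, allowed or denied, which is what an audit needs.
    audit_log.append({
        "user": req.user,
        "app": req.app,
        "managed_device": req.device.managed,
        "mfa_passed": req.mfa_passed,
        "decision": result.decision.value,
        "reasons": list(result.reasons),
    })
    return result


def run_demo() -> List[dict]:
    """Constructed sample requests; returns the audit log they produce."""
    healthy_managed = Device(managed=True, os_patched=True, disk_encrypted=True, screen_lock=True)
    healthy_byod = Device(managed=False, os_patched=True, disk_encrypted=True, screen_lock=True)
    stale_laptop = Device(managed=True, os_patched=False, disk_encrypted=True, screen_lock=True)

    log: List[dict] = []
    evaluate(AccessRequest("alice", True, "erp", healthy_managed), log)      # allow
    evaluate(AccessRequest("bob", True, "erp", healthy_byod), log)           # deny: unmanaged
    evaluate(AccessRequest("bob", False, "cafe-menu", healthy_byod), log)    # allow: low-value app
    evaluate(AccessRequest("carol", True, "payroll", stale_laptop), log)     # deny: unknown app, unpatched
    return log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Two design choices matter here. The default policy is the strictest one, so adding a new application without a policy cannot silently open it to unmanaged or unhealthy devices. And the evaluator records every failed check instead of stopping at the first, which makes the audit trail useful for reporting and for telling a user exactly what to fix.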
The Future of Privacy Legislation
A recent study by nCipher Security found that data protection and privacy are becoming top-of-mind for many U.S. citizens. More than half of Americans said data privacy is important to them. Forty-one percent said that protecting their personal information is their top concern, and thirty-two percent said that safeguarding their personal data is as important to them as their own physical safety. While California is at the forefront of passing state-level restrictions, many other states have passed or are attempting to pass similar laws. One thing is certain: data protection and privacy laws are proliferating at an unprecedented rate.
Organizations should start reviewing their existing security policies today and consider adopting a zero trust security approach to protect their workforce. Verifying every user and every device before granting access, regardless of network location, helps future-proof an environment against evolving data protection laws.
Learn more about how our Zero Trust approach for the Workforce can help your organization get ahead of privacy legislation and protect your sensitive data. Start your free trial.