NIG California Consumer Data Protection Act (CCPA) Certification Program and Additional Compliance Certification Programs including: GDPR, PCI, and ADA
These NIG programs will offer companies that need to comply with the new CCPA regulation, taking effect in January 2020, a roadmap to compliance and solid legal defense should a company be investigated via a “privacy right of action” complaint filed with the California Attorney General’s office. NIG also offers compliance certification programs for GDPR, PCI, and ADA Regulations.
In an effort to give consumers more control over their data, the European Union enacted a piece of legislation called the General Data Protection Regulation (GDPR) in 2018. The GDPR establishes a set of standards that enforce better processes and procedures regarding the collection and sharing of EU citizens’ data. These standards are to be adopted in the EU but will also extend internationally to all companies that collect or process the data of EU citizens.
While the GDPR affects U.S. companies, there had been no similar legislation enacted in the U.S. That changed on January 1, 2020, when the California Consumer Privacy Act of 2018 (CCPA) went into effect. Though similar in intent, the CCPA is not a carbon copy of the GDPR, and it will require different measures in order to obtain and maintain compliance.
Who is Liable for California Consumer Privacy Act (CCPA) Compliance?
The CCPA will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) process more than 150 unique credit card transactions in a month; or (c) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (d) derive 50 percent or more of their annual revenues from selling California residents’ personal information. The Act also draws in corporate affiliates of such businesses that share their branding. That means that not-for-profits, small companies, and those that do not traffic in large amounts of personal information and do not share a brand with an affiliate covered by the Act will not have to comply with the Act.
The Act’s provisions are designed to put consumers’ privacy rights into practice. The Act requires that companies make certain disclosures to consumers via their privacy policies, or otherwise at the time the personal data is collected. For example, businesses need to proactively disclose the existence and nature of consumers’ rights under the Act, the categories of personal information they collect, the purposes for which that personal information is collected, and the categories of personal information that were sold or disclosed in the preceding 12 months. In terms of compliance, these provisions will require companies to determine what personal data they are collecting from individuals and for what purposes, and to update their privacy policies every 12 months to make the disclosures the Act requires.
Companies that sell consumer data to third parties will need to disclose that practice and give consumers the ability to opt-out of the sale by supplying a link titled “Do Not Sell My Personal Information” on the business’s home page. This is known as the right to “opt-out.” The Act further provides that a business must not sell the personal information of consumers younger than 16 years of age without that consumer’s affirmative consent (or, for consumers younger than 13 years of age, without the affirmative consent of the consumer’s parent or guardian). This is known as the right to “opt-in.”
Consumers also have the right to request certain information from businesses, including, for example, the sources from which a business collected the consumer’s personal information, the specific pieces of personal information it collected about the consumer, and the third parties with which it shared that information. The Act requires businesses to provide at least two means for consumers to submit requests for disclosure, including, at minimum, a toll-free telephone number and a website. Additionally, businesses will have to disclose the requested information free of charge within 45 days of receipt of a consumer’s request, subject to possible extensions of this time frame. Companies therefore will need to determine how they can monitor their data sharing practices and marshal the requested information within a short period of time in response to a data subject’s request.
The Act also forbids businesses from “discriminating” against consumers for exercising their privacy rights under the Act. More specifically, that means businesses cannot deny goods or services, charge different prices for goods or services, or provide a different quality of goods or services to those consumers who exercise their privacy rights. However, the Act does permit businesses to charge a different price, or provide a different level of service, to a customer “if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” How this confusingly-worded loophole will be interpreted remains to be seen.
The NIG CCPA compliance certificate program
NIG can immediately help get your organization into compliance with the CCPA by conducting a CCPA Information Security Audit and Risk Assessment to gather the factual knowledge required to effectively manage your information risk and bring your organization into CCPA compliance. This is combined with our five additional steps, designed to fortify your organization against cyber threats and to defend against any “privacy right of action” complaint filed against your organization.
To maximize the value of the NIG Information Security Risk Assessment, NIG will work with your Information Security Management and Leadership Team to carry out an Information Security Audit and Risk Assessment in accordance with NIG’s and your documented procedures that include:
- Criteria for identifying, evaluating, and categorizing identified cybersecurity risks and threats
- Criteria for assessing the adequacy of existing controls in the context of identified risks
- Criteria for deciding how identified risks are to be managed and how the information security management program is to address the risks
As input to the assessment, NIG and your Information Security Management and Leadership Team will learn:
- What information do we have that we are legally required to protect? What documents define how we must protect it?
- What information do we as an organization have that we want to protect?
- What audits are we preparing for? What controls do they expect?
We will conduct your assessment against your current Information Security Management Policies and Standards and address any deficiencies. For each policy statement and each standard, NIG and your Information Security Management and Leadership Team will learn:
- Are you in compliance with the policy?
- How well are we meeting the standards?
- How critical is meeting the standards?
- What is the information risk in not fully meeting the standard?
- What are we going to do about it?
At the conclusion of the assessment step, NIG and you will have a complete evaluation of all your organization’s IT hardware, software, connectivity and security processes. An outline of your organization’s AS-IS IT infrastructure will be developed.
The recommendation step is an evaluation of your organization’s AS-IS IT environment and the development of a roadmap of all of the upgrades to hardware, software, firmware, applications, connectivity, databases, and cybersecurity tools that will be necessary for your organization to be in compliance with the CCPA. Among the risks evaluated for your organization are:
- What are the threats to which your data is exposed?
- Who are the threat actors we must defend against? How sophisticated are they likely to be?
- How are they likely to attack your organization?
- Where are your organization’s major vulnerabilities?
The implementation step is the implementation of all of the upgrades outlined in the NIG recommendations roadmap, followed by an audit confirming that they have been completed. Once the recommendations are implemented and the audit has been conducted, NIG will issue a certificate documenting that all the steps your organization has taken to be in full compliance with the CCPA have been completed. Your organization will also receive a copy of NIG’s master file documenting all of the actions taken, policies implemented, and procurements that were made to bring the organization into compliance.
The monitoring step is the creation of a policy and procedures manual for your organization to use on an ongoing basis and for internal training, to keep staff current, continuously following best practices for compliance, and using the tools that keep your IT infrastructure secure. This step also includes ongoing monitoring, including an annual audit showing that your organization is staying in full compliance with the requirements of the CCPA.
NIG Offers Compliance Audit Services for GDPR, PCI DSS, HIPAA, and ADA
NIG can immediately help get your organization into compliance with other related data security regulations, including the European Union’s General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). Just like the NIG process for the CCPA, NIG’s compliance methodology starts by conducting an Information Security Audit and Risk Assessment to gather the factual knowledge required to effectively manage your information risk and bring your organization into GDPR and/or PCI DSS compliance, combined with our five additional steps designed to fortify your organization against cyber threats.
Who is Liable for Payment Card Industry Data Security Standard (PCI DSS) Compliance?
PCI DSS must be implemented by all entities that process, store or transmit cardholder data from the major credit card brands (Visa, Mastercard, American Express). Businesses that process, store or transmit cardholder data are subject to periodic audits conducted by the Payment Card Industry Security Standards Council. The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives”. The six groups are:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Under PCI DSS’s requirements, merchants and financial institutions are required to protect their clients’ sensitive data with strong cryptography. Non-compliant solutions will not pass an official PCI DSS audit conducted by the Payment Card Industry Security Standards Council.
NIG offers a service to facilitate that your organization is PCI DSS compliant
Continuous monitoring and review is a necessary part of the process of reducing PCI DSS cryptography risks. This includes maintenance schedules and predefined escalation and recovery routines for when security weaknesses are discovered. NIG has specialists who will work with your IT management team to ensure that your firm is compliant with all of the PCI DSS information security requirements.
Who is Liable for HIPAA Law Compliance?
Before reviewing the law itself, it’s helpful to know which organizations are responsible for implementing the Health Insurance Portability and Accountability Act (HIPAA) standards. Covered entities (CE) under HIPAA include healthcare providers, health plans, and healthcare clearinghouses. Most components of HIPAA also apply to any business associate (BA) of a covered entity, meaning any third party who handles PHI in providing a service for a CE. A BA, for example, could be an external administrator who processes claims or a CPA firm that must access protected data to execute its accounting services.
Failing to understand or properly implement HIPAA standards doesn’t absolve your company of the consequences. In fact, under HIPAA, institutions can be fined up to $50,000 per offense for a “Tier 1” violation, meaning the non-compliant organization was “unaware of the HIPAA violation and by exercising due diligence would not have known HIPAA Rules had been violated.” The tiers increase in proportion to the severity, and the willfulness, of the violation. A Tier 4 offense bears a penalty of $50,000 per violation with a maximum of $1.5 million per year. There are two important IT-related aspects of the HIPAA privacy and security standards that you will need to dissect: the HIPAA Privacy Rule and the HIPAA Security Rule.
Basics of the HIPAA Privacy Rule
According to the HHS, the Privacy Rule requires that “individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare and to protect the public’s health and wellbeing.” This rule suggests there is a balance between protecting the information and using the information for necessary reasons.
What is the HIPAA Security Rule?
A logical corollary to the Privacy Rule, the Security Rule establishes standards for how organizations should protect electronic personal health information (ePHI). To secure ePHI, organizations must institute three types of protective measures as specifically outlined by HIPAA: administrative safeguards, physical safeguards, and technical safeguards.
NIG offers a service to facilitate that your organization is HIPAA compliant
Every organization required to comply with HIPAA needs to take these regulations seriously. NIG can help implement and execute a compliance strategy that effectively safeguards ePHI. Everyone from business administrators to general employees to the entire IT department needs to understand their role in upholding HIPAA standards. For the IT department, investing in the right hardware, software, and solutions partner is a cost-effective way to ensure you’re doing as much as possible to stay in compliance.
Who is Liable for The Americans with Disabilities Act (ADA) Website Compliance?
- Title III of the Americans with Disabilities Act (ADA) is being interpreted to include websites as “places of public accommodation”
- Websites with significant inaccessible components can be seen as discriminatory against persons with disabilities, in violation of Title III of the ADA
- The ADA is a strict liability law which means there are no excuses/defenses for violations (e.g. ignorance, web developer is working on it, etc.)
- No current legal prescription exists for web accessibility for private entities in the U.S. but WCAG 2.0 AA is frequently referenced by courts
- Multiple authoritative sources state that you have flexibility in how you approach accessibility
- Plaintiff’s lawyers will continue to file ADA lawsuits as fast as they can in 2020
- U.S. courts and the Department of Justice (DOJ) have continually referenced the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA success criteria as the standard for gauging whether websites are accessible. The WCAG 2.0 AA success criteria comprise 38 requirements (including Level A), each individually referred to as a success criterion.
- If you read through any lawsuits or past DOJ Title III website actions, you will see that the best practice is to bring your website into conformance with WCAG 2.0 AA.
NIG offers a service to facilitate that your Website is ADA compliant
Accessible sites present information through multiple sensory channels, such as sound and sight, and they allow for additional means of site navigation and interactivity beyond the typical point-and-click interface: keyboard-based control and voice-based navigation. The combination of a multi-sensory approach and a multi-interactivity approach allows disabled users to access the same information as non-disabled users. Many sites that are built to be accessible lose their level of compliance as soon as the first update is implemented. After just one year, entire sections of the site become non-compliant. This happens as software on your site is updated for feature enhancements, bug fixes, and security updates. These changes and additions do not undergo accessibility adjustments, which in turn creates “accessibility gaps” on the site.
WordPress updates happen about twice a month on average, and the plugins that are used to add functionality to the site are also regularly updated. The more updates that occur, the more gaps the website has. This results in the site becoming non-compliant in about 6 to 12 months.
We see this happen every day on websites that have paid thousands of dollars to be compliant, and because our clients hold us responsible, we needed to find a way to address the issue. As a result, we did not frequently offer ADA compliance unless specifically requested by a client.
We have worked with our partners to provide a solution that doesn’t need NIG to audit and analyze your website constantly, since that cost would become prohibitive. So, NIG now offers a solution that uses Artificial Intelligence (AI) and machine learning technologies to do exactly that.
These AI technologies scan, analyze, and decipher your website every 48 hours, thereby assuring you that your site is compliant and accessible at all times, regardless of any updates you may post, or that we may make to the WordPress software used to build your site.