October 4, 2021

GRF Cybersecurity Risk Assessment and Scorecard Blog Series

GRF Cybersecurity Risk Assessment and Scorecard - Privacy

Next post: SSL/TLS Strength

Securing the privacy of your organization’s employee and customer data is critical for maintaining the trust of members and donors – and is increasingly becoming a legal requirement.

What is information disclosure? 

Information disclosure occurs when an application reveals sensitive information about its users. Depending on the type of information your organization keeps on its users, this disclosure could include anything from usernames and passwords to financial information. GRF’s Cybersecurity Risk Assessment and Scorecard will check to see if your organization is potentially disclosing too much information:

  1. Information disclosure controls: These check whether local IP addresses, email addresses, software version numbers, Whois records, or running services are being disclosed.
  2. Data collection policy controls: This feature compares your organization's privacy policy against the EU General Data Protection Regulation (GDPR) and other regulatory requirements. As data protection requirements expand, many organizations must be GDPR compliant.
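As an added illustration of the information disclosure checks in item 1 (this is example code, not GRF's scorecard), the following Python self-check inspects a constructed HTTP response for version-bearing banner headers, internal IP addresses and email addresses. The header list and the internal address ranges are assumptions, not something the scorecard documents.

```python
import ipaddress
import re

# Constructed sample HTTP response; not output from GRF's scorecard.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><!-- backend node 10.0.12.7 --><body>"
    "<p>Contact webmaster@example.org or 203.0.113.5.</p></body></html>"
)
# Banner headers to inspect (assumed list, not exhaustive) and internal ranges.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def split_response(raw):
    # Return (lower-cased header dict, body) from a raw HTTP response.
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_version_disclosure(headers):
    """Banner headers whose value carries a version token such as 2.4.41."""
    return {h: v for h, v in headers.items()
            if h in VERSION_HEADERS and re.search(r"\d+\.\d+", v)}

def find_internal_ips(text):
    """Internal-range addresses leaked in the body; public IPs are ignored."""
    hits = []
    for cand in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if any(ip in net for net in INTERNAL_NETS) and cand not in hits:
            hits.append(cand)
    return hits

def find_emails(text):
    return sorted(set(EMAIL_RE.findall(text)))

def assess(raw=SAMPLE_RESPONSE):
    headers, body = split_response(raw)
    return {"version_headers": find_version_disclosure(headers),
            "internal_ips": find_internal_ips(body),
            "emails": find_emails(body)}
```

Run against a captured response from your own site, the findings map directly onto the disclosure items the scorecard reports; a hit in version_headers is typically fixed by turning off the server's banner, and a hit in internal_ips or emails by removing the text from templates and comments.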

Why you need a privacy policy

The European Union enacted General Data Protection Regulation (GDPR) laws in 2018 to require organizations to protect the personal information they collect. It sets the guidelines for both the collection and processing of personal information for individuals in the European Union. If a user from the European Union accesses your website and you store their information, you are liable and need to be compliant with GDPR.

Data Collection Policy: GDPR lists six principles of data protection, indicating how information should be collected and maintained.

  1. The information must be gathered lawfully and transparently
  2. Gathered for specific, stated purposes
  3. Nothing more than is necessary for those purposes can be gathered
  4. Kept accurate
  5. Held for a limited time
  6. Processed in a secure way

To be GDPR compliant, you must disclose how you collect the data, what data is being collected, how the data is stored, how the data is used, what rights users have over their data, and how you share and disclose information to third parties. All of these items need to be noted within your policy – and they must be followed. If your organization does business in the European Union and does not comply with GDPR, you could face legal liabilities.

Growing U.S. Privacy Legislation

In the U.S., there are many federal and state regulations surrounding the protection of personal data. Some of the more common regulations are HIPAA (protection of personal health information), the Children’s Online Privacy Protection Act (COPPA – the privacy policy must be clear about the information collected from users under 13 years of age), and the Gramm-Leach-Bliley Act (organizations engaged in financial activities must give clear statements about their information-sharing practices).

States are starting to enact regulations as well. For example, California passed a regulation requiring online services that collect personal information to post a privacy policy and comply with its content, including identifying the personally identifiable information (PII) collected, the third parties the information will be shared with, and more. It also requires a section about how the website responds to “Do not track” signals from web browsers.

Most recently, Virginia passed the Consumer Data Protection Act (CDPA) that will be effective starting January 1, 2023. While similar to the California Consumer Privacy Act (CCPA) above, there are some key differences.

  • The CDPA’s opt-out rights include the right to opt-out of not just sales of personal data but also certain profiling activities and targeted advertising.
  • The CDPA’s provisions requiring consent before processing sensitive data (i.e. affirmative opt-in) are significantly broader and more restrictive than the CCPA’s current requirements.
  • The CDPA requires that businesses conduct Data Protection Assessments (similar to GDPR’s requirement for data protection impact assessments).

How GRF Can Help

With the increased emphasis on privacy, your organization must evaluate how you are collecting, using, storing, and transmitting data. With more states beginning to pass legislation, your organization may need to comply. At GRF, our Cybersecurity Risk Assessment and Scorecard can help to evaluate your current information disclosure compliance to help prepare you for the changing privacy landscape. GRF also offers privacy policy reviews and support for creating a compliant privacy policy.

For more information about GRF’s Cybersecurity Risk Assessment and Scorecard, reach out to our Senior IT & Risk Analyst Darren Hulem, CISA, Security+, PCIP, or Risk Analyst Tom Brown, CAPM, through our contact us page.

For further reading, check out our sources:
Why You Need a Privacy Policy – Part 2: Avoiding Three Common Fumbles from Snell & Wilmer


GRF Cybersecurity Risk Assessment and Scorecard
The digital transformation happening in the workplace requires heightened awareness of your organization’s cybersecurity posture. Managing the risks has become another full-time job. The GRF Cybersecurity Risk Assessment and Scorecard helps identify possible weaknesses and vulnerabilities by evaluating risk in 20 different categories. The scorecard will evaluate your cyber posture, propose remediation steps, and help eliminate vulnerabilities that your organization is facing.