October 4, 2021
GRF Cybersecurity Risk Assessment and Scorecard Blog Series
Securing the privacy of your organization’s employee and customer data is critical for maintaining the trust of members and donors – and is increasingly becoming a legal requirement.
What is information disclosure?
Information disclosure occurs when an application reveals sensitive information about its users. Depending on the type of information your organization keeps on its users, this disclosure could include anything from usernames and passwords to financial information. GRF’s Cybersecurity Risk Assessment and Scorecard will check to see if your organization is potentially disclosing too much information:
- Information disclosure controls: You can check whether internal IP addresses, email addresses, software version numbers, Whois records, or running services are being disclosed.
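As an added illustration, and not GRF's scorecard code, the Python check below flags three of the disclosure types listed above in a single HTTP response: software version strings in headers, private (RFC 1918) IP addresses in the body, and email addresses in the body. The sample response is constructed; Whois records and service enumeration are out of scope for this snippet.

```python
import re

# Constructed sample HTTP response (headers and body), not captured from any real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<html><body>
<!-- debug: backend at 10.0.3.17 -->
<p>Contact webmaster@example.org for help.</p>
<p>Public address 203.0.113.5 is fine to show.</p>
</body></html>"""

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# "Product/1.2.3" style tokens, e.g. Apache/2.4.29
VERSION = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")
# Headers that commonly leak the software stack (lower-cased for comparison)
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def find_disclosures(headers, body):
    """Return the disclosures found in one response, grouped by category."""
    found = {"versions": [], "private_ips": [], "emails": []}
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS:
            found["versions"].extend(VERSION.findall(value))
    found["private_ips"] = sorted(set(PRIVATE_IP.findall(body)))
    found["emails"] = sorted(set(EMAIL.findall(body)))
    return found


def has_disclosure(found):
    """True if any category contains at least one finding."""
    return any(found.values())


if __name__ == "__main__":
    result = find_disclosures(SAMPLE_HEADERS, SAMPLE_BODY)
    for category, items in result.items():
        print(f"{category}: {items}")
```

Internal IPs in comments and version banners in headers are the usual remediation targets: strip them from templates and configure the web server not to advertise its version.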
The European Union enacted General Data Protection Regulation (GDPR) laws in 2018 to require organizations to protect the personal information they collect. It sets the guidelines for both the collection and processing of personal information for individuals in the European Union. If a user from the European Union accesses your website and you store their information, you are liable and need to be compliant with GDPR.
Data Collection Policy: GDPR lists six principles of data protection, indicating how information should be collected and maintained.
- The information must be gathered legally and transparently
- Gathered for specific reasons
- No more than is necessary for the stated purpose can be gathered
- Accurate information
- Held for a limited time
- Processed in a secure way
To be GDPR compliant, you must disclose how you collect the data, what data is being collected, how the data is stored, how the data is used, data rights, and how you share and disclose information to third parties. All of these items need to be noted within your policy – and they must be followed. If your organization does business in the European Union and does not comply with GDPR, you could face legal liabilities.
Growing U.S. Privacy Legislation
Most recently, Virginia passed the Consumer Data Protection Act (CDPA) that will be effective starting January 1, 2023. While similar to the California Consumer Privacy Act (CCPA) above, there are some key differences.
- The CDPA’s opt-out rights include the right to opt-out of not just sales of personal data but also certain profiling activities and targeted advertising.
- The CDPA’s provisions requiring consent before processing sensitive data (i.e. affirmative opt-in) are significantly broader and more restrictive than the CCPA’s current requirements.
- The CDPA requires that businesses conduct Data Protection Assessments (similar to GDPR’s requirement for data protection impact assessments).
How GRF Can Help
For more information about GRF’s Cybersecurity Risk Assessment and Scorecard, reach out to our Senior IT & Risk Analyst Darren Hulem, CISA, Security +, PCIP, or Risk Analyst Tom Brown, CAPM, through our contact us page.
For further reading, check out our sources: