Get My Score

Regulatory Compliance


Actions to Take and Verifying Your Readiness

This is part 2 of a two-part series on CCPA readiness.  Read Part 1.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

What action should you take?

The GDPR and now the CCPA seem to be part of a wider trend towards greater individual data privacy and so it would be wise to prepare for further legislation and reassess your strategy with regards to personal data collection.

Begin by fully mapping all the personal data you collect and make sure that you know precisely how it is collected, how it’s used, who it’s shared with, and where it’s stored. Interrogate the reasons behind your data collection. If there’s no clear business benefit, then you may want to reconsider collecting that data in the first place.

Put processes in place so that your systems can securely handle data requests in a timely manner. Remember that you’ll need to provide access to data, delete data when required, and share specific information on the sharing or sale of any personal information. Allowing opt-outs on the sale or sharing of data may also require tweaks to your existing systems and/or end-user agreements.

The law requires that the business provides consumers with two or more designated methods for submitting requests for information.  A minimum requirement is a toll-free telephone number and if the business has an Internet Web Site, a website address.  In addition, the business must update its online privacy policy, and/or any California-specific description of consumer’s privacy rights and these updates must be done at least once every 12 months.  The Business is required to provide a clear and conspicuous link on the Business’ Internet homepage titles “Do Not Sell My Personal Information” that allows the consumer, or a person authorized by the consumer to opt out of the sale of the consumer’s personal information for 12 months (Note: Business can require the consumer to opt out after every 12 months).  The law requires that the request be submitted through a password-protected account maintained by the consumer if the consumer maintains an account with the business or that the business allow information request through the business’ authentication of the consumer’s identity.

Businesses and their data service providers will be required to implement technical safeguards and business processes that prohibit reidentification of the consumer to whom the information may pertain.  This will be a major burden to organizations that do not already have these controls in place.

Verify your readiness

Along with redesigning your data handling rules and systems you should update all policies pertaining to data and be prepared to train any employees who might be responsible for data. It’s not enough to ensure compliance internally, you also need to reach out to third parties and partners to ensure they follow suit.

Expect to update your systems and applications to implement additional data controls and/or monitoring of data access.  Implement new technical safeguards and business processes to prohibit reidentification of the consumer who has opted out.

Greater transparency in how personal data is collected and used is a good thing for consumers, but it also presents security challenges, so make sure you factor that in. With new policies, systems, and training in place, it’s advisable to complete a full audit that encompasses internal and external systems. Test for different scenarios and ensure that you’re in compliance with the new rules well before they come into effect.

If the Business plans to continue maintaining consumer personal information, then it would be best to have all the data encrypted at rest with the ability to de-identity the data if requested.

Expect to move from a compliance validation framework to a continuous security monitoring approach to establish your CyberPosture that can be reported daily.



California Privacy Act

Does the CCPA Apply to You and Consumer Rights

This is part 1 of a two-part series on CCPA readiness.  Read Part 2.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

The dust has barely settled on the GDPR and businesses have new legislation to worry about. The California Consumer Privacy Act (CCPA) stipulates that California residents should have greater access to and control over personal information held by businesses (Note: this excludes financial services, healthcare, and/or other regulated businesses).  The law seems targeted to online social media firms.

Non-compliance carries civil penalty fines of up to $7,500 for each violation for any person, business, or service provider that intentionally violates this law.  Individuals can claim up to $750 per incident in damages (minimum is $100) if the business/service provider transgressor does not rectify any issue after being given 30 days to rectify the issue (the "business" can request additional time to resolve the matter).  Note: All legal actions need to be brought by the California Attorney General and only if there is no action after six months can an "individual" bring their own legal action against the transgressor.

INTERESTING FACT: This law formally places responsibilities and liabilities on the data service processors as well.  This is a major change.  Traditionally, non-regulated data service processors were required to comply based on business contract language while this law codifies their role.  Note: Financial Services data processors do have FFIEC defined responsibilities but does not have defined consumer liabilities.

CCPA is due to come into effect on January 1, 2020, so now is the time to assess exposure and start working towards compliance.

Does the CCPA Apply to you?

The new legislation applies to you if you have a for-profit business (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California and that falls into one of these categories:

  • Annual gross revenue more than $25 million;
  • Process the personal information of 50,000 or more California residents, households, or devices every year (Note: Definition of a device is any physical object that is capable of connecting to the Internet [directly or indirectly] or another device – i.e. think of a USB stick; mobile phone; vehicle diagnosis information; etc.);
  • Derives at least 50 percent of gross revenue by selling personal information; or
  • Any entity that controls or is controlled by a business that has the power to exercise a controlling influence over the management of a company.

It doesn’t matter where your business is located, but there are some exclusions pertaining to information that’s already covered by other Federal laws such as GLBA (mainly Financial Services firms); HIPAA or CMIA for health data; and/or CA Driver Privacy laws.

The definition of personal information for the CCPA is quite broad and covers anything that “could be reasonably linked, directly or indirectly, with a particular consumer,” so it’s best to take a cautious approach and cover as much data as possible.

This law does not require the business to retain any personal information if there is only a single, one-time transaction, and the information is not sold or retained by the business.

Third parties that purchased consumer data are restricted from selling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

If a business collects consumer data but is unaware of the consumer’s age then the business is considered to know the consumer age and be required to have the consumer to opt-in for usage of the data.

New Consumer Rights

The new law enshrines a few fundamental rights for consumers to access the information that companies hold on them and to control what is collected, stored, and shared within the previous 12-months (Note: This can be done twice in any 12-month period at no cost but after that the "company" can charge for additional requests). Consumers can find out exactly what data a business has collected, they can prevent the sale of that data, and they have the right to delete it (Note: There are defined purposes that allow the company to maintain your data even if you request that it be deleted – example: Data Breach investigation).

The law was very specific of the identifiers included: real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, e-mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  The other items that may be new to businesses:

  • Products and/or services purchased, obtained, or considered or other purchasing or consuming histories or tendencies;
  • Biometric information that includes an individual’s physiological, biological, or behavioral characteristics, including an individuals deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data, to establish individual identity, In addition, Biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein pattern, and voice recordings from which an identifier template can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; sleep, health or exercise data that contain identifying information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available personal information per the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

The law also restricts the business from storing personal information a consumer when the consumer is in California then collecting (extracting) that personal information when the consumer and the stored personal information is outside of California.  Examples: Mobile Phone, Tablet, Electronic Reader, etc.

Businesses will also have to inform consumers when they intend to change data collection processes, share details on which categories of third parties have access to data, and elucidate on the business or commercial reasons for collecting it in the first place.   In addition, this law limited the usage of the consumer data to the stated purposes.

The legislation also introduces a strict opt-in requirement for minors, so businesses need to obtain parental consent to sell personal information belonging to anyone aged 16 years or under. There’s also protection against businesses trying to get consumers to sign waivers or otherwise discriminating against consumers who decide to opt out of any future sale of their personal data.

Note: The Business can charge the consumer a different price or rate, or provide a different level of quality good or service if the difference is reasonably related to the value provided by using the consumer’s data.

IMPORTANT: Sales of personal information to or from a consumer reporting agency (i.e. Equifax, Trans Union, Experian, etc.) is excluded from this law.  This is cover under Federal Law (Fair Credit Reporting Act).



A Catch-up Plan for Technical Controls

In under 60 days, the GDPR regulation officially takes effect in the EU, and will impact companies well beyond Europe’s borders.  As a reminder, on May 25 the GDPR will replace the EU’s existing privacy regulation, and in a nutshell, data protection is now by design and by default.  And, data includes both personal and professional information.  A major point is the ‘right to be forgotten,’ and some of the controversies around Google and Facebook is a result of this intent.

By now, organizations should have a well-developed plan in place for implementation, including the assignment of a Data Protection Officer and coordination across all impacted business functions.  An issue is that this planning is not universal, and in fact, many US companies don’t realize their exposure.  In a recent study, less than 25% of US Firms consider themselves to be GDPR-ready.   Not a good place to be in, given that a just-released ESG survey shows GDPR-subject data as the most widely deployed in the cloud.

GDPR ready

Digging further, the GDPR defines three elements of compliance – people, process, and technology.   Cavirin can’t directly address the first two, but we can help with plugging holes in the third.  In a four-phase process that includes discover, manage, protect, and report, the third – protect – closely aligns with Cavirin’s capabilities.  We’ve created a policy framework that helps to automate the following across cloud providers and operating systems: 

  • Auditing Personal Data Processing Systems: Ensuring that all user and admin activities in personal data processing systems are traceable at all times.
  • Monitoring Personal Data Processing Systems: Ensure they are safe from software vulnerabilities
  • Personal Data Access controls: Ensure that access to systems storing or processing personal data is restricted to only users or programs that need it
  • Personal Data Security controls: Monitoring configuration settings for systems storing or processing personal data to prevent breaches and disclosure
  • Personal Data Transfer Security: Monitoring usage of encryption and network configuration to detect and/or prevent unauthorized transfers of personal data

So how to get started?  In under 30 minutes (really), you can deploy the solution on-premise or within your public cloud provider.  The deep discovery of the critical workloads, you identified in the steps above, then commences, and in a short amount of time, you’ll have actionable reports that identify your top risks.  The assessment delivers remediation guidance, and even for the largest of infrastructures, you’ll have plenty of time to take action before the deadline.  But don’t stop there!  Configure the platform for continuous assessment, so if the configuration of any of your servers changes, or new ones are added, you’ll be immediately notified and can then take action.

Download the linked infographic for more on the above!  And listen to the on-demand webinar for further information on putting your own plan in place for GDPR enforcement day, May 25th, 2018.




This last week, the US Centers for Medicare & Medicaid Services (CMS) announced MyHealthEData, a federal initiative that for the first time will provide patients with full and secure control over their healthcare data, no longer locking it to a single healthcare system or provider.

When announcing the program, CMS Administrator Verma related an experience where her husband was in the hospital for a week due to heart failure. Upon discharge, Verma asked for her husband’s records, and was presented with a CD-ROM, itself incomplete. This brought up memories of my wife’s experience in Taos where she came down with a bad case of pneumonia and upon discharge was presented with a large folder containing X-Rays. Very useful. Verma then went on to question the $30 billion spent to-date by the US government on EHR implementation, and whether the patient experience has improved.

Key stakeholders in MyHealthEData include the White House, the NHS, the VA, and the NIH. The intent is to completely revamp the way patients interact with the healthcare system, making them the center of control and permitting them to better compare providers based on cost and capabilities. Other impacts of greater data sharing should be better diagnosis and less duplication of care, outcomes that will hopefully drive down the cost and raise the quality of care for everyone.

Note that the data ‘ownership’ aspect of MyHealthEData is much like the intent of GDPR within the EU, placing people and privacy first. It reflects a growing trend given the pervasiveness of personal data hosted across the Internet and especially within healthcare. And paralleling the EU, we’ll see the rise of the Data Protection Officer (DPO) within US enterprises and other organizations, a role integral to privacy.

But with portability comes additional requirements for security. No longer confined to the network of a single provider, records will be ‘borderless,’ accessible by almost every healthcare provider and across multiple devices including smartphones. To encourage security, MyHealthEData will leverage the Merit-based Incentive Payment System (MIPS) which includes penalties for security breaches. This is where Cavirin can help.

With data spread across a much larger and interconnected threat, there are many more chances for breach, both intentional and non-intentional. The workload and cloud account protection provided by Cavirin will be even more critical, and since security is a function of its weakest link, the ease of implementation and automation we provide will permit the adoption of best practices by anyone within the healthcare value chain.

Cavirin as a company is not new to healthcare, with customer use cases spanning the OS hardening of servers used in medical device manufacturing, HIPAA compliance on-premise and within AWS, including the application of the AWS HIPAA Quickstart, and use of our open APIs to connect to other security platforms within a genomic research environment.  We also have multiple deployments within the largest dental benefits provider in the United States.  Learn more at

cloud computing and hipaa compliance

As we get ready to head east next week to Boston and the HIMMS Cybersecurity Forum, download our new infographic covering the less than excellent state of HIPAA in America.   From multiple analysts and interviews, the key takeaway is that the healthcare rates a ‘C’ in security.   The industry must improve today’s state of affairs where the sector has had more incidents of breaches than any other sector critical to the economy, the personal health data (ePHI) of almost half of US residents have been compromised, and the resulting non-covered impact to these victims is $30B or more.  Looking back, the implementation of electronic health records was to help streamline care, but in fact interconnectivity and poor practices have helped the hackers are well.   The theft of ePHI also opens the door to persistent identity theft, since a social security number can’t be replaced as easy as a credit card.  On a larger scale, the total cost of a breach isn’t limited to the impact on the patient alone.  Once revealed, the organization is subject to fines, increased oversight, and damage to its brand.



ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls

You might think that implementing an ISO 27002 ISMS program is fairly straight forward, and even an easy sell to the business and supporting enterprise.  After all, Information Security is defined by the the C-I-A triad, the most well-known model for security policy development.  Who can resist a tried and true C-I-A triad?


© 2019 Cavirin Systems, Inc. All rights reserved.