OneTrust and Cloud Security Alliance Partner to Launch Free Vendor Risk Tool for CSA Members

By Gabrielle Ferree, Public Relations and Marketing Manager, OneTrust

OneTrust is excited to announce that we have partnered with Cloud Security Alliance to launch a free Vendor Risk Management (VRM) tool.

The tool, available to CSA members today, automates the vendor risk lifecycle for compliance with the GDPR, CCPA and other global privacy frameworks.

Get started today with the CSA-OneTrust VRM tool.

As the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, CSA has 90,000 individual members, 80 chapters globally and 400 corporate members. CSA members can access the VRM tool today and automate vendor risk management at no cost.


The CSA-OneTrust VRM tool is pre-populated with templates reproducing the CSA’s best practices for cloud security and privacy assurance and compliance, including the Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ) and GDPR Code of Conduct. Privacy and security teams can also build upon existing templates or create custom vendor assessments based on their business-specific needs.

The CSA-OneTrust VRM tool automates the entire vendor management lifecycle, including:

  • onboarding and offboarding vendors
  • triaging vendors
  • populating vendor information and monitoring the vendor risk lifecycle
  • maintaining records for accountability and compliance purposes.

The tool is powered by Vendorpedia™ by OneTrust, a database of privacy and security details of more than 4,000 vendors that automatically populates vendor assessments based on the most up-to-date vendor information.

Our goal is to provide privacy and security professionals the power to automate and simplify what can be an overwhelming task of managing and monitoring vendor risk. We’re proud to work alongside leaders in the industry like CSA and look forward to providing vendor risk assessment and compliance automation for its more than 90,000 members.

To learn more, read our press release. For additional news and updates visit our LinkedIn, Twitter and Facebook.

Get started with the CSA-OneTrust VRM tool or request a demo today.

California’s CCPA Brings EU Data Privacy to the US

By Rich Campagna, Chief Marketing Officer, Bitglass

Over the summer a new data privacy law, the California Consumer Privacy Act of 2018 (CCPA), was passed. Assembly Bill 375 is scheduled to go into effect on Jan 1, 2020, which means there will likely be a lot of change before we see the final, enforced version of the bill.

The net for now?

The US’s most stringent data privacy law, CCPA, looks a lot like GDPR, and will likely have impact far beyond the State of California. It also means that companies in all industries are now what we used to refer to as “regulated.” That means more focus on data protection tools like data leakage prevention, cloud access security brokers (CASB), encryption, and more.

CCPA: The US’s most stringent data privacy law

According to the Bill, the following will be covered by the CCPA:

  • Grants consumers the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
  • Requires businesses to make disclosures about the information and the purposes for which it is used.
  • Grants consumers the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.
  • Grants consumers the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the categories of information and the identity of third parties to which the information was sold or disclosed.
  • Requires businesses to provide this information in response to a verifiable consumer request.
  • Authorizes consumers to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • Authorizes businesses to offer financial incentives for collection of personal information.
  • Prohibits businesses from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to “opt in.”

The first half of the list reads very similarly to the corresponding provisions in the EU GDPR. The second half includes some interesting new twists.

GDPR … with a twist

The prohibition on discriminating against consumers that exercise their right to privacy, unless “the difference is reasonably related to value provided by the consumer’s data,” is a departure from GDPR regulations. That said, this clause seems far too vague to make it through to 2020 in its current form and will likely be heavily debated by lawmakers and lobbyists alike over the next 18 months.

Additionally, the authorization to offer financial incentives for collection of personal information is quite interesting as well, and it will be interesting to see how businesses make use of it. How does “free 2-day shipping if we can sell your personal data to a third party” sound?

The cost of non-compliance? “Not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” To put that into context, last year’s Equifax breach of 145.5 million records would have amounted to a fine somewhere between $34 billion and $255 billion. Yikes!

All told, the scope of CCPA’s protections looks very similar to that of the EU GDPR. For organizations that have applied GDPR globally, that’ll make the path to CCPA compliance much easier. And keep in mind that, like the GDPR, CCPA applies to any business handling California resident data, so even if you don’t have a physical presence in California, doing business in CA is enough to make you subject to the law.

Now what other states (and countries) do with their own privacy laws is a totally different story. It’s wishful thinking to think that others will follow California and the EU without changes of their own. The result will be either amazingly complicated enforcement, or the restriction of services in markets that aren’t nearly as large as California and the EU. If Congress were to step up and enact a national data privacy law it could go a long way towards simplifying this grim future picture. Bueller?

Good and Bad News on Safe Harbour: Take a Life Ring or Hold Out for a New Agreement?

By Susan Richardson, Manager/Content Strategy, Code42

If your organization relied on the now-invalid Safe Harbour agreement to legally transfer data between the U.S. and the EU, there’s good news and bad news.

The good news? The European Commission just threw you some life rings. The governing body issued guidance on Nov. 6 that outlines alternative mechanisms for legally continuing transatlantic data transfers:

Standard contractual clauses
Sometimes referred to as model clauses, standard contractual clauses are boilerplate provisions for specific types of data transfers, such as between a company and a vendor. They’re often the least costly on a short-term basis.

Binding corporate rules for intra-group transfers
These allow personal data to move freely among the different branches of a worldwide corporation. Sounds easy, but the process can be time-consuming and expensive, depending on the scope of the company. That’s because the rules have to be approved by the Data Protection Authority (DPA) in each member state from which you want to transfer data.

Derogation where contractually necessary
This exception allows for data transfers that are required to fulfill a contractual obligation, for example when a travel agent sends details of a flight booking to an airline.

Derogation for legal claims
This exception allows for data transfers that are required to process a legal claim.

Derogation based on individual consent
Legal folks say this option isn’t a slam dunk. Many DPAs have ruled that it’s not possible to obtain meaningful consent from employees, given the lopsided nature of the employer-employee relationship. On the consumer side, it may be difficult to demonstrate that consumers provided meaningful consent if the relevant notice is embedded in a lengthy privacy policy they may never read. Data privacy experts at law firm BakerHostetler recommend a click-through privacy policy with an “I agree” checkbox, as opposed to a browsewrap privacy policy that implies consent by virtue of the consumer simply using the website, app or service.

The bad news? You only have until the end of January 2016 to get the new mechanisms in place before DPAs start investigating and enforcing transfer violations. Or you could hedge your bets and hold out for U.S. and EU negotiators to hammer out a Safe Harbour 2.0 agreement by then, as they’ve committed to do.

After all, the U.S. House of Representatives did surprise everyone by quickly passing the baseline requirement for moving forward on October 20th: the Judicial Redress Act would give EU citizens some rights to file suit in the States for U.S. government misuse of their data. It was received in the Senate and referred to the Committee on the Judiciary on October 21.