Posts Tagged ‘Data breaches’

New York State SHIELD Act is Here

Posted on: November 26th, 2019 by jiml

In August, New York State signed into law the SHIELD Act, or the “Stop Hacks and Improve Electronic Data Security” Act. This is an enhancement to New York State’s previous law and has several key points that anyone doing business in New York should take note of. This law goes into effect on March 21, 2020, with a notable exception noted below.

Expanded jurisdiction: The SHIELD Act now pertains to any business, inside or outside of New York, that stores private information on New York residents. This is an expansion of the jurisdiction of the previous statute.

Expanded definition of private data: New York has expanded the definition of private data to include biometric data and any combination of username, email address and access codes that could lead to the compromise of electronic accounts. Interestingly, New York did not take the additional step of covering DNA, as some other states have.

Increased reporting requirements: In the past, a HIPAA-covered organization could get by with reporting a suspected breach to the Department of Human Services. The SHIELD Act requires that the New York State Attorney General also be notified of a data breach. In addition, the definition of a breach has been expanded to cover data that was viewed, not just data that was downloaded, as was previously the case. This part of the Act goes into effect October 23, 2019, before the remainder of the Act. Fines for non-compliance have increased as well.

As a business, you have a responsibility to know and comply with this law. Not knowing the law is never an excuse for a violation. The Act requires businesses to comply in three different areas: Administrative, Technical and Physical. While the individual safeguards are too numerous to put in this post, Colden Company can assist your business within each area of the Act and set your company on a path to compliance. Please feel free to reach out to us at (888) 600-4560 by phone, or via email.

Not Your Father’s Phishing Scam

Posted on: July 30th, 2018 by jiml

According to a recent FBI study, the weak link in security is us, the people! Specifically, people who click on things they should not or give out information they should not. Cyber criminals have put a high emphasis on targeting the human element of businesses. The easy way to bypass technology security measures is to trick someone into letting you in! Once the hackers have valid credentials into a network, they have the same access rights as the person they hacked, which gives them a platform to try and escalate those privileges even further.

Social engineering and phishing scams have evolved greatly in the last few years. Gone are the days when phishing emails were poorly spelled messages from a supposed Nigerian Prince looking to get your bank account information so he could deposit a million dollars in it. Today’s scams are much more difficult to detect and are often specifically crafted to fool employees of your company. One technique is called email spoofing, where the hacker pretends to be an influential person in your organization. This is an incredibly easy hack to pull off, as most businesses publish information about their management teams on their web site. In addition to these phishing emails becoming more sophisticated and more common (one recent study by a prominent anti-phishing platform estimates that 91% of data breaches come from phishing attacks), the damage done by hackers is also on the rise. Some strains of ransomware will infect your Master Boot Record and essentially turn your computer into a brick if the ransom is not paid. In cases like this, hackers are not after your information; they are purely going after your money. No ulterior motive is in play here.

**Remember**: When your business gets hacked, it doesn’t just affect your business. Once a hacker compromises your email, for example, they can see who you communicate with, and they will start attacking your customers, your vendors and your partners. A hack at your place of business can cost you business relationships!

Employee awareness is a key component of a comprehensive security plan. What can be done to combat the kinds of sophisticated phishing attacks that are on the rise? Colden Company has a service that generates phishing emails (without the dangerous results if users click on them) so that you can identify who needs more training and awareness of these types of scams. Every business has them. You could send an email with a skull and crossbones and a note that says “Do Not Click,” and someone in your organization will click it. After all, somebody was falling for the Nigerian Prince scams or they would not have continued for so long. These are the people that put your business at risk! These are the people that specifically need targeted training. Our phishing tests do just that by sending out sample emails, identifying who is clicking, and providing training and feedback immediately.

Today’s cyber world calls for increased security and increased employee awareness. To find out who your “clickers” are, call us at 888-600-4560, email us, or visit us on Facebook or Twitter.

Top Ten Myths of PCI Compliance

Posted on: September 27th, 2017 by jiml

Hackers WANT your credit card data. They WANT your customer’s credit card data. They will try hard to get it. They will NOT stop. These are unfortunate truths.

In 2006, MasterCard, Visa, JCB, American Express, and Discover established the PCI Security Standards Council, a third-party entity, to manage the Payment Card Industry security standards and to promote the standard’s implementation by all companies (i.e. merchants) that accept credit/debit cards, including all:
Retail merchants: Any business that operates in a storefront location, where the customers’ debit and credit cards are physically swiped through the payment terminal.
Internet merchants: Any business run online that collects and processes credit and debit card information from its e-commerce website.
MOTO (mail or telephone order) merchants: Any business that operates by taking payments via the telephone and/or direct mail.

Even if you process one credit card per year, your business must be PCI compliant. If you process through a third party, that does not absolve your business from PCI compliance. Many businesses do not take this seriously until a breach occurs. As many of you know already, the credit card companies and banks have made a concerted effort to shift liability for the massive amount of credit card fraud taking place from their business to yours. If your business is not using chip readers, you are at risk. If your business is not PCI compliant, you are at risk.

PCI Compliance is not solved through a single vendor or product. There are many requirements and some of them are business process related and some are technology related. Below is a list of the top ten myths surrounding PCI requirements from the PCI Security Standards Council.

Top Ten Myths of PCI Compliance

1. One product will make us compliant.
2. Outsourcing card processing makes us compliant.
3. PCI DSS compliance is an IT project.
4. PCI DSS will make us secure.
5. PCI DSS is unreasonable, requiring too much effort and expense.
6. PCI DSS requires us to hire a Qualified Security Assessor.
7. We don’t take enough credit cards to necessitate compliance.
8. We completed a SAQ, so we’re compliant.
9. PCI DSS makes us store cardholder data.
10. PCI DSS is too hard.

Is your business PCI compliant? Are you aware of the penalties for being out of compliance? Given the current data security climate, have you given this enough attention? If you answered “no” to any of the above questions, give Colden Company a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.

Have Private Information on Your Network? Learn How to Avoid Fines!

Posted on: February 23rd, 2017 by jiml

Businesses have a responsibility to protect “private” information that belongs to employees and customers. Social security numbers, credit card numbers, and health information are among the data that fall under these legal protections. If you are storing this type of information and your network is breached, your business has a legal responsibility to report that to the appropriate authority.

The nightly news is filled with examples of corporations receiving large fines for breaches, such as AT&T’s $25 million fine and Morgan Stanley’s $1 million fine. What is less well known is that small businesses are far more often the victims of breaches, and those small businesses are subject to fines as well as the cost of credit monitoring for each person whose information was breached. With the massive increase in malware, the threat of a data breach is higher than ever. How do you avoid being the victim and avoid those costly fines?

Cybersecurity is a topic we could blog on all year and still not cover every angle. For the purposes of this discussion, we will focus on one proactive measure that your business can take: identifying your areas of risk. That identification process is accomplished by scanning computers for the types of information that your business has a legal obligation to protect. Our scans find and report on the location of that data so remediation can take place. With this information, a decision can be made to either discard the private data if it is not needed or protect that data if it is.
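To show what such a data-discovery scan does under the hood, here is a small added example (written for this post, not Colden Company’s scanning tool): it searches file contents for Social Security numbers and payment card numbers, filters out look-alike digit runs with SSN structure rules and the Luhn check, and reports only the file location plus a masked value so the report itself does not become a second copy of the private data. The sample files and their contents are constructed for the example.

```python
import re

# Constructed sample documents standing in for files found on a workstation.
SAMPLE_FILES = {
    "hr/onboarding.txt": "Employee SSN: 078-05-1120, start date 2017-01-09",
    "sales/order_4411.txt": "Paid with card 4111 1111 1111 1111 exp 12/20",
    "notes/misc.txt": "Test record 000-12-3456 (invalid area); part no. 4111111111111112",
}

# SSN in AAA-GG-SSSS form, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops digit runs (part numbers, IDs) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself does not leak data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) pairs for validated SSNs and card numbers."""
    hits = [("SSN", mask(m.group(0).replace("-", ""))) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("PAN", mask(digits)))
    return hits

def scan(files: dict) -> list:
    """files maps path -> text; returns (path, kind, masked_value) per hit."""
    return [(path, kind, val)
            for path, text in files.items()
            for kind, val in find_sensitive(text)]

if __name__ == "__main__":
    for path, kind, val in scan(SAMPLE_FILES):
        print(f"{path}: {kind} {val}")
```

To run it against a real machine, read each file found with os.walk into a path-to-content dictionary and pass it to scan(); the notes file above produces no hit because its SSN has an invalid area number and its 16-digit part number fails the Luhn check.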

The scan results have often been startling to the business owner. We have found information that would have led to as much as six-figure fines. Don’t get taken by surprise; let Colden Company help you avoid the fines! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.