San Diego, CA, February 6, 2019. Athena San Diego hosted a panel of data privacy experts to discuss how changes in privacy, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) affect businesses in the US.

The data privacy experts who shared their knowledge and experience with the audience:

  • Reem Allos, Senior Associate, KPMG
  • Robert Meyers, Director of Systems Architecture, Managed Solution
  • Marines Mercado, Sr Privacy Analyst, ResMed
  • Chris Vera, Manager, Office of Customer Privacy, SDGE

The field of privacy is changing. Consumers are now demanding privacy and noticing how their data is being used, and as a result they are taking back control over their own data. In addition, the laws are holding companies more accountable for respecting the privacy of their consumers.

The reality is, data privacy laws are going to apply to your business sooner or later, no matter where you are in the world. Therefore, being informed and ready to comply with the laws is crucial for your business to thrive in the future and establish trust with your consumers.

Robert Meyers, Director of Systems Architecture at Managed Solution, explained that the number one challenge that companies face is knowing what data they are collecting in the first place: “The challenges arise when you are keeping data that you do not need anymore. Do not be a data pack rat, know what you have and delete what you do not need.”

The debate was very lively as the audience had a lot of questions and examples for the panel, demonstrating that new data privacy laws bring uncertainty. Therefore, every business should make sure they know in what way the privacy laws affect them and the data they collect and store.

To help you make first steps towards the CCPA, we offer a free 30 min consultation with our data privacy guru Robert Meyers, CISM, CIPP/E.


Eight Ways You Can Hide Your Online Identity

By Wendy Boswell as written on websearch.about.com

How to Surf the Web Anonymously and Hide Your Tracks
Would you like to be a little bit more anonymous when surfing the Web? You can be with the following simple tips that will help you hide your identity online.
Why is this important? More people than ever before in history are going online, and with that, there are increasingly more security concerns. It's smart and makes sense to take time to learn more cautious Web browsing habits as we'll talk about in this article, in addition to the information below:
Protect Your Web Privacy: Web privacy is something that should be a top priority for anyone spending time on the Internet. A few common sense tips can make the difference between staying safe and private online... or not.
Hackers - Are They Good or Bad?: The news brings us stories of systems, governments, and corporations being hacked into by highly skilled programmers every day. Are these exploits always hostile? Or are they meant to be for the greater good? About.com shows you the difference between good and bad hackers, as well as a list of famous hackers that have done some pretty amazing (albeit somewhat infamous) things.
How to Keep Your Kids Safe Online: This generation is growing up with the Internet, but there are still plenty of safety risks. Learn how to protect your kids from cyberbullying, sexting, and other inappropriate Web
Anonymous Web Surfing
Be invisible on the Web with anonymous surfing. Learn about anonymous surfing, what anonymous surfing is, why you might be interested in surfing anonymously, how much information is easily learned about you via your Web surfing habits, anonymous proxies and services, and more.
Hide Your Search Habits
Don't want anyone seeing what you're searching for? Search engines (and other people that use your computer) can and do keep records of searches - here's a few ways you can keep your searching history private.
Avoid Intrusive Registrations
Don't want companies to know your information? If you're as tired as I am of sites forcing you to go through registration just to view their content, then BugMeNot is for you. It's easy to use and makes life much simpler, not to mention it's a good guard of your online privacy and enables you to surf anonymously.
Use a Junk Email Account To Handle Signups
For many years now, every time I absolutely have to give my email address online, I've used a fake, temporary, or junk email address that I don't mind being filled up with spam. For instance, say you want to sign up for a contest and don't want your "real" email addy spammed; well, you just get an email address for that contest and that contest only. There are plenty of places you can grab a free email account from on the Web; I've listed a few of my favorites that will help you conceal your online identity.
Use RSS To Hide Your Tracks
Instead of flitting all over the Web to visit your favorite sites, you can hide your tracks a bit better with the anonymous power of RSS technology - you'd be surprised at how much you can do with RSS.
Protect Yourself From Dangerous Malware
One of the easiest ways for you to get tracked online is through malicious software applications (malware) that watch what your computer is doing. You can get rid of these with free spyware removal tools.
Practice Common Sense Web Safety
A lot of the traps that people get caught in online could be avoided with some common sense Web safety. Use my Safe Search Checklist to keep yourself from being tracked online.
Upgrade Your Facebook and Social Media Privacy Settings
Facebook, the world's most popular social networking site, has made a lot of changes to its privacy policy, and most of them are not beneficial to the average user. They're complicated, difficult to understand and even harder to change, and can potentially compromise your safety online. Learn how to change your Facebook privacy settings quickly, easily, and safely.
Online Privacy: You Are In Charge
Never underestimate the power you have to make sure your safety online is not compromised.



Are my documents safe in Office Delve?

Yes, your documents are safe. Delve never changes any permissions. Only you can see your private documents in Delve.
Also, other people can't see your private activities, such as what documents you've read, what emails you've sent and received, or what Lync conversations you've been in. Other people can see that you've modified a document, but only if they have access to the same document.
What you see in Delve is different from what other people see. You can see your private documents and other documents that you have access to. Other people can see their documents and documents that they have access to.

Who can see my documents?

You're always in control. Only you can see your private documents in Delve, unless you decide to share them. Your private documents are marked with a padlock and the text Only you can see this.
NOTE: The padlock on the card is currently only available if your organization has opted in to the First release program.
You can see who has access to a specific document from within Delve, and you can also share the document with others.
  • Click the Who can see this? button on the content card:
You can also stop sharing a document to prevent people from seeing it.

Who can see attachments?

When you or others share a document as an attachment in email, only people in the email conversation will see that document in Delve.
Attachments are marked with a paper clip on the content card.

Who can see the documents on a board?

Boards are open to everyone in your organization. You and others can see, add documents to, remove documents from, or follow any board in Delve.
However, if a board has documents that you don't have access to, those documents will not show up for you. If you create a board and add documents that only you or a few people have access to, no one else will see the documents, but they can see the board name.
Learn more: Group and share documents in Delve

How can I share documents with others?

To make Delve a great experience for everyone in your network, it's important that you and your colleagues store and share your documents where Delve can get to them: in OneDrive for Business or in Sites in Office 365.
Learn more: Store your documents where Delve can get to them

How can I keep a document private?

If you want to keep a document private, store it in OneDrive for Business and choose not to share it. These documents will not show up in Delve for other users. Your private documents are marked with a padlock and the text Only you can see this.
Documents that aren't shared are marked with a padlock and the text Only you in the Sharing column in OneDrive for Business.
If you want, you can always share the document with others later.

My private document has 7 views in Delve – does that mean that 7 people viewed it?

No. If your document is stored in OneDrive for Business and you haven’t shared it with other people, or if it's stored in another private location, only you can see the document in Delve. 7 views for a private document means that you opened it 7 times.
NOTE: If your organization has opted in to the First release program, you'll see the padlock icon and no view counts on private documents.

Can other people see what documents I’ve viewed?

No, no-one can see which documents you’ve opened and viewed in Delve.
If you’ve made changes to a document, other people can see that you modified the document, but only if they have access to the same document.

Can I turn off Delve?

If your organization uses Delve, you can’t turn off Delve completely, but you can choose to not share your activity. You will still be able to use Delve to see other users' profile information.

What does it mean to "share my activity"?

The Office Graph – the “brains” behind Delve - collects and analyses signals that you and your colleagues send when you work in Office 365. For example, when you and a colleague modify or view the same document, it’s a signal that you’re likely to be working together. Other signals are who you've shared a document with, which distribution groups you're a member of, who your manager is, and who has the same manager as you. Delve uses the signals to show you and others the documents that are likely to be relevant to you. These signals are what we call public activities, and it's these activities you share with others when you use Delve.
Other activities are private, and are never shared. Examples of private activities are what documents you’ve read, what emails you’ve sent and received, or what Lync conversations you’ve been in.
Remember that Delve never changes any permissions. You and your colleagues only see documents that you already have access to. Only you can see your private documents in Delve.

What happens if I choose to not share my activity?

If you choose to not share your activity, other people will not see any documents when they go to your page in Delve, but they can still see your profile information, such as your name, and contact information.
Your activities will not be used to personalize Delve for others. Your documents can still appear in Delve (in other places than your person page) for people who have permissions to view them, just like these people would find your documents if they searched for them in SharePoint Online.
If you choose to not share your activity, you will not be able to see other people’s activities or documents in Delve, but you can still see their profile information.
To turn off sharing
  1. In Delve, go to Settings
  2. Select Sharing activity > Don’t share my activity.
  3. Click OK to save the changes.
NOTE: It can take up to a week for all changes to take effect.

What happens if others have Delve and I don’t?

Delve users in your organization who already have access to your documents in Office 365 can see your documents in their Delve, even if you don't have Delve yourself.
If you want to prevent your documents from showing up on your person page in Delve for other Delve users, you can choose to not share your activity. If you don't have Delve, you can do this from your Profile page in Office 365:
  1. To go to your Profile page, select your picture in the Office 365 header, and then select About me.
  2. On your profile page, select Settings.
  3. Select Sharing activity > Don’t share my activity.
  4. Click OK to save the changes.
NOTE: It can take up to a week for all changes to take effect.




Making mobile phones the authentication hubs for smart homes

By Derek Major as written on gcn.com
Each year, the National Institute of Standards and Technology funds pilot projects to advance the National Strategy for Trusted Identities in Cyberspace. The pilots address barriers to the identity ecosystem and seed the marketplace with “NSTIC-aligned” solutions to enhance privacy, security and convenience in online transactions.
This year, Galois, a computer science research and development company, received a $1.86 million grant to build a user-centric personal data storage system that enables next-generation IoT capabilities without sacrificing privacy. As part of the pilot, Galois will work with partners to integrate its secure system into an Internet of Things-enabled smart home and develop just-in-time transit ticketing on smart phones.
Galois’ authentication and mobile security subsidiary, Tozny, serves as the technical lead for the pilot programs and will build the data storage and sharing platform by tackling one of the weakest links in cybersecurity today: the password. Tozny’s solution replaces the username and password with something people use for almost everything: the smartphone, or wearable device.
Tozny is working with IOTAS, a developer of a home automation platform that integrates preinstalled hardware (light switches, outlets and sensors) with software to create a unique experience in which users learn from and interact with their homes.
Together, the companies are working to help users to log in to the IoT management console installed in their apartments without a password. Tozny is providing cryptographic authentication that is based on mobile phones.
“This is actually a really good idea because people who have tried to deploy authentication devices for smart homes have had a lot of trouble getting them to work, and they’re kind of expensive,” said Isaac Potoczny-Jones, computer security research lead at Galois. “Since a mobile phone can do cryptography, and because we can build beautiful and easy-to-use interfaces on mobile phones, we decided that that would be a much better way to log into a lot of systems -- and it’s easier to use than passwords,” Potoczny-Jones said.
IOTAS is already operating a smart-home pilot in apartment units in Portland, Ore., and San Francisco. IOTAS and Tozny will work to add transparent but privacy-preserving authentication and encryption to this pilot.

Secure mobile transit ticketing

GlobeSherpa, an Oregon-based company that provides a secure mobile ticketing platform for transit systems, is working with Tozny to develop a password-free authentication system that allows users to buy and display tickets on their mobile phones.
“With this you can use your phone to both buy and display tickets, and you don’t have to interface with these often-broken vending machines,” Potoczny-Jones said.
SRI International is also contributing to this project with a biometric authentication solution that will use a person’s walking gait as the biometric. This technology will work with the bus platform to ensure that the person holding the phone and showing the ticket is who he says he is.
“You’re walking up to the bus platform, get your phone, buy your ticket, and the phone already has a pretty high confidence that you are who you claim to be because it was just observing your walking pattern,” Potoczny-Jones said. “It’s passive, it’s behind the scenes and it’s extremely fast and accurate as well.”
“Anything that you collect that’s behind the scenes or passive needs to have really strong privacy controls built into it,” Potoczny-Jones said. “So we’re very happy with the way these technologies are coming together to provide secure login, privacy controls and really advanced biometric technology.”


EU Model Clauses and HIPAA BAA update now available for all Yammer customers

Post was written by Juliet Wei, senior product marketing manager for the Yammer team.
Yammer’s mission is to enable open team collaboration, and we recognize that sharing goes hand in hand with the right levels of privacy, security and compliance. With more than 85 percent of the Fortune 500 using Yammer to collaborate, our goal is to provide customers with industry-leading privacy and security commitments.
Today I’m thrilled to announce that Yammer has achieved a major compliance milestone to enhance its commitment to the protection of personal data for European customers. Effective immediately, all customers can obtain a Data Processing Agreement with the European Commission’s standard contractual clauses for data processors, known commonly as the “EU Model Clauses (EUMC).” This provides customers with an alternative to transfer personal data from the European Union to the United States.
Additionally, the standard HIPAA Business Associate Agreement (HIPAA BAA) for Microsoft enterprise online services is now available for Yammer customers.
Organizations want a collaboration platform that gives them the right levels of privacy, security, and compliance. The EUMC and use of the standard HIPAA BAA for Microsoft enterprise online services are part of Yammer’s ongoing investments to deliver the protection customers need to collaborate with confidence.
—Juliet Wei

Source: https://blogs.office.com


Kardashian Website Security Issue Exposes Names, Emails Of Over Half A Million Subscribers, Payment Info Safe

by Sarah Perez (@sarahintampa) as written on TechCrunch.com
Alongside the launch of the Kardashian and Jenner mobile apps, which are now dominating the App Store after seeing hundreds of thousands of downloads apiece in their first days on the market, the celeb sisters also released new websites designed to help them better connect with their fans while offering a more personal look inside their lives.
However, one enterprising young developer dug around those websites and immediately found an issue. Due to a misconfiguration, he was able to access the full names and email addresses of over 600,000 users who signed up for Kylie Jenner’s website as well as pull similar user data from the other websites.
In addition, the developer said he had the ability to create and destroy users, photos, videos and more, though we understand he didn’t actually take those actions.
The developer in question, 19-year-old Alaxic Smith, had some interest in the celebrity biz already. As the co-founder of Communly, he’s been working on a mobile app that lets users connect with others who share their interests, including tracking new information about favorite celebs, for example.
On blogging site Medium, Smith explained how he was able to access the user data from Kylie Jenner’s website. He also noted that his explorations initially began as idle curiosity about what was powering the new sites under the hood, rather than being some malicious hack or even a more focused attempt at uncovering security vulnerabilities.
Writes Smith: I’ll admit I downloaded Kylie’s app just to check it out. I also checked out the website, and just like most developers, I decided to take a look around to see what was powering the site. After I started digging a little bit deeper, I found a JavaScript file named kylie.min.75c4ceae105ad8689f88270895e77cb0_gz.js. Just for fun, I decided to un-minify this file to see what kind of data they were collecting from users and other metrics they may be tracking. I saw several calls to an API, which of course made sense. I popped one of those endpoints into my browser, and got an error just like I expected.
Smith then logged into the website with his own user name and password and was directed to a web page that contained the first and last names and email addresses of the 663,270 people who had signed up for the site, he says.
Following this discovery, Smith realized he could perform the same API call across each of the other sisters’ websites and return the same data. Besides being able to access this user data, Smith says he found he was also able to create and destroy users, photos and videos.
Source: http://techcrunch.com


Snapchat, less ghostly than ever, now lets you pay to replay snaps

by John Zorabedian as written on https://nakedsecurity.sophos.com
Snapchat has just released version 9.15 of the popular messaging app, and for the first time it includes a feature that users can purchase in-app.
It's called Replay, and for 99 cents you can replay an additional three snaps per day - additional because users already have the ability to replay one snap per day for free.
The ability to buy additional replays is new (currently only available to US users), but Replay as a feature has actually been around for almost two years.
The paid replay option only allows you to replay any given snap once, but that's still one more time than you might expect for an image that's supposed to be automatically deleted after it's viewed.
When Snapchat debuted in 2012, the company marketed its app as a way to send "fleeting messages" that would "disappear forever" after they were viewed - once - by the recipient.
Well, that turned out to be a blatantly false claim - one so misleading that the US Federal Trade Commission (FTC) stepped in to sanction Snapchat for unfairly deceiving users.
Snapchat settled with the FTC in May 2014, and since then, the company's privacy policy has explained just how un-fleeting the supposedly fleeting messages are (you have read the privacy policy, Snapchatters, haven't you?).
Snaps - the photos and videos users send to one another with written messages, drawings, and so forth - can be retrieved after sending in several ways:
  • The recipient can take a screenshot of the snap. Snapchat says it will try to notify users if their snaps are screenshot, but by then it's too late - the recipient has created a new image of your snap that is under his/her control.
  • Snapchat stores snaps on its servers for an undefined period of time. Although Snapchat says it deletes your snaps at some point, they can remain in backup for a "limited period of time."
  • Snap images that you send stay on your phone in a folder that can be recovered with forensic software.
  • And of course, your images can be viewed again via Replay, the feature that Snapchat is now offering as a paid service.
With Replay, you'll get a notification whenever a recipient replays your snap.
But as GigaOm reported in 2013, when Replay first became available, you only have control over Replay on your own device, and you can't prevent recipients from replaying your snap.
That's right - there's no way to opt out.
In a post on the Snapchat blog announcing paid replays, the company said its users were "frustrated" without the ability to replay more than one snap per day:
We've provided one Replay per Snapchatter per day, sometimes frustrating the millions of Snapchatters who receive many daily Snaps deserving of a Replay. But then we realized - a Replay is like a compliment! So why stop at just one?
Here's another question for Snapchat: now that you've done away with the ruse that snaps are "fleeting" messages, isn't it time to change the ghost on your logo to something a little more permanent?
Source: https://nakedsecurity.sophos.com/2015/09/17/snapchat-less-ghostly-than-ever-now-lets-you-pay-to-replay-snaps/

By Ellen Nakashima as written on The Washington Post - June 2015.

China hacked into the federal government’s network, compromising four million current and former employees' information. The Post's Ellen Nakashima talks about what kind of national security risk this poses and why China wants this information. (Alice Li/The Washington Post)

Hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, U.S., and the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.

The hack was the largest breach of federal employee data in recent years. It was the second major intrusion of the same agency by China in less than a year and the second significant foreign breach into U.S. government networks in recent months. Last year, Russia compromised White House and State Department e-mail systems in a campaign of cyberespionage.

The OPM, using new tools, discovered the breach in April, according to officials at the agency who declined to discuss who was behind the hack.

Other U.S. officials, who spoke on the condition of anonymity, citing the ongoing investigation, identified the hackers as being state-sponsored.

One private security firm, iSight Partners, says it has linked the OPM intrusion to the same cyberespionage group that hacked the health insurance giant Anthem. The FBI suspects that that intrusion, announced in February, was also the work of Chinese hackers, people close to the investigation have said.

The intruders in the OPM case gained access to information that included employees’ Social Security numbers, job assignments, performance ratings and training information, agency officials said. OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.

“Certainly, OPM is a high-value target,” Donna Seymour, the agency’s chief information officer, said in an interview. “We have a lot of information about people, and that is something that our adversaries want.”

The personal information exposed could be useful in crafting “spear-phishing” e-mails, which are designed to fool recipients into opening a link or an attachment so that the hacker can gain access to computer systems. Using the stolen OPM data, for instance, a hacker might send a fake e-mail purporting to be from a colleague at work.

After the earlier breach discovered in March 2014, the OPM undertook “an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks,” Seymour said. “As a result of adding these tools, we were able to detect this intrusion into our networks.”

“Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM,” Director Katherine Archuleta said in a statement.

In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clearances, officials said.

By contrast, in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said. OPM officials declined to comment on whether the data affected in this incident was encrypted or had sensitive details masked. They said it appeared that the intruders are no longer in the system.

“There is no current activity,” an official said. But Chinese hackers frequently try repeat intrusions.

Seymour said the agency is working to better protect the data stored in its servers throughout the government, including by using data masking or redaction. “We’ve purchased tools to be able to implement that capability for all” the data, she said.

Among the steps taken to protect the network, the OPM restricted remote access to the network by system administrators, officials said. When the OPM discovered the breach, it notified the FBI and the Department of Homeland Security.

A senior DHS official, who spoke on the condition of anonymity because of the ongoing investigation, said the “good news” is that the OPM discovered the breach using the new tools. “These things are going to keep happening, and we’re going to see more and more because our detection techniques are improving,” the official said.

FBI spokesman Josh Campbell said his agency is working with DHS and OPM officials to investigate the incident. “We take all potential threats to public- and private-sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace,” he said.

The intruders used a “zero-day” — a previously unknown cyber-tool — to take advantage of a vulnerability that allowed the intruders to gain access into the system.


China is one of the most aggressive nations targeting U.S. and other Western states’ networks. In May 2014, the United States announced the indictments of five Chinese military officials for economic cyberespionage — hacking into the computers of major steel and other companies and stealing plans, sensitive negotiating details and other information.

“China is everywhere,” said Austin Berglas, head of cyber investigations at K2 Intelligence and a former top cyber official at the FBI’s New York field office. “They’re looking to gain social and economic and political advantage over the United States in any way they can. The easiest way to do that is through theft of intellectual property and theft of sensitive information.”

Rep. Adam B. Schiff (Calif.), ranking Democrat on the House Intelligence Committee, said the past few months have seen a massive series of data breaches affecting millions of Americans.

“This latest intrusion . . . is among the most shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses,” he said. “The cyberthreat from hackers, criminals, terrorists and state actors is one of the greatest challenges we face on a daily basis, and it’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”

Colleen M. Kelley, president of the nation’s second-largest federal worker union, the National Treasury Employees Union, said her organization “is very concerned” about the breach. “Data security, particularly in an era of rising incidence of identity theft, is a critically important matter,” she said.

“It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks,” she said.

Lisa Rein contributed to this report.

Source: WashingtonPost.com
