
  • Feb 28, 2020
  • 4 min read

Updated: Feb 1, 2023

BY ACTIVE CYPHER | FEB 28, 2020 | LEGAL




In Part 3 of our CYA* blog series, we’re focusing on Payment Card Industry (PCI) compliance. PCI Data Security Standards (PCI DSS) were last updated in May 2018 (version 3.2.1) with version 4.0 planned to be released in late 2020. This article will be based on the requirements of version 3.2.1.


Unlike the subjects of our previous CYA blogs (GDPR/CCPA, HIPAA/HITECH), PCI compliance isn’t the law, but it is an industry standard. The credit card companies (American Express, MasterCard, Visa, Discover, and JCB) had each been setting standards on their own but came together to create the PCI Security Standards Council in 2004. These standards apply “to all entities that store, process or transmit cardholder data and/or sensitive authentication data” [Quick Reference Guide] – and not just in the US. Brick and mortar stores, online retailers, or sole proprietors that take major credit cards (or debit cards with a credit option) from the brands on the PCI Security Standards Council must adhere to them.


For many small businesses, card handling may amount to nothing more than a basic point of sale system that meets PCI compliance – quick payments for a cup of coffee or a haircut. In simpler, smaller businesses there shouldn’t be a need to store credit card data at all. Merchant account providers may offer hosted payment pages or other options that encrypt the customer’s data during online payments or in recurring billing systems.


Even the best-laid security plans end up failing, though. Customer support representatives receive emails containing a customer’s unrequested credit card number; event booking contracts require credit card details to be written in and sent unsecured via email, which then gets backed up to the internal drive. An employee might type a credit card number into a blank Word document while taking a wholesale order over the phone, or the business might work with a 3rd party vendor or software that stores cardholder data or primary account numbers (PAN) as plaintext.

Some of these failures fall on the shoulders of customers who are unaware of how to handle their own information securely, but others fall on employees who should be trained in PCI-compliant policies. Throwing away hastily scrawled order information without shredding it, or keeping PAN on index cards for recurring charges, can result in non-compliance and risks a breach. These sorts of issues happen to companies at every level (table below), from the smallest sole proprietorship yoga studio to the largest international corporation.


To meet the PCI DSS, 12 requirements must be met (table below). Most of them are basic security best practices – install a firewall (#1), don’t use default passwords (#2), test your security systems and processes regularly (#11), and keep an information security policy (#12). Some of those are built into the business’ network, point of sale system, online shopping cart, or credit card processing equipment but not all.

[Source] Requirements 3, 4, 7, 8, 9, and 10, on the other hand, are about the storage and movement of credit card data, especially the offhand emails, Word documents, spreadsheets, print-outs, files, and databases that are unencrypted or not handled by another system. Not everyone in the business needs to have access to all that information (#7). Brute force hacking, phishing schemes, and unsecured online storage are other contributing factors to being non-compliant and more likely to be breached.


But for many less technical business owners, understanding what they must do to be compliant can be overwhelming. There are Qualified Security Assessors around the world [QSA List] to help get your business compliant, as well as self-assessment questionnaires for a variety of different business types (SAQ). As the PCI DSS Quick Reference Guide states:


“There are three ongoing steps for adhering to the PCI DSS:


Assess — identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.


Repair — fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.


Report — documenting assessment and remediation details and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).” – [Source]


Just like meeting CCPA, GDPR, or HIPAA/HITECH regulations, PCI compliance is an ongoing battle as technology changes and breaches become more complex.


Unlike CCPA, GDPR, or HIPAA/HITECH penalties, PCI non-compliance and breach penalties aren’t standardized. From small monthly fees from the merchant account provider to tens of thousands of dollars from the credit card companies themselves, the penalties can hit any business of any size. On top of that, local breach laws then come into play, such as the CCPA’s and GDPR’s penalties.


We here at Active Cypher aren’t PCI DSS specialists, but we do know encryption (#3, #4, #6, #7, #8). Active Cypher’s proprietary encryption algorithm works with over 200 file types to encrypt each one individually. We use Active Directory’s built-in Security Groups to manage what gets encrypted and who can see it. Within the business itself you can keep files on a need-to-know basis (#7). It doesn’t matter if it’s a busy employee who saves a customer’s card information in a .txt on their laptop or an old database spreadsheet from 2013 on an archived server – Active Cypher’s products can encrypt it all, keeping your customers and their credit card data safe and CYA.


*If you aren’t sure what C.Y.A. stands for, Wikipedia can help you.

  • Jan 21, 2020
  • 3 min read

Updated: Feb 1, 2023

BY ACTIVE CYPHER | JAN 21, 2020 | LEGAL



In part two of our series on how to CYA* from penalties, we’re focusing on HIPAA and HITECH compliance and penalties. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is probably what most people are familiar with when they think of laws governing privacy. More recently, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) has been implemented and often is supporting what HIPAA began as America’s health records get digitized.


If you’re reading this blog to learn how to make your business completely HIPAA and HITECH compliant, this is not the place. We are not the experts on these laws; please contact your legal counsel instead. But we do know how to help with one little piece! Get your HIPAA Privacy Official in on this – we want to make their job easier too [45 CFR § 164.530].


Section 164.312 covers the technical safeguards that HIPAA-compliant organizations should meet – access control, unique user identification, emergency access procedure, automatic logoff, encryption and decryption, audit controls, authentication to corroborate PHI (protected health information) hasn’t been tampered with or destroyed incorrectly, protection with integrity, person/entity authentication, and transmission (“in motion”) security.


A few are policy-based – audits and emergency access procedures – while others are now built easily into so many systems like automatic log-off systems and individual logins. With a competent IT person, legal counsel, and the HIPAA Privacy Official, the rest aren’t hard to do either.


The Health & Human Services website summarizes that “covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.” [HHS] Notification is only required if the data is unsecured. For physical data, there are many proper ways to destroy it but for digital data, it requires encryption.


Our little slice of the pie is to help with meeting the National Institute of Standards and Technology’s (NIST) requirements for encryption of PHI, both when stored (“at-rest”) and when being sent over the internet (“in motion”). Active Cypher Cloud Fortress uses Active Directory’s Security Groups to easily set what files get encrypted. It’s each individual file, everything in every folder, not just the big server in the closet.


It used to be simpler – civil violations of HIPAA could be up to $25,000 at $100 per violation but since HITECH’s implementation in 2009, it has changed with penalties now tiered based on what sort of non-compliance it is – unknowing, reasonable cause, willful neglect but corrected within a required time period, or willful neglect and not corrected within a required time period – each with an annual limit of $1.5 million. In April 2019, these were again reviewed and annual limits adjusted as the table below explains:


Criminal penalties are handled separately by the Department of Justice and can be monetary fines and/or prison time. Individuals, such as hackers or employees, can be prosecuted if they (1) knowingly obtain or disclose individually identifiable health information (PHI), (2) commit an offense under false pretenses, or (3) commit an offense with the intent to sell, transfer, or use individually identifiable PHI for commercial advantage, personal gain, or malicious harm.


So CYA, easily. Encrypt each file and make it harder for hackers, lax IT policies, or disgruntled employees to cause your business to deal with HIPAA and HITECH penalties. Active Cypher Cloud Fortress, our quantum-resistant encryption, can render your files unreadable to those trying to do your business and patients harm. With penalties like these, detection is too late.


*If you aren’t sure what C.Y.A. stands for, Wikipedia can help you.

  • Jan 8, 2020
  • 3 min read

Updated: Feb 1, 2023

BY ACTIVE CYPHER | JAN 8, 2020 | LEGAL



We have all been getting privacy policy update emails and new banners when logging into our regular go-to websites for the last year and a half, and even the more blatant reminders that California residents can opt out of data collection since the first of the year. With the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) now both enforceable, it’s time to look at what must be done and how to C.Y.A.*


The GDPR applies to entities or organizations within the EU (European Union) or EEA (European Economic Area) and to non-EU/EEA entities or organizations that offer goods or services to data subjects within the EU or EEA. The CCPA applies to any company “doing business in California” which meets certain other requirements [read our other blog post for more details]. It’s a vague statement in regards to where the business is based – many lawyers and journalists are leaning towards it meaning any business with California residents as consumers, even residents who are temporarily outside the state. That means businesses across the United States and the world have to comply. At the time of writing (early January 2020), the EU’s 28 member states plus the EEA’s 3 member states together total an estimated 519.2 million residents under the GDPR, and California has about 39.5 million residents. That’s more than 558.7 million people worldwide covered under these two laws!


It’s a long road for some businesses to get compliant with either or both – thousands of employees to train, policies to update as amendments are made to the laws, consumers to notify of their rights, and consumer data requests to follow up on. Other businesses are small enough that they may be able to skirt some of these requirements – at least for now. The GDPR, in effect since May of 2018, has a head start of a year and a half of implementation over the CCPA. As each law gets more updates and amendments, lawsuits, and legal discussion, it will become clearer which businesses must comply and what counts as an infraction of either law.


Penalties can and will be levied for a variety of infractions – conditions for consent, consent for children ages 13-16, the rights of the consumer/data subject, data processing, and disclosing breaches and hacks. Under the CCPA, data breached, hacked, or stolen that is unencrypted or non-redacted may result in monetary penalties but encrypted data lost or exposed in the same way will be considered still in compliance [Cal. Civ. Code § 1798.150.a.1]. Whether or not any notification needs to happen of properly encrypted or redacted information is up for debate. Similarly, Article 33 of the GDPR outlines that breaches mean notifying a supervisory authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” [GDPR, Article 33] but if the “appropriate technical and organizational protection measures […] render the personal data unintelligible to any person who is not authorized to access it, such as encryption” then the data subject is not required to be notified [GDPR, Article 34].


C.Y.A. in the most basic way. Encrypt your data. Encrypt the consumer’s data. It’s the first step on this long road to compliance under increasingly complex, and yet vague, laws across the globe that filter into every facet of our tech-infused lives.


Active Cypher wants to make it easier for your business. With Active Cypher Cloud Fortress, easily encrypt files on an individual file-level based on Active Directory Security Groups because detection is too late.


*If you aren’t sure what C.Y.A. stands for, Wikipedia can help you.
