Elevate

2023 State Data Privacy Laws

US Data Privacy Laws 2023

2022 brought a flurry of legislative activity regarding state data privacy with very little effective action being taken. Looking toward the new year – 2023 is kicking off with five laws set to go in to effect in California, Colorado, Connecticut, Utah, and Virginia.   As there is currently no federal privacy law from which to draw inspiration, the Washington Privacy Act of 2021 is being hailed as the preferred model for state privacy legislation. Following in the footsteps of these five states, an established model law would significantly streamline privacy legislation in other states by providing much needed continuity and mitigating the threat of interstate compliancy nightmares.   There are minor, but notable, differences between these new laws as outlined in the chart below:  Does your organization need to comply? California Privacy Rights Act (CPRA)  Virginia Consumer Data Protection Act (VCDPA)  Colorado Privacy Act (CPA)  Utah Consumer Privacy Act (UCPA)  Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA)  How to Prepare  Ideally at this point in the year, preparation for these new changes should simply boil down to “review and update”. Depending on your current infrastructure, executing the necessary processes required to align with these new state privacy laws may include anything from implementation of a full compliance program to amendments or improvements to existing policies and procedures.  Time is of the essence as we approach the end of 2022, and it is imperative to begin the process of preparation as soon as possible. Not only will this ensure compliance – but will act as a catalyst for establishing core values and best practices by incorporating the principles of data privacy, security, and information governance into every facet of your organizational culture.  Remaining Compliant in the New Year  The details from law to law may vary, but the overall foundation of compliance remains the same: establish a data inventory of personal information you collect, show how you use it, explain why you collect it, and be transparent about who you share it with.  Not sure where to start? Seek out a trusted third party that specializes in managing compliance for companies that are subject to a data privacy regulation. Schedule a consultation with Elevate today to find out how we can get your organization fully prepared and compliant with both the upcoming changes, and currently effective state privacy laws. 

The OWASP Top 10 has a new look for 2021

OWASP top 10

Since the Open Security Summit in 2017, the OWASP Top 10 has provided an established data-collection process. In 2021, the OWASP 10 has a new look. After several months of analyzing Common Weakness Enumeration (“CWE”) datasets in conjunction with re-categorizing software weaknesses and vulnerabilities, the updated roll-out is presenting a refurbished design and a more data-driven approach. The new Top 10 takes into account both historical blueprints and new intelligence on how to identify possible vulnerabilities. Specifically, the 2021 list considered both validated historical data from 2017 as well as solicited survey feedback from industry leaders that are noticing new threat trends and current challenges that are not covered by the current framework.   2021 Change in Approach Historically, data collection efforts by OWASP were limited to a subset of 30 CWEs.  The 2021 iteration had no restrictions on CWEs and merely asked for data (e.g. number of applications tested for any given year, applications with at least one CWE, etc.).  The unrestricted approach allowed OWASP to track how prevalent each CWE is within any given population of applications.  As result, the analysis expanded from 30 to over 400 CWEs.  Over several months of grouping and categorizing each CWE, OWASP decided to focus more on the root cause weaknesses (e.g. Cryptographic Failure as oppose to Sensitive Data Exposure).   Supporting data for the newest adaptation has been derived from various sources: HaT (Human-Assisted Tooling), TaH (Tool-assisted Human), and raw tooling. All three processes were utilized to identify weaknesses and vulnerabilities. The results included incidence rates for each CWE category, identifying eight for inclusion from the top of that result list and relying on input from an industry audit to provide the final two categories to form the Top 10.  For a more complete explanation of how OWASP derived the top 10 2021 list, we encourage you to read OWASP Top 10:2021 (DRAFT FOR PEER REVIEW).  We summarized the changes between the 2017 and 2021 top 10 lists as shown in the table below. 

New Federal Cyber Security Standards – Executive Order to Improve the Nation’s Cyber Security

New Federal Cybersecurity Standards

On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cyber Security in efforts to protect the federal government’s networks.  The Executive Order mandates new Federal Cyber Security Standards for both federal agencies and the software vendors that supply them.  The Executive Order is in response to the recent uptick in destructive cyberattacks that have occurred, affecting major U.S. operations. Most notable events include the cyber-attack on Solarwinds software company, a foreign cyberespionage campaign involving several federal agencies, and the recent shutdown of the Colonial Pipeline, causing gas shortages throughout the South-East.  Several months in the making, the Executive Order is a specific call to action for securing federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the Government’s ability to respond to incidents when they occur.  Specifically, the Executive Order focuses on: All of these facets are to be consolidated into a federal ‘playbook’ by CISA Director Brandon Wales, working along with the Secretary of Homeland Security, and in consultation with other high-level security officials. The playbook will outline all Cyber Security standards, name intended users of the standards, and continually update progress regarding incident response results.