Category: Cybersecurity

Lingering Cloud Fear And Adaptation

Blog+Image+#9+website

.

Lingering Cloud Fear and Adaptation

.

Nephophobia is the fear of clouds. It’s thankfully rare: clouds are tough to avoid. The ancient Greeks were talking about storm clouds. Fear of cloud computing is a more recent development; a by-product of forced adaptation. In 2021, 94% of the internet’s workload is processed by cloud data centers. Just two years ago, this figure was 60%. How did cloud use become ubiquitous so quickly?

.

A little bit of history puts the revolution in perspective. The appearance of “The Cloud” in our lexicon is recent. The earliest usage was in 1996 when a Compaq public-relations piece used “cloud computing” to describe enhanced utility of the world wide web. The men who co-authored the piece both claim to have coined the term. (One of them even attempted to copyright “cloud computing” in 1997, but to no avail.) In 2006, Google and Amazon started describing the new paradigm where users access software and files over the internet (instead of their desktop) as “cloud computing.” Right then it became the hot new buzzword.

.

The marketing guys from Compaq in the ‘90s had it right. The Cloud is not new; it is what the web was designed to do since it was created in the 1960s. It’s a simple re-branding of the internet; a fitting metaphor for a changed system to where everything is accessed and stored remotely.

.

Skepticism and suspicion have been mostly quelled by how rapidly the world migrated. Cloud computing is globally pervasive: 85% of businesses worldwide use cloud-based data storage. 77% of companies have an application running on a cloud-based server. It’s the new normal.

.

The remaining objections to cloud computing.

.

The upside is undeniable – reduced cost of operation, greater flexibility, and improved collaboration. The benefits far exceed those of older-generation physical servers. Years ago, objections to cloud migration were often related to human readiness or organizational support. Too new and unknown. Today, we are through the looking glass on such fears. The remaining objections for migrating to the cloud are mainly two: cost concerns and privacy concerns.

.

Though commonly used as an objection, saving money is the most popular reason businesses migrate to the cloud: 61% of businesses say “cost” is their primary reason for adopting cloud use versus just 30% who migrate for the “additional storage.” The storage aspect saves money, too: cloud hosts charge you for the just the space you use. Think of how this contrasts with the IT specialists of yesterday purchasing equipment with tomorrow’s storage needs in mind. No more wasted storage space or hardware growing obsolete. In a recent study, 82% of businesses that migrated to cloud systems reported cost savings that covered any initial up-front migration fees within six months of the switch.

.

The privacy concerns might be more about control. Knowing where the data was physically housed was of a certain comfort; moreover, we knew the guys on the IT team. They know their stuff, right?

.

Not to say they didn’t, but in 2021 the three largest providers of cloud services are Amazon, Microsoft, and Google. Each has security knowledge, intel, and experience that dwarfs almost every organization’s. It’s what they do. The proof is in the pudding: 94% of organizations report fewer security incidents after migrating to cloud-based alternatives. Less resources devoted to maintaining system security means more savings.

.

MRS: cloud-based solutions for providers and 3rd party administrators.

.

Management Research Services (MRS) operates their no-code insurance services platform on Microsoft Azure, a top-tier cloud solution for SaaS (software as a service) applications. Data encryption combined with Microsoft’s dedication to robust security means the sensitive data managed within our application is always secure. Using Microsoft Azure to host the MRS platform and e-App allows us to focus on what we do best: designing state-of-the-art insurance service interfaces that best serve our clients and their customers.

.

Contact the staff at MRS to learn about trying a demo of our latest products. We are ready to put our cloud-based solutions to work for you. Request a demo here, or email us at: sales@mrsreps.com.

.

Locke Lord QuickStudy: Ready or Not, Here It Comes: Litigation and Enforcement Issues Under The California ‎Privacy Rights Act

Locke Lord

Locke Lord 

Originally Published February, 2021

 

The passage of the California Privacy Rights Act (“CPRA”) on November 3, 2020 will result in ‎increased litigation and enforcement actions for companies doing business in California. Indeed, ‎only months after the California Consumer Privacy Act (“CCPA”) became effective, California ‎voters expanded on the CCPA’s already groundbreaking data privacy protections by passing the ‎CPRA. Now, the creation of the California Privacy Protection Agency (the “Agency”) and the ‎elimination of some of the more business-friendly provisions of the CCPA make clear that ‎companies will suffer significant and costly consequences for data breaches and privacy ‎violations in California.‎

 

The substantive provisions of the newly enacted CPRA go into effect January 1, 2023, but the ‎regulatory implications may be felt much sooner. While many businesses are still navigating the ‎emerging litigation and enforcement landscape created by the CCPA, they should also ramp up ‎efforts to comply with the CPRA in order to avoid additional liability issues down the road.‎

 

The Creation of the Agency

The CPRA amends and expands the enforcement mechanism of the CCPA through the creation ‎of the Agency, a newly formed California state government agency whose sole purpose is the ‎regulation of consumer data privacy. Cal. Civ. Code § 1798.199.10 et seq. The CPRA describes ‎the Agency as an “independent watchdog whose mission is to protect consumer privacy” to ‎‎“ensure that businesses and consumers are well‐informed about their rights and obligations” and ‎to “vigorously enforce the law against businesses that violate consumers’ privacy rights.” See ‎CPRA SEC. 2, Findings and Declarations L. The Agency will replace the California Attorney ‎General as enforcer of the CCPA no later than July 1, 2021 and will oversee enforcement of the ‎CPRA effective July 1, 2023. ‎

 

The creation of the Agency will undoubtedly result in increased attention and investigations into ‎data breaches and ‎privacy violations involving California residents. First, the sole responsibility ‎of the Agency is to investigate these ‎issues, and that hyper-focus is likely to lead to more intense ‎scrutiny. Second, the Agency is funded through the ‎Consumer Privacy Fund, which is made up ‎of fines that the Agency collects in its enforcement actions, thus creating an incentive to enforce ‎the provisions of the CPRA. ‎Consequently, businesses should expect aggressive enforcement ‎actions by the Agency.‎

 

Agency Enforcement under the CPRA

Not only does the CPRA change who is responsible for its enforcement, but it also eliminates the ‎ability to cure a violation before any action is taken. The CCPA specifically allows companies to ‎avoid an enforcement action and/or administrative fines by curing the violation within 30 days. ‎Conversely, under the CPRA, the Agency is permitted to order substantial administrative fines ‎‎(from $2,500 to $7,500 per violation) at the time that it issues a cease and desist letter, though it ‎will look to the “good faith cooperation of the business” in determining the amount if any ‎administrative fine.‎ Because this change makes it more likely that businesses will be assessed fines, it is important to ‎be in compliance. Notably, the CPRA has a “look back” provision to January 2022 for ‎enforcement purposes. Thus, to avoid costly enforcement actions in the future, companies should ‎review their procedures for compliance with the CPRA and take steps to remedy any issues as ‎soon as possible. ‎

 

Civil Liability under the CPRA

The CPRA may also result in increased litigation by California residents by expanding the narrow ‎list of personal information giving rise to a private right of action. Under the CCPA, a consumer ‎may bring an action if four elements are met: (1) the plaintiff is a consumer (defined as a ‎California resident), (2) there was unauthorized access and exfiltration, theft, or disclosure of, (3) ‎nonencrypted and nonredacted personal information, and (4) the disclosure was due to the ‎business’s alleged failure to maintain reasonable security procedures and practices. Cal. Civ. ‎Code ‎§ 1798.150(a)(1). Importantly, though, the types of personal information that were ‎misappropriated is limited to a combination of the consumer’s name (first name or initial and last ‎name) and a social security number, driver’s license number or identification card number, ‎financial account number and security/access code or password, medical information, health ‎insurance information, or biometric information. See Cal. Civ. Code § 1798.150(a)(1) (citing ‎‎“personal information” defined under ‎Cal. Civ. Code § 1798.81.5(d)(1)(A)).‎ The CPRA ‎expands this narrow list to include consumer login credentials (such as email addresses and ‎passwords). See Cal. Civ. Code § 1798.150‎. Given the number of online transactions that ‎require consumers to disclose their email addresses and passwords, this addition may result in ‎increased litigation in the event of a breach. ‎

 

Unlike enforcement actions based on compliance violations, the CPRA did not eliminate the 30 ‎day cure provision with respect to consumer claims brought under the private right of action ‎provision. This means that a business can still avoid statutory damages if it cures the violation ‎upon 30 days’ written notice from the consumer – assuming a cure is possible. See Cal. Civ. ‎Code § 1798.150‎(b). However, the CPRA clarifies that “the implementation and maintenance of ‎reasonable security and practices…following a breach does not constitute a cure of that breach.” ‎Id. Thus, a business cannot avoid civil liability under the CPRA simply by adopting reasonable ‎security standards after the fact. Further, the notice and opportunity to cure provision does not ‎apply if the consumer is just seeking actual pecuniary damages, and not statutory damages. See ‎Cal. Civ. Code § 1798.150‎(b).‎

 

Conclusion

The enactment of the CPRA further muddies the privacy waters in California as many businesses ‎are still waiting for guidance from the courts and/or the Attorney General ‎regarding enforcement ‎of the CCPA. The creation of the Agency makes increased attention and enforcement actions a ‎near certainty. Particularly in light of the one-year look back provision included in the CPRA, it ‎is important for companies to promptly begin reviewing their policies and practices for ‎compliance with both the CCPA and CPRA in order to avoid liability issues in the future.‎