Information Security for SMBs Newsletter Volume 1, Issue 4

California Consumer Privacy Act of 2018
On June 28, 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act, the most comprehensive privacy legislation to date in the United States. While not as broad as the European Union’s General Data Protection Regulation (GDPR), this act also aims to protect the privacy of citizens’ information. SMBs who have proactively addressed the GDPR may be well-positioned to meet the requirements of this act.

Specifically, according to the California Consumer Privacy Act website, the act grants to consumers:

  • the right to know all data collected by a business on you,
  • the right to say no to the sale of your information,
  • the right to delete your data,
  • the right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection,
  • the right to know the categories of third parties with whom your data is shared,
  • the right to know the categories of sources of information from whom your data was acquired, and
  • the right to know the business or commercial purpose of collecting your information.

As the regulation was fast-tracked from its introduction to signing (seven days), it is reasonable to expect future adjustments. However, SMBs should pay attention to this law even if not affected directly (with a California presence) or indirectly (processing California citizen information), as other states (and the federal government) may enact similar measures.

The regulation takes effect in 2020. NetDiligence’s Junto blog breaks down the act further.

Treating the Risk – Cybersecurity Insurance
Last month’s newsletter discussed approaching information security as a risk management issue. Once information security risks are identified, generally there are four options to address the risks: transfer, mitigate, avoid, or accept. Ignoring a risk is not an acceptable choice; to do so is at the very least a poor business practice and may lead to legal and monetary repercussions.

Transferring the risk usually refers to obtaining cybersecurity insurance. It is a reactive control in that cyber insurance mitigates economic risks following a breach. While the better option is to prevent a breach, incursions do happen despite layered application of protective controls.

How much cybersecurity insurance coverage is adequate for the business? According to a 2017 Kaspersky report, the average cost of an SMB breach was $117,000. The actual cost is business-dependent; a health clinic breach may be far costlier than one suffered by a cleaning company based on the type and quantity of information involved.

Ensuring an effective information security program is in place can reduce the chance of a breach. An information security maturity and risk assessment helps SMBs locate the areas of highest risk to prioritize mitigation actions. Next month’s newsletter will discuss in more detail mitigation strategies and actions.

ISAC Spotlight – MS-ISAC
According to the Multi-State Information Sharing and Analysis Center (MS-ISAC) website, “the mission of the MS-ISAC is to improve the overall cybersecurity posture of the nation’s state, local, tribal and territorial MS-ISACgovernments through focused cyber threat prevention, protection, response, and recovery.” Membership is not limited to state governments. For example, the local government page presents a lengthy list of city, town, and county members.

One very useful service that can be utilized by members and non-members alike is the monthly MS-ISAC newsletter. For example, the June 2018 newsletter provides tips to spot phishing emails. Organizations are permitted to download, rebrand, and distribute newsletters to promote information security awareness.

The Center for Internet Security (CIS), home to both the MS-ISAC and the Elections Infrastructure ISAC, is a “non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.” They provide many resources including the CIS Top 20 Controls (formerly SANS Top 20).

Upcoming Events

  • September 7, 2018: Infosec Nashville – Music City Center, Nashville, TN
  • October 15-16, 2018: Tennessee Summit on Administrative Computing Technologies – Middle Tennessee State University, Murfreesboro, TN

See for details.

Sign Up
Subscribe to our monthly newsletter at

favicon v4.1


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s