Writing Policies For Data Protection Compliance

Summary

Creating strong policies for data protection compliance is essential for organizations to meet legal requirements and safeguard sensitive information. These policies ensure that data is handled responsibly, securely, and transparently, especially in light of regulations like HIPAA and laws governing biometric data.

  • Use clear and deliberate language: Avoid vague or ambiguous terms in your policies such as “should” or “may.” Instead, use clear terminology like “must” or “shall” to define mandatory actions, and ensure all commitments align with your organization’s actual capabilities.
  • Regularly review and update policies: Create policies in accessible platforms like shared documents to prevent them from becoming outdated. Conduct periodic reviews to ensure compliance with evolving regulations and industry standards.
  • Document handling and consent protocols: Lay out procedures for data retention, deletion, and disclosure. Clearly inform users about data collection, its purpose, and any third-party sharing, ensuring transparency and compliance with laws like HIPAA or biometric privacy regulations.
Summarized by AI based on LinkedIn member posts

  • Odia Kagan

    CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP

    "If you’re covered by HIPAA and the information surrounding your #HIPAA authorization is deceptive or misleading (such as by implying that to receive treatment, the consumer must agree to have their data used for advertising purposes), that’s a violation of the FTC Act," says the Federal Trade Commission in new health information guidance.

    Additional points:
    - If you claim that you’ll delete personal information upon request, but in fact fail to deliver on that promise, that’s a violation of the FTC Act.
    - Failing to take reasonable steps to protect and secure health information from unauthorized use or disclosure may be an unfair practice.

    What to do:

    FTC Act:
    (1) Review your data policies, procedures, and practices.
    - The first step is understanding your data flows.
    - The second step is ensuring you are implementing robust safeguards to protect the privacy and security of the health information, such as a written program, training and supervision, data retention, purpose, and use limitations; and (where appropriate) mechanisms to obtain the consumer’s affirmative express consent. You also need to make sure that your representations to consumers are clear and conspicuous and consistent with your practices.
    - The third step is periodically reviewing your practices.
    (2) Review your entire user interface, including any claims you make, from the consumer’s point of view.
    - Don’t make false or misleading claims that you are “HIPAA Compliant,” “HIPAA Secure,” “HIPAA Certified” or the like.
    - Don’t bury key facts in a privacy policy, a Terms of Use section, or other places where consumers aren’t likely to read and understand them.
    - Keep it simple for consumers so that where you ask for consent, that consent is meaningful.
    - Evaluate the size, color, and graphics of all of your statements to consumers to ensure they are clear and conspicuous.

    FTC data breach notification rule:
    - The FTC’s Health Breach Notification Rule requires companies that experience a breach of security of consumers’ identifying health information to notify affected consumers, the FTC, and, in some cases, the media.
    - Applies if your business or organization has a mobile app, website, Internet-connected device, or similar technology that holds consumers’ electronic health information in a personal health record; you provide products or services or send or receive data to or from that kind of product; or you deal with health information while providing services to companies that offer those products.

    #dataprotection #dataprivacy #healthdata #privacyFOMO https://lnkd.in/dcEf98hX

  • Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    If you missed Colorado's new biometric #privacy law that takes effect next July, here's a brief summary and checklist to comply. ⤵️

    Data controller obligations include:
    🔹 Consent before biometric data can be collected/processed
    🔹 Written policies with: (1) retention schedules for biometric identifiers and data; (2) biometric #DataSecurity incident response protocols; and (3) guidelines requiring deletion of biometric identifiers in line with the law's requirements
    🔹 Public disclosure of the written policies (if no exception applies)
    🔹 Informing consumers that biometric identifiers are being collected, the specific purpose for which they are collected, and the length of time they will be retained
    🔹 Informing consumers if biometric identifiers will be disclosed to a processor and the specific purpose for doing so
    🔹 Not disclosing biometric identifiers to entities other than processors unless an exception applies
    🔹 Not selling, leasing, or trading biometric identifiers
    🔹 Generally not: requiring biometric identifiers to provide goods/services, charging different prices for consumers who exercise rights or withhold biometric identifiers, or purchasing biometric identifiers unless specific conditions are met
    🔹 Compliance with all other requirements under the #Colorado Privacy Act for the biometric data they process, whether or not they are otherwise subject to the law.

    #Employers also have obligations regarding consents for processing employee biometric data, and some written policy and deletion requirements above may also apply to employee biometric data processing.

    Some controllers will have to offer and fulfill a new type of consumer access right, including a description of the biometric data processed, where it was collected, why it is processed, and the third parties it is disclosed to.

    Here are some steps to comply if your organization is in-scope for this law:
    🔸 Identify where consumer and employee biometric data is collected and processed in your organization
    🔸 Determine whether processors or third parties receive or process biometric identifiers
    🔸 Plan to stop disclosures that are sales, leases, or trading of consumer biometric identifiers by July 2025
    🔸 Assess consent processes before biometric identifiers are collected or processed
    🔸 Check that any practices that require consumers to provide biometric identifiers are consistent with the law's restrictions
    🔸 Validate retention periods and compliant deletion processes for biometric data are defined and followed
    🔸 Review and revise consumer disclosures to include the required details about #biometrics processing, purposes, retention periods, and disclosures
    🔸 Confirm incident response policies address incidents for biometric data
    🔸 Update or draft publicly available policies to address new requirements, and
    🔸 Consider whether annual reviews are required under the law for retained biometric identifiers (this may be required if identifiers are kept for longer than a year).

  • Walter Haydock

    I help AI-powered companies manage cyber, compliance, and privacy risk so they can innovate responsibly | ISO 42001, NIST AI RMF, and EU AI Act expert | Host, Deploy Securely Podcast | Harvard MBA | Marine veteran

    Harsh truth: Most cybersecurity policies are terrible.

    After reading hundreds, here are the top 3 mistakes I see (and how you can avoid them):

    1️⃣ Stale and static
    PDF policies kept in a share drive are often compliance "check the box" artifacts to satisfy auditors. No one reads or uses them during day-to-day operations. Write them using:
    - Google Docs/Sheets
    - Confluence
    - Notion
    to make sure they don't go out of date quickly. This also builds in version control and auditing capabilities.

    2️⃣ No accountability
    If there isn't a single person in charge of making sure something gets done...it won't. I see stuff like this all the time:
    - "Vulnerabilities should be patched."
    - "Devices shall be inventoried."
    - "Incidents shall be reported."
    If your policy uses the passive voice, it's falling short. Go active instead. This forces you to put someone in charge:
    - "The engineering lead shall ensure remediation..."
    - "The director of IT shall inventory all devices..."
    - "All employees must report incidents..."

    3️⃣ Vague or no references
    Along the same lines, sometimes policies talk about individuals or groups. But it's not even clear who these are! For example:
    - "The risk committee shall approve policy exceptions."
    - "Management is responsible for authorizing vendors."
    - "Data owners shall authorize release of information."
    If you are using terms like this, make sure:
    - Membership and voting of the risk committee is clear
    - Employees know who "management" is
    - Everyone can look up the data owners

    TL;DR - cybersecurity policies often:
    1/ Are stale and static
    2/ Provide no accountability
    3/ Have unclear or no references

    What are the biggest mistakes you've seen?

  • Patrick Sullivan

    VP of Strategy and Innovation at A-LIGN | TEDx Speaker | Forbes Technology Council | AI Ethicist | ISO/IEC JTC1/SC42 Member

    ✳ Integrating AI, Privacy, and Information Security Governance ✳

    Your approach to implementation should:

    1. Define Your Strategic Context
    Begin by mapping out the internal and external factors impacting AI ethics, security, and privacy. Identify key regulations, stakeholder concerns, and organizational risks (ISO42001, Clause 4; ISO27001, Clause 4; ISO27701, Clause 5.2.1). Your goal should be to create unified objectives that address AI’s ethical impacts while maintaining data protection and privacy.

    2. Establish a Multi-Faceted Policy Structure
    Policies need to reflect ethical AI use, secure data handling, and privacy safeguards. Ensure that policies clarify responsibilities for AI ethics, data security, and privacy management (ISO42001, Clause 5.2; ISO27001, Clause 5.2; ISO27701, Clause 5.3.2). Your top management must lead this effort, setting a clear tone that prioritizes both compliance and integrity across all systems (ISO42001, Clause 5.1; ISO27001, Clause 5.1; ISO27701, Clause 5.3.1).

    3. Create an Integrated Risk Assessment Process
    Risk assessments should cover AI-specific threats (e.g., bias), security vulnerabilities (e.g., breaches), and privacy risks (e.g., PII exposure) simultaneously (ISO42001, Clause 6.1.2; ISO27001, Clause 6.1; ISO27701, Clause 5.4.1.2). By addressing these risks together, you can ensure a more comprehensive risk management plan that aligns with organizational priorities.

    4. Develop Unified Controls and Documentation
    Documentation and controls must cover AI lifecycle management, data security, and privacy protection. Procedures must address ethical concerns and compliance requirements (ISO42001, Clause 7.5; ISO27001, Clause 7.5; ISO27701, Clause 5.5.5). Ensure that controls overlap, such as limiting access to AI systems to authorized users only, ensuring both security and ethical transparency (ISO27001, Annex A.9; ISO42001, Clause 8.1; ISO27701, Clause 5.6.3).

    5. Coordinate Integrated Audits and Reviews
    Plan audits that evaluate compliance with AI ethics, data protection, and privacy principles together (ISO42001, Clause 9.2; ISO27001, Clause 9.2; ISO27701, Clause 5.7.2). During management reviews, analyze the performance of all integrated systems and identify improvements (ISO42001, Clause 9.3; ISO27001, Clause 9.3; ISO27701, Clause 5.7.3).

    6. Leverage Technology to Support Integration
    Use GRC tools to manage risks across AI, information security, and privacy. Integrate AI for anomaly detection, breach prevention, and privacy safeguards (ISO42001, Clause 8.1; ISO27001, Annex A.14; ISO27701, Clause 5.6).

    7. Foster an Organizational Culture of Ethics, Security, and Privacy
    Training programs must address ethical AI use, secure data handling, and privacy rights simultaneously (ISO42001, Clause 7.3; ISO27001, Clause 7.2; ISO27701, Clause 5.5.3). Encourage a mindset where employees actively integrate ethics, security, and privacy into their roles (ISO27701, Clause 5.5.4).

  • Brian Blakley

    Information Security & Data Privacy Leadership - CISSP, FIP, CIPP/US, CIPP/E, CIPM, CISM, CISA, CRISC, CMMC-CCP & CCA, Certified CISO

    The words you use in your policies might get you in trouble, and they can make or break an audit... Words matter.

    I’ve seen it happen soooo many times. A policy written in a rush or borrowed-stolen-liberated from a template comes back to bite the organization during an audit. Why? Because words matter.

    In my world of security, compliance, and risk management, language isn’t just semantics...it’s liability. Policies aren’t just guidance. They are commitments. And certain words carry weight, both legally and in audit scrutiny.

    Take "shall," "must," and "will." These are absolute terms. If your policy says, "all employees shall use MFA on all systems," then an auditor will expect 100% compliance with no exceptions. If there’s even one system without MFA, that’s a finding. If your policy says, "employees must complete security training annually," and someone missed the deadline, you’re out of compliance.

    Contrast that with "should" or "may." Ahh...these words introduce discretion and some wiggle room. They suggest best efforts rather than mandates. From my experience, (good) auditors pick up on this & sometimes to your advantage, sometimes not so much. If a policy states, "critical vulnerabilities should be patched within 30 days," expect an auditor to question why you’re not enforcing it like a true requirement.

    And then there’s the classic "we will." In contracts, "will" often implies an obligation, but in policies, it's a soft commitment. It's ambiguous. Does "we will monitor for security incidents" mean continuous monitoring? What’s the cadence? How is it enforced? IMO ambiguity creates audit risk.

    So, what’s the fix?
    - Be deliberate/intentional. Know the difference between a requirement and a recommendation and use words that reflect intent.
    - Align policy with reality. If your organization isn’t resourced to enforce an absolute rule, don’t write one. Instead of "all endpoints shall be encrypted," consider "all endpoints handling sensitive data shall be encrypted."
    - Think like an auditor. If you had to prove compliance with every sentence of your policy, could you? If not, rethink the language.
    - BALANCE risk and flexibility. Policies should be enforceable but not so rigid they create unnecessary findings or operational roadblocks.

    This is the difference between a policy that protects your organization and one that exposes it. Choose your words wisely.

    #ciso #dpo #compliance #policy #msp

  • Ravi D.

    Information Security & Risk Management | Third Party Risk Management | IT Governance | IT Audit | Data Protection | Network Security | NIST | IT Policy Analysis

    Information Handling Policies, Procedures, and Standards

    1. Information Handling Policies
    These policies establish the overarching principles and guidelines that govern how an organization should handle its data.

    Objectives
    - Data Classification: Information handling policies classify data based on sensitivity, defining how different types of data should be treated.
    - Access Control: Policies outline who has access to specific data and under what conditions, ensuring that data is only available to authorized personnel.
    - Data Encryption: Policies specify when and how data should be encrypted to protect it from unauthorized access.
    - User Responsibilities: They define the responsibilities of employees and other stakeholders in safeguarding data and maintaining cybersecurity best practices.
    - Incident Response: Information handling policies establish procedures for handling data breaches or security incidents, ensuring a swift and coordinated response.

    2. Information Handling Procedures
    While information handling policies set the rules, procedures operationalize them. Procedures are detailed, step-by-step instructions that provide guidance on how to implement the policies in practice.

    Key components
    - Data Access: Procedures detail how employees can access data based on their roles, authentication mechanisms, and access control measures.
    - Data Transfer: They specify how data should be securely transferred within and outside the organization, including encryption and secure channels.
    - Data Backup and Recovery: Procedures outline how data should be regularly backed up and the steps to recover data in case of loss or corruption.
    - Incident Response: Procedures provide guidance on what actions to take when a security incident occurs, ensuring a coordinated and effective response.
    - Data Destruction: Proper procedures for securely disposing of data, ensuring it cannot be retrieved after disposal.

    3. Information Handling Standards
    Information handling standards, on the other hand, provide a detailed technical blueprint for implementing the policies and procedures. They establish the specific technologies, configurations, and practices that ensure compliance with the policies and successful execution of procedures.

    Key aspects
    - Encryption Standards: Specifying encryption algorithms, key management, and encryption protocols to protect data in transit and at rest.
    - Access Control Standards: Defining authentication methods, authorization mechanisms, and user privileges that ensure data access is restricted to authorized users.
    - Data Backup Standards: Outlining how data backups should be performed, frequency, retention policies, and data restoration standards.
    - Network Security Standards: Defining best practices for network security, firewall configurations, intrusion detection systems and network segmentation.
    - Data Retention Standards: Determining how long data should be retained and when it should be securely disposed of.

  • Doug Landoll

    Cybersecurity GRC Expert | Author of Industry-Defining Handbooks | Speaker | CISSP | ISSA Distinguished Fellow | CEO at Lantego

    Policy Writing Projects: A large percentage of my projects this past year have been cybersecurity policy writing projects. Here are a few lessons I have learned:

    1) Policies in a Box SUCK - You can't just buy a set of policies and swap your company name for [Organization]. If you have tried this, I'd love to hear from you. If you haven't - great decision so far!
    2) Start with policy requirements. I call these policy source documents and they include any source of policy requirements such as NIST 800-53, 171, PCI DSS, HIPAA, CJIS, or customer contracts. Pick one of these source documents as a framework and map the rest of them into that framework for organization (see diagram).
    3) Allocate your requirements to policy documents to be developed according to audience and topic (e.g., Acceptable Use Policy, Incident Response Policy).
    4) Keep a reference of the requirement source in your final policy. This is VERY useful for policy maintenance and supporting audits.

    For more cybersecurity policy recommendations see: https://buff.ly/3JY23RI