CEO's Guide To Data Protection and Compliance: GDPR Ccpa Hipaa Glba Pci Dss

The document discusses how CEOs will be held personally liable for data breaches by 2024 if they did not prioritize cybersecurity and data protection. It emphasizes that cybersecurity is now mission critical for business leaders, who must understand relevant regulations like GDPR, CCPA, HIPAA, and PCI DSS. Implementing security changes requires communicating their critical importance to the organization in order to protect data and gain its support. Maintaining compliance benefits businesses through competitive advantages, fewer data breaches, and insights from the data mapping that privacy regulations require.

CEO’s Guide to Data Protection and Compliance
GDPR | CCPA | HIPAA | GLBA | PCI DSS

By 2024, CEOs will be held personally liable for data breaches.

That’s why it’s essential the C-Suite understands the importance of privacy, data protection - and therefore cybersecurity - and how these functions support business goals.

TESSIAN.COM/RESEARCH →
Why cybersecurity and compliance matter now

Over the last several years - thanks largely to data privacy regulations - cybersecurity has become less siloed and more integrated with overall business functions. But in many organizations, security leaders still don’t have a seat at the table.

This disconnect with the board can make communicating risk, opportunity, and cybersecurity ROI pretty difficult and means compliance can be seen as more of a “box ticking exercise” than anything that actually supports the business.

But cybersecurity is more than a means to an end and remaining compliant is about more than avoiding fines. A data-first (and therefore human first) security approach can be a business enabler and competitive differentiator.

And in a few years, it could also keep CEOs out of jail.

By 2024 - according to Gartner - CEOs will be held personally liable for data breaches if it is found that the incidents occurred because the organization did not focus on cybersecurity or invest sufficiently in it.

The bottom line: Cybersecurity is mission critical. That means business leaders need to prioritize data protection and privacy. Step one is understanding the regulatory landscape.

READERS WILL LEARN
■ How compliance standards like the GDPR, CCPA, HIPAA, GLBA, and PCI DSS have changed how businesses operate.
■ The benefits of ensuring compliance (beyond just avoiding fines) and why the C-suite should care.
■ The most effective ways to prevent data loss and satisfy compliance standards.

“To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.”
KEVIN STORLI
Global CTO and UK CISO at PwC

A CEO’S GUIDE TO DATA PROTECTION AND COMPLIANCE TESSIAN.COM/RESEARCH → 2


Good privacy is good for business: how privacy creates value

We asked security leaders what they viewed as the biggest consequence of a data breach. Nearly a quarter said losing customer trust. Just 10% said regulatory fines. Why does this matter?

It proves that compliance standards like GDPR, CCPA, HIPAA, GLBA, and PCI DSS have fundamentally changed how businesses across regions and industries operate. Customers, clients, and employees don’t just care about privacy. They expect it.

While this means a breach is bad news for everyone involved - employees, the larger organization, and third parties like customers, suppliers, or patients - it also means there are benefits of privacy well beyond simply avoiding multi-million dollar penalties.

In your opinion, what is the biggest consequence of a data breach to an organization? (survey results)
■ Losing customers and/or their trust: 21%
■ Lost data: 20%
■ Damaged reputation: 17%
■ Lost intellectual property: 13%
■ Revenue loss: 11%
■ Regulatory Fines: 10%
■ Losing your job: 8%


According to Cisco’s global survey of security professionals and business leaders, 97% of organizations who meet most (or all) the GDPR requirements enjoy one or more of the following benefits:

1. COMPETITIVE ADVANTAGE
Whether or not your business operates in a highly-regulated industry or region (skip to pages 6, 7, and 8 for a high-level overview of 25 different laws and standards), a strong privacy program and a track record of transparency are competitive differentiators. Yes, protecting data could help you attract new customers and clients and help you keep the ones you already have. Bonus: Only 28% of companies are currently fully compliant with the GDPR, the “gold standard” of compliance. That translates to massive opportunity for those who put data privacy and protection first.

2. INVESTOR APPEAL
Given the number of high-profile data breaches we’ve seen in recent years (and the far-reaching consequences of a data breach) investors are naturally more interested in privacy-mature organizations.

3. BREACH MITIGATION
Organizations that fulfill their data privacy obligations have fewer and less costly breaches. According to one study, GDPR-ready companies saw fewer records impacted, suffered smaller losses, and had shorter system downtime than the least GDPR-ready companies.

4. RICH DATA INSIGHTS
Businesses typically undergo a “data mapping” or “data discovery” phase as a part of their compliance and data loss prevention program. Oftentimes, in doing so, they uncover rich insights into customer behavior and internal processes. That means privacy and compliance can actually help drive innovation, improve marketing efforts, and increase operational efficiency.

Chart data: GDPR Ready vs. Least GDPR Ready organizations
■ Percentage who had a data breach: GDPR Ready 74%; Least GDPR Ready 89%
■ Percentage who had breach losses > $500,000: GDPR Ready 37%; Least GDPR Ready 64%
■ Number of records impacted: GDPR Ready 79K; Least GDPR Ready 212K
■ System downtime: GDPR Ready 6.4 Hrs; Least GDPR Ready 9.4 Hrs


“You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.”
MARK PARR
Global Director, HFW

While we take a deeper dive into data requirements under the GDPR, CCPA, HIPAA, GLBA, and PCI DSS starting on page 9 and detail the breach notification process on page 19, you can use this checklist as a guide to help you understand what steps you need to take to ensure general compliance.

■ Data Discovery
■ Implementation of Security Controls
■ Consent Management
■ Data Minimization
■ Usage Monitoring
■ Breach Notification

For more information about each of these steps - including a checklist - download Tessian’s Compliance Toolkit.
Download Compliance Toolkit Now →


Data privacy regulation across the globe

❶ CANADA — Personal Information Protection and Electronic Documents Act (PIPEDA)
A comprehensive privacy law that applies to all private sector organizations (unless covered by provincial privacy law).

❷ UNITED STATES (CALIFORNIA) — California Consumer Privacy Act (CCPA)
Covers big businesses and businesses that “sell” personal information (this could include you, even if you don’t realize it! Skip to page 11 to learn more.)

❸ UNITED STATES (NEW YORK) — New York SHIELD Act
Data breach notification law that ALSO requires businesses to implement a data security program.

❹ BRAZIL — Brazilian General Data Protection Law (LGPD)
Known as “Brazil’s GDPR,” the LGPD imposes data processing principles on all organizations and provides consumers with legal rights.

❺ ARGENTINA — Personal Data Protection Act
A comprehensive privacy law that applies to all people and organizations doing business in Argentina.

❻ EUROPEAN UNION — General Data Protection Act (GDPR)
The world’s “gold standard” data protection law, covering all aspects of personal information processing and privacy rights.

❼ UNITED KINGDOM — Data Protection Act
Implements the EU GDPR in the UK, providing some specific exemptions in areas such as immigration and national security.

❽ SWITZERLAND — Federal Act on Data Protection (FDAP)
Like the GDPR, but with smaller fines — and it also applies to “legal persons” (e.g. corporations).

❾ NIGERIA — Nigerian Data Protection Regulation 2019 (NDPR)
A strict data protection law with similar wording to the GDPR, applying to anyone processing personal information in Nigeria.


❿ SOUTH AFRICA — Protection of Personal Information Act (POPIA)
Another broad, GDPR-inspired privacy law affecting all organizations operating in South Africa.

⓫ CHINA — Personal Information Security Specification
One of several laws covering privacy and information security in China — aimed at businesses.

⓬ INDIA — Personal Data Protection Bill
A strict and sweeping data protection law working its way through India’s lawmaking bodies — due to pass in 2020.

⓭ JAPAN — Act on the Protection of Personal Information (APPI)
Applies to all private sector organizations and requires consent for the sharing of personal information.

⓮ AUSTRALIA — Privacy Act 1988
Imposes the 13 Australian Privacy Principles, such as transparency and security, on public bodies and businesses with a turnover of over AUD 3 million.

⓯ NEW ZEALAND — Privacy Act 2020
Comes into effect on December 1, 2020, with new data breach notification rules, bigger fines, and application to foreign businesses.

“Cybersecurity professionals have this absolute obligation to maintain security and respond to threats appropriately, all whilst respecting privacy rights and obligations. That’s a challenge.”
EMILY FISHER
Data Privacy Manager, Clifford Chance


Data privacy by industry

Energy
ISO/IEC TR 27019 →
Information security guidelines for utilities providers.

Finance
Gramm-Leach-Bliley Act (GLBA) →
US federal law for any business that is “significantly engaged in providing financial products or services.”

Retail/eCommerce/Payment processing
Payment Card Industry Data Security Standard (PCI DSS) →
Applies to all organizations that accept, transmit, or store information associated with payment cards.

App developers
Payment Card Industry Mobile Payment Acceptance Security Guidelines →
Provides standards for accepting payments over mobile apps.

Healthcare
Health Insurance Portability and Accountability Act (HIPAA) →
Covers healthcare providers, health plans, health clearinghouses, and their business associates.

Children’s online services
Children’s Online Privacy Protection Act (COPPA) →
US federal law applying to anyone operating a commercial website, online service, or mobile app aimed at children under 13.

Cloud service providers
ISO/IEC 27017:2015 →
Code of practice providing information security standards from cloud service providers.

Manufacturers
Payment Card Industry PIN Transaction Security (PCI PTS) →
Helps manufacturers create secure payment-processing equipment.

Software developers
Payment Application Data Security Standard (PA-DSS) →
Helps developers create secure payment apps.

Legal/Forensics
ISO/IEC 27037:2012 →
Guidelines for identification, collection, acquisition, and preservation of digital evidence.


GDPR Overview

What is it?
The world’s “gold standard” for data protection laws that covers all aspects of personal information processing and privacy rights

Who enforces it?
The Data Protection Authorities that operate in each country where the GDPR applies. In the UK, it’s the Information Commissioner's Office (ICO)

When was it enacted?
May 25, 2018

Who is obligated to comply?
Any organization or person that collects personal data or behavioral information from someone in the EU

What are the penalties for non-compliance?
A fine up to €20 million or 4% of a company’s annual revenue, whichever is higher

What data is protected
■ Personal data (information that relates to an identifiable individual) including:
  ■ Name
  ■ Address
  ■ ID card/passport number
  ■ Credit card information
  ■ Cultural profile
  ■ IP address
  ■ Health information
■ Special categories of data:
  ■ Racial or ethnic origin
  ■ Sexual orientation
  ■ Political opinions
  ■ Religious or philosophical beliefs
  ■ Trade-union membership
  ■ Genetic, biometric, or health data
  ■ Data related to criminal convictions or offenses (not "special category data," but also requires special protection)

What are the requirements under GDPR?
■ Organizations must only process personal data where they have a lawful basis for doing so. For example: they have the consent of the individual, they are legally obliged to process the individual's personal data, and/or it is in their legitimate interests to process the individual's personal data.
■ Organizations must facilitate the data subject’s rights, including the rights of access, erasure, rectification, and data portability
■ Data can (normally) only be processed for the reasons it was collected
■ Data must be accurate and kept up-to-date or should be erased
■ Data must be stored no longer than necessary (specifically when a subject is identifiable)
■ Data must be processed and stored securely and should be pseudonymized, encrypted, or anonymized where appropriate
■ Anyone who handles data (full-time staff, third-party contractors, temporary employees, volunteers) should be trained in data protection, privacy, and handling
■ In most cases, organizations must appoint a Data Protection Officer (DPO)
■ Organizations must take appropriate technical and organizational measures to ensure the level of security is appropriate to risk
■ Data protection authorities (and affected data subjects) must be notified in the event of a data breach

"Tessian exceeded the expectations of our GDPR team. You simply cannot beat seeing for yourself what the product is capable of against your own organization's data."
MARK ELIAS
IT Infrastructure Manager, Coastal Housing


OTHER RESOURCES
GDPR Enforcement Tracker →
10 Biggest GDPR Fines of 2020 (So Far) →
3 Ways GDPR Has Affected Cybersecurity →

GDPR
Biggest Breaches (and Fines) to Date

Marriott: $124 million*
What happened
383 million guest records (30 million EU residents) were exposed after the hotel chain’s guest reservation database was compromised. PI like guests’ names, addresses, passport numbers, and payment card information was exposed. Note: The hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.
How it could have been avoided
The ICO found that Marriott failed to perform adequate due diligence after acquiring Starwood. They should have done more to safeguard their systems with a stronger data loss prevention (DLP) strategy and utilized de-identification methods.

Google: $56.6 million
What happened
In early 2019, French regulator CNIL found that Google wasn’t sufficiently informing customers about how they collected data to personalize advertising. That means that there wasn’t actually a data breach. Instead, Google was fined for a lack of transparency.
How it could have been avoided
To start, Google shouldn’t have “pre-ticked” the option to personalize ads for new users creating an account. Google also should have provided more information to users in consent policies, and should have granted users more control over how their personal data was processed.

H&M: $56.6 million
What happened
H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers who gained “a broad knowledge of their employees’ private lives” which was then used to help evaluate employees’ performance and make decisions about their employment.
How it could have been avoided
H&M shouldn’t have collected - or shared - personal information, particularly special categories of data about people’s health and beliefs, without doing so for a specific and justifiable purpose. H&M should also have placed strict access controls on the data and the company should not have used this data to make decisions about people’s employment.

*Amount proposed by the ICO in July 2019. The fine hasn’t yet been finalized.


CCPA Overview

What is it?
Covers big businesses and businesses that “sell” personal information (this could include you, even if you don’t realize it!)

Who enforces it?
The California Attorney General

When was it enacted?
January 1, 2020

Who is obligated to comply?
If you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA. It applies to any for-profit business in the world that has an annual gross revenue in excess of $25 million, that buys, sells, or shares the personal information of more than 50,000 California residents annually, or that earns 50% or more of its annual revenues from selling consumers’ PI.

What are the penalties for non-compliance?
Civil penalties can amount to $7,500 per violation. Statutory damages related to breaches range from $100 to $750 per consumer, per incident or actual damages, whichever is greater.

What data is protected
■ Personal data (information that relates to an identifiable individual) including:
  ■ Name
  ■ Address
  ■ ID card/social security number
  ■ Credit card information
  ■ Cultural profile
  ■ IP address
  ■ Medical information
  ■ Biometric data
  ■ Health insurance information
■ The CCPA’s definition of “personal data” is even broader than the GDPR’s and includes:
  ■ IP address
  ■ Cookie data
  ■ Device ID
  ■ Geolocation data
  ■ Pixel tags

What are the requirements under CCPA?
■ Organizations must uphold the CCPA Consumer Rights, including:
  ■ The right to know
  ■ The right to delete
  ■ The right to opt-out
  ■ The right to non-discrimination
  ■ The right to opt-in (for minors)
■ Organizations must maintain reasonable security procedures and practices in order to prevent unauthorized access, exfiltration, theft, or disclosure
■ Organizations must provide notice to consumers including:
  ■ Privacy policy
  ■ Notice of collection
  ■ Notice of the right to opt-out
  ■ Notice of financial incentives
■ Organizations must not “sell” personal information to another business or third-party
■ The California Attorney General (and affected data subjects) must be notified in the event of a data breach


OTHER RESOURCES
CIS’s Guide to CCPA’s Minimum Requirements →
CCPA FAQs: Your Guide to California’s New Privacy Law →
CCPA and GDPR Comparison Chart →

CCPA
Biggest Breaches (and Fines) to Date*

Zoom: $500 million to $3.75 billion
What happened
According to the case docket and Zoom’s blog post, Zoom shared user data - including device type, advertising ID, mobile OS type, and more - with Facebook without notifying users. This appears to have been the result of Zoom allowing users to “Login with Facebook”, but even non-Facebook users were affected. So, how big was the breach? According to the complaint, “millions” of users could claim statutory damages.
How it could have been avoided
While this may seem like an issue relating to opt-ins, it has more to do with cybersecurity. Because Zoom is alleged to have “failed to properly safeguard the personal information of users”, the potential violation will be classed as a failure to implement reasonable security.

Marriott: Undisclosed amount
What happened
According to the case docket and Marriott’s own announcement, the PI of 5.2 million people was exposed in a data breach after the login credentials of two employees were compromised. Marriott believes the activity started in mid-January 2020. The login credentials weren’t disabled until the end of February.
How it could have been avoided
Marriott is being accused of failing to “institute the most basic cybersecurity policies and procedures”, failing to “exercise reasonable care” and failing to train employees on policies and procedures. In a nutshell: Marriott could have avoided the breach with stronger cybersecurity controls (network security and email security specifically) and training.

Hanna Andersson: $1 million to $7.5 million
What happened
According to the case docket and data breach notification, between September 16, 2019 and November 11, 2019, hackers deployed malware to the website of children’s retailer Hanna Andersson (hosted by Salesforce) and scraped customers’ names and payment information. The PI of over 10,000 California consumers was later found being sold on the Dark Web. The Office of the Attorney General and consumers weren’t notified until over a month later.
How it could have been avoided
While Hanna Andersson and Salesforce should have better protected users’ PI with security controls and more effectively monitored the website and ecommerce platform for security vulnerabilities, they’re also being accused of failing to notify consumers of the breach properly. This shows the importance of investigation and remediation and seamless reporting processes.

*This information is based on class-action complaints brought by consumers that have not yet been resolved. Some occurred prior to CCPA enforcement but are (nonetheless) being pursued as CCPA violations. Speculative fines have been calculated - when possible - based on the number of users affected and the CCPA’s penalties for non-compliance.
HIPAA Overview

What is it?
Healthcare-specific federal law that protects sensitive patient health information

Who enforces it?
The US Department of Health & Human Services, and other agencies such as Centers for Medicare and Medicaid

When was it enacted?
August 21, 1996

Who is obligated to comply?
Most health care providers (including doctors, clinics, hospitals, nursing homes, pharmacies), health plans, healthcare clearinghouses, and their business associates

What are the penalties for non-compliance?
Fines of up to $50,000 per violation, with an annual maximum of $1.5 million per violation and/or prison terms of up to 10 years

What data is protected
■ Public Health Information (PHI) includes any information that could be used to identify an individual, such as:
  ■ Names
  ■ Dates directly related to an individual
  ■ Phone numbers
  ■ Email addresses
  ■ Social Security numbers
  ■ Medical records/medical record numbers
  ■ Health insurance information
  ■ Account numbers
  ■ Vehicle identifiers
  ■ Device identifiers and serial numbers
  ■ IP numbers
  ■ Biometric identifiers
  ■ Full photographic images
  ■ Geographical identifiers

What are the requirements under HIPAA?
■ Organizations must carry out a risk assessment
■ Organizations must implement administrative, physical, and technical safeguards, including training to ensure compliance by their employees
■ Organizations must ensure the confidentiality, integrity, and availability of electronic PHI (e-PHI) they create, receive, maintain, or transmit
■ Organizations must identify and protect against reasonably anticipated threats to the security or integrity of e-PHI and protect against impermissible uses or disclosures
■ Organizations must modify and review their security measures to continue protecting e-PHI in a changing environment (internal and external)
■ Organizations must notify relevant parties (patients, the HHS, etc.) in the event of a data breach

“The added value of Tessian is that it influences behavior. That really resonated with the board and helped me make a strong business case. While I can’t show how cybersecurity creates revenue, I can show the potential fines we could avoid because of our investment in Tessian.”
CAS DE BIE
CIO at Cordaan


OTHER RESOURCES
HIPAA At A Glance: Data Loss Prevention in Healthcare →
HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules →
US Data Privacy Laws: What You Need to Know →

HIPAA
Biggest Breaches (and Fines) to Date

Anthem Blue Cross: $16 million
What happened
After Anthem Blue Cross’ computer system was hacked, the data of around 78.8 million people was stolen, including names, birthdays, addresses, medical IDs, social security numbers, and employment information. The insurance company settled with affected patients for $115 million in 2017 before shelling out $16 million in the HIPAA settlement.
How it could have been avoided
While Anthem denies liability, specialists say Anthem didn't take steps to protect data in its computers through encryption and other controls, policies, and procedures that would prevent hackers from gaining access to employee login credentials and other systems and data. Bonus: Did you know that credentials are the most frequently compromised “type” of data in phishing attacks?

Premera Blue Cross: $6.85 million
What happened
In May 2014, Premera Blue Cross was targeted by a spear phishing attack which installed malware on the healthcare provider’s network, giving them access to their IT system. After going undetected for nine months, the PI of more than 10.4 million people was exposed, including health plans, clinical information, names, addresses, and social security numbers.
How it could have been avoided
The OCR found “systemic non-compliance” with the HIPAA Rules which means Premera Blue Cross should have invested more money, time, and resources into privacy and cybersecurity, conducted an enterprise-wide risk analysis, and implemented risk management and audit controls. In particular, though, they should have invested more in inbound email security to prevent the spear phishing attack.

Excellus: Undisclosed amount
What happened
After multiple health insurers (including Anthem and Premera Blue Cross) were breached, Excellus proactively hired a cybersecurity firm to conduct a forensic assessment of its IT systems. They found that hackers had gained access to administrative controls and therefore data (financial account information, claims information, names, dates of birth, social security numbers, etc.) related to 10.5 million people. According to financial filings from 2015, the breach cost Excellus $17.3 million in the 4.5 months following its discovery.
How it could have been avoided
While it appears the HIPAA investigation is (still) ongoing - and they claim the data was encrypted - any pending violations will be related to a failure to protect sensitive data with administrative, physical, and technical controls.


GLBA Overview

What is it?
US federal law requiring financial institutions to explain how they use, share, and protect customers’ personal information

Who enforces it?
Various agencies, including the Federal Trade Commission (FTC) and federal banking authorities, and state-level insurance regulators

When was it enacted?
November 1999

Who is obligated to comply?
Any business that is “significantly engaged in providing financial products or services,” including banks, securities firms, insurance companies, financial advisers, and other financial service providers

What are the penalties for non-compliance?
Financial institutions can face fines of up to $500,000, 5 years imprisonment, or both

What data is protected
■ Names
■ Addresses
■ Phone numbers
■ Bank account numbers
■ Credit card numbers
■ Income and credit histories
■ Social Security numbers

What are the requirements under GLBA?
■ Financial privacy rule:
  ■ Provide a privacy policy explaining how personal information is collected
  ■ Allow customers to opt out of the disclosure of their non-public personal information to non-affiliated third parties
■ Pretexting rule:
  ■ Safeguard against the obtaining of financial information via false, fictitious, or fraudulent statements
■ Safeguards rule:
  ■ Designate one or more employees to coordinate an information security program
  ■ Identify and assess risks to personal information in all operational areas
  ■ Evaluate the effectiveness of current safeguards
  ■ Design and implement a safeguards program
  ■ Only use service providers that can maintain appropriate safeguards
  ■ Implement a contract with service providers ensuring that they will maintain safeguards
  ■ Oversee service providers’ processing of personal information
  ■ Evaluate and adjust the safeguards program in light of relevant circumstances, operational changes, and the results of security testing

“We were looking for the right data loss prevention solution for two years. We loved the machine learning-powered approach Tessian offered.”
CHRIS TUREK
CIO at Evercore


OTHER RESOURCES
Ultimate Guide to Data Protection and Compliance in Financial Services →
How to Comply With the GLBA →
FDIC’s Compliance Manual for GLBA →

GLBA
Biggest Breaches (and Fines) to Date*

Equifax: $575 million
What happened
Between May and July 2017, hackers exploited a vulnerability in Equifax’s unpatched software and gained access to the private records of over 147 million customers. In January 2020, the company agreed to a global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau, and 50 U.S. States and Territories. The settlement also included a $425 million payout to customers who were affected by the breach.
How it could have been avoided
Equifax “failed to undertake numerous basic security measures” and, according to a House Oversight Committee report, the breach was “entirely preventable”, had the credit agency patched a vulnerability they were warned about months prior.

Nationwide: Undisclosed amount
What happened
This one isn’t a breach in the sense that customer data was exposed. It’s simply a breach of the GLBA’s Safeguards Rule. In a nationwide sweep monitoring compliance with federal privacy laws, Nationwide was found to have failed to comply with a number of data requirements (see below). In the end, the company was ordered to retain an independent professional to certify its security program on an ongoing basis. No fine was issued.
How it could have been avoided
Again, it comes down to DLP. Nationwide should have assessed risks to sensitive customer information, implemented safeguards to control these risks, trained employees on information security issues, maintained clearer oversight of how loan holders handle customer information, and better monitored its computer network for vulnerabilities.

PayPal (Venmo): Undisclosed amount
What happened
In 2018, the FTC filed a complaint against PayPal - which acquired Venmo in 2014 - for failing to satisfy data requirements contained in both the GLBA and FTC Act and for misleading customers.
How it could have been avoided
According to the FTC, Venmo didn’t have a written information security program until August 2014 and, until 2015, hadn’t implemented basic safeguards to protect data or created processes for customer support. Step one? Data discovery.

*Breaches of GLBA tend to be mixed up with breaches of other laws, the settlement almost always involves remedial action rather than penalties, and, because there is no private right of action under the GLBA, there are no lawsuits.
PCI DSS

Overview

What is it?
Information security standard protecting credit card data

Who enforces it?
Credit card companies that are members of the PCI Security Standards Council: American Express, Discover, JCB International, MasterCard and Visa Inc.

When was it enacted?
December 2004

Who is obligated to comply?
People and organizations working with and associated with payment cards, including: merchants, financial institutions, point-of-sale vendors, hardware and software developers

What are the penalties for non-compliance?
While penalties are rarely made public (and vary depending on the contract between the credit card company and the acquiring bank, and between the bank and the merchant or financial institution), organizations can be fined up to $100,000 a month. See Resources on the next page for more information.

What data is protected

Cardholder data
■ The full primary account number (PAN) (long card number)
■ Full PAN in combination with:
  ■ Cardholder name
  ■ Expiry date
  ■ Service code (the three-digit code encoded on the card's magnetic stripe or chip that defines how the card may be used)

Note that the CVV2/security code printed on the card is not the service code. It is sensitive authentication data, and PCI DSS prohibits storing it after authorization, even in encrypted form.

What are the requirements under PCI DSS?
■ Installing and maintaining a firewall
■ Changing vendor-supplied default passwords and security parameters
■ Protecting stored cardholder data via encryption, hashing, truncation and other methods
■ Encrypting cardholder data whenever transmitting over public networks
■ Protecting systems against malware
■ Developing and maintaining secure systems and applications
■ Restricting access to cardholder data to authorized personnel on a "need to know" basis
■ Identifying and authenticating access to networks, servers, and applications, including by assigning a unique ID to personnel
■ Restricting physical access to cardholder data
■ Logging and monitoring access to cardholder data and network resources
■ Testing security systems and processes regularly
■ Maintaining an information security policy, including staff training

TESSIAN RESEARCH
Cashing in: How hackers target retailers with phishing attacks
LEARN MORE →
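The "protecting stored cardholder data" requirement above is normally met by rendering the PAN unreadable wherever it is stored and truncating it wherever it is displayed. The Python below is an added example, not code from this guide or from Tessian, showing three of the methods PCI DSS accepts: a Luhn check so that only syntactically real PANs are treated as cardholder data, truncation to the first six and last four digits for display, and a keyed one-way hash (HMAC) so a stored card can be matched by token without the token being reversible by brute force. The card numbers are the widely published test PANs, the key is a made-up constant, and the record layout is assumed.

```python
import hashlib
import hmac

# Assumed key: in production this comes from an HSM or key-management service,
# never from source code. A constant here only so the example runs stand-alone.
TOKEN_KEY = b"example-key-not-for-production"

# Constructed sample input: the public test PANs used by payment gateways, not real cards.
SAMPLE_CARDS = [
    {"name": "A. Cardholder", "pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv2": "123"},
    {"name": "B. Cardholder", "pan": "5555 5555 5555 4444", "expiry": "03/26", "cvv2": "456"},
    {"name": "Typo", "pan": "4111 1111 1111 1112", "expiry": "12/27", "cvv2": "789"},
]


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check: True for a syntactically valid PAN of 13 to 19 digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: PCI DSS allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN. An unkeyed SHA-256 is brute-forceable, because for a
    known BIN there are only around 10^9 Luhn-valid PANs, which is why PCI DSS v4 requires
    hashes of PAN to be keyed."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Reduce a freshly authorized card record to what may persist.
    The full PAN is never written, and CVV2 is dropped: sensitive authentication
    data must not be retained after authorization, even encrypted."""
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {
        "name": record["name"],
        "expiry": record["expiry"],
        "masked_pan": mask_pan(pan),
        "pan_token": pan_token(pan, key),
    }


def store_all(records=SAMPLE_CARDS, key: bytes = TOKEN_KEY):
    """Process a batch; returns (stored records, rejected raw inputs)."""
    stored, rejected = [], []
    for rec in records:
        try:
            stored.append(store_card(rec, key))
        except ValueError:
            rejected.append(rec["pan"])
    return stored, rejected


if __name__ == "__main__":
    kept, bad = store_all()
    for row in kept:
        print(row)
    print("rejected:", bad)
```

The Luhn check is a format test, not proof that a card exists; it is what keeps a DLP or tokenization layer from treating every sixteen-digit order number as cardholder data. Truncation and the keyed hash are complementary: the masked form is what staff and receipts may see, the token is what the database uses to recognise a returning card, and neither can be turned back into the PAN without the key.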


OTHER RESOURCES

PCI DSS
Payment Card Industry Standards: Compliance Burden or Opportunity →
Cashing In: How Hackers Target Retailers with Phishing Attacks →
PCI DSS Quick Reference Guide →

Biggest Breaches (and Fines*) to Date

HEARTLAND: Undisclosed amount

What happened
While Heartland was actually deemed PCI DSS compliant at the time, it nonetheless suffered a breach after five men, who were involved in a worldwide hacking and data breach scheme, targeted it. 160 million customers had their credit card numbers stolen, resulting in hundreds of millions of dollars in losses. Heartland settled with Visa, Mastercard, and Amex, lost its PCI DSS compliance for 4 months, was forced to pay out/lost a total of $200 million, and, within a few months, its stock price had fallen by over 77%.

How it could have been avoided
The payment processing provider was hacked by a successful SQL injection attack. So, how do you prevent one? At the application layer, by never building SQL from untrusted input: use parameterized queries (prepared statements) and validate input. Around the application: strong network segmentation, strict access controls, and patch management, so that a single injectable web form cannot reach the systems that process card data.

TJX: Undisclosed amount

What happened
In 2007, and over the course of 18 months, 94 million credit cards were compromised. Hackers allegedly planted unauthorized software on the retail giant's computer network, enabling them to steal hundreds of files containing data on millions of accounts. Hackers also cracked TJX's data encryption system, allowing them to access unencrypted data during the checkout/payment process.

How it could have been avoided
There were multiple points of attack in this breach, but better data encryption methods, firewalls, data monitoring, and training would all help safeguard TJX's sensitive customer information.

HOME DEPOT: Undisclosed amount

What happened
Between April and September 2014, 56 million credit cards and 52 million email addresses were compromised after hackers accessed Home Depot's network with a vendor's username and password and installed malware on self-checkout registers.

How it could have been avoided
According to the SANS Institute, "the implementation of P2P encryption and proper network segregation would have prevented the Home Depot data breach". But, since credentials are frequently stolen in phishing and spear phishing attacks, strong inbound email security across the supply chain is also essential.

* Because card companies don't reveal any information about the fines that they have issued on acquiring banks and, likewise, banks don't reveal any information about how they have recovered such fines from merchants, we can only provide information about the size of the breach and settlement costs, not the fines issued.
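An added example of the SQL injection named in the Heartland entry, not code from this guide or from Heartland: the same card lookup written the injectable way and the parameterized way, run against a constructed in-memory SQLite table. The table, the merchant names and the (public test) card numbers are made up for the example; the point is that the attack string works against one function and is harmless to the other.

```python
import sqlite3

# Constructed sample data, not from any real system: a tiny card-on-file table.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5555555555554444"),
]

# A classic tautology payload: closes the attacker's quote and makes the WHERE clause always true.
ATTACK_PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """Builds the SQL by string concatenation, so attacker-controlled input becomes SQL.
    With ATTACK_PAYLOAD the statement sent to the database is:
        SELECT pan FROM cards WHERE merchant = '' OR '1'='1'
    which returns every row in the table."""
    sql = "SELECT pan FROM cards WHERE merchant = '" + merchant + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, merchant: str) -> list:
    """Same query with the value bound as a parameter. The SQL text is fixed; the
    driver sends the merchant string as data, so quotes inside it are just characters
    and the payload simply matches no merchant."""
    sql = "SELECT pan FROM cards WHERE merchant = ?"
    return sorted(row[0] for row in conn.execute(sql, (merchant,)))


def demo() -> dict:
    """Run both versions with a legitimate input and with the attack payload."""
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "attack_vulnerable": lookup_vulnerable(conn, ATTACK_PAYLOAD),
        "legit_safe": lookup_safe(conn, "alice"),
        "attack_safe": lookup_safe(conn, ATTACK_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

Input validation (rejecting a "merchant" that contains anything but the characters a merchant ID can have) is a worthwhile second layer, but parameter binding is the control that removes the bug class; it does not depend on anticipating every payload.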
What needs to happen immediately after a breach is discovered?

We talked about the long-term consequences of a breach, including cost, lost customer trust, and damaged reputation on page 3. But what about the immediate aftermath? The breach notification process is painful, labor-intensive, and generally involves several teams, including the C-suite.

On average, it takes companies 197 days to identify and 69 days to contain a breach.

This list of to-dos should help you understand your regulatory obligations and what the minimum requirements are post-breach under compliance standards like the GDPR.

Step 1: Investigation
■ Assemble a team of experts and identify a data forensics team
■ Consult with legal counsel
■ Interview people who discovered the breach
■ Follow internal reporting process
■ Containment (capture forensic images and logs first: taking systems offline and resetting credentials can destroy the evidence the investigation and the regulator will ask for)
  ■ Secure physical areas
  ■ Take systems offline
  ■ Remotely disable endpoints
  ■ Reset passwords
  ■ Change access rights
■ Risk assessment:
  ■ Who was affected?
  ■ What data was compromised?
  ■ What caused the breach?
  ■ Who needs to know (including service providers who may have been affected)?
  ■ Do you need to hire external support?
  ■ How severe is the breach?

The bottom line: There's a lot to do in the immediate aftermath of a breach, and employees will have to drop tools on existing initiatives and revenue-generating projects. This will impact productivity and cause operational disruption. And that's only step one.

Step 2: Notification
Breaches generally have to be reported "as soon as possible". In the case of the GDPR, though, it's within 72 hours. That clock (Article 33) starts when you become aware of the breach and covers notification to the supervisory authority; affected individuals must be told without undue delay where the breach is likely to result in a high risk to them (Article 34). Within that period you must draft a notification letter explaining the nature of the breach, who has been affected, and what steps are being taken to mitigate the breach.

Who has to be notified? The enforcement agency (under the GDPR, it's the lead Data Protection Authority), any individuals affected, and, under most US data breach laws, the state Attorney-General and consumer reporting agencies must also be notified.

Beyond just the mandatory notifications, most companies must also invest in crisis communications campaigns to control the narrative from a PR perspective and protect brand reputation. These campaigns cost an average of $400,000 and involve strategic counsel from either external agencies or in-house PR teams who will prepare spokespeople for media interviews and press conferences, craft public statements, and field inbound media requests.

Note: Some US laws also require companies to offer paid credit monitoring services to individuals affected for a period of time following the breach. Organizing this can be very resource-intensive.

Step 3: Evaluation
After a breach, companies need to show regulators that they are being proactive in trying to prevent further data loss. That means updating policies, implementing new solutions, training employees, and adopting a stronger security culture. Fast. This will also generally involve hiring new security professionals and onboarding external security/IT support. Don't forget, you'll need to report any changes to the regulators, which requires even more time.

You can reduce the chance of ever going through this arduous process, and save valuable time and money, by investing in cybersecurity solutions that prevent breaches from happening in the first place. It's worth it. According to a recent report, the cost of non-compliance is 2.71 times higher than the cost of compliance.


How can Tessian help ensure compliance?

General Data Protection Regulation (GDPR)
INDUSTRY: All organizations that process personal data of EU residents.
WHAT TYPE OF DATA: Personal data of EU residents.
MANDATES: Protect against unauthorized or unlawful processing and accidental loss, destruction or damage of personal data.
PENALTIES: Fines of up to 4% of the company's annual worldwide turnover or €20 million, whichever is higher.
HOW TESSIAN HELPS CUSTOMERS STAY COMPLIANT: Tessian Guardian automatically prevents accidental sharing of personal data with unintended recipients. Tessian Enforcer tracks and blocks personal data from being sent to unauthorized business accounts.

California Consumer Privacy Act (CCPA)
INDUSTRY: All businesses in California that meet at least one of three criteria: annual gross revenue of $25M; derive 50% of annual revenue from selling customers' personal information; or buy / sell / receive / share personal information of >50,000 customers.
WHAT TYPE OF DATA: All end-user data collected by company websites using cookies and other tracking technology.
MANDATES: Empower users with new data rights (the first in the US), such as the right to opt-out, the right to disclosure of what data has been collected, and the right to deletion of that data.
PENALTIES:
■ $7,500 per intentional violation or $750 per affected user
■ $2,500 for violations lacking intent
HOW TESSIAN HELPS CUSTOMERS STAY COMPLIANT: Tessian Guardian automatically prevents accidental sharing of personal data with unintended recipients. Tessian Enforcer tracks and blocks personal data from being sent to unauthorized business accounts.

Health Insurance Portability & Accountability Act of 1996 (HIPAA)
INDUSTRY: Healthcare
WHAT TYPE OF DATA: Personally identifiable electronic health information (ePHI)
MANDATES:
■ Ensure the confidentiality, integrity and availability of all ePHI data through its lifecycle (created, received, maintained or transmitted)
■ Identify and protect against threats and impermissible uses
PENALTIES:
■ Fines of up to $50,000 per violation, with an annual maximum of $1.5 million
■ Prison terms of up to 10 years
HOW TESSIAN HELPS CUSTOMERS STAY COMPLIANT: Tessian Guardian prevents accidental data loss of sensitive patient data through misdirected emails. Tessian Enforcer tracks and blocks confidential health information such as health insurance or social security numbers from being shared externally.

Gramm–Leach–Bliley Act (GLBA)
INDUSTRY: Organizations that provide financial products / services to customers.
WHAT TYPE OF DATA:
■ Nonpublic personal information (NPI)
■ Personally identifiable information (PII)
MANDATES:
■ Ensure the secure collection, disclosure and protection of consumers' NPI and PII
■ Develop a written information security plan to protect customers' NPI and PII
PENALTIES:
■ $100,000 fine per violation for the organization
■ $10,000 fine per violation or up to 5 years in prison for personally liable officers
HOW TESSIAN HELPS CUSTOMERS STAY COMPLIANT: Customers use Tessian Constructor to track and block PII such as social security and passport numbers from being sent externally.

Payment Card Industry Data Security Standard (PCI DSS)
INDUSTRY: Any industry that deals with cardholder data, such as retail and FSI.
WHAT TYPE OF DATA: Payment card data in paper and electronic form, during both storage and transmission.
MANDATES:
■ Implement strong access control programs around cardholder data
■ Maintain a comprehensive vulnerability program
PENALTIES:
■ Non-compliance fines of up to $100,000 / month
■ Suspension of card acceptance
HOW TESSIAN HELPS CUSTOMERS STAY COMPLIANT: Tessian can identify payment card data such as credit or debit card numbers and, if it appears it's being sent to an incorrect or unauthorized recipient, it will be blocked.


Learn more about how Tessian prevents data loss on email. REQUEST A DEMO →

Powered by machine learning, Tessian's Human Layer Security technology understands human behavior and relationships.
■ Automatically detects and prevents misdirected emails
■ Automatically detects and prevents data exfiltration attempts
■ Automatically detects and prevents spear phishing attacks

Certifications: Cyber Essentials Certified, Cyber Essentials Plus Certified, ISO 27001 (UKAS), Gartner Cool Vendor 2020