Posted on

Are Invoicing Companies Leaving Small Businesses Vulnerable?

For the last two years, my main focus as a cyber security consultant has been, and still is, getting companies, mostly big ones, ready for GDPR. One pressing concern is the GDPR compliance of invoicing companies.

Maybe GDPR is a buzzword for some, but the logic behind it is great for both privacy and proper data security.

The privacy part is challenging because GDPR’s definitions of personal data (what this post calls PII) and of special categories of personal data (SPI) are deliberately broad.

It COVERS EVERYONE.

From big companies to small companies, and even micro companies: you are obliged to protect PII and SPI with what the regulation calls “appropriate technical and organisational measures” (Article 32).

Many companies have started the shift of changing their work methods and the way that B2C communication is done. For example, basic “client notifications” are now usually protected.

GDPR is first and foremost a methodology change, not a technological one. You change the way you work first and then which technological tools you use.

This change has already “hit” some industries, but others prefer to ignore it. For example, I am a client of one of the biggest online invoicing companies, along with many other small and medium business owners.

Invoices have PII in them, and sometimes SPI: they carry a lot of my clients’ information (name and postcode, sometimes the full address), which is properly identifiable information. Name and address alone are personal data under GDPR; whether an invoice also contains special-category (sensitive) data depends on what the line items reveal about the client.

When I send an invoice to my clients I am sending PII and SPI.

Since the GDPR date, my colleagues and I have started to send invoices in a secure way. Is it more “work”? Yes. We are sending a PDF within an encrypted email, not a link, so that we can make sure that only the recipient gets it and not someone else.

As a client of one of the biggest online invoicing companies, I’m concerned about their GDPR compliance, and I have contacted them and asked very clearly,

“What are you going to do about GDPR? Which encryption method are you going to use and how are you going to guarantee that the PII and SPI that are being sent via your system is secure?”

And …

Nothing really.

I got some generic responses, some links to the privacy/GDPR policy, but no real answer.

Then after some more Q&A, I got a strange response,

“We are sending PII BY FUNCTION... so, nothing is really going to change.” So I responded with:

“So? GDPR has no ‘BY FUNCTION’ exclusion.” And, of course, since then it has been silence.

It seems, at least for that specific company, that they are ignoring or excusing not being GDPR compliant by saying that their CORE FUNCTION (and I quote, “BY FUNCTION”) is … not GDPR compliant. I know it sounds crazy, but that is the reality.

So, let’s break it down a bit:

  1. I am using their online invoicing platform – they are my Data Processor
  2. I am storing sensitive client information on their system and I expect them to be GDPR compliant, which I trust their feedback that it is, as regards the way they store and access information.
  3. But… when I send the invoice to my clients via their system, I am extracting PII and SPI from their system and sending it into the world with no security mechanism at all?! The email carrying the link is not encrypted, and if the link opens without any further authentication it is effectively a bearer token: whoever ends up with it (a forwarded email, a mistyped address, a compromised mailbox) can open the invoice.
  4. This specific online invoicing company is sending a link (like many others) – not even a password protected PDF is an option?

Bottom line: you as a user of the system have the option not to send a link, but to download the PDF, secure it (and pass the password to the client by a different channel than the email, otherwise the protection is cosmetic), and then send it yourself… but why isn’t the invoicing company doing it for you? Why are they putting YOU at risk?

Why? – I don’t know, I presume it’s because it’s easier to ignore the reality than to face it. It’s easier to put everything on your clients than to solve the core issue.

My professional recommendation to you is: until online invoicing companies’ GDPR compliance becomes clear, protect yourself! Don’t send PII and SPI in a non-secure way.

Eli Migdal.


Industries Prone to Email GDPR Breaches

Although emails are not specifically referenced within the clauses of the GDPR, the legislation does cover all personal data contained within emails and attachments. Anyone handling personal information about people in the EU is bound by GDPR and must make preparations to ensure that they are compliant from the date it applies, 25 May 2018, if not sooner.

In this article, we’ll take a closer look at the industries that tend to be prone to data breaches involving emails, the reasons why, and strategies to avoid information becoming compromised.

Why Are Some Industries More Prone Than Others?

Theoretically, all industries have the potential to experience GDPR breaches. However, these are made more likely when organisations manage a disproportionately large amount of personally identifiable information, or PII. This is data that can be used on its own, or in combination with other known variables, to determine an individual’s identity.

Some examples of PII may include a full name (particularly if it is uncommon), date of birth, home address, telephone number, email address, passport, driving license, national insurance or social security number, credit card details, or vehicle registration. The more variables that are known, the easier it is to build an image of someone’s identity.

This kind of data is attractive to those who wish to exploit it, which makes organisations that hold it a target for hacking or phishing attacks. Human error also causes data breaches; a misdirected email is unintentional, but the potential damage is just as severe.

It’s important, therefore, for these industries to take additional precautions in the gathering, storage, and processing of sensitive information.

Industries at Risk

Due to the nature of the data they hold, the following sectors have a high risk of experiencing GDPR breaches:

  • Financial
  • Legal
  • HR
  • Medical

The recruitment industry is also very susceptible, as organisations within it hold substantial amounts of personal information, which is passed frequently between internal and external recipients!

Small businesses, entrepreneurs, and virtual assistants can carry an elevated risk of experiencing GDPR breaches, particularly if they are starting out or otherwise unaware of correct data management procedures. 

Emails regarding invoices, bank details, and login information can be especially problematic. Training helps to mitigate this risk, prevent records being compromised, and protect the reputation of data custodians.

What Can Be Done to Minimise Risk?

Take a ‘prevention is better than cure’ approach. In the first instance, use anonymised or pseudonymised data as far as possible: if it is compromised, it is far harder for unauthorised parties to connect the dots and endanger the individuals concerned. Note the difference: truly anonymised data (which cannot be linked back to anyone) falls outside GDPR, whereas pseudonymised data (where the link is held separately, for example as a reference number) is still personal data and still needs protecting.

When communicating via email, take extra precaution and encrypt your emails and attachments at the file level rather than relying on encryption of your own computer. Disk encryption only protects the data while it sits on your device; file-level encryption travels with the file, so the contents remain protected if the message is intercepted, misdirected or forwarded, provided the key or password reaches the recipient by a separate channel from the email itself. Encryption is one of the measures GDPR names explicitly (Article 32). You can do this by installing software in your business which does it automatically, but if you don’t have the budget for a large-scale solution, you can try something like My Protected Mail, which doesn’t involve installing anything and is quick and easy to deal with.

Although we have cited industries prone to email GDPR breaches, it’s best to be responsible no matter your industry. All custodians of sensitive data are responsible for its protection. If you are working within an industry with an elevated risk of email GDPR breaches, be sure you are prepared! Check out My Protected Mail here for more info and sign up for free to get the extra protection your sensitive emails or attachments need.


Why Your Emails Need to Be Compliant Under GDPR

Although emails are not specifically referenced in the GDPR, all personal data contained within them is within its scope. To avoid the risk of a breach, as well as to conform to these regulations, it’s important to stay protected and send GDPR compliant emails.

In this article, we’ll introduce you to points you should consider when sending GDPR compliant emails.

Safeguarding Personal Information

Personally identifiable information, or PII, is data that can be used—either on its own or in combination with other records—to determine an individual’s identity. It is best practice not to provide PII wherever possible, but to use anonymised data instead.

But we know this isn’t always possible, and sometimes you need to share data that could identify someone, so it must be sent securely. Protected emails that contain PII should not be forwardable to unauthorised participants, and you should make sure you have a lawful basis for sending the data at all. Consent is the best known of the six lawful bases in Article 6 (performing a contract with the person is another); where you rely on consent it must be freely given and specific, and it must be respected when it is withdrawn.

Preventing Unauthorised Access to Data

A data breach places sensitive information at risk of exploitation by criminal activity or other unauthorised purposes. A data breach can be prevented by sending attachments securely, tracking the receipt of documentation, sending only essential information, and by double-checking that data recipients are authorised.

File level encryption is one of the best ways to do this (find out more about this in our previous article here) and there are simple ways to send protected emails without having to download special programs. Try using something like My Protected Mail for free and see how you can send and receive protected emails. 

If you do find that your organisation has experienced a personal data breach, you (or your company’s assigned data protection officer) are duty bound under GDPR to notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33), and to notify the affected individuals themselves without undue delay where the breach is likely to result in a high risk to them (Article 34). Telling people promptly gives them the opportunity to take corrective measures and prevent further compromise of their information. Of course, your organisation has a responsibility to facilitate and support such action, whilst simultaneously commencing an investigation and completing internal and external reporting.

Protecting Your Brand’s Reputation

Personal data is important to every individual. When we entrust organisations with sensitive information, there is an expectation that this will be respected. Any breach or mismanagement of data reflects negatively on a brand.

That said, if a data-related incident does occur, it is best to be honest about the situation from the start. Not only does the GDPR explicitly require this, but taking swift action helps to protect your brand’s reputation. People understand that even highly secure structures can be compromised, and if your organisation responds quickly, this can help to mitigate the damage. Conversely, a delay or cover-up would be completely unacceptable.

Generating positive PR

If your organisation is shown to be consistently compliant with data protection laws—including GDPR—this gives a positive impression of your information safeguarding processes. It also demonstrates a wider sense of reliability and security and strengthens your brand’s reputation, encouraging potential customers and stakeholders to put their trust in you.

Consider getting help in making you compliant by using My Protected Mail; it works with your existing systems and doesn’t require setup or installation! To find out more, visit www.MyProtectedMail.com


The True Cost of a Data Breach to Your Business

GDPR has placed renewed focus on the issue of information security, and the potential impact and cost of a data breach on involved organisations.

Obviously, a data breach can have substantial financial consequences. Depending on the severity of the GDPR infringement, administrative fines can reach up to €20 million, or 4% of annual global turnover, whichever is higher. Plus, it also leaves you liable to pay damages to individuals or businesses as a result of the breach. 

However, fines are not the only cost to a business; reputational damage can be devastating to long-term viability.

In this article, we’ll take a closer look at the wide-ranging costs that can be incurred in response to a data breach.

Bad PR

It is said that all PR is good PR, but that is not always the case. Data security is intrinsically linked with an individual’s sense of personal safety, and any infringement of that will prompt a fiercely negative response from affected individuals. A business’ reputation can be destroyed by a data breach incident.

Trust is the foundation of customer loyalty. If that trust is compromised, your business may not be able to recover its former standing.

Loss of Revenue & Company Value

Reputational damage as a result of a GDPR breach will almost inevitably lead to a dip in sales. For service providers, such as lawyers or accountants, a breach can result in a loss of retainers or diminished customer loyalty. Larger corporations may find that their company value takes a hit.

Yahoo suffered several data breaches in 2013 and 2014, affecting large swathes of customer accounts, but only disclosed them in 2016, while it was in the process of being bought by Verizon. After the disclosures, the agreed purchase price was cut by $350 million, which had a significant impact on its shareholders.

Even a giant like Yahoo is susceptible to the effects of a data breach. For smaller companies, this can be catastrophic.

The Pareto Principle

In business management, the Pareto Principle is usually stated as: 80% of a company’s revenue comes from 20% of its customers. These tend to be long-term client relationships, allowing an organisation to take advantage of regular, repeat business.

If a data breach were to damage the trust of this crucial 20% of customers, which is feasible in such circumstances, it could jeopardise 80% of revenue. This can have a devastating impact on long-term business survival.

Future Business

Small businesses are particularly vulnerable to the long-lasting negative effects of a GDPR breach. They tend to rely on referrals, recommendations, and word-of-mouth marketing. After a data breach, the reputational damage may prove insurmountable.

Don’t forget: if a customer has a positive experience, they will probably tell a handful of people. If they have a negative experience, they will tell everyone they can.

The true cost

Ultimately, the true cost of a data breach to your business may be the business itself. That’s why it’s important to be well-trained in the best practices to protect the personal data you handle. 

Have any questions on how you can avoid a data breach? Check out our Smiley Geeks IT Help Membership from only $69 a month!


5 Ways Your Emails Could Breach GDPR

There’s a lot of confusion in the air currently for small businesses surrounding GDPR!

So let us set the record straight when it comes to sending emails.

If you are sending emails with personally identifiable information (PII) (here’s the ICO’s guide on what actually counts as personal data), you need to take adequate steps to protect it.

It’s that simple.

So let’s look at some of the ways your emails could be putting your business at risk when the GDPR regulations come into effect on the 25th May 2018. 

Edit: for the answers to commonly asked GDPR email questions scroll to the bottom of this article. 

*This post may contain affiliate links* 

1. Failing to use BCC (Blind Carbon Copy)

When sending to multiple recipients, unless emailing internally, you’ll need to use the BCC function.

This means that any given recipient will only see their own email address, the sender’s, and any recipients in the carbon copy (CC) section. All other recipients are hidden from each other.

Failure to do this means that the name and email address (both personal data) of every recipient are disclosed to all the others without their consent. Under GDPR an unauthorised disclosure of personal data is a personal data breach, and one that has to be assessed for notification like any other.
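The mechanics of this, as an added example in Python that is not part of the original article: it builds the same bulk message three ways and checks which recipient addresses would actually travel in the bytes handed to the mail server. The sender, recipients, subject and body are constructed for the example. The point it demonstrates is that “use BCC” really means keeping the recipient list in the SMTP envelope: with Python’s smtplib, putting the list in a Bcc: header and passing msg.as_string() to sendmail() sends that header, and therefore the whole list, to everyone.

```python
"""Added example (not from the original post): three ways to address a bulk
email, plus a check that reports which recipients' addresses will actually
travel in the message.

The recipient list belongs in the SMTP envelope (the RCPT TO commands), not in
a header that is transmitted.  A common mistake is to put the addresses in a
Bcc: header and then pass msg.as_string() to smtplib's sendmail(): the Bcc
header is part of that string, so every recipient receives the full list.
(smtplib.SMTP.send_message() strips Bcc for you; sendmail() does not.)
All addresses below are constructed for the example.
"""
from email.message import EmailMessage

SENDER = "billing@example.co.uk"                      # constructed
RECIPIENTS = ["alice@a.example", "bob@b.example", "carol@c.example"]  # constructed


def build_bcc_header_message(sender, recipients, subject, body):
    """The leaky version: Bcc as a header.  as_string() keeps that header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)   # serialised with the message
    msg["Subject"] = subject
    msg.set_content(body)
    return list(recipients), msg.as_string()


def build_envelope_only_message(sender, recipients, subject, body):
    """The safe version: the list is returned as the envelope and is never
    written into the message; the To: header names only the sender."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # "undisclosed-recipients:;" is the other convention
    msg["Subject"] = subject
    msg.set_content(body)
    return list(recipients), msg.as_string()


def build_individual_messages(sender, recipients, subject, body):
    """Best option for anything sensitive: one message per recipient, so each
    To: header names exactly one person and nothing is shared between them."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        out.append((rcpt, msg.as_string()))
    return out


def exposed_addresses(serialized, recipients):
    """Recipients whose address appears anywhere in the text that will be sent
    (headers or body).  Run it on the exact string you hand to sendmail();
    for a bulk message the answer you want is an empty list."""
    text = serialized.lower()
    return [r for r in recipients if r.lower() in text]


def send_bulk(smtp, sender, envelope_recipients, serialized):
    """Envelope and message are passed separately.  The message text is what
    every envelope recipient receives, so with more than one recipient it must
    not name any of them."""
    leaked = exposed_addresses(serialized, envelope_recipients)
    if len(envelope_recipients) > 1 and leaked:
        raise ValueError("message would disclose recipients: %s" % leaked)
    smtp.sendmail(sender, envelope_recipients, serialized)


if __name__ == "__main__":
    _, leaky = build_bcc_header_message(SENDER, RECIPIENTS, "Invoice", "Hi")
    _, safe = build_envelope_only_message(SENDER, RECIPIENTS, "Invoice", "Hi")
    print("Bcc-as-header message exposes:", exposed_addresses(leaky, RECIPIENTS))
    print("envelope-only message exposes:", exposed_addresses(safe, RECIPIENTS))
```

Run it as a script to see the leaky and safe results side by side. For anything sensitive the third builder, one message per recipient, is the simplest rule to follow and also gives you a per-recipient record of what went where.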

2. Sending Sensitive Data to the Wrong Recipient

So many people are getting in hot water for this one! Sending sensitive data to an unintended recipient is an unauthorised disclosure, which GDPR treats as a personal data breach. It is also likely to have a detrimental effect on the trust held between two parties, which can devastate a working relationship.

And, the ICO aren’t allowing the human error defence!

Take the US law firm WilmerHale, which unintentionally sent details of whistleblowing investigations at PepsiCo to a Wall Street Journal reporter. The information came from the US Securities and Exchange Commission, as well as internal investigators. This mishandled data had the potential to cause significant damage to PepsiCo’s reputation, and its leak certainly did no favours for WilmerHale.

Be careful, therefore, to double-check both the data being sent and the email addresses of recipients, to ensure that sensitive information does not fall into the wrong hands, or you could be in a world of trouble. 

3. Unprotected/Unencrypted Attachments

It’s essential to encrypt critical information when sending it by email. Encryption does not stop a message being intercepted or misdirected, but it means that whoever ends up with it cannot read the contents without the key, so the sensitive data is only usable by the person who was meant to have it.

This also includes retaining control over how the personal information is used once you have sent it, by making sure the recipient can’t simply copy, forward or blast out the sensitive information afterwards. You do this by encrypting the file itself rather than your computer or email system (we’ve written a handy guide on disk vs file encryption for small businesses here). Be clear about what each layer buys you: encryption alone decides who can open the file; limiting what an authorised recipient can then do with it needs a rights-management layer on top, and even that cannot stop someone photographing the screen, so treat it as a deterrent rather than a guarantee.

My Protected Mail, for example, encrypts the file to make sure that it can’t be sent on to someone other than the intended recipient (you can’t even screen share the file via Skype, you just get a blank page!)

4. Preventing Opt-Outs/Automatic Opt-Ins

Under GDPR, people have the right to erasure, otherwise known as the right to be forgotten. If any recipient asks for their email address to be removed from a mailing list, you need to do it without undue delay. Likewise, if an individual requests that data stored about them is deleted, you are legally bound to do so and to respond within one month, unless you have a legal obligation to keep it (invoices you must retain for tax purposes, for example).

It’s also important to confirm active consent from the outset, you can no longer ask people to “opt-out” with an automatic opt-in box checked. As well as requesting manual entry of an individual’s email address, provide information about how their data will be stored, and ask them to check a box to confirm they understand and acknowledge this. 

5. Including PII Without Taking Precautions

This isn’t just related to encrypting your one email, be careful with chains, “reply all” and forwarding emails that may contain the original PII on to those without permission. If you add additional recipients to a discussion, perform a check of the email content beforehand, and remove PII if it is present.
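A pre-send gate for the two failure modes above (item 2, the wrong recipient, and item 5, reply-all and forwarding with PII left in the thread), as an added example in Python that is not from the original article. The domains, the allowlist, the addresses and the sample draft are constructed; the regular expressions are approximate on purpose, since their job is to make a human look before sending, not to be a complete classifier.

```python
"""Added example (not from the original post): a pre-send check to run before
"reply all", forwarding, or adding recipients to a thread.

It answers two questions the text raises: is every recipient one this message
may go to (with a lookalike check for the classic typo mis-send), and does the
body, including the quoted history, still carry personal data that the new
recipients have no need to see?  If so it produces a redacted copy to forward
instead.  Domains, allowlist, addresses and the sample draft are constructed
for the example; the patterns are deliberately approximate.
"""
import difflib
import re
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.co.uk"}          # constructed
# Per-thread allowlist: the external domains this conversation may reach.
ALLOWED_EXTERNAL = {"client-example.com"}     # constructed

PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # UK mobile numbers, national (07...) or international (+44 7...) form.
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?7|07)\d{3}\s?\d{3}\s?\d{3}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b"),
    # National Insurance number: two letters (not D, F, I, Q, U, V), six
    # digits, suffix A-D; spaces optional.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Constructed draft: a forward with the original sender's details left in.
SAMPLE_DRAFT_BODY = """Hi Sam,

Can you pick this up? Forwarding the original below.

-----Original Message-----
From: Jo Bloggs <jo.bloggs@gmail.example>
Please send the invoice to 22 Acacia Avenue, SW1A 1AA.
Call me on 07700 900123. My NI number is AB 12 34 56 C.
"""


def recipient_issues(recipients):
    """Return (address, reason) for each recipient that is neither internal
    nor on the allowlist.  A domain very close to a known one is reported as a
    lookalike, which is how most mis-sends actually happen."""
    known = sorted(INTERNAL_DOMAINS | ALLOWED_EXTERNAL)
    issues = []
    for _name, addr in getaddresses(recipients):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in known:
            continue
        near = [d for d in known
                if difflib.SequenceMatcher(None, domain, d).ratio() >= 0.85]
        reason = "lookalike of " + near[0] if near else "not on allowlist"
        issues.append((addr, reason))
    return issues


def find_personal_data(text):
    """Every (kind, matched text) of personal data found in the body."""
    return [(kind, m.group(0))
            for kind, pat in PATTERNS.items()
            for m in pat.finditer(text)]


def redact(text):
    """Copy of the body with each match replaced by a labelled placeholder,
    suitable for forwarding to someone who does not need the details."""
    for kind, pat in PATTERNS.items():
        text = pat.sub("[%s redacted]" % kind, text)
    return text


def check_draft(recipients, body):
    """Everything the sender should look at before pressing send."""
    return {
        "recipient_issues": recipient_issues(recipients),
        "personal_data": find_personal_data(body),
        "redacted_body": redact(body),
    }


if __name__ == "__main__":
    report = check_draft(
        ["Sam <sam@example.co.uk>", "accounts@client-exarnple.com",
         "random@other.example"],
        SAMPLE_DRAFT_BODY)
    for addr, why in report["recipient_issues"]:
        print("recipient:", addr, "->", why)
    for kind, value in report["personal_data"]:
        print("found %s: %s" % (kind, value))
    print(report["redacted_body"])
```

Run as a script it prints the flagged recipients, the personal data found in the quoted history, and a redacted copy of the body that can be forwarded instead. The same three functions can sit in whatever builds outgoing mail, or be run over a draft pasted from the mail client.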

Taking the proper precautions beforehand ensures not only that your business is safe from fines but also that you are taking responsibility for your clients’ or customers’ data.

Data Breach Report Blueprint & Template

CLICK HERE TO GET THE TEMPLATE

Common GDPR Email Questions Answered:

We’ve been contacted with many GDPR email related questions so we thought we would share for you the most common ones:

Is sharing an email address a breach of GDPR?

This depends on two things:

Firstly, is the email a personal one, like your personal Gmail? If not, does your company email address contain your full name (one built from your first and last name, for example)? If the answer to both is no, sharing it is not a GDPR breach, because the address does not identify a person. If the answer to either is yes, it is personal data; go on to the next question.

Do they have permission, or another lawful basis, to share your email? For example, is sharing your email address absolutely necessary to perform a service you’ve signed up to? Have you given express consent and forgotten about it?

If someone has shared your email and is now marketing to you without your consent, it IS a GDPR breach and you can respond to them asking for an erasure request (request to get your data deleted).

When is my business allowed to share email addresses?

The short answer is that you’re not, unless you get express permission from the customer (not automatically opting them in) or sharing is genuinely necessary for the service you are providing, for example passing an email address to a courier for confirmation of delivery.

But even then, you must ensure that any third parties do not market or contact those personal addresses outside of the business need they are providing! Or you could also be liable.

When forwarding emails what do I need to consider with GDPR?

You should always err on the side of caution when forwarding private or sensitive information, even internally. Ask yourself: does the recipient need to see this information, or should I remove sensitive PII from the email before I forward it? And don’t forget to remove personal email addresses in the replies if they are not needed.

Can I use BCC and be GDPR compliant?

Yes. If you’re sending a mass email, BCC makes sure no one else sees each other’s addresses and therefore reduces the risk of a breach. Of course, if you do this regularly there is more chance of human error, so it’s always best to use a mailing list service that addresses each message individually.

Are you being GDPR compliant in your marketing? Check out this article on that HERE.

My employer shared my personal email address in the company. Is this a GDPR breach?

It can be. But the likelihood is, it’s more of a privacy issue that you should first discuss with HR. Internal company communications, particularly if you’ve provided your private email to be contacted on is a GDPR grey area and if you’re uncomfortable with this information being shared, you should first contact your HR or legal department to discuss.

I accidentally shared personal email addresses with our sporting group, is this a GDPR breach?

If your sporting (or any other social group) is classed as an organisation, rather than an informal group, then yes, it’s technically a GDPR breach. However, the practicality is that everyone who is part of that team or group has consented to being contacted and know the other members anyway.

If you’re concerned about your privacy, in that case, you should contact the head of the group and request them to use BCC in the future. If you were added to the list and didn’t give your permission, or know the group, then yes it’s a GDPR breach that you can report. But, again, this is a grey area.


Case Study of GDPR Cyber Security Vulnerabilities in the Hospitality Industry

Everyone has recently come out of the woodwork to discuss how they can help keep you safe from GDPR cyber security vulnerabilities and threats due to the looming deadline.

But, for most of them, it’s just theory.

After all, GDPR doesn’t become enforceable until May, which leaves some room for them to figure it out as they go. With this in mind, we wanted to set ourselves apart and show we know EXACTLY what we are talking about, because we have ALREADY DONE IT: we have implemented several successful projects to protect our clients, not just for the sake of GDPR, but against the increasing number of cyber security threats.

Our Case Study

But don’t take our word for it. That’s why we have created a case study to look specifically at the GDPR cyber security vulnerabilities we have detected in the hospitality industry while implementing IT solutions and GDPR protections. We look at two different cases, a small-to-medium and medium sized organisation and the solution for protecting from internal and external cyber security threats in line with GDPR. Are we giving away our secret formula? No. But, it should give you an indicator of the vulnerabilities to look for to see if you have the protection you think you do.

CLICK HERE TO READ OUR CASE STUDY


Everything You Need To Know About GDPR & How It Will Affect Your Business

In the world of technology, you may have heard a big buzz recently about GDPR with intimidating phrases like cyber security, penalties, business costs and hackers being thrown around. It’s not as scary as all that but as a business owner you will need to pay attention because if you house any sensitive data at all, you are leaving yourself liable if you aren’t making changes. Here is the low-down on GDPR, what it means for you and your business and how you can get ahead of it to ensure you are protected.

What is GDPR?

The General Data Protection Regulation (GDPR) is the new European legislation coming into effect that aims to bring data protection into line with the digital age and today’s technological capabilities.

Simply put, it’s a new EU regulation that means if you aren’t protecting personal data effectively, you are liable to be fined.

The European Commission had this to say about the implementation of the GDPR regulation:

“The Regulation updates and modernises the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on:

  • reinforcing individuals’ rights;
  • strengthening the EU internal market;
  • ensuring stronger enforcement of the rules;
  • streamlining international transfers of personal data and;
  • setting global data protection standards.

The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.”

What Counts As Personal Data Under GDPR?

Any information that will allow you to identify a person or that relates to an identifiable person is considered personal data. Examples of identifiers include:

  • Names
  • Identity that can be defined by physical, genetic, cultural or economic factors
  • Location data
  • ID numbers
  • Biometric information (e.g. fingerprints, retinal scans)
  • IP addresses
  • Consumer preferences
  • Pseudonymised data – personal data that has been processed so that it can no longer be attributed to a specific person without additional information that is kept separately (replacing names with reference numbers, or encrypting the identifying fields, for example). It is still personal data under GDPR, but pseudonymisation and encryption are explicitly recognised as risk-reducing security measures, and whether you used them is taken into account when a fine is set.

What Does GDPR Now Require?

  • Data is fairly, lawfully and securely handled, stored and exported to meet data protection.
  • That digital data that was once not included e.g. IP addresses or mobile device identification is now subject to the same privacy rights as other personal data.
  • Accuracy and integrity of data

Who Are The ICO?

The Information Commissioner’s Office (ICO) is the UK’s data protection supervisory authority. It represented the UK on the EU’s Article 29 Working Party, the body of national regulators that becomes the European Data Protection Board when GDPR applies.

Dates of GDPR Implementation

The main date you need to be aware of is the 25th May 2018, when the changes officially come into force and become enforceable. That doesn’t mean that you have an excuse to wait, however, because GDPR was adopted on 14 April 2016 and entered into force on 24 May 2016, with a two-year transition period to give businesses fair warning before the rules apply.

5 Ways GDPR Is Going To Affect Your Business

  1. Check Current Data – Data that you have collected previously will be covered by GDPR, which means you need to ensure that you have a lawful basis (such as valid consent) for holding it, and if you are unsure, contact the people concerned.
  2. Train Staff – It is important that staff know how to handle sensitive information going forward, not just your IT staff but also any departments that access personal data e.g. HR, finance etc.
  3. Review Procedures – Check your data collection adheres with GDPR guidelines and has active agreement settings rather than passive.
  4. Security Audit – Who has access to the personal data, and should they? How are they able to export the data, and does each employee have a business NEED to access it? If not, remove them. *Don’t forget employees who no longer work for your organisation, and third parties.
  5. Check 3rd Party Software – It is your business’ responsibility to ensure that any software you use to store data is GDPR compliant, so you will need to contact 3rd party suppliers and get assurances or proof that they are actioning this as well. Under GDPR such suppliers are your data processors, and you must have a written contract with them covering the processing (Article 28). In the event of a breach on their side, you would also be liable.

Are There Any Benefits To My Business?

It sounds like a lot of doom and gloom for your business that could turn out quite costly but there are some plus points to the new regulations.

Consistent Legislation – It is no longer a confusing “grey area” that it has been for many years so it is easier to understand what is and isn’t needed and how to implement this.

Universal Standards – Some may feel that larger companies can do whatever they want with data (e.g. selling it on without permission) because the previous fine was more affordable. With GDPR everyone is held to the same standards.

What Sort of Fines Could I Be Facing Under GDPR?

It’s ultimately up to ICO as to the fine amount of breaches and this can depend on how the breach is dealt with, the level of protection that was in place as well as if the business followed GDPR protocols post breach. Here are some fine examples:

  • Failure to notify the supervisory authority of a breach within 72 hours (or affected individuals without undue delay where the risk to them is high) – up to €10 Million (or 2% of your revenue worldwide, whichever is highest.)
  • Failure to gain consent – up to €20 Million (or 4% of your revenue worldwide, whichever is highest.)
  • Transferring personal data internationally without adhering to GDPR – up to €20 Million (or 4% of your revenue worldwide, whichever is highest.)
  • Failure to consider long-term data privacy within project planning – up to €10 Million (or 2% of your revenue worldwide, whichever is highest.)
  • Ignoring data processing principles (i.e. GDPR guidelines)- up to €20 Million (or 4% of your revenue worldwide, whichever is highest.)

Things you need to know:

  • The GDPR is person specific, not business specific. This means that it doesn’t matter where your company is based: if you are handling the personal data of people in the EU, you need to be compliant.
  • GDPR consent needs to be deliberate. For example, consumers need to actively give you consent rather than a “pre-selected” or “opt-out” feature.
  • Withdrawal of consent can be done by an individual at any time under the GDPR regulation. Where consent was your only basis for holding the data, the business must erase the data pertaining to the individual and tell relevant third parties to delete any copies too.
  • Breaches of information need to be notified to the data protection authority within 72 hours of you becoming aware of them, and to the affected individuals without undue delay where the breach puts them at high risk. If not, you could face fines of up to €10 Million (or 2% of your revenue worldwide, whichever is highest.)

Brexit and GDPR

Some UK businesses may feel that as the UK is leaving the EU, GDPR won’t apply to them. GDPR applies in the UK for as long as it is a member state, and the UK has been putting forward data protection legislation of its own that mirrors the GDPR. Any business not handling data in virtually the same way as the GDPR states will be subject to a fine of 4% of revenue worldwide or £17 million (whichever is higher), a far cry from the £500,000 limit set by the 1998 Data Protection Act. Plus, if you have any European customers, you are still liable to follow GDPR rules anyway!

How We Can Help

We offer GDPR training and workshops so that your employees and IT department can become GDPR compliant and avoid those massive fines. For more information contact us on:

UK Office: +44-203-637-2404

Israel Office: 972 (0) 74-7036680