Veriato Cerebral adds a whole new dimension to employee monitoring, letting you record and review anything or everything that your employees do on their PCs, Macs and Android devices. Cerebral offers simple implementation with cloud and on-premise options. You can deploy and manage the recorders from the Cerebral dashboard, so that you never have to physically visit the employees’ machines.
The Payment Card Industry Data Security Standard, effective since September 7, 2006, is a security standard to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI Security Standards Counsel (SSC) which is an independent entity created by the major payment card brands (Visa, MasterCard, American Express, Discover and Japan Credit Bureau.). These payment brands and acquirers enforce PCI DSS compliance and can fine acquiring banks $5,000 to $100,000 per month for PCI compliance violations. PCI DSS Requirement 10 (Track and monitor all access to network resources and cardholder data) in particular mandates that audit trails of user activity around any payment card data be created so that suspicious activity can be traced to a specific user.
The Health Insurance Portability and Accountability Act of 1996 was created to protect Personally Identifiable Information (PII) and other healthcare information maintained by the healthcare and healthcare insurance industries from fraud and theft. Organizations subject to HIPAA compliance oversight must consider many Administrative and Technical safeguards outlined in the Final Rule on Security Standards with regard to how medical personnel handle sensitive information including:
Failure to adhere to HIPAA security specifications can result in fines ranging from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.
The General Data Protection Regulation (GDPR) enacted on May 25, 2018 mandates that personal data collected on EU citizens – even by non-EU entities and in non-EU countries – be protected. Should a breach of this data occur, the data processors are mandated to notify affected individuals within 72 hours and if negligence or failure to comply with protection guidelines are identified, a fee of up to €20 million (approx. $23 million) can be assessed or up to 4% of annual turnover – whichever is greater.
GDPR mandates that personal data collection must only be conducted when legitimate interests to do so are identified. Title 47 includes fraud prevention as one such case:
Title 23 is a section of New York Codes, Rules and Regulations (NYCRR) 500 that covers regulation of organizations operating in the state of New York subject to NY Department of Financial Services oversight. This includes entities regulated by NY Banking Law, Insurance Law and Financial Services Law.
Compliance with NY Title 23 includes that those covered entities protect the financial and other personal data they collect. These entities must also notify any affected individuals within 72 hours of a breach of their data once determining that a breach has occurred. Protections of personal data include maintaining audit trails designed to detect and respond to Cybersecurity Events (§500.06) and implementing measures designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized users (§500.14).
Organizations subject to NY Title 23 can face loss of licenses and financial fines of up to $250,000 fine or 1% of total assets of the organization and 1% of total assets of subsidiaries.
"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."
TThe California Consumer Privacy Act or 2018 is a California state law to enhance the privacy rights of California residents. The law applies to any organization doing business in California that collects consumers' personal data and meets any of the following criteria:
Under CCPA, companies can be prosecuted or subject to civil suits if victim of a data theft or other data security breach for failure to implement and maintain reasonable security protections of PII including unauthorized access and exfiltration, theft, or other disclosure – whether from external breached or the result of actions of authorized users.
Companies could be required to pay damages ranging from $100 to $750 per affected California resident and incident or ordered to pay actual damages and other relief, whichever is greater. Fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation can also be levied under California law.