
Senhasegura Upgrade Notes

Caution

Before executing the senhasegura update, always take a snapshot on your hypervisor and run a backup, verifying that it can be restored.

Caution

If you are using the senhasegura Arbitrator, remove it from the cluster before updating senhasegura. Learn more in our documentation.

Version 3.29

Check out the main changes in this version before updating senhasegura.

Change in the update process

In this version, the senhasegura update process has changed. To update senhasegura to version 3.29, see the Update senhasegura documentation, section How to update senhasegura to version 3.29.

API Authentication

OAuth 1.0

In this update, we improved the authentication management via OAuth 1.0.

We discontinued the old method of passing authentication parameters through the URL or request body and now accept these values exclusively via the Authorization header. This ensures compliance with the industry standard and greater protection of authentication information.

Caution

If you are using this authentication method, it’s ESSENTIAL to update the integrations to send the information in the new format before proceeding with the senhasegura update.

For instructions on how to send the information via header, see our documentation.
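As an added example (not senhasegura's own code; the page does not document the exact parameter set its API expects), the following Python builds an RFC 5849 OAuth 1.0 Authorization header with HMAC-SHA1 and shows the server-side check that accepts oauth_* values only from that header and rejects the discontinued query-string or form-body placement. The URL, consumer key, token and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay raw."""
    return quote(str(value), safe="~")


def oauth_params(consumer_key, token, nonce=None, timestamp=None):
    """Protocol parameters carried in the Authorization header (signature added later)."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }


def base_string(method, url, params, form_params=None):
    """Signature base string (RFC 5849 section 3.4.1): method, normalized base URL,
    and the sorted, encoded set of query, form-body and oauth_* parameters."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host += f":{parts.port}"  # non-default ports stay in the base URL
    base_url = f"{scheme}://{host}{parts.path or '/'}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += list((form_params or {}).items())
    pairs += [(k, v) for k, v in params.items() if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(text, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with '<consumer_secret>&<token_secret>'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()


def build_auth_header(method, url, consumer_key, consumer_secret, token, token_secret,
                      nonce=None, timestamp=None, form_params=None):
    """Client side: every oauth_* value travels in the Authorization header only."""
    params = oauth_params(consumer_key, token, nonce, timestamp)
    params["oauth_signature"] = hmac_sha1(base_string(method, url, params, form_params),
                                          consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def parse_auth_header(header):
    """Split 'OAuth k="v", k2="v2"' into a dict; returns None for any other scheme."""
    if not header.startswith("OAuth "):
        return None
    out = {}
    for item in header[len("OAuth "):].split(","):
        key, _, value = item.strip().partition("=")
        out[unquote(key)] = unquote(value.strip('"'))
    return out


def verify_request(method, url, header, consumer_secret, token_secret,
                   form_params=None, now=None, max_skew=300):
    """Server side: take oauth_* only from the header, reject the legacy placement in
    the query string or form body, bound timestamp skew, then recompute the signature
    and compare in constant time. A nonce replay cache (not shown) is also required."""
    params = parse_auth_header(header)
    if not params or "oauth_signature" not in params:
        return False
    legacy_keys = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    legacy_keys += list((form_params or {}).keys())
    if any(k.startswith("oauth_") for k in legacy_keys):
        return False  # discontinued placement: credentials outside the header
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    provided = params.pop("oauth_signature")
    expected = hmac_sha1(base_string(method, url, params, form_params),
                         consumer_secret, token_secret)
    return hmac.compare_digest(provided, expected)
```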

Basic authentication

Starting from version 3.29, accessing the API will require the use of OAuth 1.0 or OAuth 2.0. Basic authentication will no longer be available.

MySafe private groups

“Access Groups” have been replaced by “Private Groups” in MySafe, providing a more efficient approach to managing permissions and access.

Integration with AD has also been improved, eliminating the negative impact of users manually added to groups being removed. This update aims to offer a more intuitive and reliable experience to our customers, improving the administration of access to resources and data in MySafe.

Check MySafe documentation.

Architecture update

The Debian operating system has been updated, providing significant improvements in performance, security and hardware support.

In addition, the core programming language, databases and third-party libraries have been updated with their new features and performance improvements.

To check all the updates and improvements of version 3.29, see our detailed changelog.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Senhasegura
Senhasegura strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

The main causes of data leaks

Data leaks occur whenever a user or organization has their sensitive information exposed, putting the security and privacy of companies and people at risk. Know more!

The Data Breach Investigation Report 2022, conducted by the Ponemon Institute, provides an overview of data breaches occurring in 2022 in 17 countries and regions and 17 different industries.

To produce it, more than 3,600 people from companies that suffered leaks were interviewed, which made it possible to gather some relevant information.

According to the study, 83% of companies surveyed had more than one data breach. In addition, 60% of leaks resulted in higher prices being passed on to customers and the average cost of one of these events was US$4.35 million.

In this article, we are going to talk more about data breach and address its main causes. To facilitate your reading, we have divided our text into the following topics:

1. What is a data breach

2. What are the 5 common causes of data breach

3. Examples of data breach

4. What are some common types of violations

5. How to prevent data leakage

6. About senhasegura

7. Conclusion

Enjoy your reading!

1. What is a data breach

A data breach happens when a person or organization has their confidential information exposed due to security breaches, creating risks for the companies and people affected.

When this occurs, the organization needs to notify the control authority soon after learning of the occurrence, in the shortest possible time, in addition to the people who had their data compromised.

If the company is a subcontractor, it is also necessary to notify the person responsible for processing this information.

2. What are the 5 common causes of data breach

The main causes of data leaks are:

  • Insider threats due to misuse of privileged access

  • Weak and stolen passwords

  • Malware

  • Social engineering

  • Exploitation of software vulnerabilities

Learn more about each of them:

  • Insider threats due to misuse of privileged access

Within an organization, employees have privileged access to sensitive data and may misuse these permissions, intentionally or unintentionally.

This can happen in a variety of ways and for a variety of reasons, whether it’s selling information on the dark web, sabotage due to dissatisfaction at work, or simply losing a device with access, such as laptops.

Therefore, it is advisable for companies to adopt the Principle of Least Privilege, according to which each user has only the necessary access to perform their functions. In this way, in the event of a leak, damage to the IT environment is limited.

  • Weak and stolen passwords

One of the main causes of data leaks is the use of weak or reused passwords, which facilitate credential theft.

The use of weak passwords occurs because many people rely on predictable patterns such as “123456”. Password reuse is a practice adopted because of the difficulty of memorizing a large number of complex credentials.

As a solution, we recommend using a password manager, which stores all your passwords and requires only a single set of credentials to access them.

  • Malware

Malware is malicious software used by cybercriminals to compromise one or more connected systems.

There are several types. One of them is ransomware, which encrypts data or blocks a computer’s resources and demands a ransom payment in exchange for releasing that machine or system.

To avoid malware infection, it is important to be careful when accessing suspicious websites or opening emails.

  • Social engineering

Social engineering is also among the leading causes of data leaks. In this type of attack, malicious actors manipulate their victims into sharing confidential information or taking actions on their behalf.

A tip to avoid attacks of this nature is to always be suspicious of promises that seem too good to be true.

  • Exploitation of software vulnerabilities

Malicious actors can exploit software vulnerabilities in a number of ways. As such, it is important that vulnerabilities are found and fixed by the organization before attackers identify them.

When a vulnerability is fixed, the software provider releases an update patch that must be applied by the company. This must be done immediately in order to avoid exposure to the threat.

3. Examples of data breach

Below are examples of the main causes of data breaches:

Major data breach caused by misuse of privileged access

Recently, there was a breach at Uber, allegedly caused by the misuse of permissions. The attacker is believed to have purchased the password of an Uber contractor on the dark web after the contractor’s personal device was infected with malware, exposing their data.

The contractor reportedly received repeated two-factor login approval requests and eventually approved one, granting access to the attacker.

This social engineering technique is known as an MFA fatigue attack and consists of bombarding users’ authentication application with notifications to get them to accept and allow access to their accounts and devices.
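The MFA fatigue pattern described above leaves a recognisable trace in an identity provider’s push-notification log: a burst of prompts for one user, mostly denied or timed out, followed by an approval. The following added example (not code from the original post or from senhasegura) runs a simple burst detector over constructed sample log lines; the log format, the threshold of five prompts in ten minutes and the user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-notification log (not from any real system).
# Format assumed here: "<ISO-8601 UTC timestamp> <user> <event>".
SAMPLE_LOG = """\
2024-01-15T22:01:00Z alice push_sent
2024-01-15T22:01:04Z alice push_denied
2024-01-15T22:02:00Z alice push_sent
2024-01-15T22:02:10Z alice push_denied
2024-01-15T22:03:00Z alice push_sent
2024-01-15T22:03:30Z alice push_timeout
2024-01-15T22:04:00Z alice push_sent
2024-01-15T22:04:15Z alice push_denied
2024-01-15T22:05:00Z alice push_sent
2024-01-15T22:05:20Z alice push_denied
2024-01-15T22:06:00Z alice push_sent
2024-01-15T22:06:05Z alice push_approved
2024-01-15T22:10:00Z bob push_sent
2024-01-15T22:10:08Z bob push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, user, timestamp) tuples.

    'burst'                 fires when a user reaches `threshold` push prompts
                            inside `window` (once per crossing).
    'approved_after_burst'  fires when an approval arrives while a burst is
                            still inside the window, i.e. the fatigue worked.
    """
    recent = defaultdict(deque)  # user -> timestamps of prompts still in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        prompts = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) == threshold:
                alerts.append(("burst", user, ts))
        elif event == "push_approved" and len(prompts) >= threshold:
            alerts.append(("approved_after_burst", user, ts))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user}: {kind}")
```

In practice the 'approved_after_burst' alert is the one to act on immediately: revoke the session, reset the credential and contact the user, since a single approval after a prompt storm is the attack succeeding.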

Massive data breach caused by the use of weak and stolen passwords

A single stolen password prompted a hack attack against U.S. pipeline operator Colonial Pipeline in May 2020.

It is believed that this was possible because the corporation used an old virtual private network (VPN) system that did not have multi-factor authentication (MFA), requiring only a password to access its resources.

Massive Data Breach Caused by Malware

New Mexico’s largest county was the target of a ransomware attack in early 2022, which left several government offices and county departments offline.

This attack disabled the security cameras and automatic doors at the Metropolitan Detention Center, and due to failures in the electronic locking system, inmates had to be confined to their cells.

Massive data breach driven by social engineering

Between 2009 and 2011, American tabloids were reported to have hired hackers to find out news about their targets, who ranged from movie stars to ordinary citizens, by intruding on their cellphone voicemail.

For this, various social engineering techniques were used, including the pretexting scam, which refers to lies invented by cybercriminals to request information from users.

Major data breach caused by exploiting software vulnerabilities

For this topic, rather than a specific incident, we present one of the best-known examples of a software vulnerability that can lead to a data breach: Log4Shell.

Log4j is a library used to record activities that occur in various systems, including errors and routine operations. Log4Shell arises from a Log4j feature that allows custom code to be specified for formatting a log message.

Through this feature, it is possible, for example, to log the username associated with login attempts on the server together with its real name, if a separate server holds a directory that maps usernames to real names.

As a result, Log4j ends up allowing malicious attackers to submit code that can perform all kinds of actions on the victim’s computer, opening the door to numerous threats, including data breaches.


What is a lateral movement attack and how does it occur?

A lateral movement attack occurs when the cybercriminal gains access to an initial target to move between devices within the network without their presence being noticed.

In this article, we explain in detail what lateral threats are and how to avoid them. Want to know more about it? Read our text to the end.

A lateral movement attack can present itself in a variety of ways and for a variety of purposes.

In practice, this type of action is related to accessing an entry point, which corresponds to the initial target, so that the attacker can later gain access to other locations on the network, being able to steal data or infect devices and demand a ransom payment, for example.

However, it is possible to avoid lateral threats with the support of an IT team prepared to identify them in a timely manner and with the support of powerful cybersecurity solutions, such as PAM.

In this article, we share key information about a lateral movement attack. To make it easier to read, we have divided our text by topics. They are:

1. What is a lateral movement attack?

2. How does a lateral movement attack occur?

3. Examples of lateral movement attack

4. How to detect a lateral movement attack?

5. How to prevent a lateral movement attack?

6. PAM senhasegura: the ideal solution for preventing lateral movement attacks

7. About senhasegura

8. Conclusion

Enjoy your reading!

1. What is a lateral movement attack?

Lateral movement attacks occur when cybercriminals use the access they already have to move around the rest of the network, infecting computers and internal servers until they reach their target without being identified.

After intrusion, the malicious attacker uses various resources to increase their privilege and gain access to sensitive data and other high-value assets.

Because it avoids detection, this type of attack makes it possible for cybercriminals to stay in the IT environment for a long time, and it may take weeks or even months for them to be discovered.

2. How does a lateral movement attack occur?

The lateral movement attack starts from an entry point, which could be a stolen credential, a malware-infected machine, or other intrusion strategies.

This point is usually connected to the attacker’s command and control (C&C) server, which lets them store information stolen from the malware-infected devices they access remotely.

From there, the attacker explores the network, observing its users and devices. In doing so, they learn host naming conventions and network hierarchies, identify operating systems, and put together a plan for targeted moves.

Malicious agents also use tools that make it possible to discover where they are located on the network, what they can access and what type of protection is in effect.

3. Examples of lateral movement attack

Several types of cyberattacks can be associated with lateral movement. Among them, we can highlight: espionage, data exfiltration, botnet infection and ransomware.

In the case of espionage, hackers associated with rival nations and groups or competing companies can carry out a lateral movement attack in order to monitor the actions of a government or organization.

In practice, when the motivation for the crime is not related to financial gain, the tendency is for malicious attackers to try to remain hidden for a long period.

In data exfiltration, the attacker moves or copies information belonging to a company without authorization. The motivations for this type of attack can be several, among them, stealing intellectual property, requesting ransom of stolen data, or carrying out identity theft.

Botnet infection is usually associated with distributed denial-of-service attacks. In this case, the hackers use lateral movement to add many devices to their botnet, enhancing its capacity.

Lastly, the lateral movement attack could also be related to ransomware, causing cybercriminals to infect as many devices as possible in order to demand ransom payment.

4. How to detect a lateral movement attack?

Actions taken by malicious actors can become suspicious for an IT team prepared to deal with a lateral movement attack.

This is because these professionals must remain alert to any unusual occurrence, investigating all movements in the IT environment rather than running the risk of overlooking anomalies that represent a threat of lateral movement.

To assist IT teams in this task, it is advisable for organizations to have automated solutions that monitor interactions between devices and/or computers and provide information on vulnerabilities found.

With the data gathered, such a solution can enforce controls on the network, blocking malicious attackers from performing lateral movements or obtaining privileges.

The main steps of a lateral movement attack are exploiting an initial target, establishing communication between the cybercriminal and the target, persisting with the initial target, and identifying and exploiting other targets on the network.

5. How to prevent a lateral movement attack?

Most organizations have faced or will inevitably face attacks from malicious actors. Therefore, the ideal is that they are prepared to contain these threats as soon as possible, avoiding financial losses.

One of the ways to stop the lateral movement of ransomware and other types of attacks is micro-segmentation, which makes it possible to isolate assets and applications and prevent malicious attackers and ransomware from spreading across the network.

It is also possible to close vulnerable parts of the network by hiring an ethical hacker to perform a penetration test, which will show how far a cybercriminal could penetrate the network without being detected.

With the findings obtained by the hacker, the company will be able to fix flaws that generate insecurity.

If your goal is to prevent a lateral movement attack on your company, it’s also critical to adopt the Zero Trust network security philosophy, whereby no user, connection, or device should be trusted by default.

Endpoint security shouldn’t be overlooked either. Therefore, it is highly recommended to apply security technologies to devices such as smartphones, notebooks, and desktop computers.

The use of multi-factor authentication (MFA) is also recommended, since it makes it harder for a malicious attacker to act: in addition to credentials, they would need other authentication factors, such as a token or even the user’s fingerprint.

Finally, it is essential to limit user privileges through PAM, the most suitable solution for companies that want to prevent lateral movement attacks.

In practice, the role of PAM is to remove high privileges from regular user accounts and use administrative accounts with limited access to certain activities. This can reduce the chances of a successful lateral movement attack if the malicious attacker compromises an unprivileged user’s account.

Generally, companies maintain numerous privileged accounts, which allow administrative tasks in the IT environment, which poses a risk to their digital security. Therefore, PAM should be adopted to reduce the attack surface and protect systems and data against lateral movement attacks, among other threats.

6. PAM senhasegura: the ideal solution for preventing lateral movement attacks

As we mentioned in the previous topic, PAM is an indispensable solution to prevent successful lateral movement attacks.

Since 2001, we at senhasegura have offered the global market a PAM solution with features that ensure the digital security of organizations around the world. Among its benefits, the following stand out:

  • Fast deployment and simple maintenance

  • Full life cycle management of privileged accesses

  • No extra costs

  • Personalized offer of high-performance hardware appliances

  • Management of DevOps secrets

  • Integrated Digital Certificate Management

  • Solutions for cloud infrastructure, etc.

7. About senhasegura

We at senhasegura are recognized as leaders in cybersecurity by our customers and IT consulting companies worldwide.

Our mission is to guarantee the sovereignty of organizations over their privileged information through PAM, preventing data theft and leakage, as well as periods of inactivity that impact business performance.

To do this, we follow the privileged access management lifecycle using machine automation, before, during and after the access.

In addition to automatically auditing privilege usage, we investigate privileged actions to prevent abuse, reduce cyber risks, and bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001 and Sarbanes-Oxley.

8. Conclusion

In this article, you saw that:

  • A lateral movement attack can present itself in many ways

  • It occurs when hackers access an entry point and use that entry to move through the rest of the network, infecting computers and internal servers until they reach their target

  • Malicious agents can take weeks or even months to be discovered

  • Examples of lateral movement attacks include espionage, data exfiltration, botnet infection, and ransomware

  • To detect a lateral movement attack, it is important to have qualified professionals and effective solutions

  • To prevent this type of attack, the following are recommended: micro-segmentation, penetration tests, adoption of the Zero Trust security philosophy and endpoint security, and investment in a PAM solution, which provides each user with only the access necessary to perform their functions.


Concepts of Federated Identity Management

Federated Identity Management

Federated identity management enables authorized users to access multiple platforms using a single set of credentials. To learn more about it, read our text.

In the past, each website or application required a set of credentials. This meant every time you wanted to access a service, you had to create a username and password, which were stored on that platform.

Thus, when accessing the website again, it was necessary to re-enter the credentials because the users did not remain connected, even if the websites were managed by the same organization.

Also, when companies wanted to transfer user credentials from one domain to another, they had to use a new authentication system.

As the internet became more complex, developers realized this authentication system was not scalable and federated identity management would be the best solution in this regard.

In this article, we discuss federated identity management and its different concepts. To facilitate your reading, we divided the text into the following topics:

1. What Is a Federated Identity System?

2. What Is the Difference Between SSO and Federated Identity?

3. What Is SAML Federated Identity?

4. What Are the Two Components of a Federated Identity System?

5. Advantages of Federated Identity

6. senhasegura and AuthID Integration

7. About senhasegura

8. Conclusion


Enjoy the read!


1. What Is a Federated Identity System?

A federated identity is a system that enables authorized users to access different services using a single set of credentials securely and efficiently.

In practice, when a company implements this solution, its users can access Active Directory, partner websites, and web applications, among other services without logging in separately.


2. What Is the Difference Between SSO and Federated Identity?

Single sign-on (SSO) is a solution that allows users to access multiple platforms through a single set of credentials. In practice, when the user logs into an SSO service, they have access to connected websites and applications, without having to log in again.

That is, SSO is a feature of federated identity management and makes it possible to provide secure logins to users, while federated identity management itself provides access to resources from various organizations.


3. What Is SAML?

SAML (Security Assertion Markup Language) is a protocol that enables identity providers (IdP) to pass authentication and authorization assertions to service providers (SP). With this, one can use a single set of credentials to access different services.

For standardized communications between the identity provider and service providers, SAML transactions use Extensible Markup Language (XML). SAML connects the authentication of a user’s identity to the authorization for using a service.


4. What Are the Two Components of a Federated Identity System?

The federated identity covers two concepts: Identity Provider (IdP) and Service Provider (SP).

The first is an entity that creates and manages user identities and authenticates them on behalf of the applications that rely on it.

The second refers to an entity that provides web services. In practice, SPs do not authenticate users on their own, but need the IdP to authenticate them.

5. Advantages of Federated Identity

Federated identity management brings several advantages to users. Among them, we can highlight:

  • Improved security: In traditional authentication systems, users need to log in to each platform they access, using a set of credentials.
    In contrast, the federated option allows the user to securely authenticate across multiple websites and applications. With the reduction in the number of logins, the risks of invasion also decrease;
  • Secure resource sharing: With federated identity management, one can share resources and data without risking security. Moreover, by storing user data with an IdP, companies simplify their data management process;
  • Improved user experience: With federated identity management, users need to authenticate themselves once to have access to various services, which provides convenience in their work routine;
  • Single-point provisioning: Federated identity management also enables single-point provisioning, which facilitates user access, even if the user is outside the company area; and
  • Cost reduction: Organizations don’t need to create their own SSO solutions or manage multiple user identities, which reduces their costs.


6. senhasegura and AuthID Integration

senhasegura has developed integration with several identity providers. One of these providers is AuthID, a federated identity management solution that allows you to use the same login to access various services, in addition to the following benefits:

  • Integration with the existing IAM in the solution in minutes, through OpenID or API options;
  • Interruption of cyber threats;
  • Recovery and biometric MFA;
  • Elimination of password costs and risks with portable identity; and
  • Federated identity for SaaS, cloud, and legacy applications.


7. About senhasegura

We, from senhasegura, are part of MT4 Tecnologia, a group of companies specializing in digital security founded in 2001 and operating in more than 50 countries.

Our main objective is to provide our public with digital sovereignty and cybersecurity, granting control over privileged actions and data and avoiding breaches and leaks of information.

For this, we follow the lifecycle of privileged access management through machine automation, before, during, and after accesses. We also:

  • Avoid interruption of companies’ activities, which may impair their performance;
  • Offer advanced PAM solutions;
  • Automatically audit privileged changes in order to identify privilege abuses;
  • Automatically audit the use of privileges;
  • Reduce cyber threats;
  • Bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001, and Sarbanes-Oxley.


8. Conclusion

In this article, we shared concepts related to federated identity management. If you liked our content, share it with someone who might be interested in the topic.


Data Protection Laws: Why Should I Comply with Them?

Data Protection Laws: Why Should I Comply with Them?

Much discussed today, data protection laws are regulations developed by governments and have come into force to protect the personal and confidential information of data subjects.

However, many companies have not yet adapted to these laws and may be impacted by millionaire sanctions in case of information leaks.

Do you want to learn more on the subject? Follow our article to the end!


By 2023, 75% of the world’s population will be covered by data protection laws, according to Gartner estimates. These laws are intended to define guidelines for the collection, processing, and storage of personal data, preserving the privacy of data subjects.

Currently, 71% of countries already have privacy laws, 80% have laws related to cybercrime, 49% have consumer protection laws, and 81% have electronic transaction laws.

Given this scenario, organizations must comply with the terms established by these laws, avoiding the loss of revenue with millionaire sanctions.

In this article, we show you everything you need to know about data protection laws, which are in place in different countries. Our content explores the following topics:


1. Data Protection Laws: What Are They, How Do They Work and How Important Are They?

2. Data Protection Laws by Country

3. GDPR: Important European Data Protection Law

4. LGPD: Brazilian Data Protection Law

5. Main Data Protection Laws

6. Iconic Cases of Data Leaks

7. Basic Practices for Complying with Data Protection Laws

8. About senhasegura

9. How Does senhasegura PAM Enable Compliance with Data Protection Laws?

10. Conclusion


Enjoy the read!


1. Data Protection Laws: What Are They, How Do They Work and How Important Are They?

Data protection laws regulate personal data protection and privacy policies, directly impacting the way companies handle information relating to their employees, customers, and business partners.

In practice, they are sets of rules applied in the collection, processing, and storage of data used by individuals, companies, and governmental organizations.

It is important to note that countries that want to maintain negotiations between themselves must comply with the laws in force in both nations.

Many countries still do not have strict and well-established laws when it comes to data protection, but some already have them, and that will be the subject of the next topic.


2. Data Protection Laws by Country

Here is an overview of the data protection laws in force around the world:

  • Germany

When it comes to privacy and data protection regulations, Germany is ahead of many countries. Its Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) was made official in 2017, replacing the legislation of the same name created in 2001 and complementing the GDPR.

Germany’s data protection law addresses the rights and duties of public and private institutions regarding the collection and processing of data. It also presents specific guidelines on how companies should handle their employees’ data.

In practice, this legislation offers guidance on specific topics, such as data processing in the context of employment, the stipulation of a data protection officer, profiling, and credit checks.

Moreover, several German laws set strict privacy standards for certain topics, such as television and telecommunications providers, banks, and energy.


  • Argentina

Argentina’s Data Protection Law must be complied with by any person or institution dealing with personal data. In addition, this legislation requires the consent of the user for the collection of information.

Another right provided by Argentine law is that data subjects can access, correct, and request the deletion of their data whenever they deem it necessary.

  • Australia

The Australian Privacy Act of 1988 imposes rules aimed at the public and private sectors. Issues such as data subject rights, transparency, and use and disclosure of information stand out among the 13 Australian Privacy Principles addressed in the legislation.

In addition to the law in force throughout the country, Australian states also have their own regulations, aimed at certain segments.


  • Brazil

In Brazil, the General Data Protection Law (LGPD) came into force in 2020, but the topic had already been explored before in the Federal Constitution and the Consumer Protection Code.

In addition, in 2014, the Internet Civil Framework was approved, which addresses the rights and duties of network users, such as privacy, freedom of expression, and civil liability.


  • Canada

Between provincial and federal laws, Canada has a total of 28 data protection regulations. Its federal law is the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates the collection, processing, and disclosure of personal information.

PIPEDA sets out 10 principles to be followed by organizations and has similar, complementary legislation in Alberta, British Columbia, and Quebec.

  • China

Also known as "The Standard", the Information Security Technology - Personal Information Security Specification is China's legislation on data privacy.

It is a set of rules that addresses matters such as the rights of the data subject, transparency, and consent. It replaced several separate regulations on these matters.

  • Europe

GDPR is the data protection law in force in Europe, which is based on seven principles for data processing. They are: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

By following these principles, companies can remain compliant with the regulation. Moreover, data controllers also assume responsibility for their processing and must comply with European legislation.

In practice, personal data should be:

  • Processed in a lawful, fair, and transparent manner;
  • Collected for specific, legitimate, and explicit purposes, and processed in a manner compatible with those purposes. Further processing for purposes of public interest is not considered incompatible with the initial purposes;
  • Adequate, relevant, and limited to what is essential for the proposed purposes;
  • Accurate and kept up to date, with inaccurate data erased or rectified without delay;
  • Kept in a form that allows the identification of data subjects only for as long as necessary for the purposes of processing. However, data may be stored for longer periods if processed exclusively for purposes of public interest, scientific or historical research, or statistical purposes, subject to the technical and organizational measures required by the GDPR;
  • Processed in a manner that ensures the security of the personal data, including protection against unlawful processing, accidental loss, destruction, or damage.

  • Colombia

Four laws regulate data privacy in Colombia. They are: Decree 1,377/13, Law 1,581/12, Law 1,273/09, and Law 1,266/08.

The first addresses issues such as consent, personal data processing policies, and international transfers of information.

The other laws address, respectively, how data should be collected, stored, and processed; cybercrimes; and commercial and financial data, among other topics.

  • The United States

The United States has several laws governing data privacy, depending on the industry or state. In total, there are about 20 sector-specific laws, in addition to approximately 100 state laws.

The state of California alone has 25 laws, with the California Consumer Privacy Act (CCPA) being the main one.

Despite these state laws and legislation such as the Privacy Act, the Privacy Protection Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act, the United States still does not have a single comprehensive federal law for the protection of its citizens' data.

  • Philippines

The main legislation on the protection of personal information in the Philippines is the Data Privacy Act, drafted in 2012 and implemented in 2016.

According to this regulation, individuals have the right to know which companies access their data, for what purpose, who will have access to the information, and by whom it will be processed.


  • France

Like Finland, France has also replaced its old regulations in order to align more closely with the aspects addressed in the GDPR: its Data Protection Law (Law 78-17) was replaced by the 2nd French Data Protection Act (2016-1321).

Under the new legislation, companies must specify the purposes of data processing and ensure that only information essential to those purposes is collected.

  • India

Currently, India has several complementary laws on data security, but the Information Technology Act and the list of Information Technology Rules are the most important ones.

In addition, the country published the Digital Personal Data Protection Act in 2019, which is being analyzed by a parliamentary committee.


  • Indonesia

Indonesia has a set of data protection rules, which focus on the Electronic Information and Transactions Law, its amendment, and two other regulations.

Its rules are also expected to be consolidated soon into a single piece of legislation modeled on the GDPR.

  • Japan

Data protection in Japan has been governed by the Act on the Protection of Personal Information (APPI), which dates from 2003. In 2017, the country adopted the APPI Amendment, which covers aspects such as sharing information with third parties, information held in databases, and leaks.

  • Malaysia

In place since 2010, Malaysia’s first data protection legislation is based on seven principles: generality, notification and choice, disclosure, security, retention, data integrity, and access.

According to this regulation, data subjects must be informed in writing of their rights, the purpose of the collection and processing of their data, and who will have access to it.

  • Mexico

In 2010, the Federal Law on Protection of Personal Data Held by Individuals was established in Mexico, which includes data collected and processed by private organizations.

These companies are also governed by the Regulations of the Federal Law on the Protection of Personal Data Held by Individuals, the Privacy Notice Guidelines, and the Self-Regulation Parameters.

Mexico also relies on the Federal Institute for Access to Information and Data Protection (IFAI) to manage all these rules.

  • New Zealand

In New Zealand, data protection is controlled through the country’s Privacy Act, which has 12 Information Privacy Principles, established in 1993. In addition, the country has regulations directed at certain industries.

What's more, the Data Privacy Act 2018 is expected to be approved soon and will replace the 1993 legislation.

3. GDPR: Important European Data Protection Law

The General Data Protection Regulation (GDPR) is a set of European rules governing the use of data in electronic environments. It aims to strengthen the concept of digital citizenship and protect users in aspects such as financial services and social media interactions.

In practice, this regulation proposes individuals and legal entities should use personal data responsibly, preserving the privacy of the information holders.

Its widespread adoption is still recent, so not every European country has fully regulated its online activities yet.

In addition, despite being European legislation, the GDPR impacts other countries that perform commercial transactions with European nations and need to comply with its standards.

The General Data Protection Regulation addresses the collection, use, sharing, and security of personal data in the 28 countries that make up the European Union.

Organizations that do not comply with its rules are subject to fines of up to 20 million euros or 4% of their turnover. Here are some important GDPR criteria:

  • Consent of Data Subjects

Before companies begin collecting personal data, they need to obtain the express consent of the information holders.

However, it is important to keep in mind that some data which is not protected by the laws of the United States is considered personal data in Europe and must be protected. This is the case with IP addresses.

  • Notification of Data Breaches to Authorities

Another obligation of companies under the GDPR is to notify data subjects and authorities within 72 hours of a breach that affects the privacy of users.

  • Rights of Data Subjects

Under GDPR, data subjects must be guaranteed certain rights related to their personal information. Among them, we can highlight:

  • Be informed about the collection and use of their data;
  • Request a copy of their personal information and receive explanations about the means of collection, what is being collected, and with whom it will be shared;
  • Request rectification of data that may be incomplete or incorrect;
  • Have their personal data deleted within 30 days if they make such a request;
  • Request the restriction of their personal information;
  • Transfer personal data from one electronic system to another securely; and
  • Object to the way their data is used (unless the information is held by a legal authority, is processed for purposes of public interest, or is processed by a company that needs it in order to deliver a service the data subject has contracted).

New Perspectives for the General Data Protection Regulation

The European Union is expected to update its rules on digital services soon through two new laws: the Digital Services Act and the Digital Markets Act.

The purpose of these laws is to ensure that what is illegal offline is also illegal online, requiring websites such as Google to quickly remove content deemed illegal or harmful.

The Digital Services Act and the Digital Markets Act will target very large online platforms and search engines with over 45 million monthly users.

In practice, the Digital Services Act deals with any service delivered through the internet, covering hosting services, intermediary services, and online platforms, and obligations vary according to the size of the company.

The Digital Markets Act, in turn, affects large organizations such as Apple and Facebook. Its goal is to level the playing field by preventing large organizations from imposing unfair conditions on other companies and the public.

In the coming years, the Electronic Privacy Regulation will also enter into force, which will establish privacy guidelines for electronic communication services and institutions, which were not governed by previous legislation.

This law should also simplify consent or denial of tracking cookies, allowing users to withdraw their consent at least once a year.

Finally, there is the AI Law, which should be applied to all organizations that use programs based on artificial intelligence. The legislation has already been introduced and is in the process of being revised. It applies to any organization with customers in the European Union, regardless of where it is located.


4. LGPD: Brazilian Data Protection Law

The General Data Protection Law (LGPD) is a Brazilian regulation that aims to protect the personal and private data of people residing in Brazil. This legislation defines what personal data is and explains which types of information deserve more attention.

In addition, according to the LGPD, its requirements must be respected even if the company is located outside the country.

5. US Data Protection Laws


CCPA

As we have already mentioned in this article, the United States has a series of data protection laws divided by segments and areas. One of the states where these regulations have solidified is California, which is governed by the California Consumer Privacy Act (CCPA).

This legislation gives consumers more control over the information collected by companies, as well as the right to know how this data is used and shared, to have it deleted, and to refuse its sale.

Moreover, contract clauses that waive rights guaranteed by the CCPA are unenforceable.

NY Shield

New York also has its own data protection law, the NY Shield, in place since 2020. This regulation requires security and accountability from organizations that handle the personal data of residents of the state.

NY Shield emerged through the expansion of laws that previously existed in New York: the General Business Law and the Warn Act.

US Federal Laws

We will now mention some US federal laws which, although not specific to data protection, serve to protect certain types of information in specific circumstances. One of them is the Health Insurance Portability and Accountability Act (HIPAA), which protects users' communications with health entities such as hospitals and pharmacies.

The United States also has a federal law, the Family Educational Rights and Privacy Act (FERPA), that details who is authorized to request students' educational records.

The Gramm-Leach-Bliley Act (GLBA) covers banking services and requires financial institutions to explain how they share data and to respect the right of customers who do not wish to provide their information.

6. Iconic Cases of Data Leaks

Here are some known cases of data leaks:


  • LinkedIn

In 2012, LinkedIn was hacked by malicious actors who exposed the personal information of more than 117 million users. At the time, data such as names, email addresses, and passwords were leaked.


  • Evernote

The following year, it was Evernote’s turn to become a target for attackers, who accessed usernames, email addresses, and account passwords on the platform.


  • Yahoo

Also in 2013, Yahoo announced it was the target of a data breach that exposed the names, phone numbers, birthdates, and passwords of 3 billion users.

  • Adobe

Also in 2013, Adobe customers had their data leaked. It is estimated that 152 million names and passwords were exposed at the time, along with 2.8 million credit card numbers; however, only 38 million records were confirmed.

Adobe was sued by several US states and had to pay a $1 million fine.

  • Facebook

In 2014, Cambridge Analytica used the personal data of Facebook users to conduct unauthorized behavioral profiling that was later used in Donald Trump's presidential campaign.

  • Uber

More than 57 million users of the Uber app, including 200,000 Brazilians, had their data exposed in a data breach that occurred in 2016 but was only disclosed the following year.

As a result, the government of California, in the United States, fined the company R$150 million.

  • MySpace

The social network MySpace was also targeted by malicious agents in 2013, with 360 million users impacted. However, the information did not become public until three years later, through a notification that users' personal data had been exposed and might be up for sale.

  • Twitter

The 330 million people who used Twitter in 2018 had to change their passwords after the social network discovered a vulnerability in its database. A few years earlier, Twitter users’ personal data had already been exposed twice due to security flaws.


  • McDonald’s

In 2019, more than 2 million McDonald's records containing the personal information of its employees were leaked. The data included the employees' full name, age, length of service, position, and salary.

  • Amazon

In 2021, the company was fined by the Luxembourg National Commission for Data Protection for failing to comply with data protection law requirements in its advertising system. The fine amounted to 746 million euros.

7. Basic Practices for Complying with Data Protection Laws

Data protection experts recommend that companies redefine their organizational management, taking into account certain factors.

Among them, we can highlight:

  • The need to have a professional in charge of data security;
  • Execution of a complete audit of the information;
  • Definition of the data lifecycle;
  • Re-elaboration of contracts with suppliers and partners;
  • Review of security policies; and
  • Preparation of privacy impact reports.

For this, companies can rely on the services of a law firm specialized in data protection laws, in addition to technological solutions that strengthen digital security.

8. About senhasegura

We, at senhasegura, are part of the MT4 Tecnologia group, founded in 2001 to promote cybersecurity for the companies that hire us.

We serve organizations from 54 countries, offering our customers control of insider actions and information in order to prevent threats such as malicious attackers and data leaks.

For us, digital sovereignty is everyone’s right and this goal can only be achieved using applied technology.

Therefore, we follow the lifecycle of privileged access management, before, during, and after access. Our commitments include:

  • To ensure more efficiency and productivity for businesses, as we avoid interruptions due to credential expiration;
  • To perform automatic audits on the use of privileges;
  • To automatically audit privileged changes to detect abuses;
  • To ensure customer satisfaction;
  • To perform successful deployments;
  • To provide advanced PAM capabilities;
  • To reduce risks;
  • To bring companies into compliance with audit criteria and standards such as PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.


9. How Does senhasegura PAM Enable Compliance with Data Protection Laws?

senhasegura PAM is a solution that allows companies to comply with data protection laws through tools that provide security to the digital environment.

It also proposes the implementation of policies, processes, and procedures, in addition to increasing the level of cyber awareness of users.

One of the main capabilities of this solution is the protection of privileged credentials through the Principle of Least Privilege, which grants each user only the access indispensable to perform their functions.

10. Conclusion

In this article, you saw that:

  • Data protection laws affect the way companies handle sensitive information from their customers, employees, and business partners;
  • Many countries do not have well-established laws on the subject yet, but several nations are already concerned about it;
  • We showed data protection laws in force in different countries;
  • We also covered the main data laws today;
  • We presented emblematic cases of data leaks, such as Facebook, Uber, and Twitter;
  • We listed good practices for companies that need to comply with data protection laws;
  • Finally, we presented senhasegura PAM as an effective solution for these organizations to achieve their goal.

About Senhasegura
Senhasegura strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases, and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.
