
2021

Data Privacy Tool Kit


Table of Contents

• 2021 Data Privacy Tool Kit 2
• Data Privacy - Now’s the Time for the US to Catch Up 4
• A Closer Look at CCPA 7
• The Road to Compliance: Steps for Securing Data to Comply with the GDPR 14
• 5 Secure Steps to NYDFS Compliance 30

2021 Data Privacy Tool Kit

Thank you for downloading the 2021 Data Privacy Tool Kit. We hope you find the elements of this tool kit interesting and useful.

As you know, customers, governments, and enterprises have become more sensitive than ever about Personally Identifiable Information (PII) - where it resides, who has access to it, and what is done with it. As a result, regulatory bodies at all levels of government are making enterprises that keep customer PII more accountable for securing it and for enabling customers to have more control over it.

In most enterprises, the people responsible for successful regulatory audits do not choose or implement the data privacy solutions that make it easy and fast to ensure compliance. There is often a lack of communication, and there are technology gaps that, if left unaddressed, can become very costly. We want to help you overcome this challenge.

The papers in this tool kit have been included to give you some insight into what enterprises like yours are facing when it comes to complying with regulations governing data privacy. We provide in-depth looks at a few high-profile regulations so you may familiarize yourself with the types of requirements that you have, or will have soon. Regardless of your industry, the size of your enterprise, or the geographic area in which you operate or have customers, data privacy regulations are a concern, and your ability to comply with these regulations is critical to your success or failure as a business.

Here is a brief synopsis of the pieces included in this tool kit.

Industry Perspective: Data Privacy – Now’s the Time for the US to Catch Up

The outcome of the recent US Presidential election will impact the federal laws requiring companies operating in the United States to protect sensitive information. The issue has been largely overlooked, but with many other countries enforcing GDPR-type regulations, Imperva believes the US will follow suit. This paper explains how policies are likely to change and what enterprises will be expected to do about them.

2 2021 Data Privacy Tool Kit | 5 Secure Steps to NYDFS Compliance

Whitepaper: A Closer Look at CCPA

If it were a sovereign nation, the US state of California would rank as the world’s fifth largest economy. If your business has any base of operation in California or has customers in the state, you are likely compelled by law to comply with the California Consumer Privacy Act (CCPA). In this paper, you will learn how the state defines what is personal information, how to demonstrate compliance, and what the litigation implications are for not doing so.

The Road to Compliance: Steps for Securing Data to Comply with the GDPR

The European Union (EU) represents around one-sixth of the global economy. The EU General Data Protection Regulation (GDPR) has expanded privacy protections and includes obligations for companies that handle personal data originating in the EU. In this paper, you will learn the cybersecurity best practices that help your enterprise comply with the regulation. You will also gain insight into how your enterprise can benefit from the increased investigative capacity and streamlined breach response plan that come with the process and technology measures adopted as a result of compliance.

5 Secure Steps to NYDFS Compliance

The New York State Department of Financial Services’ cybersecurity regulations for financial services, known as 23 NYCRR 500 (but referred to as NYDFS), are designed to protect customers’ data and to maintain security of operations within the financial industry. The regulations provide a structure on which to build cybersecurity programs and policies specific to financial services business models to protect systems and consumers from the increased threat of cyberattacks. Even firms with existing security programs and procedures in place can benefit from implementing and maintaining the processes required by NYDFS. This e-book explores the benefits of adopting a risk-based approach to cybersecurity.

Next steps

Imperva is here to help. Data privacy is hard; you can save time and money by working with the industry leader in cybersecurity to build your compliance strategy.

Contact Imperva today to learn more here.


INDUSTRY PERSPECTIVE

Data Privacy – Now’s the Time for the US to Catch Up

The recent Netflix documentary, The Social Dilemma, may have highlighted to many Americans just what happens to the wealth of personal information they regularly – and willingly – share online. It may be especially concerning, then, to know that companies in the United States aren’t required by federal law to protect this information.

The outcome of the Presidential election may be about to change this, however. It’s widely anticipated that the question of data privacy will be a significant priority for the Biden Administration. The issue has been largely overlooked under President Trump, but with many other countries enforcing GDPR-type regulations, it’s time the US acknowledged the real importance of protecting its citizens’ personal information.

Piecemeal protection

Data privacy clearly matters to consumers. Most of the respondents (87%) to a recent US survey by PWC said they’d take their business elsewhere if they didn’t trust a company to handle their data responsibly. This is worrying news for businesses, especially when only a quarter of respondents felt most companies handled their personal information responsibly.

Elsewhere around the globe, of course, strict regulations are in place to ensure that companies do just this. Probably the most well-known of these, the EU GDPR, is a legal framework that sets guidelines for the collection and processing of personal information from individuals living in the European Union, and gives those individuals greater control over their own data. Variations of these regulations exist elsewhere. Canada recently introduced the Digital Charter Implementation Act, for example, while India has its Personal Data Protection Bill, Australia its Privacy Amendment (Notifiable Data Breaches), and Japan its Act on Protection of Personal Information.

Although there are exceptions – health information is regulated, as is data on children under 13 – the closest the country has come to regulation at a national level was the EU-US Privacy Shield, a framework designed to facilitate transatlantic data transfers. But this was invalidated by the Court of Justice of the European Union in July 2020.

Instead, there is a patchwork of regional data protection laws. Since California became the first state to pass legislation requiring companies to report breaches of personal information in 2002, other states have passed their own breach notification laws. However, each has its own definition of what constitutes personal information, and its own reporting requirements and processes. In the absence of a consistent federal legislative framework, this piecemeal approach is a logistical and regulatory minefield for American businesses. In the wake of the Coronavirus pandemic, this kind of administrative burden is one of the last things the US economy needs right now.

Signs of support

What happens next will depend on the Georgia Senate runoff, the outcome of which we won’t know until early January. If the Democrat challengers flip both seats, the party will hold a majority in both the Senate and the House, lending much-needed leverage to any plans that President-elect Biden might have. If the Republican incumbents maintain their seats, that leverage will be reduced.

But whichever way the vote in Georgia plays out, passing a piece of legislation which sets out clear definitions of personal information, and firm guidance on its secure and respectful handling, should be toward the top of the Biden Administration’s to-do list. Fortunately, there are signs of support for such legislation from both sides of Government.

In July, for example, the bipartisan Cyberspace Solarium Commission published the draft of its proposed Personal Data Security and Privacy Protection Act of 2020, which outlines the need to provide consumers with transparency and access to their data, states requirements for reasonable security measures, and considers the importance of international interoperability.

Since then, the US Senate Committee on Commerce, Science and Transportation has held a hearing entitled “Revisiting the Need for Federal Data Privacy Legislation”, and both Republicans and Democrats have introduced bills relating to data privacy – the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act, and the Consumer Online Privacy Rights Act (COPRA), respectively.

Strength of momentum

Consumers are, understandably, concerned about the safety and security of their personal information, and businesses are working hard to comply with inter-state as well as international regulations. To satisfy the concerns of both consumers and businesses, the incoming administration needs to implement something along the lines of the GDPR – a single, consistent framework of rules that can be rigorously enforced with strict financial penalties for non-compliance.

As we’ve seen from recent activity in the Senate, there is some momentum behind the introduction of the kind of legislation we’ve seen in place elsewhere in the world. However, we won’t know just how strong that momentum is until the new year. Watch this space. This topic and several other trends that we anticipate impacting 2021 are discussed in the “Where Do We Go From Here? 2021 Security Predictions”. We invite you to listen to the fireside chat here.
THE CALIFORNIA CONSUMER PRIVACY ACT

A Closer Look at CCPA

The California Consumer Privacy Act (CCPA) came into effect January 1, 2020. This executive brief will help you prepare for the new regulation.

Contents

• What is the CCPA? 8
When did it come into effect? 8
• Who needs to comply? 9
Definition of personal information 9
Violation or data breach 9
Agility, data privacy and security 9
• CCPA and GDPR differences 10
• How Imperva can help 11
Data discovery and classification 11
Data monitoring 11
Data risk analytics/RASP/WAF 12
Data masking 12
• Conclusion 13

What is the CCPA?

The California Consumer Privacy Act (CCPA), passed in 2018, is meant to improve privacy rights and consumer protection for residents of California. The new act draws much from Europe’s General Data Protection Regulation (GDPR) as it relates to the access to, deletion of, and sharing of personal information. Its intent is to provide Californian citizens with the right to know when their personal data is being collected, whether their personal data is being disclosed or sold, and to whom.

The act also intends to provide consumers with the right to:

• Say no to the sale of personal data
• Access their personal data
• Request that a business delete their personal information
• Not be discriminated against for exercising their privacy rights

When did it come into effect?

The legislation came into effect on January 1, 2020, with regulatory enforcement expected to begin six months later on July 1.


Who needs to comply?

The CCPA applies to any business that collects the personal data of consumers based in California and that meets any one of the following thresholds:

• Has annual gross revenues in excess of $25 million
• Possesses the personal information of 50,000 or more consumers, households, or devices
• Earns more than half of its annual revenue from selling consumers’ personal information

All businesses that collect the personal data of California residents and meet the above thresholds must comply with the CCPA, even those that have no physical presence in California and are not otherwise ruled by California law. If you are a California citizen who temporarily resides outside the state, you are still protected by the CCPA.

Definition of personal information

Under CCPA, personal information is defined as any information that could be reasonably linked to a particular consumer or household, including a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Violation or data breach

The CCPA could have significant implications for litigation, including injunctive, declarative, equitable relief and data breach litigation. Violation of the CCPA regulation or a data breach can result in the following penalties:

• Organizations that become victims of a data security breach can be ordered in civil, class action lawsuits to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater.
• A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.

Agility, data privacy, and security

One of the key findings of the California state legislature is that as the role of technology and data in the daily lives of consumers increases, so too does the amount of personal information they share with organizations. This data growth and the simultaneous increase in cyberattacks and data breaches is making data security a top priority for businesses around the world and driving more stringent data privacy regulations.

More digital interaction with data means companies find themselves having to store growing volumes of personal customer data. This makes data security and regulatory compliance more of a challenge. To fully protect their assets and meet data privacy requirements, businesses need to know exactly what data they possess, where it is stored, and who has access to it.

The CCPA requires businesses to create a number of new procedures to meet requirements, including:

• Respond to requests from consumers who want to see the personal data that the company has stored, delete their personal data, or ask a company not to sell their personal data.
• Verify the identity of consumers who make such requests.
• Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information.
• Maintain records of requests and how the business responded for 24 months.

CCPA and GDPR differences

The CCPA is often compared to Europe’s General Data Protection Regulation (GDPR), and it’s fair to say that organizations that have ramped up to GDPR compliance will find it easier to meet the requirements of CCPA. Businesses should not assume, however, that complying with GDPR lets them off the hook. While there are similarities – for example, both regulations give individuals the right to access and delete their personal information – they are two separate legal frameworks that impose different obligations.

Some differences:

• The CCPA definition of personal information specifically includes household information, whereas the GDPR definition of personal data applies only to information related to an identifiable natural person.
• The content in the required privacy notices differs for each of the regulations, and a privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA privacy requirements, which must include how to restrict the sale of personal information.
• Under the CCPA, individuals have the right to opt out of the sale of their personal information, and organizations are obliged to add a “do not sell my personal information” button to their websites, which is not a requirement of GDPR.

To provide true data privacy for consumers and to implement any of the above procedures for CCPA compliance, organizations need to fully understand what personal consumer information they have stored on their networks, who has access to it, and how to protect it. Large organizations that store high volumes of data will find this especially challenging as they often manage multiple locations and store data across multiple environments. Their data security teams can receive tens of thousands of threat alerts daily, causing alert fatigue and the risk of a serious threat slipping through the net.


How Imperva can help

Imperva offers a range of data security solutions that help organizations meet data privacy and protection compliance obligations.

To help organizations comply with CCPA obligations, the table below cites the relevant sections of the regulation aligned with the respective Imperva solution.

Data discovery and classification

Where is personal data stored?
CCPA Sections: (1798.100, 1798.110, 1798.115, 1798.120, 1798.105)

The Imperva Data Discovery and Classification solution scans your network and servers to find any unknown databases, pinpoints and classifies sensitive data using dictionary and pattern-matching methods, and can scan database content for pre-defined data types such as credit card numbers, national identifiers, email addresses, system credentials, and more. This helps companies take a risk-based approach to their data security by evaluating and prioritizing which datasets require which levels of protection to reduce the impact of a breach and reduce risk to their organization.

Data monitoring

Which data has been added or updated within the last 12 months?
CCPA Sections: (1798.100, 1798.130)

Imperva Data Security solutions provide enterprise-wide visibility into all database activity by monitoring all user database access, on-premises or in the cloud, and retain all the audit logs. Using policies that Imperva provides for regulations such as CCPA, organizations can identify the user by role (including privileged users) or account type (such as a service account), know whether the data accessed was sensitive, and easily detect non-compliant access behaviors. This automates detection of the nature or origin of a threat and helps to accelerate any required incident response. Organizations can create custom policies of their own as needed. The policies also allow an organization, at its discretion, to automate breach prevention responses such as terminating the download of a large number of sensitive database records.
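The kind of policy evaluation described above, as an added example in Python; it is not Imperva code. Constructed database audit records are checked for two conditions the text names: access to tables classified as sensitive by an account type or role that is not permitted to read them, and a bulk read of sensitive records large enough that a blocking policy would terminate it. The table names, roles, threshold and audit-line format are assumptions made for the example.

```python
"""Added example (not Imperva code): policy checks over database audit
records, in the spirit of the CCPA monitoring described above. Table
names, roles, the threshold and the audit-line format are constructed."""
from dataclasses import dataclass
from typing import Dict, List

SENSITIVE_TABLES = {"customers", "payment_cards"}   # output of a classification step (constructed)
ALLOWED_ROLES = {"support_agent", "dba"}             # roles permitted to read sensitive tables
BULK_READ_THRESHOLD = 1000                           # rows returned by one statement

@dataclass
class AuditEvent:
    ts: str
    user: str
    role: str          # e.g. support_agent, dba, analyst
    account_type: str  # "user" or "service"
    operation: str     # SELECT, UPDATE, ...
    table: str
    rows: int

def parse_audit_line(line: str) -> AuditEvent:
    """Parse one pipe-delimited audit record (constructed format)."""
    ts, user, role, acct, op, table, rows = [f.strip() for f in line.split("|")]
    return AuditEvent(ts, user, role, acct, op.upper(), table, int(rows))

def evaluate(event: AuditEvent) -> List[str]:
    """Return every policy finding raised by one event; an empty list means compliant."""
    findings: List[str] = []
    if event.table not in SENSITIVE_TABLES:
        return findings  # only access to sensitive data is in scope here
    if event.account_type == "service":
        findings.append("service account read sensitive table")
    elif event.role not in ALLOWED_ROLES:
        findings.append(f"role '{event.role}' not permitted on sensitive table")
    if event.operation == "SELECT" and event.rows >= BULK_READ_THRESHOLD:
        # the kind of event a blocking policy would terminate mid-download
        findings.append(f"bulk read of {event.rows} sensitive rows")
    return findings

def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Run the policies over all records; alerts are keyed by timestamp and user."""
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_audit_line(line)
        hits = evaluate(ev)
        if hits:
            alerts[f"{ev.ts} {ev.user}"] = hits
    return alerts

# Constructed sample audit records, not real log data.
SAMPLE_LOG = """\
2021-01-12T09:01:04Z | jdoe     | support_agent | user    | SELECT | customers     | 3
2021-01-12T09:02:11Z | analyst7 | analyst       | user    | SELECT | customers     | 25
2021-01-12T09:05:40Z | svc_etl  | etl           | service | SELECT | payment_cards | 48000
2021-01-12T09:06:02Z | dba01    | dba           | user    | UPDATE | customers     | 1
2021-01-12T09:07:19Z | jdoe     | support_agent | user    | SELECT | orders        | 5000
"""

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(key, "->", "; ".join(hits))
```

Only the two accesses that touch a sensitive table in a non-permitted way are reported; the 5,000-row read of a non-sensitive table is deliberately ignored, which is the point of feeding classification results into the monitoring policy.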


Data risk analytics/RASP/WAF

Unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
CCPA Section: (1798.150)

Imperva Data Risk Analytics (DRA) uses machine learning to automatically uncover unusual data activity, surfacing actual threats before they become breaches. DRA provides granular visibility and actionable insights into how data is being used and by whom, so that companies can quickly detect unusual behavior, enabling them to contain a breach before damage happens.

Imperva’s Runtime Application Self-Protection (RASP) detects and blocks attacks from inside the application. RASP monitors all traffic through your applications, showing you which vulnerabilities in your applications are under attack, who’s attacking and how, and what they’re trying to accomplish. The result? Fast and accurate protection with NO signatures and NO learning mode.

Imperva WAF works on-premises and in the cloud to protect against the most critical web application security risks, accurately detecting attacks and minimizing false positives. Through an intuitive single-pane-of-glass dashboard, Imperva WAF enables you to quickly assess security status and streamline demonstration of regulatory compliance.

Data masking

“Pseudonymize” or “pseudonymization”.
CCPA Section: (1798.140)

Imperva Data Masking protects sensitive data from exposure in non-production or DevOps environments by replacing sensitive data with fictional but realistic values, using a variety of masking techniques including pre-defined or custom data transformers. Data masking reduces the risk of sensitive data exposure, prevents data security breaches, and helps you comply with data protection and privacy laws.
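The two classification methods named under Data discovery and classification (a dictionary of column names and pattern matching on values) and the masking step described under Data masking, as one added example in Python; it is not Imperva’s code. The column-name dictionary, the regular expressions, the sample rows and the HMAC key are constructed for the example. Masking is done as keyed, deterministic pseudonymization: the same input always yields the same fictional value, so joins between masked tables still work, and card numbers are regenerated so they remain Luhn-valid and realistic.

```python
"""Added example (not Imperva code): classify columns of personal data
with a column-name dictionary and value patterns, then mask them with
deterministic, format-preserving pseudonyms. All names, rows and the
key below are constructed for the example."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Dictionary method: column names that conventionally hold a data type (constructed list).
NAME_DICTIONARY = {
    "email": "email_address", "e_mail": "email_address",
    "ssn": "national_identifier", "national_id": "national_identifier",
    "card_number": "credit_card", "pan": "credit_card",
}
# Pattern method: regular expressions applied to the values themselves.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # US SSN layout as one national-identifier pattern
CARD_RE = re.compile(r"^[\d -]{13,23}$")      # candidate card number, confirmed by Luhn below

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value: str) -> Optional[str]:
    """Classify one value by pattern; None when nothing matches."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email_address"
    if SSN_RE.match(v):
        return "national_identifier"
    if CARD_RE.match(v):
        digits = re.sub(r"[ -]", "", v)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "credit_card"
    return None

def classify_column(name: str, values: List[str]) -> Optional[str]:
    """Dictionary match on the column name first, else a majority vote over the values."""
    label = NAME_DICTIONARY.get(name.lower())
    if label:
        return label
    non_empty = [v for v in values if v.strip()]
    hits: Dict[str, int] = {}
    for v in non_empty:
        lbl = classify_value(v)
        if lbl:
            hits[lbl] = hits.get(lbl, 0) + 1
    if not hits:
        return None
    best, count = max(hits.items(), key=lambda kv: kv[1])
    return best if count * 2 > len(non_empty) else None

def classify_table(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {column: label} for each column holding a recognised data type."""
    labels = {}
    for col in rows[0]:
        lbl = classify_column(col, [r[col] for r in rows])
        if lbl:
            labels[col] = lbl
    return labels

def _digits_from(key: bytes, value: str, n: int) -> str:
    """n digits derived by HMAC: the same key and input always give the same digits."""
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).hexdigest()
        out += "".join(str(int(ch, 16) % 10) for ch in mac)
        counter += 1
    return out[:n]

def mask_value(value: str, label: str, key: bytes) -> str:
    """Replace a classified value with a fictional value in the same format."""
    v = value.strip()
    if label == "email_address":
        local, _, domain = v.partition("@")
        return f"user{_digits_from(key, local, 8)}@{domain}"  # keeps the domain, hides the person
    if label == "national_identifier":
        d = _digits_from(key, v, 9)
        return f"{d[:3]}-{d[3:5]}-{d[5:]}"
    if label == "credit_card":
        digits = re.sub(r"[ -]", "", v)
        body = _digits_from(key, digits, len(digits) - 1)
        check = next(c for c in "0123456789" if luhn_valid(body + c))  # fictional but still Luhn-valid
        return body + check
    return v

def mask_table(rows: List[Dict[str, str]], labels: Dict[str, str], key: bytes) -> List[Dict[str, str]]:
    """Mask every classified column; leave the rest untouched."""
    return [{c: (mask_value(v, labels[c], key) if c in labels else v) for c, v in r.items()} for r in rows]

# Constructed sample records: fictional people, industry test card numbers.
SAMPLE_ROWS = [
    {"customer_id": "1001", "contact": "alice@example.com", "card_number": "4111 1111 1111 1111", "tax_ref": "123-45-6789", "city": "Sacramento"},
    {"customer_id": "1002", "contact": "bob@example.org", "card_number": "5500 0000 0000 0004", "tax_ref": "987-65-4321", "city": "Fresno"},
]
MASKING_KEY = b"constructed-example-key"  # in practice a managed secret, never stored with the data

if __name__ == "__main__":
    found = classify_table(SAMPLE_ROWS)
    print("classified:", found)
    for row in mask_table(SAMPLE_ROWS, found, MASKING_KEY):
        print(row)
```

The `contact` and `tax_ref` columns are caught only by the value patterns, which is why a name dictionary alone is not enough; `card_number` is caught by name. Because the pseudonym is an HMAC of the original under a key that stays outside the non-production environment, the masked copy cannot be reversed from the data alone, yet every occurrence of the same customer masks to the same value.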


Conclusion

Digital transformation has made more and more data available everywhere, resulting in unprecedented levels of data availability and accessibility. With regulators stepping up to enforce tighter data protection laws, data security and data-driven compliance have become two major priorities for companies in recent years. As California will be the first state to pass anything similar to the GDPR in the United States, CCPA could be the tip of the data privacy regulation iceberg.

Find out more about Imperva Data Security and compliance solutions here.

Imperva is an analyst-recognized cybersecurity leader championing the fight to secure data and applications wherever they reside.


GUIDE

The Road to Compliance: Steps for Securing Data to Comply with the GDPR

01 EXECUTIVE SUMMARY | 02 INTRODUCTION | 03 ABOUT THE GDPR | 04 DOES GDPR APPLY TO YOUR ORGANIZATION? | 05 THE PRICE OF NON-COMPLIANCE | 06 A CHECKLIST FOR APPROACHING GDPR | 07 IMPERVA CAN HELP

Executive summary

The European Union (EU) General Data Protection Regulation (GDPR) has replaced the Data Protection Directive 95/46/EC (Directive).

The regulation expands privacy protections and includes obligations for companies that handle personal data originating in the EU. Unlike the Directive, it extends the reach of the data protection law to companies who may have no presence in the EU, as long as those companies process an EU resident’s personal data in connection with goods or services being offered, or if those companies monitor the behavior of individuals within the EU.

Even for organizations that already follow cybersecurity best practices, GDPR data security requirements could result in process and technology changes that will require substantial time and resources to implement. The potential upside for security teams is twofold: they may benefit from the increased investigative capacity and streamlined breach response plan that come with the process and technology measures adopted as a result of compliance.

This guide is for CISOs who want to understand whether their companies are impacted by the new regulation, how it impacts them, and what steps their teams can take to comply with GDPR data security requirements. You’ll learn:

• The basic framework, intent, and extent of the GDPR
• Which companies are affected
• What the penalties are for non-compliance
• A pragmatic approach to a GDPR compliance project
• How Imperva can help
Making GDPR data security compliance a top priority

Any company that processes personal data originating in the EU (whether or not the data subject is a citizen or resident of the EU) or the data of an EU resident—whether the company has operations in the EU or not—is covered by the GDPR. Because this could affect nearly every website or app in the world, it’s no wonder that GDPR compliance is a top priority for CISOs around the world.

For companies located in the EU, doing or seeking to do business with individuals in the EU, or monitoring the behavior of or collecting information from individuals in the EU, the GDPR has introduced a new level of compliance obligations around privacy and data security.

Wherever your company is on the road to GDPR compliance, this guide can help you take the right steps to get there.

GDPR ONE YEAR IN
Only 28% of firms say they are compliant with the GDPR today, with 30% “close to compliant.”
SOURCE: CAP GEMINI SURVEY - SEPT 2019
About the GDPR

The Official Name
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Properties
Length of the full text: 88 pages
Status: Effective since May 25, 2018
Purpose: Gives individuals in the EU stronger rights, empowering them with better control of their data and protecting their privacy in the digital age.

Organizations Impacted
Both data controllers (those that determine the purposes and means of processing personal data) and data processors (those that process personal data on behalf of the controller) of personal data originating in the EU or of EU residents, regardless of the location of the business.

What Is Personal Data?
Any information relating to an identified or identifiable natural person that originates in the EU. More specifically, the GDPR states: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Certification
For those that successfully meet the requirements, there is an optional certification, which may provide a competitive advantage and help build customer trust.
Does GDPR apply to your organization?

Many global organizations operating outside of the EU may still require guidance as to how the regulation applies to them. While CISOs should always consult with their legal departments about applicability, the following explanation and examples provide a starting point for understanding the reach of the regulation.

GDPR requirements apply to any organization doing business in the EU regardless of whether the processing of personal data takes place in the EU or not, and whether it’s data about EU residents or EU visitors.

It is important to note that the new rules will apply to businesses established outside the EU if they process the personal data of EU residents or visitors in connection with:

• Offers of goods or services, irrespective of whether payment is required; or,
• Monitoring of behavior that takes place within the EU

While simply having a website or email accessible in the EU is not enough to bring a global business under the GDPR scope, certain factors may indicate that a business intends to offer goods or services to EU residents or visitors within the EU, which then bring the business within the scope of the new rules. These factors may include:

• The use of a language or a currency generally used in one or more EU Member States with the possibility of ordering goods and services in that language
• The mentioning of customers or users who are in the EU¹

¹ Paragraph 23 of the Introductory Recitals to the GDPR.
Does GDPR apply? Two examples

Example 1
A financial analyst firm is tasked with projecting a European company’s revenues for the next three years. The primary analyst works out of an office in the US, but uses personal data provided by the client. Because the data was collected in the EU, it is subject to GDPR requirements, even though the analyst is based out of the US office and didn’t originally collect the data.

Example 2
A mobile and online website allows people to shop for, buy, and rate products. The US-based company that owns the retail storefront collects personal data about the people that visit and make purchases. The information is subsequently used in advertising campaigns and sales reports. If a person visits the website while they are physically present in the EU, the requirements of the GDPR follow the personal data collected during that visit. That means that any website or mobile application that is accessible by and collects personal data from a person in the EU will need to comply with the GDPR.
The price of non-compliance

If the benefits of complying with GDPR aren’t incentive enough, the potential penalties for companies that do not comply should help you create a convincing business case for the investment needed. While fines are discretionary rather than mandatory, to be imposed on a case-by-case basis, in ways designed to be effective, proportionate and dissuasive, the two tiers of maximum administrative fines set out in the regulation are steep. Depending on the violation, fines may fall into one of two categories:²

The greater of €10 million/~$11 million or 2% of global annual turnover of the preceding financial year
For non-compliance related to consents, data protection, controller and processor obligations, written records, privacy impact assessments, breach communications, and certifications, among others. See Article 83(4).

The greater of €20 million/~$22 million or 4% of global annual turnover
For failure to adhere to the core principles of data processing, infringement of personal rights, or the transfer of personal data to other countries or international organizations that do not ensure an adequate level of data protection, among others. See Article 83(5).

² Official Journal of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council.
01 02 03 04 05 06 07
EXECUTIVE INTRODUCTION ABOUT THE GDPR DOES GDPR APPLY TO THE PRICE OF A CHECKLIST FOR IMPERVA CAN HELP
SUMMARY YOUR ORGANIZATION? NON-COMPLIANCE APPROACHING GDPR

What large organizations could face

Consider this example. Acme, Inc. generates €20 billion/~$21.5 billion in revenue in 2017 and is found to have transferred personal data to the United States (a country for which the European Commission has issued no general adequacy decision, so transfers there depend on a specific framework or on appropriate safeguards) without implementing appropriate safeguards to protect the data and without ensuring that the data subjects have enforceable data privacy rights and effective legal remedies.

EU regulators (i.e., the relevant data protection authority) have the power to levy a fine of up to €800 million/~$862 million (4% of €20 billion), which is far more than the fixed €20 million figure, since the higher of the two amounts applies. With typical operating margins in single digits, a fine of this magnitude could easily consume most of the profit for a large company for an entire year.

Annual revenue: €20 billion/~$21.5 billion
Maximum EU levy: €800 million/~$862 million


A checklist for approaching GDPR

To help your organization get started with your GDPR compliance project, the data security experts at Imperva recommend following this checklist:

GDPR CHECKLIST / EXPLANATION

Data protection impact assessment (DPIA)
A DPIA helps identify and minimize privacy risks. Working with stakeholders within the business and partner organizations, you document how personal data processing complies with the GDPR. A DPIA is required by the GDPR (Article 35) where processing is likely to result in a high risk to the rights and freedoms of natural persons.

Personal data inventory
Assess what personal data you have and where it is stored. By conducting a personal data inventory, you gain a clear understanding of the personal data used in your organization.

Data flow analysis
Identify all systems which touch data that is within the scope of the GDPR. Map the flows of data from point of entry all the way through to destruction, including third-party processes. Data mapping helps you ensure that all risks are uncovered appropriately as you gain a solid understanding of your organization's complete data life cycle. See Figure 1.

Figure 1: Data Flow Analysis. The diagram follows data through four stages (Information Collection, Information Storage/Processing, Information Access/Transfer, Information Archive/Destruction) across systems such as Credit Card Merchant Services, Loyalty Program, Inventory & Order Processing, Vendor Processing, Internal CRM, Enterprise Data Warehouse, Fulfilment Vendor, and Disaster Recovery & Backups. Legend: Combined Data, Transaction Data, Cookies, Financial Data, Customer Data (non-financial).


Risk assessment(s)
Follow the touch points for the data (including databases, file systems, and people) and perform a risk assessment against each of them. You'll be evaluating current data protection policies and processes as well as the technology controls that enforce those policies and procedures. For example, do you have controls in place to enforce the cross-border data transfer requirements of the GDPR? Identify areas of higher risk and what needs to happen to mitigate that risk.

Data breach procedures review
Evaluate your procedures and controls to detect, report and investigate a data breach. The GDPR imposes breach notification requirements for data controllers and processors. For example, data controllers must report data breaches to supervisory authorities within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33); processors must notify the controller without undue delay.

Identification of gaps and remediation plans
Identify how you'll remediate any compliance gaps detected in your risk assessments. Prioritize which gaps are higher risk and should be addressed first. Remediation plans can include: training or hiring staff, process or policy changes, legal contracts, and implementing new technology controls.

HELP WANTED: 28,000 DPOS NEEDED

The GDPR (Article 37) requires a data protection officer (DPO) to be appointed by any public authority or body that processes personal data, and by any controller or processor whose core activities require "regular and systematic monitoring of data subjects on a large scale" or consist of "processing special categories of data" on a large scale, or where local law requires one.

As written in the GDPR, the DPO's tasks include: informing and advising on compliance obligations, monitoring compliance, advising with regard to data protection impact assessments, working and cooperating with the designated supervisory authority, and being available for inquiries from data subjects.

According to a study by the International Association of Privacy Professionals (IAPP), in Europe alone, 28,000 DPOs were expected to have been appointed by May 25, 2018.

Source: Rita Heimes and Sam Pfeifle, "Study: At least 28,000 DPOs needed to meet GDPR requirements," International Association of Privacy Professionals, April 19, 2016.


Sign off on outcomes (benefits)
Present the results of your analysis along with the recommended solutions to get support and budget for the project. You should get executive sign off on the expected outcomes of the project.

Implement improvements/remediation plan
Execute the project using a proven implementation methodology that includes definition, design, and implementation phases.

Governance (ongoing accountability and DPIAs)
Put processes in place to conduct ongoing DPIAs and ensure continuous compliance through testing.


Imperva can help

More than 5,000 customers worldwide, including financial services firms, healthcare companies, and government agencies, rely on Imperva to protect their critical data and applications. When it comes to complying with GDPR, Imperva offers expert services and award-winning technology that combine to create best-of-breed solutions. These solutions can assist your company in implementing risk-reduction measures and improving your organization's compliance with data security requirements under the GDPR.

Imperva Data Security
Imperva Data Security protects sensitive data from potential data breaches and can help you implement adequate data safeguards, which are a core component of GDPR compliance. Imperva Data Security includes:

Data Discovery and Classification:
Imperva Data Security provides a proven methodology to discover and classify data, which is a critical aspect of GDPR compliance. It provides visibility into what personal data your organization holds and processes. Key deliverables include: identification of database assets, data owners and data custodians; risk classification of data; and control recommendations.

Data Masking or Pseudonymization:
The GDPR requires organizations to practice data minimization, which means they collect and use data limited to only what is necessary for a specific purpose. Imperva Data Security includes a data masking capability that replaces real data with realistic fictional data that is functionally and statistically accurate. It facilitates processing of data beyond the original collection purposes (for example, in development and test environments) and also limits the spread of personal data beyond "need-to-know". Note that pseudonymized data is still personal data under the GDPR (Recital 26), because it can be re-identified using the additional information the organization holds; only data that is irreversibly anonymized falls outside the regulation's scope.

Data Activity Monitoring:
The GDPR requires organizations to maintain a secure environment for data processing, making data activity monitoring critical. To comply with GDPR, you need to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. Imperva Data Security provides complete visibility into data activity. It continuously monitors and analyzes all database activity, including local privileged user access and service accounts, in real time.

Breach Detection and Incident Response:
In the event of a personal data breach, the GDPR dictates that data controllers must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it." Imperva utilizes machine learning and data risk analytics to pinpoint and prioritize high-risk incidents, filtering out the noise and allowing the security team to accelerate threat investigation and response.


Professional Services
In addition to Imperva Data Security, Imperva provides professional services to help organizations accelerate GDPR compliance:

Imperva Database Discovery and Analysis Service:
The Imperva Database Discovery and Analysis (dDnA) service provides a proven methodology to discover and classify data, which is a critical aspect of GDPR compliance. Key deliverables include: identification of database assets, data owners and data custodians; risk classification of data; and control recommendations.

Imperva Project Discovery and Analysis Service:
The Imperva Project Discovery and Analysis (pDnA) service evaluates current database security controls to identify control gaps. Key deliverables include: identification of key stakeholders, risk assessment, and recommendations of solutions and plans to address identified gaps.


Table: Mapping key GDPR requirements to Imperva Data Security

ARTICLE / WHAT IT MEANS / REQUIREMENTS FOR DATA SECURITY

25: Data protection by design and by default
Implement technical and organizational measures that show consideration and implementation of the data protection principles and appropriate safeguards.
• Data minimization
• User access limits
• Limit period of storage and accessibility

32: Security of processing
Implement appropriate technical and organizational security controls to protect personal data against accidental or unlawful loss, destruction, alteration, access or disclosure.
• Pseudonymization and encryption
• Ongoing protection (confidentiality, integrity, availability and resilience of processing systems)
• Regular testing and verification of the effectiveness of the controls

33 and 34: Data breach notification
Notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and notification to affected individuals without undue delay when the breach is likely to result in a high risk to them.
Breach report that includes:
• what happened (the nature of the breach)
• the categories and approximate number of affected individuals and records
• what data was breached, the likely consequences, and the measures taken or proposed

35: Data protection impact assessment
Assessment of the purpose, scope and risk associated with processing personal data.
Inventory of personal data across the organization, access rights to that data, and the risk associated with that access.

44: Data transfers to a third country or international organization
Permit transfers outside the EU/EEA only where the conditions of Chapter V are met: an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or a specific derogation.
Monitor and block access from entities or regions that do not meet these requirements.


Learn more
Find out more about how to comply with the data protection regulations within GDPR:

• Read the full text of the General Data Protection Regulation (GDPR)
• Check out the white paper GDPR: New Data Protection Rules in the EU
• Learn more about Five Ways Imperva Helps You with GDPR Compliance

About Imperva
Recognized by industry analysts as a cybersecurity leader, Imperva champions the fight to secure data and applications wherever they reside. In today's fast moving cybersecurity landscape, your assets require continuous protection, but analyzing every emerging threat taxes your time and resources. For security to work, it has to work for you. By accurately detecting and effectively blocking incoming threats, we empower you to manage critical risks, so you never have to choose between innovating for your customers and protecting what matters most.

At Imperva, we tirelessly defend your business as it grows, giving you clarity for today and confidence for tomorrow. Imperva - protect the pulse of your business.

Learn more: imperva.com, LinkedIn and Twitter

Imperva is an analyst-recognized cybersecurity leader championing the fight to secure data and applications wherever they reside.

imperva.com | +1.866.926.4678
Copyright © 2021 Imperva. All rights reserved
A SECURITY PROFESSIONAL'S GUIDE TO THE NYDFS CYBERSECURITY REGULATION

5 Secure Steps to NYDFS Compliance

Executive summary

On March 1, 2017, the New York State Department of Financial Services1 (NYDFS) introduced new cybersecurity regulations for financial services to protect their customers' data and to maintain security of operations within the industry.

The regulation, formally known as 23 NYCRR 500, but referred to as NYDFS, provides financial firms with a structure on which to build cybersecurity programs and policies specific to their business models to protect systems and consumers from the increased threat of cyberattacks. The comprehensive nature of the NYDFS means that even firms with existing security programs and procedures in place will benefit from implementing and maintaining the processes required by the regulation.

Financial firms face many challenges today, not least the growing number of cyberattacks. This e-book looks more closely at these challenges and explores the benefits of adopting a risk-based approach to security as encouraged by NYDFS.2 It also outlines how Imperva solutions can help you comply with specific elements of the regulation.

This guide is for CISOs, security professionals and compliance managers who want to get a better understanding of how NYDFS applies to their organizations and what the effects might be. You'll learn:

• How to identify your assets to protect your organization from a breach
• How to answer WHO is accessing WHAT data and WHEN
• How to protect your network and maintain operational uptime
• How monitoring who is accessing your data helps with compliance
• How data risk analytics can help accelerate threat investigation and response times

1
The NYDFS regulates approximately 1,500 financial institutions and banks as well as over 1,400 insurance companies.
2
The NYDFS regulation encourages adopting a risk-based approach to cybersecurity. It was revised after considering feedback received during a 45 day comment period on the original proposal issued September 13, 2016.

31 2021 Data Privacy Tool Kit | 5 Secure Steps to NYDFS Compliance


01 02 03 04 05 06 07 08
CONSEQUENCES MARKET THE INSIDER THE RISKS OF MITIGATE RISK CONCLUSION FIVE SECURE ADDITIONAL
OF CHALLENGES THREAT A RISK-BASED FROM DAY ONE STEPS TO NYDFS RESOURCES
NONCOMPLIANCE APPROACH COMPLIANCE

Consequences of noncompliance

NYDFS has not outlined any specific information on consequences regarding penalties for noncompliance with the cybersecurity regulation other than including a requirement to notify the superintendent "as promptly as possible but in no event later than 72 hours"3 after determining that a cybersecurity event has occurred. However, given the severity of penalties imposed under similar global regulations and considering the penalties outlined in the New York Banking Law,4 the penalties could be severe. See the table below:

REGULATION / NON-COMPLIANCE OR VIOLATION OF REGULATION / TIME ALLOWED TO REPORT INCIDENTS

NYDFS
Up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation (if New York Banking Law applied).
72 hours

GDPR
Up to 20 million euros or up to 4% of a company's total global turnover of the preceding fiscal year, whichever is higher.
72 hours

CCPA
Civil penalties of up to $2,500 per violation, or $7,500 per intentional violation; a breach caused by failing to maintain reasonable security also exposes the firm to statutory damages of $100 to $750 per consumer per incident under the private right of action.
Not specified

MAS-TRM
Reputational damage and revocation of license.
IT incidents and system malfunctions within 60 minutes. Incident report to be submitted within 14 days.

3
https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
4
https://www.nysenate.gov/legislation/laws/BNK/44


Market challenges

Maintaining normal business operations in today's rapidly changing market is a constant challenge for financial firms, who find themselves balancing performance, compliance, and security to remain ahead of the game.

The pressure is mounting to innovate, with fintech start-ups developing the latest digital apps and solutions at a fast pace, and tech giants getting in on the act by offering their own range of financial products to their loyal customer bases. A lack of skilled security professionals is also hindering firms from keeping up with digital transformation and the move to cloud computing.

Figure: Pressures in the financial services industry (risk mitigation, transformation, compliance). Pressures shown: digital transformation, complex legacy systems, innovative fintech models, Big Tech, Open Banking, digital applications, cloud adoption, more data everywhere, increased competition, stricter regulations.

The financial sector remains a prime target for cybercriminals because of the high value of the rewards to be gained.

According to Forbes, "Financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries."5

5
https://www.forbes.com/sites/bhaktimirchandani/2018/08/28/laughing-all-the-way-to-the-bank-cybercriminals-targeting-us-financial-institutions/#39691b716e90


With DDoS and social engineering attacks on the increase, it only takes one bad actor making its way into your network for a breach to occur.

Financial institutions were once considered bastions of security, protecting their valuable assets, including vast amounts of critical and sensitive data, by storing it within the secure confines of their data centers. Perimeter lines were clear, with the only people having access to the data being employees, using company-owned computers located on business premises.

In contrast, today's use of cloud technologies means users are connecting to networks remotely using multiple devices, and data is stored across hybrid hosting environments as firms rely on legacy systems while they transition to the cloud. As a result of all these changes, data is experiencing exponential growth, and while more data brings business benefits and opportunities, it also poses real challenges for the industry.

With the advancing data sprawl, the once-clear security perimeter lines have become blurred and the threat surface has expanded. Security teams are struggling to cope with the sheer volumes of data and the subsequent numbers of threat alerts received daily. According to the CyberEdge Group's 2019 Cyberthreat Defense Report,6 the biggest inhibitor to establishing effective cyber threat defenses for security teams is having too much data to analyze.

Firms must discover new ways to strengthen their security posture to better protect their assets from a breach.

Compliance
In parallel, financial firms must comply with more complex regulations to prevent large enforcement fines, reputational damage, and intervention by the regulators.

Since the European General Data Protection Regulation came into effect in May 2018, the matter of data privacy has come under the spotlight for all industries across the globe and, as a result, firms are much more cautious about protecting personally identifiable information (PII) and are looking for ways to simplify and automate their regulatory compliance processes.

6
https://www.imperva.com/resources/reports/CyberEdge-2019-CDR-Report-v1.1.pdf


Risk mitigation

Digital transformation and compliance are major drivers of change for financial services, and change brings risk as organizations adapt to new processes and workflows and growing volumes of data expand the threat landscape. However, the pace at which firms are adjusting their security posture is disproportionate to the speed at which the attack surface is expanding.

There are several ways that firms can mitigate change-driven risks, including having a robust governance framework in place, regularly monitoring the risks, and consistently risk-assessing the changes.

"In times of transformation, it is critical to pay attention to operational risk - the risk of loss due to errors, breaches, loss or damage."
BAIN & COMPANY REPORT, 2018 7

7
https://www.bain.com/insights/how-banks-can-manage-operational-risk/


The insider threat

Despite the growing threat landscape, the traditional approach to cybersecurity today concentrates on network endpoints, the assumption being that by preventing attackers from entering the network you will keep your assets safe from untrusted external threats.

Security at the edge is, of course, critical, as it addresses inbound traffic to combat external threats to your applications, APIs, and infrastructure. But despite advancements in edge security, many firms struggle with solutions that do not adequately address managing the escalating volume of data and number of applications, making it more difficult to protect themselves from a breach. Security teams are suffering from alert fatigue from the tsunami of security alerts they receive daily, which increases the risk of a real threat slipping through the net. There is also the very real issue of insider threats that occur due to lack of care, compromised credentials, or malicious activity.

The most effective way to buy down risk for your organization is to secure the data itself and to take a unified approach using both edge and data security to give you the defense-in-depth you need to fully protect your assets.

"As the business becomes digital, security must become Data-Centric."
FORRESTER RESEARCH, 2018

INCIDENT OVERLOAD AND ALERT FATIGUE
54% of companies admitted that they tend to ignore security alerts.


The risks of a risk-based approach

Many businesses store large volumes of personal and sensitive data that they are unlikely to use. However, regulation often requires that organizations be able to prove that they have identified all sensitive data to protect it accordingly, and organizations tend to focus on monitoring and protecting the data that helps meet these regulatory requirements. For example, PCI DSS applies to payment card data only, whereas the HIPAA regulation covers health information only.

According to Gartner,8 businesses should conduct a risk-based review of their assets "to assess the size of potential liabilities and prioritize them according to impact," the idea being that only those datasets representing the most value and highest liability for the company would be ring-fenced for protection.

Adopting a risk-based methodology for your data protection allows you to evaluate your data according to your organization's risk profile and priorities, significantly reducing the likelihood of a breach.

However, while this may seem like a sensible approach, it is important to remember that data that is important for regulation is not the only data that can get you into trouble,9 and that other data, such as unprotected live production data, can also be monetized by hackers. While you focus on protecting only the data that matters for compliance, you risk leaving live production data open to a breach which could bring down operations for your business. In short, by not protecting all of your data you might as well hand the cybercriminals the keys to the castle.

Buying down risk for regulatory compliance and risk mitigation for data security are two completely separate value drivers for firms. Risk mitigation is far less data privacy-centric and instead is centered around quickly and easily identifying data access and usage risk, regardless of the data type. The data classification required for the risk-based approach can be a long and arduous task, sometimes taking months to complete, and, while security professionals are well aware that regulatory compliance is not security best practice, they get weighed down with the process, preventing them from implementing the best security measures for their business.

8
Gartner - Develop a Financial Risk Assessment for Data Using Infonomics - Published 30 January 2019
9
The Federal Trade Commission (FTC) has brought legal actions against organizations that have violated consumers' privacy rights, or misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury.


Mitigate risk from day one

To mitigate risk effectively and reduce your overall security vulnerability, Imperva recommends using data discovery techniques to identify and monitor all of your data wherever it resides. By doing so you buy down risk across the full breadth of your assets even before prioritizing your data for deeper regulatory audit purposes.

But how does this monitor-everything approach solve the problem of alert fatigue for security teams inundated with millions of threat alerts?

Companies can address this problem and reduce monitoring scope for their security teams by implementing security measures such as data masking and data risk analytics.

Data masking reduces monitoring scope by replacing sensitive production data with fictional values before it is used for non-production purposes, such as development and testing, allowing you to monitor all your assets without leaving large segments of your data unprotected. A masked copy only drops out of monitoring scope if it cannot be reversed from the copy alone, so the masking key or lookup table must stay out of the non-production environment.

Data risk analytics uses machine learning to identify the most critical threats by uncovering suspicious data access behaviors that could put your enterprise data at risk. It also applies grouping and scoring algorithms to each incident and, as a result, only a few high-risk incidents bubble up to the surface, making user access much easier to manage.


Conclusion
The final NYDFS regulation issued in 2017 was a revised version based on feedback from industry consultation. One of the biggest concerns was that a 'one-size-fits-all' approach was not suitable for an industry with firms with such diverse risk profiles. The outcome was that NYDFS adjusted and reissued the 23 NYCRR 500 regulation in 2017 to allow firms to take a risk-based approach to compliance.

At Imperva, we believe that, while taking a risk-based approach to data protection reduces the risk of regulatory noncompliance, it is not a best practice for security and will still leave your business vulnerable to a breach.

In the next section, we look at five of the policies required by the NYDFS regulation and how Imperva's Application and Data Security solutions can help you to comply while effectively buying down the security risk for your organization.


Five secure steps to NYDFS compliance


1. Data governance and classification
3. Systems and Network Security
Imperva Data Security provides a proven methodology to discover and classify data, which is a critical aspect of NYDFS compliance. It provides visibility into what personal data your organization holds and processes, enabling you to monitor and protect all of your data wherever it resides. Key deliverables include: identification of database assets, data owners and data custodians; risk classification of data; and control recommendations.

Imperva Data Security also includes a data masking capability that replaces real data with realistic fictional data that is functionally and statistically accurate. It facilitates the processing of personal data beyond original collection purposes and also limits the spread of personal data beyond “need-to-know”.

Masking copies of production data for non-production purposes such as development and testing reduces monitoring scope and eases the burden for security teams.

2. Access Controls and Identity Management

The NYDFS regulation requires organizations to implement and maintain a policy for access controls and identity management. To comply with NYDFS, you need to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. Imperva Data Security provides complete visibility into data activity. It continuously monitors and analyzes all database activity, including local privileged user access and service accounts, in real time.

MORE LEGITIMATE DATA ACCESS: 34% of workers said they share passwords of accounts with their coworkers.

NYDFS states that firms should have a policy in place to address websites and APIs and to ensure systems operations remain functioning and available for your customers. Imperva Application Security provides a full-stack application security solution to protect your websites and APIs and to ensure systems operations remain functioning and available for your customers. With integrated Cloud WAF, CDN, DDoS protection and Attack Analytics, plus Bot Management and Runtime Application Self-Protection (RASP), your business will be protected on the inside as well as at the edge, offering a true defense-in-depth solution to comply with this part of the regulation.
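The data masking property described under the first step above (realistic fictional data that is functionally and statistically accurate, produced for development and test copies) can be illustrated with a small keyed masking job. The following is an added example written for this tool kit and is not Imperva's masking implementation: it uses an HMAC over each (field, value) pair so that the same real value always masks to the same fictional value, which keeps joins between tables intact; it preserves the format of identifiers, keeps e-mail domains (so the domain distribution matches production) and keeps birth years (so the age distribution survives). The masking key, the name lists and the two sample tables are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed masking key for this example only. A real masking job keeps the key
# secret and never ships it to the non-production environments that receive the output.
MASKING_KEY = b"example-masking-key-not-for-production"

# Fictional names the masked output is drawn from (constructed lists).
FIRST_NAMES = ["Avery", "Blake", "Casey", "Dana", "Elliot", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Andersen", "Brooks", "Castillo", "Delgado", "Ekwueme", "Fischer", "Gupta", "Holm"]


def _digest(field, value):
    """Keyed, deterministic digest of (field, value). The same real value always
    yields the same bytes, so it masks to the same fictional value in every table."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def _digit_stream(seed):
    """Endless stream of decimal digits derived from seed. b % 10 is slightly
    biased, which is acceptable for masking but not for anything cryptographic."""
    counter = 0
    while True:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for b in block:
            yield str(b % 10)
        counter += 1


def mask_name(value):
    d = _digest("name", value)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_email(value):
    """Fictional local part; the real domain is kept so the domain distribution
    of the masked set matches production."""
    _, _, domain = value.partition("@")
    d = _digest("email", value)
    return f"user{int.from_bytes(d[:4], 'big') % 1_000_000:06d}@{domain}"


def mask_national_id(value):
    """Format-preserving: every digit is replaced, separators stay in place, so
    application code that validates the format still accepts the masked value."""
    digits = _digit_stream(_digest("national_id", value))
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)


def mask_birth_date(value):
    """Keeps the birth year (age distribution survives) and replaces month/day
    deterministically; offsets run 0..364 so no invalid date is ever produced."""
    real = date.fromisoformat(value)
    offset = int.from_bytes(_digest("birth_date", value)[:2], "big") % 365
    return (date(real.year, 1, 1) + timedelta(days=offset)).isoformat()


MASKERS = {"name": mask_name, "email": mask_email,
           "national_id": mask_national_id, "birth_date": mask_birth_date}


def mask_rows(rows, column_rules):
    """column_rules maps a column name to a masker name; other columns pass through."""
    return [{col: (MASKERS[column_rules[col]](val) if col in column_rules else val)
             for col, val in row.items()} for row in rows]


# Constructed "production" sample: a customers table and an orders table that
# references customers by e-mail address.
CUSTOMERS = [
    {"customer_id": 1, "name": "Maria Example", "email": "maria@example.com",
     "national_id": "123-45-6789", "birth_date": "1984-07-21"},
    {"customer_id": 2, "name": "Tom Sample", "email": "tom@example.org",
     "national_id": "987-65-4321", "birth_date": "1992-02-29"},
]
ORDERS = [
    {"order_id": 100, "customer_email": "maria@example.com", "amount": 42.50},
    {"order_id": 101, "customer_email": "tom@example.org", "amount": 17.25},
    {"order_id": 102, "customer_email": "maria@example.com", "amount": 99.00},
]


def mask_tables():
    """Mask both tables with the same key so the foreign key still resolves."""
    customers = mask_rows(CUSTOMERS, {"name": "name", "email": "email",
                                      "national_id": "national_id", "birth_date": "birth_date"})
    orders = mask_rows(ORDERS, {"customer_email": "email"})
    return customers, orders


def referential_integrity_holds(customers, orders):
    """True when every masked order still points at a masked customer row."""
    known = {c["email"] for c in customers}
    return all(o["customer_email"] in known for o in orders)


if __name__ == "__main__":
    masked_customers, masked_orders = mask_tables()
    for row in masked_customers + masked_orders:
        print(row)
    print("referential integrity:", referential_integrity_holds(masked_customers, masked_orders))
```

Because the mapping is keyed, a non-production environment that receives only the masked copy cannot reverse it, while the same real value still lands on the same fictional value across tables and across masking runs; rotating the key produces a fresh, unrelated masked copy.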


4. Systems and Network Monitoring


To comply with NYDFS regulation, firms are required to implement
and maintain a policy on Systems and Network Monitoring. Imperva
Data Activity Monitoring (DAM) provides enterprise-wide visibility into
all database transactions, including local privileged user access and
service account activity. It continuously monitors across on-premises
or cloud environments and collects consolidated records of all logins/
logouts, updates, privileged activities and more to create granular
audit trails that pinpoint the who, what, when, where and how for each
database. DAM makes it easier for security teams to identify a genuine
threat by giving them visibility of user access across multiple data
storage locations.

5. Incident Response
In the event of a breach, the NYDFS dictates that “the entity shall
notify the superintendent as promptly as possible but in no event
later than 72 hours from a determination that a cybersecurity event
has occurred.” Imperva utilizes machine learning and data risk
analytics to pinpoint and prioritize high-risk incidents, filtering out the
noise and allowing security teams to accelerate threat investigation
and response. Reducing the influx of threat alerts received speeds up
the threat investigation process by improving visibility of the alerts
that matter. Data risk analytics also helps mitigate the risk of an attack
on the inside.
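Steps 2, 4 and 5 above describe the same pipeline from three angles: an audit trail that answers who, what, when, where and how for each database event, risk scoring that filters routine access out of the alert stream, and a 72-hour notification clock that starts when an event is determined to have occurred. The block below is an added example for this tool kit, not Imperva DAM or its data risk analytics: the audit records are constructed key=value lines, and the objects, privileged users, service-account expectations and scoring weights are hypothetical policy inputs a team would take from its own classification and access-control work.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit records (not Imperva DAM output): one key=value line
# per database event, timestamp first.
AUDIT_LOG = """\
2021-03-04T09:02:11Z db=crm host=db01 src=10.0.5.40 user=alice app=crm-web op=SELECT object=customers rows=12
2021-03-04T09:05:43Z db=crm host=db01 src=10.0.5.23 user=svc_report app=reportsvc op=SELECT object=orders rows=50000
2021-03-04T02:13:55Z db=crm host=db01 src=10.0.9.77 user=svc_report app=psql op=SELECT object=customers rows=250000
2021-03-04T02:20:02Z db=crm host=db01 src=10.0.9.77 user=dba_bob app=psql op=GRANT object=customers rows=0
2021-03-04T10:11:09Z db=crm host=db01 src=10.0.5.41 user=carol app=crm-web op=UPDATE object=orders rows=1
2021-03-04T10:12:30Z db=crm host=db01 src=10.0.5.41 user=carol app=crm-web op=LOGIN_FAILED object=- rows=0
"""

# Hypothetical policy inputs: the classification step says which objects hold
# personal data; the access-control policy says who is privileged and how each
# service account is supposed to connect.
SENSITIVE_OBJECTS = {"customers"}
PRIVILEGED_USERS = {"dba_bob"}
SERVICE_ACCOUNTS = {"svc_report": {"app": "reportsvc", "src": "10.0.5.23"}}
BULK_READ_ROWS = 100_000
CHANGE_WINDOW_HOURS = range(8, 19)   # UTC hours in which privileged changes are expected
PRIVILEGED_OPS = {"GRANT", "REVOKE", "ALTER", "DROP"}


def parse_line(line):
    """Turn one audit record into the who / what / when / where / how view."""
    ts, _, rest = line.partition(" ")
    f = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {
        "when": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "who": f["user"],
        "what": f["object"],
        "where": {"host": f["host"], "db": f["db"], "src": f["src"]},
        "how": {"op": f["op"], "app": f["app"], "rows": int(f["rows"])},
    }


def score_event(ev):
    """Risk score for one event plus the reasons behind it; 0 means routine access."""
    how, where = ev["how"], ev["where"]
    reasons = []
    expected = SERVICE_ACCOUNTS.get(ev["who"])
    if expected and (how["app"] != expected["app"] or where["src"] != expected["src"]):
        # A service account driven from an interactive client on an unexpected host
        # is what a shared or misused credential looks like in the audit trail.
        reasons.append(("service account used outside its expected app/source", 40))
    if how["op"] == "SELECT" and ev["what"] in SENSITIVE_OBJECTS and how["rows"] >= BULK_READ_ROWS:
        reasons.append(("bulk read of classified personal data", 30))
    if (how["op"] in PRIVILEGED_OPS and ev["who"] in PRIVILEGED_USERS
            and ev["when"].hour not in CHANGE_WINDOW_HOURS):
        reasons.append(("privileged change outside the change window", 35))
    if how["op"] == "LOGIN_FAILED":
        reasons.append(("failed login", 5))
    return sum(weight for _, weight in reasons), [reason for reason, _ in reasons]


def triage(log_text, min_score=20):
    """Parse every record, keep those scoring at or above min_score, highest first."""
    incidents = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= min_score:
            incidents.append({"score": score, "reasons": reasons, **ev})
    incidents.sort(key=lambda e: e["score"], reverse=True)
    return incidents


def notification_deadline(determined_at_iso):
    """NYDFS: notify the superintendent no later than 72 hours after the
    cybersecurity event is determined to have occurred. Returns an ISO timestamp."""
    determined = datetime.fromisoformat(determined_at_iso.replace("Z", "+00:00"))
    return (determined + timedelta(hours=72)).isoformat()


if __name__ == "__main__":
    for inc in triage(AUDIT_LOG):
        print(inc["score"], inc["who"], inc["what"], inc["when"].isoformat(), inc["reasons"])
    print("notify by:", notification_deadline("2021-03-04T02:13:55Z"))
```

On the six constructed records, the default threshold leaves two incidents: the service account driven from psql on an unexpected host while bulk-reading the classified table (score 70), and the privileged GRANT at 02:20 outside the change window (score 35); the routine reads, the single-row update and the lone failed login are kept in the audit trail but stay out of the alert queue.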


Additional resources

More information

• https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
• https://blog.focal-point.com/understanding-the-4-phases-of-the-nydfs-cybersecurity-regulation-23-nycrr-500
• https://www.forbes.com/sites/zakdoffman/2019/04/29/new-cyber-report-25-of-all-malware-hits-financial-services-card-fraud-up-200/#6bae3bdd7a47
• https://www.psdgroup.com/workshop-operational-risk-assessment-of-change/

About Imperva
Recognized by industry analysts as a cybersecurity leader, Imperva champions
the fight to secure data and applications wherever they reside. In today’s fast-
moving cybersecurity landscape, your assets require continuous protection, but
analyzing every emerging threat taxes your time and resources. For security to
work, it has to work for you. By accurately detecting and effectively blocking
incoming threats, we empower you to manage critical risks, so you never have
to choose between innovating for your customers and protecting what matters
most. At Imperva, we tirelessly defend your business as it grows, giving you
clarity for today and confidence for tomorrow. Imperva – Protect the pulse of
your business.



Imperva is an analyst-recognized, cybersecurity leader championing the fight to secure data and applications wherever they reside.

imperva.com
Copyright © 2021 Imperva. All rights reserved. +1.866.926.4678