
The Schellman Blog

Stay up to date with the latest compliance news from the Schellman blog.

Education

By: AVANI DESAI
June 4th, 2019

Even when the developments might’ve been considered fairly primitive by modern standards, technological progress has always been a definitive characteristic of humanity. Like any new tool, technology has infinite capacity to be used in all the wrong ways—in this, atomic and biological weapons come to mind. And even with better intentions, sometimes technological impact can still skew negatively, such as when society’s immense reliance on it harms our environment, health, or thought patterns.

By: BRYAN HARPER
June 3rd, 2019

What is it? The EU Cybersecurity Act is the fruit of an initiative started by the European Parliament in 2017 with the goals of permanently establishing an agency to address cybersecurity threats, reducing the complexity for companies to comply with cybersecurity frameworks in each EU member state, and establishing a common cybersecurity certification framework. Formal adoption of the EU Cybersecurity Act occurred on March 27, 2019 and resulted in both the formation of the EU Cybersecurity Agency (formerly the ENISA) as a permanent agency and the establishment of a cybersecurity certification framework.

Privacy Assessments

By: MICHAEL MELHEM
May 28th, 2019

Giant strides have been made in privacy rights and regulations in Europe and many parts of the globe ever since the General Data Protection Regulation (GDPR) became enforceable on May 25th, 2018. In a world with serious impediments to my privacy and yours, the GDPR, to varying degrees of success, has been slowly leveling the field in how personal data is treated; rest assured, it’s a lot more than the privacy e-mail updates you’ve been receiving and the website cookie banners you’ve been accepting. In layman’s terms, the GDPR mandates requirements for storing, processing, accessing, and protecting personal data. We’ve all heard it: failure to comply with the Regulation attracts staggering fines of up to 4% of annual global turnover for the prior financial year, or €20 million, whichever is higher. Despite the laundry list of concerns surrounding the Regulation, there has been reasonable progress since the enforcement date. Here are some notable observations since the inception of GDPR that you should know:

By: Schellman
April 12th, 2019

Tampa, FL, April 3, 2019 - Schellman & Company, LLC (Schellman), a leading provider of attestation and compliance services, announced today that it has been officially certified as a Great Place to Work™. Great Place to Work is the global authority on workplace culture, employee experience and the leadership behaviors proven to deliver market-leading revenue and increased innovation.

Healthcare Assessments

By: DOUG KANNEY
April 11th, 2019

“Do I really need to retain all my HIPAA audit logs for 6 years?”

Privacy Assessments

By: KEVIN KISH
March 25th, 2019

For those not tracking the evolution of California’s Consumer Privacy Act (CaCPA), we’ve got some updates for you! While most are just familiarizing themselves with CaCPA’s original requirements, a new senate bill (SB-561) was just introduced last week by two California Senators with the intention of further strengthening the rights of Californians. And while changes to the bill are hardly uncommon, the amendments could raise the stakes for organizations that are already concerned with the Act’s expectations.

By: Schellman
February 11th, 2019

If your organization is a current or aspiring Microsoft vendor, you’re probably familiar with the Microsoft Supplier Security and Privacy Assurance Program (SSPA), previously called the Vendor Privacy Assurance Program. Vendors providing services with a high business impact may be required to provide a letter of attestation from a qualified independent assessor such as Schellman. You might be wondering what this requirement means for your business and what to expect during the attestation process.

Payment Card Assessments | Compliance and Certification

By: PHIL DORCZUK
February 6th, 2019

Introduction

Welcome! In the upcoming series of articles (this is Part 1), I’ll be discussing some things to consider if you want to use Kubernetes to host an application that is subject to PCI DSS. I have been interested in containers for quite a while now and have recently had a lot of PCI DSS clients asking about Kubernetes. The concepts and controls in PCI DSS don't always translate well to a containerized environment, which gave me the idea to write this series. The series will be split up into PCI DSS domains, and I'll do my best to provide some discussion topics as well as demonstrations for each. Nothing in this series is a guarantee that you'll be compliant with PCI DSS; there are too many variables to consider. My hope is that this provides a good starting point for planning a migration onto Kubernetes.