Security and compliance updates from SecureLink’s CISO, Tony Howlett

SecureLink’s position on the SolarWinds supply chain breach

The massive SolarWinds supply chain breach in December 2020 has been top-of-mind for many security and compliance professionals, especially those who work with or for US Federal government agencies or the many other large enterprises that were affected by the attack.

SecureLink does not use and has never used any SolarWinds products, including the Orion software that was affected in the recent supply chain attack. Our preliminary investigations of vendors and third parties who might use SolarWinds show no significant exposure to third-party risk from this event. Nonetheless, we will continue to review reports and announcements of the incident and monitor third parties for any suspicious activity or indications of compromise in order to keep our environments and product as secure as possible from this and any other attack.

Additionally, features in our product such as multi-factor authentication, credential vaulting, and granular high-definition audit capabilities are an important part of a robust vendor risk management program that can prevent or blunt the effect of supply chain attacks. If you are not already using these features, please reach out to your Customer Success Manager for information on taking advantage of this protection.

More California privacy regulations

After the California Consumer Privacy Act (CCPA) went into effect in mid-July 2020, many US-based firms had to put in place new controls and processes to comply with these novel privacy regulations. At the end of 2020, the California Legislature passed an addendum to CCPA, known as the California Privacy Act (CPRA), which amended, clarified, and extended CCPA. It contains more stringent data privacy rights and additional responsibilities for certain businesses that collect covered Personally Identifiable Information (PII), which can be almost anything (like a person’s name, for example) under the law’s definitions. The new law does not go into effect until 2023, but there is a “lookback” period that starts in 2022 for any data collected, so affected corporations (which are most medium to large US entities, given the size of the California market) must start putting any processes and procedures in place this year in order to be compliant when the law goes into effect.

You will want to review your compliance programs to make sure you are prepared to comply when the time comes. Full details can be found on the Attorney General of California’s website and the International Association of Privacy Professionals website.
