For over 25 years, Haystax has been the provider of world-class commercial software products for direct use by individuals in the agencies charged with protecting our communities, cities, and country. Thus, our product is one of the most widely deployed risk management software solutions, used by school, law enforcement, fire, emergency management, and other government agencies across the United States.

Image module

Haystax for School Safety

Haystax meets the constantly evolving challenges of providing safe learning environments for students, faculty, staff, and local security partners by integrating all vital incident and school facility information into a single, online platform.  Physical assessments and behavioral assessments along with the ability to report and monitor incidents on or near campus are hallmarks of Haystax for School Safety.  Know your threats sooner, respond faster, and effectively coordinate actions for all stakeholders.

Image module

Haystax for Public Safety

Law enforcement professionals are called upon daily to perform a broad range of tasks—from routine patrols, intelligence gathering and investigations to major crime and incident responses. Their challenge is to ensure public safety despite incomplete intelligence, limited cross-jurisdictional information sharing, and tight budgets. Haystax helps law enforcement agencies prepare for and respond to any crisis with a dynamic picture of emerging threats, rapid  intelligence-collection and incident-reporting tools, and a seamlessly integrated user environment that  ensures maximum collaboration and analytically sound command decisions for rapid response.

Image module

Haystax for Enterprise Security

Haystax has developed a suite of applications designed specifically to help corporate security decision-makers and analysts navigate this challenging environment. Haystax alerts corporate leaders to their most likely threats and natural hazards, provides critical security and operational information about each physical facility, regardless of its size or geographic location, and allows risk managers to identify and mitigate their biggest vulnerabilities. Moreover, the Haystax platform enables security teams to manage incidents and major events—from the ops center or out in the field.

Equipped with these insights, CSOs can better anticipate their risks, communicate with leadership and limit their company’s exposure to financial, legal and reputational liabilities.

PrevHaystax Product Update: Improved Critical Asset Protection15 May 2019NextHaystax Product Update: Inviting New Users13 June 2019

GDPR, One Year Later

May 25, 2019

The European Union’s General Data Protection Regulation (GDPR), focused on the rights of individuals to protect their identities, came into effect one year ago today. What’s it been like for security analytics companies subject to the GDPR since then? And what lies ahead?

In the leadup to the regulation’s May 25, 2018 launch, there was rising anxiety in the boardrooms of companies with EU-based customers and/or workers, as it became clear the bar for compliance would be set very high and the fines and penalties for non-compliance would be onerous.

In the intervening year, GDPR enforcers have had an unexpectedly soft touch. Perhaps recognizing the widespread panic the GDPR generated (or more likely because many of the regs were downright confusing) regulators took a mostly advisory approach, offering guidance on how companies could comply rather than bringing the hammer down straight away.

That said, an estimated 100 companies were penalized — including Google, Facebook and a clutch of lesser-known companies in Poland, Germany, Portugal and Denmark — but most had either improperly collected personal data or carelessly exposed it.

Security analytics firms were particularly focused on making sure they complied with a provision known as the right to explanation, one of eight citizens’ rights enshrined in the GDPR. Spread across three articles and a recital, the measure gives citizens the right “not to be subject to a decision based solely on automated processing” that “significantly affects him or her”; the right  “to obtain an explanation of the decision reached… and to challenge the decision”; and the right to know what personal data a company is using and how it’s being used. Additionally, the data controller must provide the subject, at the time his or her personal data is obtained, with “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing” for the subject.

We have argued consistently that the right to explanation is a good thing. Many machine-learning systems and similar ‘black-box’ solutions are incapable of explaining to users and subjects why a particular decision — say, to deny a loan or launch a corporate insider-threat investigation —  was made.

The EU was correct to make fixing that shortcoming a core goal of the GDPR, even if the right to explanation has apparently not been a factor in EU regulatory actions to date. Individuals have an inherent right to privacy, and companies investigating those who may be planning to harm the organization or sabotage its system or steal its data should be able to articulate exactly why their security analytics solution flagged up the individual for investigation in the first place.

So what will the next few years look like for GDPR enforcement?

The International Association of Privacy Professionals estimates enforcement actions in the past 12 months have resulted in over $62 million in fines paid; there have been 64,000 data breach notifications and 94,000 individual complaints. More than 375,000 organizations are known to have registered data protection officer, with by far the most in Germany. (The actual number EU-wide is estimated to be closer to 500,000.) Expect those numbers to go up.

Security analytics companies should not be lulled into believing they will get the same pass as they did in Year 1. Efforts to make algorithmic decision-making more transparent should continue, despite the reported drop-off in board attention and buy-in, and uneven enforcement across different EU countries.

For all of its concrete effects, the GDPR is most notable for having raised awareness of data privacy, not just within EU borders but worldwide. Some non-EU countries are now aligning with the GDPR. Early this year, Japan became the first to have its data protection regime declared “adequate” — in effect a GDPR proxy. Other countries are expected to apply for adequacy recognition or have already aligned their data privacy regulations closely with the GDPR, including Switzerland, Norway, Iceland, Liechtenstein and Brazil.

It is highly unlikely the U.S. will be one of them in the near or medium term, at least not at the federal level. That said, individual states seem to be leaning in the direction of adopting GDPR-like regulations. Most notable is California, with its California Consumer Privacy Act (CCPA) coming into effect on January 1 of next year.

In other words, treat GDPR as an EU-based harbinger for things to come in parts of the U.S. and in other non-EU countries. Even if it takes years to get there, the time to prepare for compliance is now.

#   #   #

Note: Want to know more about how the Haystax for Insider Threat solution fully meets GDPR requirements for the right to explanation using multiple artificial intelligence techniques? Contact our sales team through info@haystax.com or visit www.haystax.com for a demo.

Related posts