Category Archives: Compliance

California Poised to Make History Again – This One has Even Bigger Impact

In June Governor Brown signed Assembly Bill 375, the California Consumer Privacy Act which is the only law in the country that offers consumers far more control over their data in the hands of third parties such as Internet based companies.

Now AB 1906 is headed to Governor Brown to sign.  If he does, and there is no reason to think that he won’t,  it will require manufacturers of Internet of Things devices to implement “reasonable” (there is that undefined word again) security features that are appropriate to the nature and function of the device, appropriate to the information collected or stored and designed to protect the device and information from destruction, use, modification or disclosure.

At least it says appropriate to the nature and function of the device.  A light bulb is probably less sensitive than, say, a smart door lock.

One thing the law called out is the use of default userids and passwords like admin/admin or user/user.  It says that it would a reasonable security feature that the password required to access the device is UNIQUE to each and every device or requires the user to change the password before the device is available online.

It does not make the manufacturer responsible for software that the buyer installs on the device (thankfully) and also exempts any device that is regulated by a federal agency (like HIPAA) to the extent that the activity in question is covered by HIPAA. 

Unlike the California Consumer Privacy Act (CCPA), this law has no  private right of action.

It does, however, allow any California city attorney, county attorney, district attorney or the Attorney General to enforce the law.

While it does not say anything about making patches available, since there is a requirement to have security features that protect the device and  information, if there are bugs found after it is built, it would seem reasonable that the manufacturers will have to fix that.  If true, that would mean that they have to have a  mechanism to patch the software.

Unlike the CCPA, most companies who manufacture IoT devices will be impacted because they are unlikely to bar California residents from buying their products or California stores from selling them and it would be cost prohibitive to build two versions of a cheap IoT device unlike, say, two versions of car – one that meets California emissions requirements and one that does not.

For consumers across the country, this is a good thing because they will benefit from increased security of IoT devices based on California law.

Information for this post came from the National Law Review.

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s CCPA – Step 3

For those companies who have customers in California – independent of where the company is located – or are doing business in Europe, you have new privacy regulations to deal with.  While California’s law doesn’t go into effect for another 16 months and it is possible that there will be changes to the law before it goes into effect, it is important to start getting ready for the law because complying with all of the requirements will take a significant effort.  For businesses operating in Europe, you should already be compliant with GDPR.

Step 1 was to create a vendor data inventory (see article here).

Step 2 was to create a vendor cyber risk management program (see article here).

Now, here is step 3.

Step 3 – Map the flow of data between systems and between vendors.

Both CCPA and GDPR have requirement to delete data, stop processing data and provide a copy of data that you have, in a machine readable format if possible, if the user requests it.

You have to do this quickly and you have to track and document what you have done.

If you do not know what data you have, who you share it with and all of the places it may be stored, you are unlikely to be able to comply with these laws and you could wind up getting sued.

Where it is stored, for example, could include on web servers, on internal servers, on workstations and at cloud service providers.

Building and maintaining a map will assist in designing the process of complying with those requests when we get to those steps.

If you need assistance with this, please contact us.

Facebooktwitterredditlinkedinmailby feather

Land Rover Telematics Not Secure – Gee, I Am Surprised

While I have written about this in general before, this item is specific to the Land Rover and its “Discovery” model.  If this is a surprise to you, it should not be.

If you buy a used Land Rover, it is possible (likely) that the previous owner can still control your car through the Land Rover app or web site.

In *THEORY*, if you trade your Land Rover to an *AUTHORIZED* dealer, they are supposed to reset the telematics module to disconnect the previous owner.  That does not always happen.

In addition, in the case of a private sale or a sale through a used car dealer, that probably never happens.

When the writer of the article liked below tried to link his newly acquired used Land Rover to the app, it said it was still connected to the previous owner.

That previous owner could unlock the care, adjust the climate and using the nav system see where he had gone and where he currently was.

Land Rover’s call center is apparently not trained to deal with it because they told him to find the previous owner.  Sure!  Right!

After the Register contacted Land Rover’s press office, sensing a PR disaster, they said that they could have handled it better.

They did say that he could take the car to the dealer and the dealer would reset it.  Probably for a not-so-nominal fee, but they did not address that.

So, as a buyer of a used car, what do you need to do?

First of all, hopefully, if the car is a new car from the dealer, this should not be a problem.  This is only a problem with used cars.

If you buy a used car from a dealer, at the time of sale you should ask the dealer to confirm that they have reset the telematics.  To be safe, you can get the dealer to help you download the app and connect the car to the app.  That way if the dealer is lying, you can call him on it right then, right there.

If it is a private party sale, you can ask the seller if he released the car from the app, but again, the best way to do it is to download the app while the previous owner is still within arms length and you can strangle him (figuratively, please).

One other note.

With laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, it is likely completely illegal for the car’s manufacturer to continue to collect data after the car is sold on the used car market.  After all, even if the first buyer granted the manufacturer permission to collect data, the second buyer almost certainly did not and both laws have very explicit requirements for how the disclosure and opt in/opt language has to read.  I think the courts will side with the used car buyer saying that the manufacturer did not provide “clear and conspicuous notice”. Expect a nice, juicy class action soon.

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather

Complying with GDPR and California’s New Privacy Law (CCPA) – Step 1

This is step one of a multi-part series on complying with the new privacy rules, both in Europe and, just recently, in California.  Watch for further steps over the next several weeks.

While companies are supposed to be compliant with GDPR already, many are not and the California law’s effective date is still almost 18 months away.  In either case, these tips should be useful in either case.  With regard to California’s law, the steps needed are complex and far reaching, so getting started now is a good idea, even if the law changes a little bit before it goes into effect.

While there are many differences between the two laws, there are many similarities as well.  These similarities allow us to cover major aspects of both laws together.

The core component of both laws is to give consumers more control – a lot more control – over what companies do with the data that is collected about them and, in many cases, sold.  For both laws, while there are aspects of the law that only apply if your data is sold (with the term “sold” having an extremely broad definition), there are many aspects that apply even if the data is never, ever sold.

One of the requirements of the law is to give consumers a right to ask a company what data the company has collected about them, where the data is stored, who they shared it with and to obtain a copy of it.

Another right is, in at least some cases, to request that the company delete the data,  again, no matter where it lives.

These rights make it critical that a company understands what data it has, where it lives and what the data “flows” are.

For both laws, it does not matter where the company is located, but rather where their customers are located.  For GDPR, those customers who live inside the European Union are covered.  For CCPA, those customers who live in California are covered.  For CCPA alone, there are probably over a half million businesses that are impacted.

With all that background, here is our recommendation for step 1.

STEP 1 – CREATE A VENDOR DATA INVENTORY.

Our vendor data inventory or VDI process identifies all vendors that a company does business with – from the Post Office to some niche cloud based software service.

For each vendor, we collect information such as what type of data is collected, how it is shared, where it is stored, what the risk level of the exposure is, whether there is a contract with the vendor, who in the company is ACCOUNTABLE for that vendor relationship and many other fields.

Even for a small company, we have found that there are often 100-200 vendors in this list.

For larger companies, it could be up to a thousand.

The company identifies a point person to work with us and the process begins.

In many cases, we discover that NO ONE is accountable for a particular vendor relationship.  In some cases, very few people are even aware that it exists.

Often accounting is a good place to start because usually,  but certainly not always (Ex: Gmail is free) vendors get paid.

Of course, even the free vendors have to be accounted for.  Also the vendors that are paid for by someone in a branch office on a personal credit card which is later reimbursed have to be captured.

One way to catch the personal credit card payment is for accounting to refuse to reimburse employees for these charges.  Once the particular account is turned over by the employee to IT or vendor management and the company has control of the account and the data, then accounting will be authorized to reimburse the employee.

Remember, whether the account is free, employee paid for or company paid, the company still owns the liability in the case of both laws.

If this seems daunting, it can be, but we can make the process less painful.

Watch for the next step – create data flow maps.

Facebooktwitterredditlinkedinmailby feather

Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source:Gizomodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes it’s stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill it’s obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms doing business AND who transfer data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration,  the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)

 

Facebooktwitterredditlinkedinmailby feather

EU’s GDPR May Cause Challenges For Businesses

According to a survey conducted by storage software vendor Veritas,  2 in 5 or 40% of what the EU calls “data subjects” (and what the rest of us call people) plan to request businesses to tell them what data they have  within the first six months after the GDPR goes into effect later this month.

Even if the 40% turns out to be 10%, that is going to be an amazing hardship for businesses.

Under GDPR, businesses have about 30 days to provide that information.  They need to figure out which John Smith is requesting the data, on what systems (local, in the cloud and with vendors) they have that person’s data, collect and format that data in a manner that is consistent with the GDPR requirements and deliver it.  All within less than 30 days.

Which companies have to deal with GDPR?

In general, companies that collect data on EU people – customers or just people who visit their website.

Different companies face different risks.  The companies at the highest risk are those located in Europe.  Those are followed by ones that have operations (business units) in Europe.  At the lowest risk are companies based in the U.S. who may interact with a few EU data subjects.

Other responses from the survey include:

  • 56% plan to approach financial firms with data privacy requests
  • 48% plan to approach social media firms
  • 46% plan to approach retailers
  • 24% plan to approach employers and
  • 21% plan to approach healthcare providers
  • 65% of those who plan to contact these businesses will ask for access to the data those companies have
  • 71% of those who contact businesses will ask them to delete the data

Information for this post came from Computing.co.uk .

Based on that, what should you do?

First, if you live in the US, this doesn’t apply to you unless a company chooses to voluntarily do that.

BUT, if you are a business and you have customers in the EU or have a division in the EU and you have not already started working complying with the rules, you likely will not be able to comply by the May 25th deadline.

What we don’t know is what the EU regulators plan to do.

Given there are tens of millions (or more) of businesses, the odds of any one business getting zapped are low.

UNLESS someone or more than one complains about you to the regulator.

And we don’t know how many resources each regulator plans to allocate to this process.

It will certainly be interesting to watch.  Unless you are the one that the regulator picks on.

 

Facebooktwitterredditlinkedinmailby feather