Tag Archives: California

News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week (Carpenter v. United States), the Supremes said that the police should have gotten a search warrant before they asked a wireless carrier for months worth of a suspect's location data.  The suspect in a robbery case was tracked by the police through roughly 12,000 cell-site location points over 127 days, used to correlate robbery locations with the suspect's whereabouts.  Chief Justice John Roberts wrote the opinion, holding that obtaining these records is a search within the meaning of the 4th Amendment.  This is good news for privacy advocates, who argue that the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in we are already seeing the results of GDPR.

The UK Information Commissioner's Office says it has seen a sharp rise in both complaints and breach notifications.  In France, complaints are up 50% compared to the same period last year.

Austria says that it has received 128 complaints and 500 questions, along with 59 breach notifications.  Those 59 notifications in a single month compare with a similar count over the entire eight months before the law took effect, roughly an eightfold increase in the monthly rate.

Still, numbers in the hundreds rather than the millions mean that people are not going crazy.  What we don't have data on yet is how many people requested copies of their information or requested that their information be deleted.  Source: WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses) is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points per person.

It appears that the data was exposed because an Amazon-hosted Elasticsearch instance was reachable from the Internet with no access controls, so anyone who found it could query the entire database without a password.

Given new privacy laws in place and coming into force, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kids' names, ages and genders to be protected personal information.  Newer ones are starting to, hence the possible requirement for disclosure.  Source: Wired

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild, and Equifax is likely doing most of these already as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more, given that the breach itself came down to an unpatched web application framework.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source: The New York Times


California Attorney General Defines Reasonable Security

Some businesses have complained that the FTC has not been clear about what is required in order to be in compliance with Section 5 of the FTC Act and avoid being fined.

California, usually a leader in the privacy arena, has begun to put some detail to those requirements, at least for businesses that have customers in California.  After California implemented SB 1386, the first state data breach notification law in the U.S., other states followed over the next few years.  This is likely to be the case with this report as well.

Kamala Harris, the California Attorney General, released a report this month on data breach impact in California between 2012 and 2015.

The report goes into some detail on the types of breaches, types of businesses, number of records breached and related information.  Retail was the leading breached business type, followed by financial and healthcare.

She then goes on to talk about reasonable security and the fact that the California information security statute (Civil Code section 1798.81.5) requires businesses to use "reasonable security procedures and practices".

She explains her definition of reasonable security as follows (quoted from the report):

  1. The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
  2. Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
  3. Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers. This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.

The CIS 20 is an almost 100 page document, so I am not going to try and summarize it here, but it addresses hardware and software inventory, secure configuration, continuous vulnerability assessment, controlling administrative privileges, data recovery, need-to-know access, wireless, account monitoring, incident response and penetration testing, among other things.

And I would agree with her – organizations that take on the CIS 20 seriously are likely to be way more secure than the average company.

On the other hand, doing this is a serious undertaking and likely affects many aspects of your business.

One other thought.  The California information security law (AB 1950, which added section 1798.81.5) also REQUIRES a company that shares personal information with a non-affiliated third party to require BY CONTRACT that the third party implement reasonable security as well.  So if the AG's definition holds, your vendors and sub-contractors are on the hook for the same controls.

What we don't know yet is what the AG plans to do about this.  For example, the California law does not say that you are required to use reasonable security only in the event that your systems are breached.  This means that the AG could go after businesses for not implementing reasonable security even if they have not been breached.  While I think this is unlikely, she certainly would get a lot of press if she decided to make an example of someone.

It seems more likely that she would go after a business if, in the event of a breach and after investigation, her office discovers that the breached organization was not implementing her definition of reasonable security.

Bottom line is this –

If you are located in California, have customers located in California or do business with a business located in California, you now have some pretty clear guidelines for what you need to do.

The AG’s report is available here.

The CIS 20 controls are available here.

Information on CA AB 1950 can be found here.


Systema Leaves Insurance Claims Data In The Cloud – Unprotected

Databreaches is reporting that someone discovered a large amount of data in a publicly readable storage bucket on Amazon Web Services.  This person, described as a technology enthusiast (i.e. a geek), downloaded some of this data and discovered it contained medical claims data.

The repository, which supposedly contained gigabytes of data, was later identified as belonging to Systema Software.  Systema is a vendor of claims processing software and offers cloud services to host the claims data.

In the data which was publicly available on Amazon, were insurance claims forms, address books with over a million names, addresses and social security numbers, birth dates, financial information and claims information.

Also included in the repository was a database with 3 million payment records and another database with 4.7 million notepad entries.  Still other databases include bank account information.

At least some of the records were workers compensation claims from Kansas and Utah.

The geek who found this reported it to the entities whose data he found, such as the state of Kansas.  He said that within 30 minutes of his reporting what he found to officials in Kansas, the data was no longer publicly available.

Likely the data had been publicly available for months.

What is interesting here is not that Systema screwed up or that data records for workers compensation claims were exposed, but rather that as we move more and more information to the cloud, the opportunity for a single human error to make data that should be private public increases.

If Systema had stored these records on a file server in their office instead of in the cloud and they screwed up the permissions, then maybe some people in their office might be able to see data that they should not see.

However, if you store this data in the Amazon cloud and screw up the permissions, then the potential is that anyone in the world might be able to see it – and the only things standing between the data and the Internet are the bucket's ACL and its bucket policy.

The interesting question is whether this is a HIPAA breach.  Some of the businesses involved with this may not be HIPAA “Covered Entities” while others may be “Business Associates” of covered entities.  It seems likely that it violated state privacy laws due to the financial data exposed.

As of right now, no one has posted a breach notice on their web site other than databreaches.

In fairness to the states involved such as Kansas, Utah and California, this revelation of the breach is only a few weeks old, so they are likely still trying to figure out what was compromised, who is responsible, etc.

This is a reason why having an incident response plan in place before a breach is important.  Even with one, it still takes time to sort things out.

But this breach does point out the obvious – when you put things in the cloud, it is critical that you set the access permissions correctly, and that you check them periodically rather than assuming they are still what you set.

Information for this post came from Databreaches.com.
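To make "set the access permissions correctly" concrete, here is a small offline audit of the two S3 documents that decide whether a bucket is public: its ACL and its bucket policy.  This is an added example, not code from the original post and not Systema's code.  The ACL and policy documents are constructed samples in the shape that boto3's `get_bucket_acl` and `get_bucket_policy` return; no AWS call is made, so the script runs without credentials.  The account ID and role name in the private policy are made up.

```python
"""Offline audit of S3 ACLs and bucket policies for public grants.

Added example (not part of the original post or Systema's code).  The
documents below are constructed samples in the shape boto3 returns from
get_bucket_acl() / get_bucket_policy(); nothing here talks to AWS.
"""
import json

# The two "everyone" groups Amazon defines for S3 ACLs.  AuthenticatedUsers
# means ANY AWS account in the world, not just accounts in your organization.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that reach the public."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def _principal_is_everyone(principal):
    # Principal may be the string "*", {"AWS": "*"} or {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of every Allow statement open to everyone.

    A Condition block could narrow a wildcard principal, but this audit
    deliberately ignores Conditions and flags the statement anyway: a
    reviewer should look at it, not a script.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    return [
        stmt.get("Sid", str(i))
        for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal"))
    ]


def is_public(acl, policy_json=None):
    """True if either document exposes the bucket to the world."""
    if public_acl_grants(acl):
        return True
    return policy_json is not None and bool(public_policy_statements(policy_json))


# Constructed sample: the mistake.  READ on the bucket lets anyone LIST it,
# which is exactly how a stranger finds claims files to download.
OPEN_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: the corrected ACL, owner only.
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Constructed sample: a policy that makes every object world-readable.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::claims-data/*"}],
})

# Constructed sample: the corrected policy, scoped to one (made-up) application role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ClaimsApp"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::claims-data/*"}],
})

if __name__ == "__main__":
    for name, acl, policy in [("open", OPEN_ACL, OPEN_POLICY),
                              ("fixed", PRIVATE_ACL, PRIVATE_POLICY)]:
        print(name, "public:", is_public(acl, policy),
              "acl grants:", public_acl_grants(acl),
              "policy statements:", public_policy_statements(policy))
```

In a real audit you would feed `is_public()` the output of `get_bucket_acl` and `get_bucket_policy` for every bucket in the account on a schedule, and treat any hit as an incident rather than a finding.  Note that a bucket can be private by ACL and still be public by policy (or the other way round), which is why the function checks both.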


New California Data Privacy Laws for 2015

As has been the case for more than 10 years, California leads the way, for better or worse, for the rest of the country in protecting residents' privacy.  Their original breach law, SB 1386, is the model for breach notification laws across the rest of the country.

So, what is new in 2015 – read on.  If SB 1386 is any indication, expect to see this in a legislature near you soon.

REMEMBER, one of the big challenges for businesses is that many laws cover people based on WHERE THEY LIVE, not where you are.  So, if you have a business in Dallas, Texas and a California resident uses your web site, you are required to follow California law with respect to that resident's data, and if you don't, the California Attorney General can (and has in the past) come after you.  AND you have to defend yourself in Sacramento, not Dallas.  Small breach and they are not likely to visit you.  Bigger breach and they might.

  • SB 568 goes beyond the federal law for protecting minors online (COPPA).  COPPA defines kids as anyone under the age of 13; SB 568 covers anyone under the age of 18, and among other things requires sites to let minors delete content they posted themselves.  So, if you have a web site that may attract Cali residents under the age of 18, this law affects you.
  • AB 1710 removes the wiggle room in the old law.  The old law talked about owning or licensing information.  The new law says that if you MAINTAIN information on a California resident you must "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."  Of course, reasonable is not defined, but there likely will be some discussion about what is reasonable if you are breached.
  • There are several new laws that govern information collected by third parties and schools about pupils and how that information may be used.

For more details, see this article.
