Tag Archives: California

What Will the New State Privacy Laws Mean

As California and Virginia start rolling out their new privacy laws and Washington and Florida look like they will be next, what is the impact on businesses?

Most companies are likely to adopt a strategy of "this state is the most aggressive; let's follow this one and we should be good for all the rest." This is MOSTLY true, but each state has some quirks, so what does that look like? This is what Ballard Spahr says:

The only one of these that is not LAW YET is Washington.

Here are a couple of interesting hand grenades.

For companies processing personal information that presents significant risk to the consumer's privacy, CPRA requires an annual cybersecurity audit and delivery of a copy of the risk assessment to the CPPA (the regulator) on a regular basis. Details to follow.

What does sensitive personal information mean? It depends.

For California, it means SSN, driver's license, passport, financial accounts, credit or debit cards, geolocation info, race, religion, genetic data, union membership, sexual orientation and other information. Florida doesn't define it. Virginia and Washington say it includes race, religion, medical, genetic, biometric, geolocation, PI of a minor, sexual orientation and citizenship status. While a lot of companies do not collect this info, some do.

Washington and Virginia require a Data Protection Assessment if you use the information for targeted advertising, sales, profiling where risks are involved, sensitive PI as described above, or activities with heightened risks. Whatever that means. "Sales" probably covers most everyone.

You must provide a copy of the DPA to the state AG if he or she asks nicely. No subpoena required.

Next you have to worry about opt-out notices. For California, you have to give both a "do not sell" and a "limit use of sensitive data" notice, although they can be combined. Florida only requires a "do not sell" link. Washington and Virginia are quiet about it, but it could be defined in the regulations. We see a lot of that in California.

Finally, how much is it going to cost you if you screw up? California and Florida have a private right to sue you and can nick you for statutory damages of up to $750 per record, or actual damages if more. In all four states the AG can nick you for up to $7,500 per record for intentional action, if minors are involved. Virginia and Washington add their attorneys' fees and costs to the mix.

Needless to say, it is probably better to follow the rules.

Credit: Ballard Spahr

Privacy in the Land of California

For those of you who live in California, work in California or have customers in California, 2021 is going to be different.

Probably more complicated for businesses and possibly a little better for consumers.

Act 1: CA AB-1864 creates the Department of Financial Protection and Innovation (DFPI). California is not particularly happy that the Republican administration in Washington has defanged the Consumer Financial Protection Bureau. My personal opinion is that there are people in the legislature who are not happy that Xavier Becerra, the California AG, has been less than enthusiastic about enforcing CCPA.

The result is DFPI, aka California’s own CFPB. The governor is expected to sign the bill later this month.

Like the CFPB was supposed to do, the DFPI will have the power to bring administrative and civil actions, issue subpoenas and create rules and regulations. It also requires that all money collected by the department (AKA fines) will be used to fund the department. If the commissioner wants more staff … issue more fines.

For many of our clients, there is good news. Escrow agents, mortgage originators, broker-dealers, banks and other financial institutions are exempted from this regulation.

Fin-tech companies are not exempted. They need to watch out. The text of the bill can be found here.

Act 2: The second bill is SB-908, which will require debt collectors to be licensed. And regulated. Mortgage lenders are NOT exempted from the provisions of this bill. The governor is expected to sign this bill as well.

Given the current financial “troubles” in the country now and in the foreseeable future, there is going to be a lot of non-performing debt. For debtors in California, this bill will attempt to make the debt collection process a little more civil. Given the reputation of the industry as a whole, civil is not a term that I would generally use when describing the process. Of course, there are many exceptions. The text of this bill can be found here.

Act 3: The last bill in the collection is CA AB-376, which establishes a student loan borrower bill of rights. Among other things, this bill, which will be enforced by the new DFPI, requires loan servicers to operate like a fiduciary by managing payments to the benefit of the borrower and to reduce fees to the borrower.

The bill would allow a borrower that suffers damages as a result of a debt collector’s failure to follow this law or other relevant federal laws to sue the debt collector for actual damages, injunctive relief, restitution, attorney’s fees and other relief, including treble damages in some cases. The text of this bill, which the governor is also expected to sign, is available here.

This is not all; there is CCPA 2.0, but I will leave that for another day.

As you can see, for folks living, working or doing business in California, 2021 will be an interesting year.

Also remember, where California leads, the rest of the country follows. If you don't believe that, check out CA SB 1386, the 2002 breach notification law that became the basis of breach law in virtually every state in the country.

News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months' worth of location data on a suspect. The suspect in a robbery case was tracked by the police, over 12,000 locations across 127 days, to correlate robbery locations to the suspect's location. Chief Justice John Roberts wrote the opinion, basically saying that this is a search within the bounds of the 4th Amendment. This is good news for privacy advocates, who say that the power of the government is not unbounded. Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner's Office says they have seen a sharp rise in both complaints and notifications. In France, they have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications. Compare that 59 to the total for the entire eight months prior to the law going into effect: effectively an 8x increase.

Still, numbers in the hundreds rather than the millions mean that people are not going crazy. What we don't have data on, yet, is how many people requested copies of their information or requested that their information be deleted. Source: WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis. Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses) is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that the data was exposed because of a lack of access controls on an Elasticsearch database hosted on Amazon's cloud: the server answered queries from anyone on the internet, no credentials required.

Given new privacy laws in place and coming into place, this type of breach MAY need to be disclosed. So far, the company is being quiet about it. Older privacy laws did not consider things like your kids' names, ages and genders private. Newer ones are starting to, hence the requirement for disclosure, possibly. Source: Wired

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices. This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild, and Equifax is likely doing most of these already as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management. It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls. Source: The New York Times

California Attorney General Defines Reasonable Security

Some businesses have complained that the FTC has not been clear about what is required in order to be in compliance with Section 5 of the FTC Act and avoid being fined.

California, usually a leader in the privacy arena, has begun to put some detail to those requirements, at least for businesses that have customers in California. After California implemented SB 1386, the defining breach notification law in the U.S., other states followed over the next few years. This is likely to be the case with this decision as well.

Kamala Harris, the California Attorney General, released a report this month on data breach impact in California between 2012 and 2015.

The report goes into some detail on the types of breaches, types of businesses, number of records breached and related information.  Retail was the leading breached business type, followed by financial and healthcare.

She then goes on to talk about reasonable security and the fact that the California information security statute requires businesses to use "reasonable security procedures and practices."

She explains her definition of reasonable security as follows:

  1. The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
  2. Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
  3. Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers. This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.

The CIS 20 is an almost 100-page document, so I am not going to try to summarize it here, but it addresses hardware and software inventory, secure configuration, continuous vulnerability assessment, controlling administrative privileges, data recovery, need-to-know access, wireless, account monitoring, incident response and penetration testing, among other things.

And, I would agree with her – organizations that take on the CIS 20 seriously are likely to be way more secure than the average company.

On the other hand, doing this is a serious undertaking and likely affects many aspects of your business.

One other thought. The California Information Security Law (AB 1950) also REQUIRES a company to enter into CONTRACTS with the sub-contractors it shares personal information with, requiring them to implement these same controls.

What we don't know yet is what the AG plans to do about this. For example, the California law does not say that you are required to use reasonable security only in the event that your systems are breached. This means that the AG could go after businesses for not implementing reasonable security even if they have not been breached. While I think this is unlikely, she certainly would get a lot of press if she decided to make an example of someone.

It seems more likely that she would go after a business if, in the event of a breach and after investigation, her office discovers that the breached organization was not implementing her definition of reasonable security.

Bottom line is this –

If you are located in California, have customers located in California or do business with a business located in California, you now have some pretty clear guidelines for what you need to do.

The AG’s report is available here.

The CIS 20 controls are available here.

Information on CA AB 1950 can be found here.

Systema Leaves Insurance Claims Data In The Cloud – Unprotected

Databreaches.net is reporting that someone discovered a large amount of data on a publicly readable segment of Amazon Web Services storage. This person, described as a technology enthusiast (i.e. a geek), downloaded some of this data and discovered it contained medical claims data.

The repository, which reportedly contained gigabytes of data, was later identified as belonging to Systema Software. Systema is a vendor of claims processing software and offers cloud services to host the claims data.

The data publicly available on Amazon included insurance claim forms, address books with over a million names, addresses and Social Security numbers, birth dates, financial information and claims information.

Also included in the repository were a database with 3 million payment records and another database with 4.7 million notepad entries. Still other databases included bank account information.

At least some of the records were workers compensation claims from Kansas and Utah.

The geek who found this reported it to the entities whose data he found, such as the state of Kansas. He said that within 30 minutes of his reporting what he found to officials in Kansas, the data was no longer publicly available.

Likely the data had been publicly available for months.

What is interesting here is not that Systema screwed up or that data records for Workers compensation claims were exposed, but rather that as we move more and more information to the cloud, the opportunity for human error to make data that should be private public increases.

If Systema had stored these records on a file server in their office instead of in the cloud and screwed up the permissions, then maybe some people in their office might have been able to see data that they should not see.

However, if you store this data in the Amazon cloud and screw up the permissions, then the potential is that anyone in the world might be able to see it. There is no office network between the mistake and the internet.

The interesting question is whether this is a HIPAA breach. Some of the businesses involved may not be HIPAA "Covered Entities," while others may be "Business Associates" of covered entities. It seems likely that it violated state privacy laws in any case, due to the financial data and Social Security numbers exposed.

As of right now, no one has posted a breach notice on their web site other than Databreaches.net.

In fairness to the states involved such as Kansas, Utah and California, this revelation of the breach is only a few weeks old, so they are likely still trying to figure out what was compromised, who is responsible, etc.

This is a reason why having an incident response plan in place before a breach is important.  Even with one, it still takes time to sort things out.

But this breach does point out the obvious: when you put things in the cloud, it is critical that you set the access permissions correctly, and that you check them rather than assume the defaults are private!
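Both the Exactis exposure above (an Elasticsearch database that answered anyone) and the Systema case here (a storage bucket readable by the world) come down to the same mistake: a grant to "everyone" that nobody looked for. The script below is an added example, not code from the original post or from Systema or Exactis. It audits, offline, the three places an S3 bucket can become public: ACL grants to the AllUsers or AuthenticatedUsers groups, bucket policy statements that allow any principal, and the account's Block Public Access flags. The ACL, policy and Block Public Access documents are constructed to mirror the shape of what S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls return; the bucket name `claims-archive`, the account ID and the `ClaimsProcessor` role are hypothetical.

```python
"""Offline audit of an S3 bucket's ACL, bucket policy and Block Public Access flags.

Added example, not code from the original post, from Systema or from Exactis.
The documents at the bottom are constructed to mirror the JSON returned by
S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls; the bucket,
account ID and role names are hypothetical.
"""
import json

# Group URIs that S3 treats as "everyone" and "any signed-in AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# All four flags must be on for Block Public Access to override ACLs and policies.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields such as Statement, Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """One finding per ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def _principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} means any requester, signed in or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """One finding per Allow statement addressed to any principal.

    A statement with a Condition may still be narrowed (for example to a VPC
    endpoint or a source IP range), so it is reported for review rather than
    as plainly public.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = ",".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            findings.append(f"REVIEW: policy allows {actions} to any principal, limited by Condition {list(stmt['Condition'])}")
        else:
            findings.append(f"PUBLIC: policy allows {actions} to any principal on {_as_list(stmt.get('Resource'))}")
    return findings


def missing_public_access_block(config):
    """Names of the Block Public Access flags that are not enabled."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


def audit_bucket(acl, policy_json, bpa_config):
    """Run all three checks; an empty list means nothing public was found."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(policy_json)
    missing = missing_public_access_block(bpa_config)
    if missing:
        findings.append(f"Block Public Access incomplete: {missing} disabled")
    return findings


# Constructed sample documents (hypothetical bucket, account and role).
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::claims-archive/*"},
]})
EXPOSED_BPA = {flag: False for flag in BPA_FLAGS}

HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}  # owner only
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ClaimsProcessor"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::claims-archive/*"},
]})
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_BPA)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_BPA))):
        print(label, audit_bucket(*args) or ["no public access found"])
```

Run against the "exposed" documents it reports three findings (the AllUsers READ grant, the unconditional Allow to `*`, and all four Block Public Access flags off); against the "hardened" set, where the only grant is the owner and the only principal is a named role, it reports nothing. In a real account you would feed it the output of the corresponding API calls for every bucket, and treat any REVIEW line as something a human has to read, not something to auto-close.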

Information for this post came from Databreaches.net.

New California Data Privacy Laws for 2015

As has been the case for more than 10 years, California leads the way, for better or worse, for the rest of the country in protecting residents' privacy. Their original breach law, SB 1386, is the model for the laws in the rest of the country.

So, what is new in 2015? Read on. If SB 1386 is any indication, expect to see this in a legislature near you soon.

REMEMBER, one of the big challenges for businesses is that many laws cover people based on WHERE THEY LIVE, not where you live. So, if you have a business in Dallas, Texas and a California resident uses your web site, you are required to follow California law, and if you don't, the California Attorney General can (and has in the past) come after you. AND you have to defend yourself in Sacramento, not Dallas. Small breach and they are not likely to visit you. Bigger breach and they might.

  • SB 568 extends the federal law for protecting minors online (COPPA). COPPA defines kids as anyone under the age of 13; SB 568 defines it as anyone under the age of 18. So, if you have a web site that may attract Cali residents under the age of 18, this law affects you.
  • AB 1710 removes the wiggle room in the old law.  The old law talked about owning or licensing information.  The new law says if you MAINTAIN information on a California resident you must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  Of course, reasonable is not defined, but there likely will be some discussion about what is reasonable if you are breached.
  • There are several new laws that govern information collected by third parties and schools about pupils and how that information may be used.

For more details, see this article.