Tag Archives: CCPA

Mactaggart Gets Ready to Launch New Ballot Initiative – CCPA 2

Alastair Mactaggart, who pretty much single handedly is responsible for the California Consumer Privacy Act is on the warpath again.

CCPA 2, another ballot initiative, would grant California residents new rights in their health and financial records and also their precise location.  It would require consumers to opt in to companies selling that data and would also allow them to block the use of that data for targeted ads.

It would also establish a California privacy agency since it seems that the current AG isn’t real excited about enforcing the current CCPA law.

It would create stronger penalties for violating this law with data on kids under 16 (California already has a stronger law than the feds do for kids called CalOPPA).

It would also require companies to explain how their algorithms work in certain cases like determining employment prospects.

Given that he was able to collect 600,000 signatures very quickly for CCPA and that he is willing to spend his own money for CCPA 2, I would watch what happens closely.

If he collects enough signatures, this will go on the ballot in  2020, with an effective date sometime after that.

Source: WaPo

Facebooktwitterredditlinkedinmailby feather

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a  big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page that says that they are using cookies and the only option that users have to click on is OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR specifically says that you cannot refuse service if users do not allow you to sell your data and CCPA says that you have to give equal service whether users opt out of data sharing or not.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico

Facebooktwitterredditlinkedinmailby feather

Business Roundtable Lobbying Group Wants Weak National Privacy Law

O P I N I O N

50 Very Data Hungry CEOs (Out of About 30 Million) Try to Fool Congress into Letting Them Abuse Your Data

A group of big data CEOs wrote a letter to Congressional leaders requesting a Federal privacy law which would usurp the state’s rights to protect their consumers as they see fit.

A spokesperson for Facebook responded several months ago to a reporter’s question about a New York bill requiring companies to be a data fiduciary with the response that if the bill passed (it didn’t), Facebook might as well shut down in New York.  The spin doctors tried to walk that back the next day, but the reality is, if that law passed, it would require Facebook and companies like them to change their business models.

In fairness, it is difficult for companies to keep up with all the privacy laws (we help companies do that), but unless your business model requires that you sell your customer’s data to stay in business, complying is manageable, but it does take work.  Unfortunately, the Facebooks and Googles of the world have made things more complex for everyone else.

The state of data privacy is roughly in the same place that cybersecurity was in after California passed it’s landmark security bill (CA SB 1386) in 2003.  SB 1386 is the model that every other state drew from for enact their security laws.  Now CA AB 375 (the new California Consumer Privacy Act) has already begun this process over again with privacy laws.

Even though they don’t say this, what they really want is for Congress to pass a law because they know that their lobbying billions will allow them to buy a very weak law that will nullify laws like the ones in California, New York, Nevada, Vermont and other states.

The longer Congress doesn’t act, the more states will pass strong privacy laws, because that is what consumers want and the harder it will be to get votes at the national level to obliterate rights people already have – hence the urgency from these CEOs.

The California law would allow people to sue businesses that have breaches, which would dramatically change the economics of lax security practices – right now, at the federal court level, you have to prove that you have been tangibly damaged to sue after a breach.  The defense that some companies are using is that there are so many breaches, how do you know that your damage was from our breach.  The California law removes that requirement to prove that the consumer had tangible damages.  That alone scares the crap out of the Facebooks and Googles – and it should.

They are trying to pass this off as stopping consumers from being confused about their rights (like the right to tell Facebook not to sell your data – that is certainly confusing and hard to understand), but that is completely bull.  The 6 rights that the California law gives consumers are each spelled out in one sentence and are easy to understand. For example:

  • The right to know what data a company has and to get a copy of it
  • The right to request that my data be deleted subject to a list of exclusions
  • The right to stop a company from selling my data
  • The right to equal price and service even if I tell you not to sell my data

And a couple of more rights.  These rights are easy to understand and the real problem for CEOs like Amazon’s Jeff Bezos is that people will likely actually use these rights and that might force companies like Amazon to change their business models.

If companies are transparent about their data collection practices, then this is a pretty simple choice.  People can choose to do business with companies that want to sell their data.  Or not.

One thing that makes this conversation different than the conversation around security in 2003 is that places like Europe, Japan and a significant number of others have already given their consumers these rights, so the big data companies already have to deal with this.  No matter what happens in the US, this will happen in the rest of the world.

At that point, as we are already beginning to see, the lack of a strong national privacy law in the US makes it MORE difficult and MORE expensive for US companies to compete in the rest of the world.

In Europe, the first EU/US privacy agreement, Safe Harbor, was struck down by the EU courts as not protecting EU citizens’ rights.  That was replaced by Privacy Shield (which many people say was just Safe Harbor with lipstick) and Privacy Shield is being attacked in the EU courts.  We do not know the outcome of that court battle, but we will soon.  If the courts strike down or force substantial changes to Privacy Shield, that will make the arguments of these 50 CEOs even less intelligent.    Many companies have already decided that it is cheaper, simpler and better PR to have one set of consumer friendly privacy policies worldwide.

Stay tuned;  this will not end any time soon.

Source: C-Net.

NOTE:  This is likely a hot button topic for folks.  Please post your comments to this.  I promise to approve any comment that is moderately sane and rated PG or less.

Facebooktwitterredditlinkedinmailby feather

Are You Ready for California’s New Privacy Law?

Security vendor ESet interviewed 625 business owners and executives to understand their readiness for California’s new privacy law that goes into effect on January 1, 2020.  What most businesses are missing is that Nevada’s version of the law goes into effect on October 1, 2019.  Most of the respondents were from small businesses, some of whom are exempt from the requirements of the law.  Here are the results:

  • 44% had never heard of the law
  • 11% know whether the law applies to them or not
  • 34% say that they don’t know if the law will require them to change the way they collect and store data (it likely does)
  • 22% say they don’t care if they break the law (great if you can get away with that)
  • 35% say they don’t need to change anything to be in compliance (very unlikely)
  • 37% say that they are very confident that they will have the required security in place by January 1.  Another third say that they do not know if they will have security in place
  • Half said that they did not modify their behavior or processes to bring their businesses into compliance with GDPR (most likely because they don’t know what GDPR requires)

40% of the businesses said that they did not have anyone responsible for security or privacy in their company and another 18% said they didn’t know if they had someone.

9% said they are moving to avoid having to comply with CCPA, the new California law.  Those people need to understand that they will also need to block Californians from going to their web site and refuse to ship products or deliver services in California.  None of that is realistic for most businesses.

Given the law goes into effect in less than 6 months and Nevada’s version goes into effect in two months, this lack of knowledge is concerning.  However, attorneys, especially those that specialize in class action lawsuits, are thrilled.

There is one aspect of the law that should be a cause for concern for these businesses who think they understand the law – and likely do not.

Any California resident can sue any California business that has a breach that compromises their personal information.

They do not have to show that they have been damaged to sue.

The maximum you can sue for is $750 per person.  A breach of say 10,000 records – a tiny breach by today’s standards (the Capital One breach last week compromised 106 million people) – would generate a potential lawsuit asking for $7,500,000.

Are you prepared for that?

A one million record breach – still small by today’s standards – translates to a $750 million lawsuit.

My suggestion to small businesses – think again about whether you are prepared.  If you need help, contact us.  Source: HelpNet Security.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing,  telemarketing and video surveillance.  Source: Bleeping Computer.

 

1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work – albeit slowly.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS vendor does not operate a fully 1987 or 1999 compliant DNS service, your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes then there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay .

 

Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Protection Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try. Source: The Recorder.

 

Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try and create disinformation if it works to their best interest.   Source: NBC.

 

FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten the U.S. courts approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by anti virus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending September 28, 2018

Cisco Will Eliminate Hard Coded Passwords One Per Month

It seems like every patch cycle, Cisco admits to another app that has an undocumented hard coded password.  I have lost track of how many of them they have removed so far, but the number is scary large.

What is more scary is that I bet Cisco is far from unique – they are just being more honest about it.  Are all the other hardware vendors pure as the driven snow.  NOT LIKELY!

In this case, very embarrassingly, the hard coded password was in Cisco’s video surveillance manager.  In other words, the bad guys could secretly watch the watchers.

Cisco CLAIMS this was because they forgot to disable this hard coded ID (maybe used for testing) before the production code was released.

Recently Cisco has removed hard coded credentials from their Linux based OS, IOS XE, from their Digital Network Architecture server and from the Cisco Provisioning Server.  That is just recently.

This bug rated a 9.8 out of 10 on the severity Richter scale (CVSS V3).   Source: ZDNet.

Gig Workers Targeted by Malicious Attackers

This one is classically simple.

Gig workers, who have no IT department, are responding to gig requests on sites like Fiverr and Freelancer.

Unfortunately, those requests have documents associated with them that are infected.  When the gig worker opens the file to understand if he or she wants to bid on the gig, his or her computer is infected.  MAYBE the gig worker’s anti virus software will catch it, but if they are crafted just slightly differently for each attack, the AV software will be blind to it.

Freaking genius.  As long as it doesn’t happen to you.  Source: ZDNet.

Your Tax Dollars At Work

Like many public sector (not all!) networks, the security of the Pennsylvania Democratic Caucus was, apparently, not so great.  Equally unsurprisingly, their computers became infected with ransomware.

So they had two choices.  Pay the bad guys $30,000.

OR

Pay Microsoft $703,000 plus.

Of course, since this isn’t coming out of their pockets, they opted for the gold plated, diamond encrusted deal from Microsoft.

Surely, some local outfit would have rebuilt their servers for less than three quarters of a million dollars.

According to Homeland Security, over 4,000 ransomware attacks happen every day.  I have NO way to validate that claim, but I am sure the number is big.  Source : The Trib.

Uber Agrees to Pay $148 Million for Breach – Instead of $2 Billion under CCPA

Uber agreed to pay $148 million to settle claims that it covered up a breach in 2016 by PAYING OFF the hackers to keep quiet and supposedly delete the data.

Lets compare that to what they might have paid under CCPA, the new California law.

57 million records – say 5% in California = 2,850, 000 records.

Private right of action up to $750 per user without showing damage.  Let’s reduce that to $500 x 2.85 million = $1.425 billion.

AG right to sue for malicious non-compliance.  $7,500 (treble damages since the cover up was willful) x 2.85 million = $21.375 billion.

WORST CASE = A little over $22 BILLION.

BEST CASE (Maybe) = 10% of that, maybe $2 billion.

They got off light.

By the way, THIS is why companies are scared of the new law.

Source: Mitch

Newest iPhone, Newest iOS – Hacked in a Week

We tend to think of iPhones as secure.  Secure is a relative term and relatively, the iPhone is secure.

iOs 12 was released on September 17th, along with the new iPhones, the XS and the XS Max.

Today is the 28th and news articles abound that the  pair (new phone plus new software) has been hacked.

To be fair, Pangu team, the ground that announced the hack, said that they had hacked the beta back in June.

So, as long as you don’t think secure means secure, the iPhone is secure.

Less insecure might be a better term.  Source: Redmondpie .

Facebooktwitterredditlinkedinmailby feather