Tag Archives: Florida

What Will the New State Privacy Laws Mean

As California and Virginia start rolling out their new privacy laws and Washington and Florida look like they will be next, what is the impact on businesses?

Most companies will likely adopt the strategy of picking the most aggressive state, following its law, and assuming that covers the rest. That is mostly true, but each state has its quirks, so what does that look like? Here is how Ballard Spahr summarizes it:

The only one of these that is not LAW YET is Washington.

Here are a couple of interesting hand grenades.

For companies whose processing of personal information presents significant risk to consumers' privacy, the CPRA (California Privacy Rights Act) requires an annual cybersecurity audit and regular delivery of a copy of the risk assessment to the CPPA (the California Privacy Protection Agency, the regulator). Details to follow in the regulations.

What does sensitive personal information mean? It depends.

In California it means Social Security number, driver's license, passport, financial account, credit or debit card numbers, precise geolocation, race, religion, genetic data, union membership, sexual orientation and more. Florida doesn't define it. Virginia and Washington say it includes race, religion, medical, genetic and biometric data, precise geolocation, personal information of a minor, sexual orientation and citizenship status. Many companies do not collect this kind of information, but some do.

Washington and Virginia require a Data Protection Assessment if you use personal information for targeted advertising, for sale, for profiling that carries certain risks, for processing sensitive personal information as described above, or for other activities with heightened risk (whatever that turns out to mean). "Sale" probably sweeps in almost everyone.

You must hand over a copy of the DPA to the state Attorney General on request. No subpoena required.

Next come opt-out notices. California requires both a do-not-sell notice and a notice letting consumers limit the use of their sensitive personal information, although the two can be combined. Florida only requires a do-not-sell link. Washington and Virginia are silent on it, but it could be defined in the regulations; we see a lot of that in California.

Finally, how much will it cost you if you get it wrong? California and Florida give consumers a private right of action, with statutory damages of up to $750 per consumer per incident, or actual damages if greater. In all four states the AG can impose penalties of up to $7,500 per violation for intentional violations or violations involving minors. Virginia and Washington add their attorneys' fees and costs to the bill.

Needless to say, it is probably better to follow the rules.

Credit: Ballard Spahr

Security News for the Week Ending August 2, 2019

Capital One Breached – 100+ Million Applicants Compromised

Among the data compromised were 140,000 U.S. Social Security numbers and 80,000 bank account numbers, plus about one million Canadian Social Insurance Numbers along with names, addresses, phone numbers, birth dates and incomes.

The data covered applicants who applied between 2005 and 2019. Yes, 15 years' worth of applicant data, floating around in the cloud. I ask WHY?

The intruder had access from March until July, when the breach was discovered. In this case a U.S. person was identified as the source of the attack and arrested; she is still in jail.

The feds say a configuration error allowed her to access Capital One's data, which was stored in the cloud. More details are at The Register.


Florida Senator Admits He Hasn’t Read the Report on Russian Hacking of Florida’s Election Systems

After the Republican-controlled Senate Intelligence Committee released the first volume of its report on Russian hacking of the 2016 Presidential election, Florida Senator Rick Scott, who was Florida's governor at the time of the election, said on national TV that he has not read the report. The report, which is heavily redacted, discusses Russian efforts to hack "State 2", widely believed to be Florida.

The report is only 67 pages, and far fewer once you skip the redacted portions, but Scott has only gotten the CliffsNotes version from his staff. At the time, Scott was adamant that his state was not hacked. Florida's other Senator, Marco Rubio, has been working hard to sound the alarm on the report. Perhaps the report hit a little too close to Scott's denials for comfort. Source: The Tampa Bay Times.


Honda Exposes the Family Jewels

134 million rows of sensitive data were accidentally exposed. Wait. Guess how. On an unprotected Elasticsearch database.

Information on the company's security systems, its network, technical data on workstations, IP addresses, operating systems and patch levels were all exposed. Basically, these are directions for even an inexperienced hacker to attack Honda: an attacker who already knows which hosts are unpatched does not need to scan for them.

Honda is being pretty quiet about this, but it is one more case of corporate governance gone wrong. Or missing. Source: Silicon Republic.
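What "unprotected Elasticsearch database" usually means in practice is a node bound to a public interface with the security module switched off, so anyone who can reach port 9200 can read and write every index with no credentials at all. The two configurations below are an added example, not Honda's configuration or anything from the Silicon Republic report: the first is the exposed shape, the second the hardened one. The cluster name, the private address and the certificate paths are placeholders.

```yaml
# --- exposed: what an "unprotected Elasticsearch database" looks like ---
# (one elasticsearch.yml; the two documents below are alternative files)
cluster.name: example-cluster        # placeholder
network.host: 0.0.0.0                # listens on every interface, including the public one
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false        # no authentication: any client that reaches 9200
                                     # can run GET /_cat/indices, _search, and DELETE
---
# --- hardened ---
cluster.name: example-cluster        # placeholder
network.host: 10.0.0.5               # placeholder private address; reach it via VPN or bastion only
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true         # every request needs a user with a role that grants the index
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # placeholder, relative to the config dir
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # placeholder
```

The quick check from outside is an anonymous `GET http://<host>:9200/_cat/indices?v`: if it returns an index list instead of a 401, the cluster is open. Note that before Elasticsearch 8.0 `xpack.security.enabled` defaulted to false, so an older install where someone only changed `network.host` to make it reachable is exactly the exposed configuration; a network ACL or security group restricting port 9200 is a second, independent line of defence and worth having even with authentication on.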


Apple Suspends Program Of Listening to Siri Recordings

After it was reported last week that Apple had contractors listening to people's Siri recordings, including sensitive protected health information, Apple announced it was suspending the program and will conduct an investigation. Apple said a future software release will let people choose whether to participate in the program. Source: The Guardian.


On Eve of Amazon Getting Awarded $10 Billion DoD Contract, Capital One Happens

Amazon and Microsoft are locked in mortal combat over a $10 billion DoD cloud contract called JEDI. Now the Capital One breach happens, exposing information on 100 million customers, and it turns out the person accused of doing it is a former Amazon tech employee who may have hacked other Amazon customers as well.

So Congress wants some answers, and probably so does Microsoft. $10 billion could be hanging in the balance.

This is a message for cloud customers to ask some hard questions of their cloud vendors, even though this particular attack was enabled by a configuration error, and getting the configuration of your own cloud resources right is the customer's responsibility, not the provider's. Source: Bloomberg.