Tag Archives: California

California Becomes First State to Pass IoT Security Law

California continues to pass tighter laws in the cybersecurity world.

California Governor Jerry Brown recently signed into law bill No. 327 which requires connected device manufacturers to include “reasonable” security features for those devices sold in California. With passage of this new law, California becomes the first state in the nation to adopt such legislation.

What the Law Requires

Beginning on January 1, 2020, the law will require a manufacturer of a connected device to equip the device with reasonable security features that are “appropriate to the nature and function of the device” and appropriate to the type of information collected by the device. It also mandates that any maker of an Internet-connected, or “smart” device ensures the device has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Continue reading California Becomes First State to Pass IoT Security Law

California’s Sweeping New Privacy Legislation – What You Need to Know!

With the recent passage of the California Consumer Privacy Act of 2018 (CCPA), California continues to be a leader when it comes to protecting the privacy rights of individuals. Many experts agree that the CCPA is the most comprehensive consumer privacy legislation in the United States to date.

Like the new EU privacy regulation GDPR, the CCPA is meant to give consumers more control over their personal information, including:

  • knowing what kind of information is being collected about them;
  • knowing if their information is being sold or disclosed (and to whom);
  • allowing them to restrict the sale of their information; and
  • giving them access to their information.

Most U.S. privacy legislation focuses on specific sectors or privacy issues, but the new CCPA applies broadly to businesses that collect personal information about California consumers and creates significant new consumer privacy rights. That means your business may face new obligations. Here’s what you should know.

Does it apply to you?

The CCPA only applies to companies that conduct business in California and Continue reading California’s Sweeping New Privacy Legislation – What You Need to Know!

California Amends Data Breach Notification Law…Again

California passed AB 2828, amending the state’s breach notification law once again. With the latest change, California joins Illinois, Nebraska, Nevada, and Tennessee in addressing breaches of encrypted information.

The current law requires companies to disclose breaches of “unencrypted” information. California’s new law now considers encrypted information breached if it’s acquired along with the key or credential that would render the information readable and usable.

Encryption usually gives companies a safe harbor from notification requirements when encrypted personal information is breached. But this amendment fills the gap of the old law and correctly triggers notification protocols when there’s a breach of readable or usable data.

This provision is already reflected in several other state laws, so the change should be taken in stride. Companies should take note and adjust their incident response plans accordingly.

The amendment will go into effect January 1, 2017.

Ransomware Classified as Extortion by California Law

Ransomware key on keyboard - A red key with the text ransomware on a black keyboard combined with the dollar sign.California Governor Jerry Brown signed a new law (SB-1137) that specifically integrates ransomware into California’s extortion laws. While installing malware onto a computer already breaks federal law, this is the first law to expressly expand extortion laws to include ransomware.

This move in California makes sense, as one of the more widely reported cases of ransomware occurred when Hollywood Presbyterian Medical Center paid $17,000 to regain its data following a ransomware attack. We reported on that story earlier this year.

The new California law seems more of a logistical move to increase awareness around the issue. With the anonymity of collecting payment through Bitcoin, not many cyber criminals have been caught and arrested for ransomware attacks.

Defend Against Attacks

There is no silver bullet solution for protecting against Ransomware. However, the following steps can reduce your chance of being infected.

Top IT Best Practices:

  • Use Anti-Virus and ensure that the software is up-to-date.
  • Ensure Windows users have EMET enabled to sandbox applications.
  • Use regular backups and ensure backup copies are stored in a separate and secure location (not on the local area network).
  • Limit access to different areas on the network to the minimum necessary. It could help control the spread of malware.

Top User Best Practices:

  • Do not open attachments included in unsolicited e-mails.
  • If you have to download free software, always verify the website’s reputation before downloading.
  • Block pop-ups on your browser to prevent fake update ads.
  • Use virtual browsing sessions whenever possible. The virtual session is deleted including any malware when the browsing is closed.
  • Make sure User Account Control (UAC) is on and users are aware of its functions.

California Law Protects Student’s Privacy

A new law, AB 2097, was passed in California limiting the personal information public schools are allowed to collect from students.

The new law prohibits school districts from collecting students’ Social Security numbers and other information, except when required by federal and state law.

The law surfaced after a judge earlier this year ordered Social Security number and other personal information be released on over 10 million California students earlier this year. What followed was a frenzy of objections filed regarding the data release. The judge reversed that decision a couple months later, based on the concerns over identity theft.

How Failure to Notify Cost Wells Fargo $8.5 Million

A month after releasing the California Data Breach Report 2012-2015, CA Attorney General Kamala Harris settled with Wells Fargo for $8.5 million over privacy violations under California law. The chief violation was the recording of consumers’ phone calls without timely telling consumers they were being recorded.

“Protecting the privacy of California consumers is increasingly crucial as technology rapidly develops and becomes a bigger part of our lives,” said Attorney General Harris. “This settlement holds Wells Fargo accountable for violating the privacy of its customers by recording calls without providing adequate notification, and ensures that the bank makes the changes necessary to protect the privacy of its customers.”

California has been notorious for having some of the most stringent privacy laws in the nation. With that said, before engaging in a confidential conversation, individuals must be notified at the beginning of the call if it’s being recorded, so they have the option to either object or end the call.

Corrective Action

The settlement includes obligations for Wells Fargo to comply with the California law going forward. This means making clear, conspicuous, and accurate disclosures of any recording between the bank and its customers in the future. Wells Fargo is implementing a compliance program tasked with making the necessary policy changes.

The Ultimate Guide to California Data Breaches

Attorney General Kamala Harris released a report – California Data Breach Report 2012-2015 – detailing four years’ worth of data breaches her office has seen. From 2012 to 2015, 657 data breaches were reported to the Attorney General’s Office, totaling more than 49 million records of compromised personal information.

Attorney General Harris states in the report, “California is leading the nation with measures to prevent data breaches, but we can do better. This report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.”

The report provides details about the common types of data compromised, the industry sectors most susceptible to a breach, and recommendations to reduce the risk of a data breach.

Types of Data

The top three types of data compromised over the past four years:

  • Social Security numbers
  • Payment card data
  • Medical information

Industry Sectors

The following industry sectors accounted for the most breaches over the past four years:

  • Retail sector – 24% of breaches & 42% of records breached
  • Financial sector – 18% of breaches & 26% of records breached
  • Healthcare sector – 16% of breaches
  • Small businesses – 15% of breaches

Recommendations

The Attorney General’s report made the following recommendations to organizations to comply with the state laws and help reduce the likelihood of a data breach occurring:

  • Controls: Adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program.
  • Multi-Factor Authentication: Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.
  • Encryption: Consistently use strong encryption to protect personal information on laptops and other portable devices, and consider using it for desktop computers as well.
  • Fraud Alert: Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and highlight this in breach notices.

California Amends Data Breach Notification Law

Governor Jerry Brown recently signed three bills into law, amending California’s breach notification statute. The new laws expand the definition of personal information, add clarity to the term encryption, and add requirements for notification letters.

Personal Information Definition

S.B. 34 expands the definition of personal information to include information or data collected through the use or operation of an automated license plate recognition system.

License plate recognition systems use optical character recognition on images to read license plate numbers and store that data. Many police departments have adopted this technology, creating concerns regarding the use and safety of that data.

The amendment requires entities using the technology to maintain reasonable safeguards to protect the license plate recognition data from unauthorized use or disclosure. The law also has a provision allowing private right of action for anyone harmed by violations of the statute.

Encryption Definition

A.B. 964 provides a bit of clarity on the definition of encryption. Most state laws, including California’s, allow for a safe harbor for encrypted information that is accessed by an unauthorized person. The grey area of the law is what qualifies as acceptable encryption.

The amendment defines encryption as information that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

Notification Letter Changes

S.B. 570 updates the requirements for breach notification letters that are sent to individuals affected by a security breach.

Additional requirements include:

  • The notification must be titled “Notice of Data Breach.”
  • The information must be presented under the following headings – “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
  • The title and headings must be clearly and conspicuously displayed.
  • The text should be at least 10-point font size.

The new law also provides a model security breach notification form that complies with the requirements listed above.

The amendments are effective January 1, 2016.

California Passes Executive Order to Strengthen Cybersecurity

California Governor Brown signed Executive Order B-34-15. The goal of the order is to bolster the State’s preparedness and response against cyber-attacks.

The order states that the California Governor’s Office of Emergency Services will establish the California Cybersecurity Integration Center (Cal-CSIC). Cal-CSIC will take the lead role in organizing the state government’s cybersecurity activities including:

  • Coordinating and sharing threat information with the California State Threat Assessment System and U.S. Department of Homeland Security;
  • Providing warnings of cyber-attacks to government agencies and non-government partners;
  • Developing a statewide cybersecurity strategy to improve the ways cyber threats are identified, understood, and shared;
  • Establishing a Cyber Incident Response Team to lead cyber threat detection, reporting, and response in coordination with entities across the state; and
  • Assisting law enforcement agencies in criminal investigations.

According to a recent state audit, California’s size and economy make it a key target for cyber-attacks.

“State leaders including the governor have recognized that cybersecurity is a real hazard for the state, our counties and cities,” said Brad Alexander, spokesman for the Office of Emergency Services. “Protecting our information system requires proactive action to beef up our ability to be aware of cybersecurity risks and our response to those risks.”