Governor Brown signed into law AB 2828, which will update California’s breach notification statute. The law addresses encrypted Personally Identifiable Information that has been breached in the event that the encryption keys are also compromised. The law will go into effect January 1st.
AB 2828 seeks to close a loophole in California’s current data breach notification law, Civil Code Section 1798.82, under which a business must notify affected persons of a data breach where unencrypted personal information is lost. Presently, Section 1798.82 does not expressly require notification where the lost data was encrypted but the encryption key was also lost or improperly disclosed. That data is at as much risk as unencrypted information, yet there is no requirement to notify affected individuals. On the other hand, requiring companies to report all data breaches in which encrypted information was lost but the key remains secure may result in notifications to individuals who are not at serious risk of identity theft, fraud, or loss of privacy.
Continue reading California Passes Law Requiring Data Breach Notification for Stolen Encryption Keys
The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.
Three new laws modify California’s data breach notification statute:
AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new law provides a definition of encryption similar to that used by HIPAA. Notification to consumers is not required if only encrypted data is breached.
SB 570 mandates that data breach notices sent to California residents carry specific titles displayed clearly and conspicuously in the notice, and that the body of the notice be in no smaller than 10-point type. It also provides an optional model form.
Continue reading California Updates Its Data Privacy And Security Laws For 2016
On Saturday, May 9, 2015 a bomb went off at a busy intersection of the affluent Atlanta suburb of Buckhead. Nobody was killed or physically injured, so you probably didn’t read or hear about it with your Sunday morning coffee. But both the FBI and Homeland Security are investigating the incident. The “bomb” has come to be known as the “Buckhead Billboard Bomb.” The incident reflects the ever-growing need for businesses large and small to pay attention to data security.
The Buckhead Billboard Bomb resulted when a hacktivist group calling itself Assange Shuffle Collective accessed a web-connected digital billboard to display an obscene pornographic image to passers-by at the intersection of Peachtree and East Paces Ferry roads. The software running the billboard had no system security in place and, worse yet, a cyber-security expert had warned the company it was vulnerable. The billboard company responded “not interested…” to the expert’s offer to assist.
Continue reading How A Data Breach Led To A ‘Billboard Bomb’
At the White House Summit on Cybersecurity and Consumer Protection at Stanford University on February 13, 2015, President Obama called for a single national data breach standard and for improved information sharing about threats to America’s technology infrastructure between government and the private sector. In the past two months, Congress has responded with multiple bills to address these pressing issues.
First, the Data Security and Breach Notification Act of 2015 was passed by the House Energy and Commerce Committee on April 15, and was sent to the House floor. The Act would set a single national standard for data breach notification that would be enforced by the Federal Trade Commission (“FTC”) and the states’ attorneys general, and would preempt state data security and breach notification statutes. While the Act made it out of committee, the vote was along party lines, including a no vote from the Act’s Democratic co-sponsor.
Continue reading Two Federal Cybersecurity Bills Move Forward
Federal and state privacy and data security laws affect nearly every industry ranging from healthcare providers to financial institutions to start-ups. One federal bill that could bring clarity to varied state laws and regulations is the Data Security and Breach Notification Act of 2015 originally co-sponsored by Representatives Marsha Blackburn (R-TN) and Peter Welch (D-VT). If passed, it will change how companies, non-profit organizations, and common carriers handle data breach notifications from trying to comply with an uneven quilt of state laws to a single, enforceable, uniform standard.
There are two important provisions in this Act. First, this federal law would preempt all existing state data breach notification laws, providing a single uniform rule for what to do when a company discovers a data breach. Second, the rules for data breach notification are well defined for all companies. For example, the bill states what information a company will need to provide in its data breach notice, how notification should happen (even when some of the contact information for data breach victims is outdated), and when it should take place (not later than 30 days after the entity has investigated and secured its system).
Continue reading Feds Attempt To Preempt Conflicting State Laws On Data Breaches
For those who have been following all the failed federal cybersecurity legislation during the last year, it should come as no surprise that President Obama’s Summit on Cybersecurity and Consumer Protection was a call to Congress to act. Not coincidentally, the Summit was held at Stanford University on Friday, February 13, 2015, exactly one year after the National Institute of Standards and Technology published the first version of its Framework for Improving Critical Infrastructure Cybersecurity, and two years after President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to establish the Framework.
The Framework consists of scalable standards, guidelines, and practices to help owners and operators of critical infrastructure to manage cybersecurity-related risk.
Continue reading Obama Brings Cybersecurity Plan To The Bay