<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; California</title>
	<atom:link href="https://privacyriskreport.com/tag/california/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>The Internet Of Things Gets More Dangerous And More Regulated In 2020</title>
		<link>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020</link>
		<comments>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/#comments</comments>
		<pubDate>Mon, 13 Jan 2020 17:08:00 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[California Consumer Privacy Act]]></category>
		<category><![CDATA[California’s Security of Connected Devices]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2005</guid>
		<description><![CDATA[
<p>Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy... <a class="more-link" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">The Internet Of Things Gets More Dangerous And More Regulated In 2020</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/" target="_blank">Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act</a> (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy law. More specifically, in the chaos caused by CCPA compliance, several privacy experts have overlooked California&#8217;s steps to regulate the Internet of Things (&#8220;IoT&#8221;).</p>
<p><strong>THE INTERNET OF THINGS GETS MORE DANGEROUS </strong></p>
<p>While we were all focused on the impending CCPA deadline, we can be forgiven for missing a recent incident where a Ring security camera was hacked to harass a child in her bedroom. <a href="https://www.washingtonpost.com/nation/2019/12/12/she-installed-ring-camera-her-childrens-room-peace-mind-hacker-accessed-it-harassed-her-year-old-daughter/?arc404=true" target="_blank">On December 12, 2019, the Washington Post reported</a> on 8-year-old Alyssa LeMay, who went to her bedroom when she heard music. Once inside her bedroom, the music stopped and a man’s voice said: “Hello there.” The hacked Ring camera allowed the stranger to view Alyssa’s room and speak directly to her. The man also told Alyssa that he was Santa Claus. The remarkable exchange between Alyssa and the stranger allowed the man to use a racial slur with the child and prompt her to misbehave. The video on the Washington Post website has to be watched to be believed and to fully understand the significant danger created by the “Internet of Things” devices. Further, while this incident did not cause long-term damage, it is easy to see the dangers created by these devices in our homes.</p>
<p>This incident with the Ring camera <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">makes parents long for simpler times, such as in December of 2015</a>, when they only needed to worry about pictures and data saved on children’s toys that were breached by a toymaker.</p>
<p><strong>LEGISLATION ADDRESSES THE DANGERS RELATED TO THE INTERNET OF THINGS </strong></p>
<p>While the CCPA deadline was important, <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327" target="_blank">California lawmakers imposed another deadline on January 1, 2020, that requires a manufacturer of a connected device</a>, such as the Ring camera, to take steps that would make IoT devices collect and safely store data. Specifically, the “Security of Connected Devices” law may provide a model for other state and federal laws as IoT devices become more ingrained in our lives. And, while the law may contain several significant holes and only applies to manufacturers, it provides a decent first step in regulating this new technology with the following:</p>
<ul>
<li>First, the new law states that “Manufacturer” “<em>means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device</em>.” This definition will have an immediate impact to the extent this will create more security outside of California as manufacturers bring all devices in compliance with California’s laws rather than lose access to the California market. Therefore, while this law is limited to California, we can expect all IoT devices in all states will get more secure.</li>
</ul>
<ul>
<li>Next, the law requires “<em>[a] manufacturer of a connected device…equip the device with a reasonable security feature or features that are all of the following: (1) Appropriate to the nature and function of the device. (2) Appropriate to the information it may collect, contain, or transmit. (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure</em>.”  Once again, because the California market is so large, we can expect to see all IoT devices integrate “reasonable security features” regardless of whether the device will be sold in California.</li>
</ul>
<ul>
<li>Further, many of the other definitions found in this law are broad and will most likely result in manufacturers increasing security features. For example, the term “connected device” is used in the law to mean “any device, or other physical objects that are capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Therefore, while it is clear that a Ring camera would fall under this law, we may see manufacturers of printers make sure they are in compliance.</li>
</ul>
<ul>
<li>Finally, while the law is broad, it does not create a private cause of action. The California Attorney General will need to enforce this law. Additionally, it is clear that this law is limited to manufacturers and does not apply to individuals that install and use IoT devices.</li>
</ul>
<p><strong>THE INTERNET OF THINGS IS WITH US FOR GOOD</strong></p>
<p>At present, the dangers presented by interconnected devices must be addressed by manufacturers of the products and law enforcement such as the California Attorney General. California’s Security of Connected Devices law does not create a private cause of action. That being said, this technology, and the laws that control the use of this technology, are quickly evolving. In the matter of a few years, we have gone from speculating how these devices could cause harm to seeing children harassed in their own bedrooms. <a href="https://www.economist.com/leaders/2019/09/12/how-the-world-will-change-as-computers-spread-into-everyday-objects" target="_blank">The <em>Economist</em> recently reported</a>: “One forecast is that by 2035 the world will have a trillion connected computers, built into everything from food packaging to bridges and clothes.” (<a href="https://blogs.wsj.com/cio/2020/01/10/the-internet-of-things-is-changing-the-world/" target="_blank">The January 10, 2020 edition of the Wall Street Journal also addresses these issues in great detail</a>.) Based on this significant increase in interconnected devices in both residential and industrial settings, the <em>Economist</em> article concludes: “As a result, a series of unresolved arguments about ownership, data, surveillance, competition and security will spill over from the virtual world into the real one.” Therefore, as these dangers become clear and we see the potential for property damage or bodily injury, we can expect to see state and federal governments step up the regulation of the Internet of Things.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for Nevada alleging one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s confidential and trade secret information and transferred it to third parties. Tesla did not waste any time filing suit as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla still alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and transferring several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of being hired, Tesla had identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. Tripp was angry when he received word that he was transferred to a new role.</p>
<p>By mid-June, Tripp is confronted with evidence that he is the source of a hack at Tesla and admits to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as being still in the early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of fiduciary duty of loyalty. In this claim, Tesla claims Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law which prohibited all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example of how cyber security and privacy violations have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; to Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a> And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk included “oil &amp; gas companies” and “Wall Street short sellers” as being included on this list</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and<em> motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business. The risk of a hack increases with the amount of data stored. Here, there was a need for balance since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that while there may be an opportunity to access data, the employer is willing to entrust the employee with sensitive data.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags.  Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for safeguards that are in place to protect data.  This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</title>
		<link>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data</link>
		<comments>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/#comments</comments>
		<pubDate>Tue, 08 Aug 2017 17:07:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1272</guid>
		<description><![CDATA[
<p>Toymakers have recently received more than their share of scrutiny concerning the collection, storage and breaches of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data... <a class="more-link" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Toymakers have recently received more than their share of scrutiny concerning the <a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">collection</a>, <a href="https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/" target="_blank">storage</a> and <a href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">breaches</a> of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data can be collected in the first place.  <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">A recent lawsuit against The Walt Disney Company</a> and its related companies (&#8220;Disney&#8221;) sheds new light on how companies may be using &#8220;free&#8221; apps to gather data on their youngest customers and how that data can be used.</p>
<p>On August 3, 2017, <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">a class action lawsuit</a> was filed in the United States District Court for the Northern District of California against Disney seeking recovery based on allegations “by parents of children, who while playing online games via smart phone apps, have had their personally identifying information exfiltrated by [Disney], for future commercial exploitation…” (Complaint at ¶1) In particular, the plaintiff, Amanda Rushing (&#8220;Rushing&#8221;), claims her child’s private information was improperly stored as her child used Disney’s app “Princess Palace Pets.” The Class Action Complaint includes claims against the “SDK Defendants” which were the companies that provided their own code to Disney’s apps for use in the games, known as “software development kits.” The Complaint asserts that the SDK Defendants embedded software in Disney&#8217;s gaming apps that allowed for the app users&#8217; personal information to be collected without authorization and &#8220;to facilitate subsequent behavior advertising.” (Complaint at ¶7)</p>
<p>Before the specific allegations against Disney and the SDK Defendants, the Complaint contains a number of allegations against the app and gaming industry in general including that “[m]ost consumers, including parents of children consumers, do not know that apps created for children are engineered to surreptitiously and unlawfully collect the child-users’ personal information, and then exfiltrate that information off the smart device for advertising and commercial purposes.” (Complaint at 16) The plaintiff’s theories underpinning the allegations against Disney include:</p>
<p><em>&#8220;When children are tracked over time across the internet, various activities are linked to a unique and persistent identifier to construct a profile of the user of a given smart device.  Viewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a user, but when linked to other data point about the same user, such as app usage, geographic location (including likely domicile), and internet navigation, it discloses a personal profile that can be exploited in a commercial context.&#8221;</em> (Complaint at ¶22)</p>
<p>The Complaint contains allegations that these actions taken by Disney and the SDK Defendants give rise to a violation of the Children’s Online Privacy Protection Act (“COPPA”). In short, COPPA prohibits gathering personal information of children under the age of 13 “without first obtaining verifiable consent from their parents.” While the plaintiffs acknowledge that COPPA typically protects data more commonly understood to be personal information (names, email addresses, social security numbers, etc.), it also protects against the authorized collection of “persistent identifier[s] that can be used to recognize a user over time and across different Web sites or online services.” (Complaint at ¶28) In short, the Class Action Plaintiff claims the defendants violated COPPA by “incorporating the SDK Defendants’ behavioral advertising SDK’s into their child-directed apps and permitting them to track children by collecting, using, or disclosing their persistent identifiers without verifiable parental consent…&#8221; (Complaint at ¶63)</p>
<p>The Complaint contains two causes of action against the defendants. Under the first cause of action for Intrusion Upon Seclusion, the Plaintiff claims Disney and the other defendants intentionally intruded on Plaintiff’s “solitude, seclusion, or private affairs by intentionally designing the Game Tracking Apps&#8230;to surreptitiously obtain, improperly gain knowledge of, review and/or retain Plaintiffs&#8230;activities through monitoring technologies and activities&#8221; as described in the Class Action Complaint. Under the Plaintiff’s second cause of action entitled California Constitutional Right to Privacy, the Plaintiff claims she and the other class members have “reasonable expectations of privacy in their mobile devices and their online behavior” which Disney and the other defendants “intentionally intruded on.”</p>
<p>While Disney and the defendants have not responded to the allegations in the Complaint, <a href="http://www.hollywoodreporter.com/thr-esq/disney-accused-illegally-tracking-children-apps-new-lawsuit-1026881" target="_blank"><em>The Hollywood Reporter</em> reports that it received a statement from Disney related to the lawsuit indicating that it is taking the position that: “<em>Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court</em>.”</a></p>
<p>Of course, it is still early in this litigation and it may be years before we see whether the Class Action Plaintiffs&#8217; allegations have merit.  Nevertheless, the Class Action Complaint is clear that even if something is being given away for free (in this case apps based on Disney characters), people still expect to control their personal information.  As this area of the law continues to develop, data collectors must consider more than whether they have the proper safeguards in place to protect data from a breach.  Rather, data collectors must consider whether they have permission to collect data in the first place.  This case provides another example of a party claiming to be injured without their information being breached, and it raises the question of what harm, if any, results from the unauthorized collection of data.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us" target="_blank">click here to contact a Tressler attorney.</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Step By Step Analysis of a Response to Recent Ransomware Attack</title>
		<link>https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=step-by-step-analysis-of-a-response-to-recent-ransomware-attack</link>
		<comments>https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/#comments</comments>
		<pubDate>Thu, 18 Aug 2016 21:10:14 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[ransomware]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=898</guid>
		<description><![CDATA[
<p>Ransomware attacks are on the rise and appear to be a long-term problem. For example, last February in California, the Orange County Transportation Authority (OCTA) suffered a ransomware attack that shut down a number of its computers, causing more than... <a class="more-link" href="https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/">Step By Step Analysis of a Response to Recent Ransomware Attack</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Ransomware attacks are on the rise and appear to be a long-term problem. For example, last February in California, the Orange County Transportation Authority (OCTA) suffered a ransomware attack that shut down a number of its computers, causing more than $600,000 in damages. Specifically, the OCTA reportedly paid nearly <a href="http://www.ocregister.com/articles/octa-724714-system-cost.html" target="_blank">$330,000 in labor costs and $218,000 for emergency contracts</a> for technical assistance with the incident. The attack is said to have <a href="https://voiceofoc.org/2016/08/transportation-authority-kept-secret-cyber-attack-that-cost-600000/" target="_blank">cut off access to 88 OCTA servers</a> that limited access to a number of programs including e-mail, voicemail, intranet, employee assignments and payroll. Rather than pay the requested $8,500 ransom, OCTA worked for days to restore the servers, find the malware and secure the servers against future attacks. OCTA officers stated that services were uninterrupted and no credit card or other personal information was compromised during the attack. This ransomware attack and the OCTA response provide a great opportunity to analyze the response in the hours, days and months after a ransomware attack.</p>
<p><strong>Hours After Cyber Attack: Pay $8,500 Ransom or $600,000 to Fight the Hackers</strong></p>
<p>In defending the decision to not pay the ransom, the OCTA spokesperson stated, “[t]he FBI opposes paying ransom for cyber attacks, and so does [the Transportation Authority]. If we pay ransom to a criminal, there is no guarantee that our servers would be released, and the agency would likely be a target again because the attackers know they pay up.&#8221;</p>
<p>Regardless of whether this decision was correct or not, it&#8217;s clear that victims will have to make the tough decision on whether to pay the ransom or fight their attackers in the first few hours after an attack. While there is no information about when OCTA made this decision, the best strategy includes considering the potential for an attack and having a plan prior to an attack. Here, OCTA adopted a philosophy not to pay the ransom. While there are valid arguments for both approaches, there is no question that the best time to make this decision is before a ransomware attack.</p>
<p><strong>Days After Cyber Attack: Violation of California’s Open Meetings Law?</strong></p>
<p>Since the attack, people have started to question whether OCTA complied with California’s Open Meetings Law, which requires governmental entities to make information available to the public. The OCTA’s board members were not notified about the attack until it had been resolved and the public received no information beyond statements that OCTA was experiencing technical problems. Now that the attack has been disclosed, some opponents are questioning the OCTA’s $218,000 payment for security because it “was not on the agenda and it was authorized in an unlawful closed session.” The OCTA spokesperson reasoned that, “[t]he last thing we want to do is make a public announcement…why would you let people know that your systems are compromised? It would invite, potentially, other people to hit you.”</p>
<p>In the days after a cyber attack, the key for any organization will be to determine its obligations under various state and federal laws. One important question will be whether the private information of others was compromised in the attack. In this situation, OCTA stated “…in this crime against OCTA, information wasn’t lost or stolen and service wasn’t disrupted. If that had been the case, those impacted would have been notified…”</p>
<p>Therefore, the ransomware incident at OCTA demonstrates that different types of cyber crimes will give rise to different obligations for the victim. Further, this attack demonstrates how important it is for an organization to consider all the various local, state and federal regulations that may apply in a given scenario before an incident occurs.</p>
<p><strong>Months After Cyber Attack: Providing Notice and Protecting Against Future Attacks</strong></p>
<p>The OCTA ransomware incident was not publicly disclosed until the first week of August, nearly six months after the incident. While OCTA claims it waited to disclose this incident until it was certain that its systems were safe from further attacks, there is growing concern that a number of cyber incidents are not being reported for reasons other than safety. In fact, there may be a number of reasons to not disclose an incident. For example, there is significant evidence <a href="https://privacyriskreport.com/nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance/" target="_blank">that the underreporting </a>of these incidents by government and corporate leaders comes from their worry about the impact an incident could have on their careers. Also, the risk that an entity’s reputation will be tarnished is another reason cyber incidents go unreported.</p>
<p>In the end, it is easy to second guess some of OCTA’s decisions in the time after the ransomware attack; anyone responsible for cyber security should assume their actions will be questioned after a cyber incident. However, the best way to survive this scrutiny is to consider as many cyber security issues as possible before an incident ever happens.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/">Step By Step Analysis of a Response to Recent Ransomware Attack</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anatomy of a Cyber Fraud Incident: Recent Fraud Impacts Company’s Bottom Line Within a Few Weeks</title>
		<link>https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks</link>
		<comments>https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/#comments</comments>
		<pubDate>Wed, 10 Feb 2016 22:35:14 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=603</guid>
		<description><![CDATA[
<p>Cyber incidents are an unfortunate common occurrence in today’s marketplace and can negatively impact a company’s bottom line. A recent cyber incident shows just how quickly that can happen. In January 2016, there were a number of reports concerning a cyber... <a class="more-link" href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/">Anatomy of a Cyber Fraud Incident: Recent Fraud Impacts Company’s Bottom Line Within a Few Weeks</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cyber incidents are an unfortunate common occurrence in today’s marketplace and can negatively impact a company’s bottom line. A recent cyber incident shows just how quickly that can happen. In January 2016, there were a number of reports concerning a <a href="http://www.scmagazine.com/facc-ag-belgian-bank-fall-victim-to-bec/article/467260/">cyber incident at FACC AG</a>, an Austrian airplane component maker, that resulted in damages exceeding $50 million. Specifically, it appears FACC AG’s accounting department fell prey to a Business E-mail Compromise (BEC) scam.</p>
<p>The BEC scam targets businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. FACC AG moved quickly and by January 20, 2016, had already provided the following information related to the incident <a href="http://www.facc.com/en/News/News-Press/EANS-Adhoc-FACC-AG-FACC-AG-Victim-of-cybercriminal-activities">on its website</a>:</p>
<p style="padding-left: 30px;"><em>On January 19, 2016, FACC AG announced that it became a victim of fraudulent activities involving communication- and information technologies. To the current state of the forensic and criminal investigations, the financial accounting department of FACC Operations GmbH was the target of cyber fraud. FACC&#8217;s IT infrastructure, data security, IP rights as well as the operational business of the group are not affected by the criminal activities. The damage is an outflow of approx. EUR 50 mio of liquid funds</em>.</p>
<p>A few weeks later <a href="http://www.facc.com/en/Investor-Relations/Reports">FACC AG’s quarterly financial report for Q3</a> addressed its loss related to this scam as follows:</p>
<p style="padding-left: 30px;"><em>…The management board has taken immediate structural measures and is evaluating damages and insurance claims. All production- and engineering units operate in an unaffected and normal way. An economic threat to company concerning liquidity does not exist. The management board will decide on further actions after the outcome of the forensic investigations is available.</em></p>
<p>Since the fraud, FACC AG’s share price has <a href="http://www.computerweekly.com/news/4500271523/54m-cyber-fraud-hits-aircraft-supplier-share-price">reportedly fallen nearly 17%</a> in response to news that it fell victim to a BEC scam.</p>
<p>While it may have been too late to save FACC AG, on January 22, 2016, the <a href="https://www.ic3.gov/media/2015/150122.aspx">FBI issued a Public Service Announcement</a> describing BEC scams in greater detail and providing suggestions to protect against these scams. Additionally, the FBI PSA provided a number of suggestions to limit information used in these scams, including avoiding free web-based e-mail, monitoring social media and company websites, and being aware of any business contacts making sudden changes in their business practices.</p>
<p>This incident at FACC AG demonstrates that cyber security and cyber insurance are necessities rather than luxuries. The value of cyber security and insurance will become better understood as we see more examples of cyber incidents having an immediate negative impact on the value of a company. Further, it still remains to be seen what impact this incident will have on FACC AG&#8217;s relationship with its customers.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/">Anatomy of a Cyber Fraud Incident: Recent Fraud Impacts Company’s Bottom Line Within a Few Weeks</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Risk: Hackers May Score Big at Super Bowl</title>
		<link>https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-risk-hackers-may-score-big-at-super-bowl</link>
		<comments>https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/#comments</comments>
		<pubDate>Wed, 03 Feb 2016 19:17:40 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[football]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[silicon valley]]></category>
		<category><![CDATA[stadiums]]></category>
		<category><![CDATA[super bowl]]></category>
		<category><![CDATA[super bowl 50]]></category>
		<category><![CDATA[wi fi]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=594</guid>
		<description><![CDATA[
<p>Super Bowl 50 kicks off this Sunday, February 7 at Levi’s Stadium, Silicon Valley&#8217;s high-tech stadium in Santa Clara, CA. Super Bowl fans will be pleasantly surprised to find they are able to tweet, text and e-mail without any problems,... <a class="more-link" href="https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/">Cyber Risk: Hackers May Score Big at Super Bowl</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Super Bowl 50 kicks off this Sunday, February 7 at Levi’s Stadium, Silicon Valley&#8217;s high-tech stadium in Santa Clara, CA. Super Bowl fans will be pleasantly surprised to find they are able to tweet, text and e-mail without any problems, thanks to the 13,000 Wi-Fi access points throughout the stadium, ensuring no fan is more than 10 feet away from Wi-Fi.</p>
<p>While Wi-Fi access won&#8217;t be a problem, security risks created by the number of high-value targets using the wireless network might be. <em>The Atlantic</em> <a href="http://www.theatlantic.com/technology/archive/2016/02/silicon-valleys-high-tech-super-bowl-stadium-could-be-a-target-for-hackers/434673/">reports</a>  “[t]he stadium is likely to be packed with wealthy corporate executives and sponsors, politicians, and celebrities, many of whom carry around mobile devices brimming with sensitive information and valuable contacts.” Based on discussions with Carl Herberger, a security expert, <em>The Atlantic</em> describes the threat as follows:</p>
<p style="padding-left: 30px;"><em>Herberger estimates that between fans’ mobile devices and the stadium’s built-in connections, there will be somewhere around 100,000 devices connected to the stadium this weekend. In one potential attack, hackers could infiltrate attendees’ phones through a security hole in stadium infrastructure—its wi-fi network, for example, or its official app. By infecting a large group of devices, the hacker could establish a botnet, a network of connected devices that work together to complete larger-scale attacks like sending spam or flooding a server with requests in a denial-of-service attack. The huge network “becomes a gigantic single point of failure, like the Death Star, for a bot,” Herberger said. “It’s a nice, juicy target to conscribe into your botted army.”</em></p>
<p>Security experts also warn fans that hackers could trick them into connecting to the wrong wireless network “[b]ut once they’re on the network, a man-in-the-middle attack can intercept unencrypted web traffic, or inject malicious code and infect the connected device.&#8221;</p>
<p>These security concerns come on the heels of investigations of attacks on fiber optic cable systems in the Bay Area that have been thought to be connected to a <a href="http://www.nbcwashington.com/investigations/Super-Bowl-security-Question-If-Fiber-Optics-Attack-Connected-to-Plot-365651251.html" target="_blank">&#8220;more complex plot against the game.”</a> Further, CBS San Francisco reports the <a href="http://www.cbsnews.com/news/super-bowl-50-cyber-threat-free-open-wi-fi-could-be-risky/" target="_blank">FBI has issued a warning</a> regarding a Wi-Fi hack at the Super Bowl. While no specific threat has been identified, the FBI, in collaboration with the Northern California Intelligence Center, states they expect cyber criminals will try to take advantage of these targets collected at the Super Bowl.</p>
<p>These concerns demonstrate that cyber security should be a priority for business owners regardless of safeguards they have put in place and further stress the importance of cyber insurance. Businesses must be cognizant of the fact that even with cutting edge safeguards in place, employees will connect company devices to Wi-Fi in airports, hotels or, if they are lucky enough, the Super Bowl. While businesses cannot control the networks employees are using in public, businesses can obtain cyber insurance for any incident caused inside or outside the walls of their facilities.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/">Cyber Risk: Hackers May Score Big at Super Bowl</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Court Dismisses Data Breach Class Action on 12(b)(1) Standing Grounds</title>
		<link>https://privacyriskreport.com/another-court-dismisses-data-breach-class-action-on-12b1-standing-grounds/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=another-court-dismisses-data-breach-class-action-on-12b1-standing-grounds</link>
		<comments>https://privacyriskreport.com/another-court-dismisses-data-breach-class-action-on-12b1-standing-grounds/#comments</comments>
		<pubDate>Fri, 20 Feb 2015 20:08:42 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[medical information]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[Texas]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=53</guid>
		<description><![CDATA[
<p>In a case of first impression within the Fifth Circuit, a district court has dismissed a putative class action complaint brought after a data breach against one of the larger health organizations operating in California and Texas. In Peters v. St.... <a class="more-link" href="https://privacyriskreport.com/another-court-dismisses-data-breach-class-action-on-12b1-standing-grounds/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>In a case of first impression within the Fifth Circuit, a district court has dismissed a putative class action complaint brought after a data breach against one of the larger health organizations operating in California and Texas. In <a href="http://www.privacyriskreport.com/wp-content/uploads/2015/02/peters-v-st-joseph.pdf"><em>Peters v. St. Joseph Services Corp.</em></a>, the District Court for the Southern District of Texas dismissed plaintiff’s claims upon a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.</p>
<p>Plaintiff Beverly Peters alleged that hackers had accessed and stolen her information after breaching St. Joseph Health Systems’ data network. Peters alleged that someone had attempted – albeit unsuccessfully – to make purchases on her Discover card and had attempted to access her Amazon account using a family member’s name. Peters claimed these incidents as evidence that she was at an increased risk of imminent harm stemming from the breach. In dismissing the complaint for lack of standing, the court joined the Third Circuit, as well as district courts in Ohio, New Jersey, and the District of Columbia, in finding that Peters’ allegations of an increased risk of future identity theft and fraud were insufficient to survive a motion to dismiss. “‘Unless and until these conjectures become true’ … Peters’ alleged future injuries are speculative – even hypothetical – but certainly not imminent.” The decision relied upon the Supreme Court’s 2013 opinion in <a href="http://www.privacyriskreport.com/wp-content/uploads/2015/02/11-1025.pdf"><em>Clapper v. Amnesty International</em></a> in finding that the mere increased risk of future harm does not confer Article III standing. In doing so, the Southern District of Texas argued that the <em>Clapper</em> decision had “arguably resolved the circuit split” as to whether allegations of risk of future harm were sufficient to confer standing in data breach cases.</p>
<p>Despite the <a href="http://www.privacyriskreport.com/wp-content/uploads/2015/02/peters-v-st-joseph.pdf">court’s opinion</a> that <em>Clapper</em> has resolved the circuit split over standing in data breach lawsuits, there remains significant division among circuit courts (and even, post-<em>Clapper</em>, among district courts within the same circuit) as to whether an alleged increased risk of future harm stemming from a data breach constitutes imminent injury under Article III. While the Seventh and Ninth Circuits held that such allegations were sufficient to confer standing, both decisions were issued prior to <em>Clapper</em> and district courts within those circuits have decided the issue both ways since the Supreme Court’s opinion. What does appear clear is that plaintiffs in data breach cases face a significant hurdle in a motion to dismiss for lack of standing in the wake of <em>Clapper</em>, and that absent allegations of actual harm already suffered (rather than an increased risk of harm), defendants stand a good chance of dismissing class actions at an early stage.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/another-court-dismisses-data-breach-class-action-on-12b1-standing-grounds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>California Attorney General Provides Sage Advice Regarding Data Breach Protection</title>
		<link>https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=california-attorney-general-provides-sage-advice-regarding-data-breach-protection</link>
		<comments>https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/#comments</comments>
		<pubDate>Wed, 05 Nov 2014 19:38:12 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=151</guid>
		<description><![CDATA[
<p>In a recent interview, California Attorney General Kamala D. Harris quoted the following statistics from her “California Data Breach Report,” published in October: In 2013, there were more than 167 data breaches reported in California. This represents an increase of 28% from... <a class="more-link" href="https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>In a <a href="http://bits.blogs.nytimes.com/2014/10/28/report-analyzes-extent-of-data-breaches-in-california/?_r=0" target="_blank">recent interview</a>, California Attorney General Kamala D. Harris quoted the following statistics from her “<a href="http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?" target="_blank">California Data Breach Report</a>,” published in October:</p>
<ul>
<li>In 2013, there were more than 167 data breaches reported in California. This represents an increase of 28% from the 131 data breaches reported in 2012.</li>
<li>The majority of these breaches involved malware and hacking, while a minority of the breaches resulted from the physical loss of a device.</li>
<li>The retail industry was the biggest target for hackers with financial institutions running a close second.</li>
<li>Social Security numbers were the most frequently compromised piece of personal information.</li>
</ul>
<p><a href="http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?" target="_blank">The Report</a> also includes the following recommendations for data storage:</p>
<ul>
<li>Update point-of-sale terminals and necessary software to include chip-enabled technology.</li>
<li>Encrypt payment card data in order to make information less valuable to hackers.</li>
<li>Respond promptly to data breaches and notify affected individuals in the most expedient time possible.</li>
</ul>
<p>This <a href="http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?" target="_blank">Report</a> and the Attorney General’s comments are further evidence that companies may face liability if they have a data breach while using an antiquated storage system. While the costs to protect private information may be difficult to initially justify to a company’s bottom line, we are fast approaching a time where it may be more expensive to use an old, insecure data storage system in the long run. A number of states are already considering legislation which will make new safeguards mandatory. Moreover, companies may face additional liability if a data breach occurs at a point when a company has failed to make basic upgrades to its system.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mark Your Calendars: California’s Amended Data Breach Law Will Take Effect in 2015</title>
		<link>https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015</link>
		<comments>https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/#comments</comments>
		<pubDate>Tue, 14 Oct 2014 16:04:45 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=189</guid>
		<description><![CDATA[
<p>On September 30, 2014, California passed Assembly Bill 1710 which will create two major changes related to breaches involving the private data of California residents when it comes into effect on January 1, 2015. First, the amended data breach law will expand... <a class="more-link" href="https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On September 30, 2014, California passed <a href="http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB1710" target="_blank">Assembly Bill 1710</a> which will create two major changes related to breaches involving the private data of California residents when it comes into effect on January 1, 2015.</p>
<p>First, the amended data breach law will expand the scope of the entities subject to the law. California’s existing data breach law requires entities that <em>own</em> or <em>license</em> personal information to implement and maintain security procedures to protect that information. Assembly Bill 1710 expands this requirement to include any entity that <em>maintains</em> personal information concerning a California resident. The amendment of the current law may include entities that store information on cloud servers. While the current version of the bill imposes notification requirements on entities that own or license personal information, the amended bill will not require an entity that maintains personal information to notify those individuals involved in a breach.</p>
<p>Second, the amended bill changes the obligations related to notification of a breach. Previously, an entity that owns or licenses private information was required to issue a notification of the breach. Under the amended bill, an entity that owns or licenses private information must “provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information.”</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
