In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale and sharing of personal information.

Employee and Business Personal Information

While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature reacted by exempting employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.

The Exemption and its Demise

The broad consensus after the adoption of the CPRA was that the California legislature would extend the exemptions of employee and B2B personal information. While there were a number of attempts to come to an agreement, ultimately, the California Legislature adjourned on August 31, 2022 without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.

Continue reading

Online privacy policies are ubiquitous. Sometimes they are mandated by law – that’s been the case in California for years – and a variety of other states and federal agencies (like the Securities and Exchange Commission) require them as well. As a practical matter, almost every firm that has an online presence has a privacy policy. But it’s not enough to have a privacy policy – the policy has to be “right,” and failing to do that can open a company to liability. At the same time, done correctly, a privacy policy is an important asset.

Privacy Policies as an Asset – or Liability

An accurate and well-written privacy policy can be an important asset to a company. Consumers today, more and more, look for transparency in the vendors they patronize. A privacy policy that is readable and organized benefits a company, not just because it better complies with applicable laws, but also because it reflects the firm’s commitment to accuracy and transparency. A confusing, ill-conceived policy, by contrast, opens up a company to liability, both from consumers and from governmental bodies, who regularly examine privacy policies to confirm that they comply with fair trade practices. Moreover, a privacy policy that doesn’t reflect a company’s actual practices can be used in a data breach to cast blame, and create monetary burden, on a firm.

Recent Privacy Laws Make Privacy Policies More Challenging

The California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), along with similar (but not identical) laws adopted in Connecticut, Virginia, Colorado and Utah) add complexity to the mix. These laws include specific disclosure requirements in connection with the collection of personal information and enumerate rights of consumers, all of which need to be disclosed to the consumer; as a practical matter, a privacy policy is the only effective way of complying. Continue reading

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time the rate, depth, and impact of ransomware, wiperware and data breaches has become more intense and more expensive, and there is no indication that the trend will end soon.

Complying with privacy mandates, and preparing for and defending against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, an enterprise needs to increase its knowledge of key elements in its infrastructure:

See Your Network

Most C-level executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets.

Part of knowing your network also means knowing what is happening on the network. Companies need to know when there is a threat, where it is, and how to contain it. Simply having firewalls and other endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. When a breach is in process, speed is essential.

See Your Data

Surprisingly, many companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. Companies need to know:

  • What data does the company collect?
  • What data does the company need to collect?
  • How does the company collect data – directly from users, clients, and consumers, or through third parties?
  • Where the company stores its data?
  • How does the company use the data it collects – particularly personal information of individuals, including employees?
  • Who has access to the data?

Continue reading

A New Year, A New Challenge

The last two years were busy ones for privacy advocates. In 2020, California voters passed the California Privacy Rights Act (CCPA), a major revision of the California Consumer Privacy Act of 2018; Virginia adopted the Consumer Data Protection Act; and Colorado approved the Colorado Privacy Act. Each of these laws will have an impact in how businesses, particularly those with an online presence (so, virtually all businesses), collect, process and protect personal information.

This is a challenge for any business, even those that have worked to comply with existing laws – the CCPA and the EU’s General Data Protection Regulation – and best practices. It’s not going to become any easier: Florida, Washington, Indiana and the District of Columbia have all introduced consumer data privacy acts, just 10 days into the new year. As we see a proliferation of state laws, combined with the possibility of federal action on the regulatory or legislative front, companies need to adopt a strategy for compliance.

Finding Strategies

We look at all of these developments and try to find the commonalities, as opposed to the differences, to guide our clients toward efficient, cost-effective, and meaningful ways of grappling with the constantly shifting environment. One of the common elements between each of the California, Virginia and Colorado laws, as well as the GDPR and most of the pending proposals, is data minimization. Continue reading

Current information security and risk mitigation approaches are ineffective, and this failure is nowhere more apparent than in critical supply chains – defense, energy, health services, and other key industries. The source of much of the persistent failure to secure supply chains and the success of hackers compromising these vital arteries of commerce is that most organizations do not recognize all of the components and connections that comprise their networks. This blinkered thinking leads to suboptimal measures even when leading information security frameworks are in place. We routinely encounter the following shortcomings in our supply chain security work:

  • 󠄀Inadequate supply chain mapping – Most organizations misperceive or fail to perceive at all the characteristics of their supply chains. As a result, they overlook all kinds of risks and fall prey to hackers regardless of what the organization does to ameliorate risk.
  • 󠄀Failing to test cyber defenses – Many organizations stress security in depth but fall far short on what is, for supply chain purposes, a far more important security element – validation in depth, an all but fatal shortcoming that hackers count on persisting.
  • 󠄀Ignoring OpSec – Organizations place much more emphasis on information security than they do on operational security. This overlooks a multitude of risks associated with their supply chains, one of which is exploits that disrupt operations.
  • 󠄀Focusing on insoluble problems – An organization will never have perfect, if any, visibility into its 3rd and 4th degree of separation vendors. Yet organizations still struggle to find a solution to such problems. But there is no viable solution. Hence, the problem should be viewed not as a problem with a potential solution but rather as an immutable fact, at least for now.
  • 󠄀Expertise Deficit – Current cyber risks are not even remotely aligned with the number of available professionals with the expertise to address these risks. And yet organizations unfairly task their IT groups with responsibility  for supply chain security.

Continue reading

2021 was a challenging year in cybersecurity, and there’s no reason to believe that this will end.  As we approach 2022, all businesses large and small need to address some basic issues that impact the security of their systems. and their customers?

  • Vendors. No company stands alone – they depend on a multitude of vendors and third parties to operate.  These range from point-of-sale systems to HVAC operators to property management systems.  Every vendor that has access to company systems – and it’s surprising how many do – presents a threat.  When they have access to a company’s network, that creates an opening for a bad actor.  Even more, each vendor relies on a variety of vendors themselves, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the company’s network.  And as we’ve discovered from the breaches caused by the highly publicized Solar Winds software and the more recently discovered log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.
  • Internet of Things. Internet of things – the elf on the shelf, alarm systems, internet-enabled heating HVAC, solar panels, and public Wi-Fi systems have long been a soft underbelly of cybersecurity.  In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” (https://techcrunch.com/2021/12/17/security-flaws-wifi-gateway-hundreds-hotel/).  The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; they are then able to use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages.  This is not something unique to hotels – everything that connects to your system is a potential weak spot in cybersecurity.
  • Social Media. Virtually all companies use  social media to promote their businesses and attract customers.  But social media depends on the collection and use of personal information, and that information can make companies a prime target of bad actors.  Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks.  When a threat actor gains access to a network – which could be your network – they can pose an existential threat to a business through ransomware, extortion, denial of service and other attacks.

Continue reading

The Challenge

Complying with the ever-increasing number of privacy laws is a daunting task. In addition to comprehensive state laws, like California’s Consumer Privacy Act (CCPA), Virginia’s Consumer Data Protection Act and the Colorado Privacy Act, there are a multitude of targeted laws on the federal and state level. Other laws to consider include the EU’s General Data Protection Regulation (and corresponding laws in the United Kingdom, Switzerland and a host of other countries); industry specific laws, like the Health Insurance Portability and Protection Act and the Gramm-Leach-Bliley Act; privacy and security standards issued by governmental and industry authorities; and the ever-present risk of individual and class actions that follow a data breach. And the landscape is in constant flux.

Increasing Threats

At the same time, firms are under attack by increasingly sophisticated threat actors. Bad agents have graduated to attack tools that are comparable to nation-state crypto-weapons, and are often sponsored, explicitly or implicitly, by host nations. The availability of malware on the Dark Web, often in the form of software as a service, has increased the number of potential bad actors, as has the increase in the marketplace for stolen information. Phishing expeditions continue, and individuals continue to open emails they should not, visit websites that expose them to hacking, and publish personal information on social media, making them and their companies more vulnerable.

So what is a company to do? Whether a firm seeks to comply with privacy and security laws or face potential sanctions, or to create actual data security, companies are simply not prepared to face the task in full, especially when the demand for competent privacy and security experts far exceeds the supply. Continue reading

Bob Braun was recently quoted in an article distributed by the National Institute of Standards and Technology (NIST), evaluating the organization’s recent publication of a three-part guide to securing guest and credit card data at hotels. “This publication analyzes and addresses the challenges common to almost all hotels in creating secure data systems,” he said. “Hotels would be well-advised to incorporate its recommendations in their information protection protocols.”

The guide, Securing Property Management Systems, uses commercially available technology to implement a range of data security strategies, including zero trust architecture, role-based authentication, and tokenization of credit card data. Hotels are attractive targets for attackers seeking sensitive guest or financial data; one industry report ranked the hospitality industry as the third-most frequently compromised, suffering 13% of all incidents in 2019.

Read the full article here.

All three parts of the guide are available as a downloadable PDF here.

The California Attorney General’s Office has finalized additional regulations implementing the California Consumer Privacy Act of 2018 (the CCPA). The new regulations, found here, are the most recent in a series of regulations that build on the rules last adopted in August 2020. The new regulations have a number of developments that companies doing business in California need to consider:

  • Do Not Sell Button. The regulations introduce, but do not require, the use of a blue opt-out icon designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. While earlier versions of the regulations discussed placement of the icon, the only mandates that remain are that the icon is the same size as others on the web page. Businesses can download the icon here. Importantly, the icon may be used in addition to, but not in place of, the existing do not sell procedures.
  • Ongoing Enforcement. While the Attorney General has not been active in bringing enforcement actions for violations of the CCPA, the Attorney General’s office has actively issued notices to cure violations. The press release accompanying the new regulation notes that there has been “widespread compliance … especially in response to notices to cure.” Last year, Supervising Deputy AG Stacey Schesser told the IAPP, the International Association of Privacy Professionals, that enforcement targeted online businesses that were missing key privacy disclosures or “Do Not Sell” links, and came in response to consumer complaints, including on social media.

    The future of enforcement will depend on a number of factors, including the impact of the newly formed California Privacy Protection Agency and the Governor’s nomination of Rob Bonta as Attorney General to succeed Xavier Becerra, who was recently confirmed as U.S. Secretary of Health and Human Services.

Continue reading

Just as we were getting used to the California Consumer Privacy Act of 2018 (the “CCPA”), Californians voted to approve Proposition 24, the California Privacy Rights Enforcement Act of 2020 (the “CPRA”). For now, the CCPA is still with us – the CPRA becomes effective on January 1, 2023 – but companies that do business in California need to address the new industry requirements, consumer privacy rights, and enforcement mechanisms as far in advance as possible.

The CPRA, like the CCPA, is a consumer-focused law with the goal of expanding consumer knowledge about and control over the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. To that end, the CPRA introduces a new class of information, sensitive personal information. Companies that collect sensitive personal information are required to follow disclosure requirements and implement additional protections and rights for California residents. In order to comply with the new law, a critical first step for businesses is to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

What is sensitive personal information?

The CPRA’s approach to sensitive personal information generally tracks the European Union’s General Data Protection Regulation’s definition of Special Category Data, but adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages. Specifically, the CPRA defines sensitive personal information as:

  • social security, driver’s license, state identification card, or passport number;
  • account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • precise geolocation;
  • racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of a mail, email and text messages;
  • genetic data;
  • biometric information for the purpose of identifying a consumer;
  • personal information collected and analyzed concerning a consumer’s health, sex life or sexual orientation.

Continue reading