A New Year, A New Challenge

The last two years were busy ones for privacy advocates. In 2020, California voters passed the California Privacy Rights Act (CCPA), a major revision of the California Consumer Privacy Act of 2018; Virginia adopted the Consumer Data Protection Act; and Colorado approved the Colorado Privacy Act. Each of these laws will have an impact in how businesses, particularly those with an online presence (so, virtually all businesses), collect, process and protect personal information.

This is a challenge for any business, even those that have worked to comply with existing laws – the CCPA and the EU’s General Data Protection Regulation – and best practices. It’s not going to become any easier: Florida, Washington, Indiana and the District of Columbia have all introduced consumer data privacy acts, just 10 days into the new year. As we see a proliferation of state laws, combined with the possibility of federal action on the regulatory or legislative front, companies need to adopt a strategy for compliance.

Finding Strategies

We look at all of these developments and try to find the commonalities, as opposed to the differences, to guide our clients toward efficient, cost-effective, and meaningful ways of grappling with the constantly shifting environment. One of the common elements between each of the California, Virginia and Colorado laws, as well as the GDPR and most of the pending proposals, is data minimization. Continue reading

Current information security and risk mitigation approaches are ineffective, and this failure is nowhere more apparent than in critical supply chains – defense, energy, health services, and other key industries. The source of much of the persistent failure to secure supply chains and the success of hackers compromising these vital arteries of commerce is that most organizations do not recognize all of the components and connections that comprise their networks. This blinkered thinking leads to suboptimal measures even when leading information security frameworks are in place. We routinely encounter the following shortcomings in our supply chain security work:

  • 󠄀Inadequate supply chain mapping – Most organizations misperceive or fail to perceive at all the characteristics of their supply chains. As a result, they overlook all kinds of risks and fall prey to hackers regardless of what the organization does to ameliorate risk.
  • 󠄀Failing to test cyber defenses – Many organizations stress security in depth but fall far short on what is, for supply chain purposes, a far more important security element – validation in depth, an all but fatal shortcoming that hackers count on persisting.
  • 󠄀Ignoring OpSec – Organizations place much more emphasis on information security than they do on operational security. This overlooks a multitude of risks associated with their supply chains, one of which is exploits that disrupt operations.
  • 󠄀Focusing on insoluble problems – An organization will never have perfect, if any, visibility into its 3rd and 4th degree of separation vendors. Yet organizations still struggle to find a solution to such problems. But there is no viable solution. Hence, the problem should be viewed not as a problem with a potential solution but rather as an immutable fact, at least for now.
  • 󠄀Expertise Deficit – Current cyber risks are not even remotely aligned with the number of available professionals with the expertise to address these risks. And yet organizations unfairly task their IT groups with responsibility  for supply chain security.

Continue reading

2021 was a challenging year in cybersecurity, and there’s no reason to believe that this will end.  As we approach 2022, all businesses large and small need to address some basic issues that impact the security of their systems. and their customers?

  • Vendors. No company stands alone – they depend on a multitude of vendors and third parties to operate.  These range from point-of-sale systems to HVAC operators to property management systems.  Every vendor that has access to company systems – and it’s surprising how many do – presents a threat.  When they have access to a company’s network, that creates an opening for a bad actor.  Even more, each vendor relies on a variety of vendors themselves, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the company’s network.  And as we’ve discovered from the breaches caused by the highly publicized Solar Winds software and the more recently discovered log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.
  • Internet of Things. Internet of things – the elf on the shelf, alarm systems, internet-enabled heating HVAC, solar panels, and public Wi-Fi systems have long been a soft underbelly of cybersecurity.  In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” (https://techcrunch.com/2021/12/17/security-flaws-wifi-gateway-hundreds-hotel/).  The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; they are then able to use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages.  This is not something unique to hotels – everything that connects to your system is a potential weak spot in cybersecurity.
  • Social Media. Virtually all companies use  social media to promote their businesses and attract customers.  But social media depends on the collection and use of personal information, and that information can make companies a prime target of bad actors.  Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks.  When a threat actor gains access to a network – which could be your network – they can pose an existential threat to a business through ransomware, extortion, denial of service and other attacks.

Continue reading

The Challenge

Complying with the ever-increasing number of privacy laws is a daunting task. In addition to comprehensive state laws, like California’s Consumer Privacy Act (CCPA), Virginia’s Consumer Data Protection Act and the Colorado Privacy Act, there are a multitude of targeted laws on the federal and state level. Other laws to consider include the EU’s General Data Protection Regulation (and corresponding laws in the United Kingdom, Switzerland and a host of other countries); industry specific laws, like the Health Insurance Portability and Protection Act and the Gramm-Leach-Bliley Act; privacy and security standards issued by governmental and industry authorities; and the ever-present risk of individual and class actions that follow a data breach. And the landscape is in constant flux.

Increasing Threats

At the same time, firms are under attack by increasingly sophisticated threat actors. Bad agents have graduated to attack tools that are comparable to nation-state crypto-weapons, and are often sponsored, explicitly or implicitly, by host nations. The availability of malware on the Dark Web, often in the form of software as a service, has increased the number of potential bad actors, as has the increase in the marketplace for stolen information. Phishing expeditions continue, and individuals continue to open emails they should not, visit websites that expose them to hacking, and publish personal information on social media, making them and their companies more vulnerable.

So what is a company to do? Whether a firm seeks to comply with privacy and security laws or face potential sanctions, or to create actual data security, companies are simply not prepared to face the task in full, especially when the demand for competent privacy and security experts far exceeds the supply. Continue reading

Bob Braun was recently quoted in an article distributed by the National Institute of Standards and Technology (NIST), evaluating the organization’s recent publication of a three-part guide to securing guest and credit card data at hotels. “This publication analyzes and addresses the challenges common to almost all hotels in creating secure data systems,” he said. “Hotels would be well-advised to incorporate its recommendations in their information protection protocols.”

The guide, Securing Property Management Systems, uses commercially available technology to implement a range of data security strategies, including zero trust architecture, role-based authentication, and tokenization of credit card data. Hotels are attractive targets for attackers seeking sensitive guest or financial data; one industry report ranked the hospitality industry as the third-most frequently compromised, suffering 13% of all incidents in 2019.

Read the full article here.

All three parts of the guide are available as a downloadable PDF here.

The California Attorney General’s Office has finalized additional regulations implementing the California Consumer Privacy Act of 2018 (the CCPA). The new regulations, found here, are the most recent in a series of regulations that build on the rules last adopted in August 2020. The new regulations have a number of developments that companies doing business in California need to consider:

  • Do Not Sell Button. The regulations introduce, but do not require, the use of a blue opt-out icon designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. While earlier versions of the regulations discussed placement of the icon, the only mandates that remain are that the icon is the same size as others on the web page. Businesses can download the icon here. Importantly, the icon may be used in addition to, but not in place of, the existing do not sell procedures.
  • Ongoing Enforcement. While the Attorney General has not been active in bringing enforcement actions for violations of the CCPA, the Attorney General’s office has actively issued notices to cure violations. The press release accompanying the new regulation notes that there has been “widespread compliance … especially in response to notices to cure.” Last year, Supervising Deputy AG Stacey Schesser told the IAPP, the International Association of Privacy Professionals, that enforcement targeted online businesses that were missing key privacy disclosures or “Do Not Sell” links, and came in response to consumer complaints, including on social media.

    The future of enforcement will depend on a number of factors, including the impact of the newly formed California Privacy Protection Agency and the Governor’s nomination of Rob Bonta as Attorney General to succeed Xavier Becerra, who was recently confirmed as U.S. Secretary of Health and Human Services.

Continue reading

Just as we were getting used to the California Consumer Privacy Act of 2018 (the “CCPA”), Californians voted to approve Proposition 24, the California Privacy Rights Enforcement Act of 2020 (the “CPRA”). For now, the CCPA is still with us – the CPRA becomes effective on January 1, 2023 – but companies that do business in California need to address the new industry requirements, consumer privacy rights, and enforcement mechanisms as far in advance as possible.

The CPRA, like the CCPA, is a consumer-focused law with the goal of expanding consumer knowledge about and control over the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. To that end, the CPRA introduces a new class of information, sensitive personal information. Companies that collect sensitive personal information are required to follow disclosure requirements and implement additional protections and rights for California residents. In order to comply with the new law, a critical first step for businesses is to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

What is sensitive personal information?

The CPRA’s approach to sensitive personal information generally tracks the European Union’s General Data Protection Regulation’s definition of Special Category Data, but adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages. Specifically, the CPRA defines sensitive personal information as:

  • social security, driver’s license, state identification card, or passport number;
  • account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • precise geolocation;
  • racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of a mail, email and text messages;
  • genetic data;
  • biometric information for the purpose of identifying a consumer;
  • personal information collected and analyzed concerning a consumer’s health, sex life or sexual orientation.

Continue reading

LOS ANGELES—Jeffer Mangels Butler & Mitchell LLP (JMBM) is pleased to announce that Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, has been recognized by the Daily Journal as one of California’s Top Cyber Lawyers.

As reported by the Daily Journal, his clients include companies that operate within large and complex data environments, particularly those with international operations and regulatory challenges.

In the Daily Journal’s profile, Gold said:

“Threats and exploits and hacks are existential problems for companies when they lead to lawsuits and regulatory investigations. Nobody takes this lightly, and part of my job is to help clients see a path forward.”

Read the full profile here.

Gold has been recognized as one of the “Most Influential Lawyers: Digital Media and E-Commerce Law” by the Los Angeles Business Journal, has been designated a “Top Rated Lawyer in Technology Law” by Martindale Hubbell, and was listed in the Daily Journal’s Top 20 Cyber – Artificial Intelligence Lawyers” in 2018. He is the co-publisher of the blog, Cybersecurity Lawyer Forum, a resource for lawyers, executives, boards of directors and IT professionals.

“Michael remains on the forefront of the dynamic cyber and technology issues that continue to impact businesses worldwide,” said Bruce Jeffer, JMBM’s managing partner. “He is a tremendous asset to our clients and to our firm.”

Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”) isn’t one of them. The California electorate approved Proposition 24 by a comfortable margin – 56% of Californians voted in favor.

Like its predecessor the California Consumer Privacy Act of 2018 (the “CCPA”), the impact of the CPRA won’t be felt immediately. It goes into effect on January 1, 2023, and many of its provisions are unclear and will require study. But all businesses that have a presence in California will need to consider its requirements, and given the scope of the law, addressing its requirements early will be essential.

New Sheriff in Town

Perhaps the most significant development in the CPRA is the establishment of a new agency, the California Privacy Protection Agency, dedicated to handling enforcement and compliance with privacy regulations. This makes California the first state with an agency focused solely on enforcing privacy laws. This new agency will replace the California Attorney General in interpreting and enforcing the CCPA. The ultimate impact of the agency will develop as its members are selected and interpret its mandate, but it is clear from the CPRA that it has broad authority to bring civil and criminal actions.

Select Key Provisions

The CPRA is not an entirely new law – it is an extension and modification of the CCPA. It adds a number of new definitions and provisions that, in some cases, extend the scope of the CCPA and, in other cases, clarify the requirements of the CCPA. The result is that companies that already comply with the CCPA will need to revisit their policies and procedures to ensure compliance with the CPRA. Key provisions include:

  • Sensitive Data. The CPRA adds a definition of “sensitive data,” which includes government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation, and allows consumers the ability to limit the use and disclosure of sensitive data.
  • Data Breach Liability. The liability for data breaches under the CCPA has been expanded to include a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. These kinds of breaches are common and raise the stakes for companies doing business in California. The CPRA also eliminates the 30-day cure period for bringing private actions – something that was more confusing than effective.
  • Annual Audits and Risk Assessments. Under regulations to be adopted by the new Agency, businesses that undertake high-risk processing will be required to have annual audits and regular risk assessments. In particular, such regulations would require businesses whose processing presents significant risks to consumer privacy or security to perform a thorough and independent cybersecurity audit annually.
  • Automated Processing Limitations. A new concept of “profiling” has been added to the CCPA, consisting of “any form of automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” The Privacy Agency is required to develop regulations addressing access and opt-out rights for this kind of technology, similar to the requirements of the EU’s General Data Protection Regulation.
  • Right to Correct Inaccurate Data. The CPRA adds the right to correct consumer data to the existing rights of notice and deletion.
  • Limits on Sharing Personal Information. In addition to restrictions on the sale of personal information, the CPRA extends many of those limits to the “sharing” of personal information. This change will expand the obligations of companies to comply with opt-out and similar requests.
  • Data Minimization. Similar to the GDPR, the CPRA adds concepts of data minimization, requiring companies to limit the personal information they collect to the type of information that is necessary for their operations, and to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
  • Service Providers, Contractors and Third Parties. The CPRA places new contractual and direct obligations on service providers, contractors and third parties. In particular, the CPRA adds and revises existing definitions in the CCPA, and adds a new definition for contractors, which focuses on the business providing data pursuant to a written contract, prohibiting the contractor from sharing or selling the personal data, processing it for any purposes other than those specified in the contract or combining it with data received or collected through other means, with some limited exceptions. Moreover, the CPRA contractually extends the data protection obligations of the act to service providers, contractors and third parties, and requires service providers and contractors to cooperate with and assist businesses in providing requested personal information in response to consumer requests, and complying with correction or deletion requests. As we learned from the CCPA, an effective date in two years is a short time when it comes to compliance with complex privacy laws. Companies that have taken steps to comply with the CCPA will need to take concrete steps to comply with the CPRA, including:

Continue reading

Are your cybersecurity management practices reasonable? Do you know your risk tolerance? Are you covering all the cybersecurity bases that make up reasonable cybersecurity?

The California Consumer Privacy Act (CCPA) and other emerging laws require organizations to have “reasonable cybersecurity practices.” The challenge is that there is no accepted definition of exactly what “reasonable” means.

Addressing this challenge, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, will participate as a panelist for the online interactive program Cybersecure LA2020: A Reasonable Approach to Reasonable Security sponsored by SecureTheVillage.

There is no one size fits all: Whatever “reasonable” is to mean, it must – at the very least – take into account the particular circumstances of the organization and the information it possesses. It would clearly be unreasonable, for example, to hold a small manufacturing company or nonprofit to the same standard as a large bank.

Join SecureTheVillage at CybersecureLA 2020 and learn how to think through your organization’s particular cybersecurity and privacy circumstances … the information you must protect … the laws and regulations governing protection … your own corporate risk-tolerance … and integrate these together into an information security management program that’s reasonable for your organization.

Register Now

Date:   Wednesday, October 28th

Time:   2:30 – 5:00 pm Pacific Time

Who should attend:  Board members. C-Level Executives. CFOs, Chief Risk Officers, Chief Information Security Officers. Anyone in the organization with management responsibility for information security. Trusted advisors.

Learn by doing: CybersecureLA 2020 is organized as an interactive workshop, taking advantage of online event capabilities including small group discussion, polls, surveys, and interactive Q&A.

You will learn to:

  1. Identify your cyber-risk exposure
  2. Explore your cyber-risk tolerance
  3. Know the key elements of reasonable cybersecurity
  4. Leave with a well-defined process to follow in identifying what reasonable security is for your organization.

Register Now For This Informative Program

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

About JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.