Photo of Nathan D. Taylor

The California Attorney General continued its series of public forums regarding the California Consumer Privacy Act (CCPA), with forums last week in Riverside (January 24, 2019) and
Los Angeles (January 25, 2019). As in the previous forums, there were a significant number of attendees, but few elected to speak publicly regarding their views on the Act. You can read our reports on the public forums held earlier this month in San Francisco and San Diego.

Lisa Kim, Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks at both forums and identified the areas of the AG’s rulemaking on which speakers should focus their comments, specifically those areas of the Act that call for specific AG rules.  Ms. Kim encouraged interested parties to provide written comments and proposed regulatory language during this pre-rulemaking phase. Consistent with the prior forums, she noted that the AG’s office would be listening, and not responding, to comments made in Riverside and Los Angeles.

Of note, the presentation slides made available at the forum (and available here) state that the AG anticipates publishing proposed rules in Fall 2019,and that after that there will be a period for public comment and additional public hearings.


Continue Reading

In anticipation of preparing rules to implement the California Consumer Privacy Act, the California Attorney General recently announced six public forums that he will host in January and February 2019 across California.  On January 8, 2019, the AG hosted the first of these forums in San Francisco.  The following provides an overview of the forum and the comments made at the forum.

Overview of the January 8, 2019, San Francisco Forum 

Stacey Schesser, the Supervising Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks.  Ms. Schesser confirmed that the AG’s office is at the very beginning of its rulemaking process.  Although the AG’s office will solicit formal comments after it prepares proposed rules, the AG is interested in receiving detailed written comments from the public with proposed language during this informal period.

These forums appear to be designed to inform the AG’s rulemaking and potentially streamline the process, by allowing public input before rules are drafted.  In this regard, Ms. Schesser clarified that she and other AG representatives in attendance at the San Francisco forum were there only to listen to the public comments and would not respond to questions or engage with speakers.  As a result, if the remaining forums follow a similar approach, it is unlikely that the forums will elicit meaningful intelligence regarding the AG’s anticipated approach to, or the substance of, the anticipated rulemaking.


Continue Reading

Computer laptop with ransomware malware virus key icon on red display background. Vector illustration technology data privacy and security concept.

The global WannaCry ransomware attack should be a wake up call for all companies about the threat ransomware poses. While WannaCry was one of the first highly publicized attacks in which ransomware was weaponized and used against numerous companies at once, there will undoubtedly be future attacks.  Companies can take proactive steps to reduce their

GettyImages-538899668-600pxWith corporate data security breaches on the rise, the New York State Department of Financial Services (NYDFS) has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents. Intended to thwart future cyberattacks and protect consumers, those “Cybersecurity Requirements for Financial Services Companies” (the “Cybersecurity Rule” or “Rule”) finally took effect on March 1, 2017. The NYDFS has released guidance on how to follow the Rule, it comes in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Although the guidance is apparently intended to assist covered financial institutions as the clock ticks towards the first of the Rule’s phased compliance deadlines less than six months away, the guidance is unlikely to make the implementation challenges many financial institutions will face any less daunting.

The Cybersecurity Rule requires that covered financial institutions, among other things, adopt detailed programs, policies and procedures to protect Information Systems (which are defined to include essentially any computer or networked electronic system) and certain sensitive business and consumer information (“Nonpublic Information”) from cybersecurity threats.

The Rule is narrower and less prescriptive than the original proposal from September 2016 (and largely the same as the second proposal from December 2016). Nonetheless, covered financial institutions now have less than six months to establish compliance with the first of the Cybersecurity Rule’s requirements. This means covered financial institutions will quickly need to: (1) assess the current state of their information security programs and what modifications may be required based on the specific policies and controls required by the Rule; and (2) consider the new processes that may need to be created to meet the Rule’s reporting, recordkeeping and certification requirements.
Continue Reading

A close-up on an abstract design of a display, which is warning about a cyber attack. Multiple rows of hexadecimal code are interrupted by red glowing warning text. Part of the display is reflected on a shiny surface. The image can represent a variety of threats in the digital world: data theft, data leak, security breach, intrusion, etc...

Is your company prepared to respond to a data security breach? For many companies, even reading this question causes some anxiety. However, being prepared for what seems like the inevitable—a security breach—can be the difference between successfully navigating the event or not. While we still hear some companies say, “That would never happen to our company!” a significant breach can happen to any company.

In light of this and the close scrutiny that the high-profile breaches reported over the past year have received, many companies have taken the opportunity to consider their preparedness and ability to respond quickly and decisively to such an incident. We have prepared for our readers who are in-house attorneys or privacy officers the following checklist highlighting some steps that companies may consider taking so that they can be better prepared in the event that a significant breach incident occurs.

  1. Make Friends With Your IT/IS Department.

It is important to be familiar with your company’s risk tolerance and approach to information security in order to develop an understanding of your company’s security posture. The time to explore these issues isn’t after a breach has happened, so ask your colleagues in your company’s information technology or information security departments the basic questions (e.g., What’s DLP?) and the tough questions (e.g., Why haven’t we addressed the data security concerns raised in last year’s audit?). You would rather learn, for example, that your company does not encrypt its laptops before one is stolen.
Continue Reading

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker).

The news has been filled this year with reports of ransomware attacks against companies and government agencies, including even law enforcement. Ransomware refers to a type of malware that encrypts or otherwise restricts access to a machine or device. As part of the attack, the attacker will demand that the victim pay a ransom in order to receive the encryption key or otherwise recover access to the compromised machine.

The reality is that ransomware attacks have been proliferating against all types of companies and organizations. Ransomware is a profitable business for underground circles, and we expect to see continued targeting. Because these attacks may be isolated to a single machine, they frequently do not impact a company’s business continuity or result in a noticeable service disruption. In response to an infection, companies may be able to obtain the technical assistance needed to defeat the attack. Free online resources exist that will identify which ransomware infected your system and provide victims with known decryption keys. In other cases, companies may determine that the data loss is not significant and/or that backups exist, allowing them to rebuild the computer by reformatting the hard drive and reinstalling a clean operating system, applications and data. In other cases though, companies pay the ransom.

Ransomware attackers frequently use many of the same tools and tactics, such as spear phishing, as do other hackers. Unlike many hackers, however, ransomware attackers are not focused on stealing data that can be sold or used for illicit purposes (e.g., credit card information and trade secrets). Instead, ransomware is about economic extortion. The attackers prevent a company from being able to access its own system or data, and they make a demand. Usually, they want money, but that could change. Imagine a hacker who holds data and systems hostage in return for the company’s releasing a public statement, making a divestiture or a arranging for a senior executive’s departure? The distinction between routine malware and ransomware is important to manage the scope of the threat. While some companies may not maintain data that is of value to cyber thieves (although that is becoming less and less the case, as evidenced by the proliferation of W-2 tax information phishing attacks), every company is a potential target of a ransomware attack.
Continue Reading

Not to be outdone by Florida, California has yet again amended its data security breach law and again in groundbreaking (yet confusing) fashion. On September 30, 2014, California Governor Brown signed into law a bill (“AB 1710”) that appears to impose the country’s first requirement to provide free identity theft protection services to consumers in connection with certain data security breaches. The law also amends the state’s personal information safeguards law and Social Security number (“SSN”) law. The amendments will become effective on January 1, 2015.

Free Identity Theft Protection Services Required for Certain Breaches

Most significantly, AB 1710 appears to amend the California breach law to require that a company offer a California resident “appropriate identity theft prevention and mitigation” services, at no cost, if a breach involves that individual’s name and SSN, driver’s license number or California identification card number. Specifically, AB 1710 provides, in pertinent part, that if a company providing notice of such a breach was “the source of the breach”:

an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached.

The drafting of this requirement is far from clear and open to multiple readings. In particular, the use of the phrase “if any” can be read in multiple ways. For example, the phrase “if any” can be read to modify the phrase “appropriate identity theft prevention and mitigation services.” Under this reading, the law would impose an obligation to provide free identity theft protection services if any such services are appropriate. The phrase “if any,” however, could be read to modify the “offer” itself. Under this alternate reading, the law would provide that if a company intends to offer identity theft protection services, those services must be at no cost to the consumer. It is difficult to know how the California Attorney General (“AG”) or California courts will interpret this ambiguity. One thing is clear: until the AG or courts opine, the standard will remain unclear.

The drafting of the requirement also is not clear in other ways. For example, the statute does not specify what type of services would qualify as “appropriate identity theft prevention and mitigation services.” For example, would a credit monitoring product alone be sufficient to meet the requirement? Or would the law require something in addition to credit monitoring, such as an identity theft insurance element?

Nonetheless, state AGs historically have encouraged companies to provide free credit monitoring to consumers following breaches. In addition, even though not legally required, free credit monitoring has become a common practice, particularly for breaches involving SSNs and also increasingly for high-profile breaches. Nonetheless, California appears to be the first state to legally require that companies offer some type of a free identity theft protection service for certain breaches.

AB 1710 is particularly notable in its approach. First, the offer of free identity theft protection services will only be required for breaches involving SSNs, driver’s licenses or California identification card numbers. In this regard, an offer of free identity theft protection services will not be required for breaches involving other types of covered personal information, such as payment card information or usernames and passwords. This approach endorses a position that many companies have long held—that credit monitoring is appropriate only when the breach creates an actual risk of new account identity theft (as opposed to fraud on existing accounts). In addition, the offer of free identity theft protection services will only be required for a period of one year (as opposed to, for example, two years). The length of the offer of free credit monitoring has always been an issue of debate, and California has now endorsed a position that a one-year offer is sufficient.


Continue Reading

When most Americans think of drones, they think of unmanned, often weaponized aircraft that are used by governments in areas of conflict for intelligence or combat purposes.  However, the proverbial sky is the limit on the potential commercial use of drones.  For example, in a December 2013 60 Minutes interview, Jeff Bezos, the founder of Amazon.com, described his company’s efforts to develop GPS-programmed, autonomous drones (or in his words, “octocopters”) to serve as “delivery vehicles” to provide half-hour delivery of your future Amazon order.  Although there will be hurdles to the widespread commercial adoption of drones as the Federal Aviation Administration works out the regulatory issues surrounding the licensing and use of drones in our airspace, our not-too-distant future could involve a world in which drones are literally buzzing above our heads.

Drones are, among other things, unmanned, light, easy to deploy and relatively cheap.  As a result, companies could use drones for numerous purposes, including scientific research and exploration, monitoring livestock or gas pipelines, remote troubleshooting of technology, finding lost shipments or even as a substitute for the Super Bowl blimp.  Because of advances in camera, video and audio technology (and the decreasing cost of that technology), however, drones could also be used to collect and communicate massive amounts of information about individuals and their everyday lives.  Imagine a company taking its drones out for a spin on a Saturday morning in your town to conduct market research, observing how the average person mows the lawn, when the average person goes to grab coffee or how many bags of groceries the average person leaves with from the supermarket.  Or, imagine a company flying a drone around its factory or retail location to monitor when its employees go on break or what end-caps its customers gravitate to or avoid.  As is true with many new technologies, drones raise complex and often troubling privacy issues (remember your first cell phone…it didn’t have a camera or location services, right?).
Continue Reading

On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued final guidance for financial institutions relating to their use of social media (the “Guidance”).  With its release, the FFIEC adopts its January 2013 proposed guidance in substantially the same form.  (Socially Aware’s overview of the proposed guidance is available here.)

With the explosive growth of social media, consumers increasingly expect to be able to interact online with the companies from which they buy goods and services. As a result, financial institutions have begun to explore the use of social media, both to strengthen relationships with existing customers and to attract new ones. Financial institutions, however,