BreachExchange mailing list archives

Your Cat’s Name Could Soon Be Your "Personal Information"


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Sep 2013 12:48:48 -0600

http://www.mondaq.com/unitedstates/x/262296/Data+Protection+Privacy/Your+Cats+Name+Could+Soon+Be+Your+Personal+Information+4+Steps+You+Can+Take+To+Prepare+Yourself+For+The+Proposed+Expansion+Of+Californias+Data+Breach+Notification+Requirements

As we learned this summer, online account usernames can be, well . . .
somewhat embarrassing when made public.  Here in California, however,
that type of username or an email address, in combination with a
password or security question and answer, could soon be considered
personal information.  As a result, any person or business that
conducts business in California may be required to notify its users if
that type of information is compromised by a data breach incident.

Along with a number of other data privacy bills, the California
legislature has sent Senate Bill 46 to Governor Jerry Brown for
signature.  S.B. 46, together with companion bill A.B. 1149, would
amend Sections 1798.29 and 1798.82 of the California Civil Code to
expand the definition of "personal information."  This could have a
wide impact, given that notification requirements following a data
breach incident depend upon whether the information that was
compromised constitutes "personal information" as defined by the
applicable state law.

As it currently stands, California defines "personal information" to
include an individual's name in combination with that individual's (i)
social security number, (ii) driver's license or California
identification card number, (iii) account, credit or debit card number
together with a security or access code that would permit access to
that individual's financial account, (iv) medical information or (v)
health insurance information; where either the name or the other piece
of information is not encrypted.

As amended, California's definition of "personal information" would
also include "[a] user name or email address, in combination with a
password or security question and answer that would permit access to
an online account."  This expansion is significant, especially
considering that the number of data breach incidents that require
notification is already dramatically on the rise.  Information like
emails and passwords is commonly collected by online services, so
adding that type of information as a trigger for data breach
notification could exponentially increase the number of persons and
businesses that are subject to those requirements.

If your business collects emails, user names, passwords and/or
security question information, here are 4 steps you can take to
prepare for the coming changes:

1. Reassess your security measures.  Services that collect medical
information or social security numbers have known for some time that
they need proper protections in place to secure that information.  If
your business is newly subject to data breach notification
requirements, understanding your risk profile will require a fresh
look at how secure your system is.

2. Understand who you share information with.  When it comes to data
breach notification, you can be equally responsible if the person or
entity who experiences the data breach was a third party who received
the information from you.  Be sure that you understand who you share
personal information with and how they protect it.

3. Consider deleting what you don't need.  The easiest way to reduce your
risk profile is to limit what you collect and retain.  Consider
putting a process in place for deleting information that you no longer
require, such as information related to closed accounts.

4. Have a plan.  The moment when you discover there has been a data
breach is not the time to figure out your plan for what to do when you
have a data breach.  There's no time like the present to put a game
plan in place that can be used in the event of an emergency.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

