BreachExchange mailing list archives

New California Data Breach and Privacy Amendments


From: Lee J <lee () riskbasedsecurity com>
Date: Tue, 29 Oct 2013 11:35:39 +1100

http://www.natlawreview.com/article/new-california-data-breach-and-privacy-amendments

Within the last few weeks, California Governor Jerry Brown signed into law
two new data privacy bills: S.B. 46
<http://reaction.dbr.com/rs/ct.aspx?ct=24F76719DFAE4EE0CDDA80A5DA259719919107A2A2AD1>,
amending California’s data security breach notification statute, and A.B. 370
<http://reaction.dbr.com/rs/ct.aspx?ct=24F76719DFAE4EE0CDDA80A5DA259719918307A2A2AD3>,
addressing the disclosure of “do not track” and other related practices in
online privacy policies. Both laws will go into effect on January 1, 2014.

*New Data Security Breach Notification Triggers*

California law already requires the provision of notice to affected
customers of unauthorized access to, or disclosure of, personal information
in various circumstances. *S.B. 46* adds to the current breach notification
requirements a new category of breach triggering these requirements: a user
name or email address, in combination with a password or security question
and answer, that would permit access to any online account.

However, when the information subject to a breach falls under this new
category only, companies may notify affected customers in electronic or
another form that directs these customers to promptly change their
passwords and security questions or answers, or to take any other steps
that may be appropriate to protect the affected online account and any
other online accounts for which that customer uses the same user name or
email address and password or security question or answer. In those
situations involving login credentials for email accounts provided by the
company, the company must not send the notification to the implicated email
address, but rather must provide the required notice via one of the other
methods provided for by California law, or by “clear and conspicuous
notice” delivered to the affected user online when the user is connected to
the online account from an IP address or online location from which the
company knows the user ordinarily accesses the affected account.

Breach notification in California is currently triggered only by the
unauthorized acquisition of an individual’s first name or initial and last
name in combination with one or more of the following data elements (when
either the name or the data elements are unencrypted): social security
number; driver’s license or state identification number; account, credit
card or debit card number in combination with any related security or
access codes; medical information; or health information. As a result, S.B.
46 expands the categories of information the disclosure of which may
trigger the requirement for notification – however, it fails to apply the
existing exception for encrypted data to the user credential information
subject to this amendment.  Thus, even if a breach is related solely to
online access data that is itself encrypted, the amendment will
nevertheless still require notification.  It is unclear whether this
omission was intentional or not.  As a result, S.B. 46 is a significant
expansion of the circumstances in which notification may be required.

*New Disclosure Requirements For Online Tracking Practices*

A.B. 370 amends the California Online Privacy Protection Act (CalOPPA) to
require companies that collect personally identifiable information (PII)
online to disclose how they respond to “do not track” signals, in addition
to other information about their collection and use of PII. These new
disclosures include:

   - How the company responds to “do not track” signals or other mechanisms
     that allow consumers to choose how their PII is collected as to their
     online activities over time and across third-party websites or online
     services, if the company collects such information; and

   - Whether third parties may collect PII about a consumer’s online
     activities over time and across different websites when that consumer
     uses the company’s website.

These disclosures must be included in a company’s privacy policy. To comply
with the first requirement above, companies may provide a “clear and
conspicuous” hyperlink in their privacy policy to an online description of
any protocol that the company uses that provides the user that choice,
including its effects on functionality and service.

Finally, note that CalOPPA’s application is very broad.  In particular, it
applies to any “operator of a commercial Web site or online service that
collects personally identifiable information through the Internet about
individual consumers residing in California who use or visit its commercial
Web site or online service.” In view of the inherent difficulty of doing
business online without attracting users residing in California, these
provisions will almost certainly apply to most online businesses.

*Recommended Best Practices*

To comply with these recent amendments, companies should review their data
privacy and security policies and practices to determine whether updates
are needed.  Companies should review and revise as necessary their data
security breach contingency plans now to include the newly added
notification triggers as well as the new notification protocols allowed
when only that data is at issue. Similarly, companies that collect PII
online or through mobile applications should review their online tracking
activities and all applicable privacy policies (i.e., website *and* mobile
apps) to determine whether and to what extent revisions may be required by
January 1, 2014.

In this way, necessary revisions can be thoughtfully prepared and
implemented into all related documentation, thereby avoiding last-minute
implementation miscues and/or public relations nightmares arising from
unnecessary/embarrassing dealings next year with the California Attorney
General’s office.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 