At the end of May 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft covers only some of the topics the Agency intends to address. The issues covered in this draft of the regulations include data collection and processing
Utah To Become The Fourth State to Pass Privacy Legislation
The Utah legislature has passed Senate Bill 227, otherwise known as the Utah Consumer Privacy Act (UCPA). Barring a veto from Utah Governor Spencer J. Cox, who, as of March 15, 2022, officially has the bill on his desk for action, Utah will become the fourth state to pass a comprehensive privacy bill, following the likes of California, Virginia, and Colorado. If enacted, the UCPA would take effect on December 31, 2023.
Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat
This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software. Since then, the vulnerabilities have been independently verified and confirmed by Microsoft. They are believed to have been exploited by foreign-state threat actors for an unknown period of time, going back to at least January 2021. Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.
While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.
Companies that use any version of Microsoft Exchange Server for email messaging should take immediate steps to address the situation. Office 365 is not affected, but companies that run physical Exchange servers alongside Office 365 would still be vulnerable. The vulnerability affects every version of Microsoft Exchange Server from 2010 through 2016. The exploited vulnerability and potential back door allow a remote attacker full access to and control of the organization’s Exchange server, including all the data residing on it: emails, attachments, contacts, notes, tasks, calendar items, etc. Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.
The seriousness of the issue is difficult to overstate. Using the exploit, intruders are able to leave behind one or more “web shell” scripts for future use. A web shell is an easily operated, password-protected hacking tool that can be accessed from any browser over the Internet; such scripts are also commonly used for legitimate functions, and are thus difficult to identify as malware by file type alone. …
California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)
California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really?
California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations
Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA. This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.
Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft. In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.
An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable. Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date. …
Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers
In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Health directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronics stores across the country.
With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.
It is entirely appropriate and necessary for companies to adapt their technology so that work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But, as always, data security and privacy should be part of the equation.
Below are some essential things to know about the security risks posed by remote or at-home workers, and a Technical Checklist for Remote Employees to make sure your corporate data is safe and you do not risk compliance challenges with data privacy laws and requirements.
And the Wait for CCPA Rules is Over …. Kind Of
Cross-posted from The Global Privacy Watch blog.
Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) on October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted before the amendments to the CCPA went through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there, so one reviews them anyway.
Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress.
FBI Public Service Announcement on Ransomware
This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures. There is a section in the bulletin discussing whether victims should consider paying ransom to attackers. According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data,” and paying ransoms emboldens criminals to target others.
Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list). However, several others are more specific. All of the measures listed should be considered as parts of a comprehensive standard information security program.
Among the list of the FBI’s “Cyber Defense Best Practices” recommended are:…
Nevada: Bucking the Wait and See Approach to Consumer Privacy Law
In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. Most states, we found, that introduced consumer privacy legislation simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait and see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution, through SB 220, or as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.
First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy as it amends existing law. There are three primary areas operators conducting business over the Internet need to be aware of, when evaluating compliance measures: …
CCPA Amendments: Again Employees and the Loyalty Program Change Nobody is Talking About
Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25 and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session on July 11, the California Senate Judiciary Committee weighed in on various bills, including AB 25. And while AB 25 was part of the Committee debate, the amendment adopted there may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential for a far greater impact than anyone seems to be noticing.