New Privacy Laws Require Security Professionals Up Their Game

Two recent privacy laws, GDPR and the California Consumer Privacy Act (AB-375), focus more attention on protecting the digital privacy of individuals. Both laws will require that security professionals up their game. In this post, I will cover some of the security implications of AB-375. Gone are the days when privacy requirements could be handed off to privacy officers or legal counsel. Today's requirements are so granular that they will require new security technology, processes, and knowledge.

To summarize the California Consumer Privacy Act of 2018:

  • It goes into effect on January 1, 2020
  • It includes a private right of action in breaches involving unencrypted or nonredacted personal information
  • It offers California citizens the right to
    • Know what information is being collected about them
    • Know if their information is being sold and to whom
    • Forbid sale of personal information
    • Gain access to their personal information
    • Retain their rights to equitable service even if they forbid the sale of their information
  • Exceptions are made for businesses that are not located in California and do business outside of the state. This exception would apply to Las Vegas casinos, even when serving California citizens.

What are some of the implications of these rights for security professionals? Broadly, they fall into the requirements for confidentiality, integrity and risk management. One area is data classification and handling. Often neglected in risk management, it is now front and center. Businesses must know what information they are collecting and where they are getting it from, and they will have to respond to consumer requests regarding the categories of information they keep about consumers. Classification must include:

  • categories of information
  • specific pieces of information collected
  • sources of information
  • commercial purpose for collecting
  • third parties to whom the data is sold
  • whether the information may be sold or not

The definition of “personal information” is now broader than many consider at first glance. AB-375 defines it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Identifiers include name, address, IP address, email address, browsing history, search history, geolocation data, employment information, audio information, etc. Organizations covered by this law will need to protect more categories of data than before.

Consumers now have the right to request deletion of their information. This mandates that data flow diagrams be created showing the lifecycle of the data. These have been required by PCI DSS and will now be required to effectively assure data destruction for other categories of personal information. More demanding are third-party contracts, which now must require data destruction on an individual-record basis. Security officers will need some type of assurance that this is being done.

AB-375 does not restrict businesses from collecting, using, retaining, selling or disclosing information that is deidentified. The bill requires that businesses have technical controls to prevent consumer information from being associated with a consumer, either directly or indirectly. Security professionals will need to understand how “deidentified” is interpreted under this and other privacy regulations and be prepared to support the definition with technology.
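The following is an added example (not code from the original post) of the kind of technical control the paragraph above calls for. It shows why an unkeyed hash of an identifier is not deidentification (anyone with a candidate list can recompute it), contrasts that with a keyed pseudonym whose key is held apart from the dataset, and coarsens quasi-identifiers so that no record is singled out. The records, key and field names are constructed for illustration.

```python
"""Pseudonymization and generalization helpers.

Added example, not from the original post. RECORDS, the key used in testing,
and all field names are constructed for illustration.
"""
import hashlib
import hmac
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample records: a direct identifier (email), two quasi-identifiers
# (zip, birth_year) and one non-identifying attribute (plan).
RECORDS = [
    {"email": "ann@example.com",  "zip": "94105", "birth_year": 1984, "plan": "basic"},
    {"email": "bob@example.com",  "zip": "94107", "birth_year": 1986, "plan": "pro"},
    {"email": "cara@example.com", "zip": "94110", "birth_year": 1981, "plan": "basic"},
    {"email": "dan@example.com",  "zip": "94109", "birth_year": 1989, "plan": "pro"},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier. This is NOT deidentification: anyone
    holding a list of candidate emails can recompute it and relink the record."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def relink_by_dictionary(hashed: str, candidates: List[str]) -> Optional[str]:
    """Shows the weakness of naive_hash: recompute the hash for each candidate
    identifier and report which one matches."""
    for cand in candidates:
        if naive_hash(cand) == hashed:
            return cand
    return None


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Without the key the mapping cannot be recomputed
    from a candidate list. The key must live outside the deidentified dataset,
    under its own access control, or the data is merely pseudonymous."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers so rare combinations no longer single out one
    person: keep a 3-digit ZIP prefix and a 10-year birth band."""
    decade = (record["birth_year"] // 10) * 10
    return {"zip3": record["zip"][:3], "birth_decade": f"{decade}s", "plan": record["plan"]}


def deidentify(records: List[dict], key: bytes) -> List[dict]:
    """Drop the direct identifier in favour of a keyed pseudonym and generalize
    the quasi-identifiers."""
    out = []
    for r in records:
        g = generalize(r)
        g["pseudonym"] = keyed_pseudonym(r["email"], key)
        out.append(g)
    return out


def min_group_size(records: List[dict], quasi: Tuple[str, ...]) -> int:
    """Smallest number of records sharing one quasi-identifier combination
    (the k of k-anonymity). A value of 1 means someone is uniquely identifiable."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    key = b"constructed-demo-key-store-separately"
    print("raw k:", min_group_size(RECORDS, ("zip", "birth_year")))
    print("deidentified k:", min_group_size(deidentify(RECORDS, key), ("zip3", "birth_decade")))
```

The check worth keeping in a release pipeline is the last function: before a dataset is treated as deidentified, confirm that the smallest quasi-identifier group is larger than one, and that the pseudonymization key is not shipped alongside the data.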

Another issue is authentication of consumers who request information about their data. The law requires that a response be provided within 45 days (extensible to 90 days). The security team will need a process for verifying the identity of the consumer before any information is released.
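The following added example (not code from the original post) ties together three of the points made above: a data inventory that can answer a consumer's "what categories do you hold and who do you sell it to" request, a deletion request that fans out to every store and third party and tracks per-party destruction attestations, and an identity-verification gate with the 45-day (extensible to 90-day) response deadline. The inventory, party names and dates are constructed for illustration.

```python
"""Consumer-request workflow: inventory lookup, verification gate, response
deadline, and deletion fan-out with third-party destruction attestations.

Added example, not from the original post. INVENTORY, the party names and the
dates used are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed data inventory: for each category, where it is stored, where it
# came from, why it is collected, who it is sold to, and whether sale is allowed.
INVENTORY = {
    "contact": {"stores": ["crm"], "source": "signup form", "purpose": "account",
                "sold_to": ["ad-network-a"], "sellable": True},
    "browsing": {"stores": ["clickstream"], "source": "website", "purpose": "analytics",
                 "sold_to": ["ad-network-a", "data-broker-b"], "sellable": True},
    "geolocation": {"stores": ["mobile-events"], "source": "mobile app", "purpose": "service",
                    "sold_to": [], "sellable": False},
}

RESPONSE_DAYS = 45   # statutory response window
EXTENDED_DAYS = 90   # window when the extension is invoked


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str                      # "access" or "delete"
    received: date
    verified: bool = False         # set only after identity verification succeeds
    extended: bool = False
    # third party -> date its destruction attestation arrived (None = outstanding)
    attestations: Dict[str, Optional[date]] = field(default_factory=dict)


def deadline(req: ConsumerRequest) -> date:
    return req.received + timedelta(days=EXTENDED_DAYS if req.extended else RESPONSE_DAYS)


def is_overdue(req: ConsumerRequest, today: date) -> bool:
    return today > deadline(req)


def can_release(req: ConsumerRequest) -> bool:
    """Nothing leaves the building, and nothing is deleted, until identity is verified."""
    return req.verified


def categories_report() -> dict:
    """What the business must be able to tell a consumer: categories held,
    their sources and purposes, and the third parties they are sold to."""
    return {cat: {"source": v["source"], "purpose": v["purpose"], "sold_to": list(v["sold_to"])}
            for cat, v in INVENTORY.items()}


def handle_access(req: ConsumerRequest) -> dict:
    if not can_release(req):
        raise PermissionError("identity not verified")
    return categories_report()


def plan_deletion(req: ConsumerRequest) -> Tuple[List[str], List[str]]:
    """Enumerate every internal store and third party that must destroy the
    record, and open an attestation slot for each third party."""
    if not can_release(req):
        raise PermissionError("identity not verified")
    stores, parties = set(), set()
    for v in INVENTORY.values():
        stores.update(v["stores"])
        parties.update(v["sold_to"])
    for p in parties:
        req.attestations.setdefault(p, None)
    return sorted(stores), sorted(parties)


def record_attestation(req: ConsumerRequest, party: str, when: date) -> None:
    if party not in req.attestations:
        raise KeyError(party)
    req.attestations[party] = when


def outstanding_attestations(req: ConsumerRequest) -> List[str]:
    return sorted(p for p, d in req.attestations.items() if d is None)


def deletion_complete(req: ConsumerRequest) -> bool:
    """True only when every third party has attested to destroying the record."""
    return bool(req.attestations) and not outstanding_attestations(req)


if __name__ == "__main__":
    req = ConsumerRequest("c-1", "delete", date(2020, 1, 10), verified=True)
    print("deadline:", deadline(req))
    print("fan-out:", plan_deletion(req))
    print("outstanding:", outstanding_attestations(req))
```

The design point is that the verification flag, not the request itself, is what unlocks release or deletion, and that a deletion is not "complete" until every contracted third party has returned an attestation; the outstanding list is what a security officer would review as the deadline approaches.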

For overall risk management, AB-375 attaches financial penalties that put a dollar figure on security failures. Damages up to $750 per incident per consumer may be sought in private action by the consumer. If your firm maintains records on 1000 consumers, you could be liable for $750,000 under a class action. In addition, the California Attorney General can bring a civil action against a firm in violation of the law, and fines up to $7500 per incident can be levied.

This post illustrates the new frontier for security officers: privacy technology. While not completely new, the teeth provided by GDPR and AB-375 suggest that we all step up our knowledge of privacy technologies and processes.

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.
