Tag: Data Protection

CCPA Rulemaking Activities – Upcoming Hearings

CPA Rulemaking Activities – Upcoming Hearings

On October 10, 2018, the Attorney General released proposed regulations for the California Consumer Privacy Act of 2018 (CCPA).  The California Department of Justice (DOJ) will hold four public hearings to provide all interested persons the opportunity to present statements or comments on the proposed regulations, as detailed below.  The hearings will begin promptly at 10:00 a.m. and will conclude when the last speaker has finished their presentation.  Please note that attendees may be required to go through building security before entering each venue.  For more information about the public hearings, and to RSVP, please visit: https://www.oag.ca.gov/privacy/ccpa/rsvp.

The deadline to submit written comments is December 6, 2019 at 5:00 p.m. (PST).  Comments may be submitted via email (PrivacyRegulations@doj.ca.gov), mail (Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013), or at the public hearings.

Please visit www.oag.ca.gov/privacy/ccpa for information about the DOJ’s CCPA rulemaking process, including the following newly added pdfs:  Tips on Submitting Effective Comments and Information about the Rulemaking Process.

PUBLIC HEARING DATES

Sacramento
December 2, 2019; 10:00 a.m.
CalEPA Building
Coastal Room, 2nd Floor
1001 I Street
Sacramento, CA 95814

Los Angeles
December 3, 2019; 10:00 a.m.
Ronald Reagan Building
Auditorium, 1st Floor
300 S. Spring Street
Los Angeles, CA 90013

San Francisco
December 4, 2019; 10:00 a.m.
Milton Marks Conference Center
Lower Level
455 Golden Gate Ave.
San Francisco, CA 94102

Fresno
December 5, 2019; 10:00 a.m.
Fresno Hugh Burns Building
Assembly Room #1036
2550 Mariposa Mall
Fresno, CA 93721

FTC Slaps InfoTrax and its CEO with Severe Cybersecurity Order

Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data

As a result, hacker gained access to personal information of a million consumers, agency says

via FTC Press Release

A Utah-based technology company has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.

InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training, and data security, as well as operating its clients’ website portals.

In its complaint, the FTC alleges that InfoTrax and its former CEO Mark Rawlins failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. This includes failing to:

  • inventory and delete personal information it no longer needed;
  • conduct code review of its software and testing of its network;
  • detect malicious file uploads;
  • adequately segment its network; and
  • implement cybersecurity safeguards to detect unusual activity on its network.

In addition, the FTC alleged that InfoTrax stored consumers’ personal information—such as Social Security numbers, payment card information, bank account information, and user names and passwords—in clear, readable text on its network.

“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers.”

As a result of the company’s security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. In March 2016, the intruder accessed about one million consumers’ sensitive personal information, according to the complaint.

InfoTrax did not detect these intrusions until March 2016, when it was alerted that its servers had reached maximum capacity. This alert was due to a data archive file created by the hacker who had infiltrated its network. InfoTrax’s security failures not only affected its network but also the websites of its clients, the FTC alleges.

The personal information that the intruder obtained can be used to commit identity theft and fraud. The FTC alleges that InfoTrax’s failure to provide reasonable security for personal data in its care violated the FTC’s prohibition against unfair practices.

As part of the proposed settlement with the FTC, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. This includes assessing and documenting internal and external security risks; implementing safeguards to protect personal information from cybersecurity risks; and testing and monitoring the effectiveness of those safeguards.

In addition, the proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with InfoTrax and Rawlins was 5-0. Commissioner Christine S. Wilson released a concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Compliance & Privacy Partners provides smart and affordable privacy compliance, data governance and risk-management solutions designed to help organizations build privacy programs, assess, manage and remediate risks and demonstrate defensible compliance. We offer and support a variety of data privacy management platforms which include data subject fulfillment workflows, records and PI inventory management, vendor assessment and policy adherence tools, privacy impact assessments, file analysis projects and records retention enforcement.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

So, how much is this damn CCPA thing gonna #$@&%* cost me?!

The short answer? A lot, but not as much as you might have been told…

As I’ve traveled around California doing my “Blessings of the CCPA” presentation, I’ve been asked repeatedly about the “average” cost of a CCPA solution from CFO’s, GC’s and IT folks alike. It’s a loaded question as there are many requirements to the law, from policy and website disclosures to consumer data request obligations. One size does not fit all and your organization needs to spend time methodically planning its approach before setting aside budget and other resources.

While some unprepared organizations may need to beef up spending in the near-term, others may end up refining their programs over the coming years as they realize their initial investment wasn’t as strategic as it probably needs to be.

ILTA Blackberry and CAPP Presentation
At the San Diego ILTA Presentation of “Preparing for the California Consumer Privacy Act”

Decision makers, consider the following:

  • What’s our true risk exposure based on the personal data we already collect, sell, barter, manage, etc. on behalf of our business partners?
  • Can we do this all in-house or should we outsource some of it?
  • Do we have any existing talent and software that might help streamline some of the CCPA’s major workstreams like data mapping?
  • What kind of fundamental changes are we willing to make to our IT infrastructure?
  • Do we fully automate self-service requests through API’s and is that even the right idea, long-term, given our risk, the evolving nature of IT and emerging legislation?
  • How can taking a principle based approach to privacy using concepts like data minimization to insulate us going forward?

Click here for a free CCPA Roadmap from Compliance and Privacy Partners.

Clearly, all of us subject to the law need to protect our business and expect some activity, whether it be through consumer requests or even the limited right of private action afforded by the CCPA. That doesn’t mean you turn your entire organization upside down and fork over hundreds of thousands of dollars in licensing ransom! Change management on this scale first requires proper risk analysis, roadmapping and getting stakeholders to buy-in and be accountable.

Then what’s my next step?

Before you embark on this journey to become a privacy-centric company, the real question you should be asking yourself is….

Are there consultants and affordable software solutions out there that will leverage our resources and best minds to help us implement a proportional strategy that protects us? 

The answer to that last question is YES!

Slide4
CAPP’s California Consumer Privacy Act Roadmap

Long-term solutions need to be fact-based and reasonable, recognizing the unique facets of your culture and business model. Big, complex and expensive isn’t always better.

It’s true there are some amazingly fancy privacy software products out there. But do you really want to spend a quarter to half-a-million dollars a year to fend off what might ultimately be a handful of consumer requests and opt-outs, when you can do the exact same thing with a far less expensive and better tool?

The bottom line…

There are so many vendors playing in the privacy space today and way too many folks are impulsively investing either too heavily or disproportionately in them just to “check the box.” Yes, of course you need to “check the box,” but running headfirst into this regulatory challenge could leave you with a budget nightmare and organizational headache you’ll soon regret.

The bottom line is your investment needs to be proportional to your risk profile and the complexity of your infrastructure and organization. Even then, you may not need a solution that costs you hundreds of thousands of dollars when you could be compliant and sleep comfortably for under $50,000 a year.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

40th International Conference of Data Protection and Privacy Commissioners

40th Annual Data Protection Conference

Reflections on the 40th Annual International Conference of Data Protection and Privacy Commissioners

Guest Post by Abby Moscatel

It’s been about a week since Rafael and I returned from Europe, where we attended the 40th International Conference of Data Protection and Privacy Commissioners at the European Parliment’s Hemicycle in Brussels, Belgium.

The thought leaders posed the single most important question facing us today: What kind of world do we want to live in? You see, we are at the tipping point where the internet will know more about us than we know about each other, or even ourselves. And yet there is no recognized universal ethical and moral code for how we deal with all of the data that is being collected about us. How do we handle it? Right now, Data Kings hold the cards. Companies provide free services to gather our information.

Apple CEO Tim Cook was correct when he said that we are now in a time where our data is being weaponized. We see it in our news feeds. No matter what you believe, you get socials and content that affirms your position, and makes the opposite position something you must resist.

Tim Cook at the 40th Annual Conference of Data Protection Comissioners

Hong Kong artificial intelligence researcher Pascale Fung was also right when she said that unless we get all of the world leaders together, it won’t matter.

Now, we have the GDPR. And, here in the US, we are starting to get patchwork legislation, like the California Consumer Privacy Act, heavily resisted by Big Tech in favor of a federal privacy law.

I want to live in a world where I own my data, control access to my data, and where I can delete my information. If a company or individual breaks a law, then I want a private right of action. Most importantly, I want to live in a world where we have a universal agreement on digital ethics.

What kind of world do you want to live in?

The Olympics of Privacy in Brussels!

Debating Ethics: Dignity and Respect in Data Driven Life, the 40th Annual Conference of Data Protection and Privacy Commissioners

Two Americans walk into a EU Privacy Conference…

Just a few weeks ago, a colleague reached out and reminded me “the Olympics of Privacy” were being held at the EU Parliament in Brussels in late October, and also if I’d like to attend. Well, how the heck am I supposed to turn down an invitation like that? After all, this is the year of GDPR, the NYDFS, the new California Privacy legislation and the ICDPPC has leaders like Mark ZuckerbergSundar Pichai, Tim-Berners Lee, Jagdish Singh Khehar and even the King of Spain all lining up to share their thoughts.

We want to stimulate an honest and informed discussion about what digital technology has done and is doing to do to us as individuals and as societies, and to consider future scenarios. We want to better understand the impact of technology on people of all generations, in all parts of the world, including the way people think, interact with others, develop their opinions, create art and write, how they buy and sell and how they participate in civic life.  – Privacy Conference Statement

Mark and Sundar are likely showing up because they realize the stiff penalties now associated with data security and privacy violations and the rest of the speakers realize that we are on the cusp of a digital and ethical revolution of sorts, one which will affect generations to come. In fact, Debating Ethics: Dignity and Respect in Data Driven Life is probably the most important privacy conference of the 21st century. My wife Abby Moscatel, an attorney and ethicist heard about this lineup and quickly said, yeah… I’m coming with you to this one!

Continue reading “The Olympics of Privacy in Brussels!”