Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/22/2019
11:20 AM
50%
50%

New Legislation Builds on California Data Breach Law

This bill requires businesses to notify consumers of compromised passport numbers and biometric data.

California Attorney General Xavier Becerra and Assemblymember Marc Levine this week unveiled legislation to close a loophole in the state's existing data breach notification laws.

AB 1130, introduced by Levine, requires breached organizations to notify consumers if their passport number or biometric data is exposed. Becerra said this bill "closes a gap in California law and ensures that our state remains the nation's leader in data privacy and protection."

California became the first state to pass a data breach notification law in 2003, when it mandated companies inform consumers when they believe an unauthorized party has accessed their information. At the time, this personal data was limited to Social Security numbers, driver's license numbers, credit card numbers, and medical and health insurance data.

Legislation introduced this week will update the law to include passport numbers and biometric data, such as a fingerprint or retina/iris scan, as information protected under the statute.

The addition was prompted by the 2018 breach of Starwood Hotels' guest database. Marriott, which had acquired the company, revealed the incident had exposed more than 327 million records containing travelers' names, addresses, and more than 25 million passport numbers. California officials note how passport numbers are unique, government-issued, static identifiers, making them especially appealing to cybercriminals. Indeed, passport scans are hot on the Dark Web.

Read more details here.

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/28/2019 | 9:19:24 PM
Re: RIGHT - Pass a law, that will fix it
100% agree with your post. Also, enjoyed the disclaimer. :)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/27/2019 | 2:08:53 PM
Re: RIGHT - Pass a law, that will fix it
This law was passed late last year. It does not go into effect until 2020 (absent an amendment delaying its effective date).

Companies have time -- big or small.

That said, someone earnestly trying their best is going to fare better than someone who just screwed up big time and doesn't seem to care.

 

(Disclaimer: This comment/post is provided for informational, educational and/or entertainment purposes only. Neither this nor other posts here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/27/2019 | 11:12:15 AM
Re: RIGHT - Pass a law, that will fix it
@Joe, definitely understandable. The upstarts are just starting to gain footing, if they are lucky enough. Not sure if there already is but for scenarios like an upstart would you think it wise to delay enforcement of those regulations as long as their is a valid corporate roadmap towards implementing them?

Or would you see it as, regardless of corporate titan or company upstart a company is a company and they all have to follow the same rules?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/27/2019 | 11:07:44 AM
Re: Systemic Change
Apologies, I should have specified. When I stated encrypt your data it should be scoped encryption. It is folly to try to encrypt all data. Specifcally you should encrypt sensitive data. But to ensure that you scope is accurate it needs to be segmented. 

I 100% concur that encrypting all data is implausible.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2019 | 10:37:23 PM
Re: RIGHT - Pass a law, that will fix it
@Ryan: Moreover, as my home-state governor Charlie Baker put it when keynoting ThingWorx a few years back, big mega-corporations secretly love regulations (to some extent) because they're the only ones that can afford to keep up with them -- while scrappy upstarts are driven out of business.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2019 | 10:35:16 PM
Re: Systemic Change
It remains to be seen, though, if federal data-breach notification laws will come into play -- and preempt preexisting state laws on that front.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2019 | 11:01:34 AM
Re: Systemic Change
A law that wholesale forbids any but the strictest security practices could undermine the Business Judgement Rule. That makes sense. That is why having the balance becomes more important. There business that may them secure and provide services, I say Google is one of them as long as you do not consider privacy a major issue.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2019 | 10:58:40 AM
Re: Systemic Change
Moreover, as much as I like security, it can't be forgotten that security and accessibility are at constant odds with each other It actually makes sense when you consider CIA. Keeping the balance between confidentiality, integrity and availability what makes security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2019 | 10:56:38 AM
Re: Biometrics
I'd anticipate that biometric-data clause getting fought tooth and naiL Yes, it makes sense. As we are using it more and more (such as FaceID) there will be more regulations around it.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/26/2019 | 10:54:33 AM
Re: Systemic Change
"Oh, we are sorry we lost your data but we did tell you quicker then we use to" Yes, I hear you. That would be just not convincing and not helpful at all.
Page 1 / 2   >   >>
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.