Skadden Arps – In this edition of our Privacy & Cybersecurity Update, we look at a number of important developments, including a key amendment to California’s data protection law, President Obama’s recent executive order regarding secure payment processing by the government, an FTC warning about executive liability for privacy violations, the FCC’s entry in the data privacy enforcement arena and a request from the New York Department of Financial Services for vendor cybersecurity information from banks.
October 2014 was the 11th annual National Cyber Security Awareness Month, sponsored by the Department of Homeland Security (DHS) in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. DHS emphasizes that cybersecurity is the shared responsibility of the public sector, the private sector and the general public.
In sponsoring the month, the agency and its partners seek to promote awareness of cyber threats to the nation’s critical infrastructure and educate citizens about measures they can take to protect themselves from such threats. DHS highlighted its efforts to promote online safety through its ongoing Stop.Think.Connect campaign, which focuses on the importance of securing the increasing number of household devices that connect to the Internet, and noted the ways in which various branches of law enforcement are tailoring their efforts to combat cybercrime.
New California Data Protection Law
On September 30, galvanized by the many high-profile data breaches suffered during the past year by retailers such as Target, Neiman Marcus and Home Depot, California Governor Jerry Brown signed into law Assembly Bill No. 1710 (the Amendment), which enhances California’s existing laws concerning the protection of sensitive personal information.1 The Amendment, which will take effect on January 1, 2015, seeks to improve the protection of personal information of California residents by making three changes to California’s existing laws concerning breach notifications and the protection of personal data:
Broadening the obligation to implement reasonable security procedures to include not only businesses that own or license personal information, but also data brokers, third-party service providers, and other businesses that “maintain” such information without owning or licensing it from others;
Prohibiting the sale of an individual’s social security number, except where the release of the social security number is ancillary to a legitimate transaction; and
Enhancing consumer protections in the event of a data breach by requiring “the source of the breach” to “provide appropriate identity theft prevention and mitigation services, if any,” at no cost to the affected person for at least one year.
Increased Scope of Covered Businesses
California law currently requires all businesses that “own or license personal information about Californians to provide reasonable security for that information.”