California Privacy Law Now in Effect; Ransomware Infections at US Coast Guard and Maastricht University; Malware on Landry's Restaurant POS Systems

Meaningful enforcement action by July 1 is very unlikely, as there are many areas where the wording of the Act is broad and open to interpretation and the industry legal actions to fight/delay will be fast and furious. Advice to corporate management: whether CCPA gets delayed or not, consumer demand and legislative trends are definitely on the side in the companies needed to give customers more visibility and more control over the use of their personally identifiable information. Companies can save money in the long run by skipping the "OK, let's just wallpaper our website with disclaimers" stage by starting with "let's make our customers happy and safe, and then be able to easily demonstrate GDPR/CCPA et al compliance."

John Pescatore

One of the challenges in implementing CCPA is that legal guidance is not finalized. For example, while it appears to exclude non-profit entities, a small institution doing online business may have data on over 50,000 devices, which may put them back in-scope for CCPA. Work with your legal department to establish and record your applicability decision. The good news is the implementation can leverage measures taken for GDPR; even so, CCPA specific guidance is still maturing.

Lee Neely

One has been thankful to the California Legislature in the past for going where angels fear to tread. Their reach has been long, their aim true, and their impact salutary. One hopes that this effort will prove to be as effective. However, as with much law, the devil is in the detail and the enforcement.

William Hugh Murray

Hospitality has been a major target for PCI data for a decade. It is unconscionable, even in a business that has grown by acquisition, that is should take so long to identify and remediate such a compromise. These compromises persist for so long because no one is looking for them. One should have in place an objective, stated in days, for mean-time to detection of a compromise and a plan to achieve it.

William Hugh Murray

End-to-End encryption protected the cardholder data where applied. The trick is making sure all the points where the data is entered have equivalent protection, or ensure omitted devices can no longer process or collect that data. In this case, the order entry terminals were intended to process reward card data not payment cards, so neither the security fix was applied, nor was payment card processing disabled. Additionally, Landry's has taken steps to remove the malware and increase security to prevent re-introduction.

Lee Neely

Not only is MU prioritizing recovery, they are providing alternative options for students needing services which are still offline. Because they have not determined the exact scope of the incident, all systems are suspect and being investigated. MU has brought in external expertise as well to aid with analysis, response, and recovery. Additionally, they are paying attention to the status of their scientific data, adding protections where needed, not only to ensure integrity of that data but also as current Ransomware TTPs now include requests for payment to prevent release of customer data.

Lee Neely

The disclosure of "health information" was limited to tens of people in the beta test of a connected scale. The ZDNet article is worth a read for what it says about irresponsible disclosure by those who ought to know better. We continue to see disclosure motivated by the desire for recognition by the discloser rather than by the safe, timely, and effective repair of the compromise or vulnerability.

William Hugh Murray

Consider the question: Is this type of application appropriate for corporate devices, and does it fit within your incidental use policy; further, what action should be taken when devices are introduced to your network. In this case, devices with the disallowed application are blocked from the network. The issue is that the app is passing PII information to China through the services provided by the Musical.ly component. U.S. Senate Minority Leader Chuck Schumer and Senator Tom Cotton asked for a national security probe in a letter to Joseph Macguire, acting director of national intelligence. The Committee on Foreign Investment in the United States (CFIUS), which reviews deals by foreign acquirers for potential national security risks, has started to review the Musical.ly deal. CFIUS reviews are confidential.

Lee Neely

As with the US, the KCC also doesn't want their citizens PII routed to China.

Lee Neely

With the current rapid software production and update cycles, automation is necessary to verify code is not pushed to repositories that contain sensitive configuration items, including API & SSH keys, passwords, or other sensitive configuration files. Additionally, if possible, configure services to limit access to only authorized addresses and make sure that you have good key management and revocation processes.

Lee Neely

Good to see the major browser providers (Google and Firefox) getting behind CCPA. Facebook acts as a "browser" to the walled garden that is Facebook - it doesn't look like they are taking a proactive stance. As part of providing information/recommendations around what CCPA will mean to your company, it is worth mentioning that a special look should be given to any corporate Facebook presence or advertising efforts.

John Pescatore