Archive for the ‘Law’ Category

Comments on 201 CMR 17:00

September 29, 2009 (י"א תשרי תש"ע), by Ariel

 

Readers of my blog know that I was a big supporter of the Massachusetts data-protection regulation proposed under its breach-notification law, 201 CMR 17.00. You may also know that I authored an article about the rule, together with Ken Mortensen, Esq., for CSO Magazine. You can read it at "201 CMR 17: A New Tea Party!"

At the time, we thought the proposed rule was a very good development. But then the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) changed 201 CMR 17.00 into something considerably more watered down.

So, doing what any thoughtful consultant would do, I sent OCABR the following letter, giving my opinion of the latest version of 201 CMR 17.00 and adding my suggestions. Here is the letter. Tell me what you think:

 

Office of Consumer Affairs and Business Regulation,
10 Park Plaza, Suite 5170,
Boston, MA 02116,
(by postal mail and email)

 

Sunday, September 7, 2009

 

 

Re: 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth

Dear Madam Under Secretary, Mr. Egan, and Commission members,

Upon review of the latest (August 24, 2009) revision of the proposed rule, I find that quite a few elements of the regulation have been substantially relaxed. Believing that the intent of the legislature was to create a more effective regulation protecting the privacy and security of the residents of the Commonwealth, I find that the current revision effectively renders such protection non-existent.

Having been in the information security and data privacy industry for over 21 years, and having had my own identity stolen and misused, I find that the realities of the business world are such that certain elements ought to be considered carefully.

That said, the change from the previous version is so massive as to represent an example of how not to regulate, rather than the straightforward and exemplary piece of control that I so enthusiastically wrote about for CSO (Chief Security Officer) magazine.

In the following paragraphs, please find the changes I found, my objections to them, and my suggestions for improving the regulation. I would be delighted to testify before your committee and to help revise these provisions to enhance the benefit to all residents of the Commonwealth, persons and businesses alike.

 

Comment Number One:

Starting with section 17.01(1), the removal of the (previously emboldened) words "… by persons who own, license, store or maintain personal information…" represents a major shift in policy. In the real world, the protection sought by this entire effort is needed at least as much from mid-sized and small companies as from large companies. While smaller companies are more likely to use a third-party provider for their storage and hosting needs, there is no reason why these hosting environments should not be compliant with the demands of this regulation. Conversely, these hosting companies ought to share in the responsibility for protecting personally identifiable information (PII).

Further, the current revision actually encourages data-set holders to use third parties to host the data. What is to stop a company from exploiting this by creating a fictitious sub-company, a separate legal entity, whose entire raison d'être would be to hold the data? Doing so would clearly circumvent any protection intended by this regulation. This situation occurs again in the following sections: 17.01(2),

 

Comment Number Two:

Section 17.03 (definitions), in its previous incarnation, contained the following verbiage:

"Encrypted," transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

In its current form, the verbiage was changed to:

"Encrypted," the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

I have several comments on these changes. The first is applause for taking OCABR out of the business of approving or disapproving encryption. You are right not to be in that particular storm. However, there is nearly always a need for encryption. There are two choices here: the first is to require encryption no matter what; the second is to define certain data elements that will require encryption. While 128-bit is no longer "good enough" and 256-bit is the current "gold standard", there are certain standards of encryption that are accepted more-or-less universally.

 

Comment Number Three:

Please specify that encryption is required.

 

Comment Number Four:

Please specify that "a minimum of 256-bit" is needed AND select from certain industry standards. For example, AES is appropriate for today's day and age, and perhaps for the next four or five years.

 

Comment Number Five:

Please do not use the term “a low probability”. This is understood by all practitioners in the art, and here serves to confuse, rather than clarify.  

Comment Number Six:

Still within this section, the following appears:

Owns or licenses, receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

This section, and especially the highlighted text, seems to conflict with the first change noted above. Let me request clarification of this text, as it would seem to include third parties.

 

Comment Number Seven:

Similarly to Comment Number Six above, the text stating:

Service provider, any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that “Service provider” shall not include the U.S. Postal Service.

also seems, especially in the emboldened text, to conflict with the changes in the first item. What is your true intent?

 

Comment Number Eight:

In addition to Comment Number Seven above, and fully understanding the need to carve federal agencies out of compliance requirements, I question the naming of the USPS and its subsequent exclusion. Let me play devil's advocate by giving two examples, for two different scenarios that are likely to butt against this regulation:

  1. Since any state law attempting to regulate a Federal agency is automatically void, is there a need to call out the USPS? Imagine that the US Department of Health and Human Services discovers that it is not excluded from this regulation du jour. What would happen then?
  2. Imagine that UPS or Federal Express, both of which are common carriers de facto, chose to contest this regulation based on the concept of "like service". How would you defend against such action?

My suggestion: remove the reference to any Federal agencies. Then decide what you want the data owners to do. It would be perfectly acceptable, in a vein similar to requiring encryption, to require (as one example only) that sensitive data be physically transported only while encrypted. This responsibility should belong to the data owners. I expect many questions regarding this point, and I will be thrilled to assist with all I can.

 

Comment Number Nine:

Section 17.03 (remainder) drops the requirement (in a manner similar to my Comment Number One) relating to third parties. It then makes a bad situation worse by removing the need for organizations that monitor data to be compliant.

The situation becomes much worse still if the intent is to drop the requirement to monitor the performance of such a compliance program.

In the real world, there is no substitute for ongoing monitoring of the performance of compliance programs. This should not present an undue burden to small businesses, as long as pragmatism prevails. I recommend clearly demanding a written review and monitoring of such compliance programs.

 

Comment Number Ten:

The changes to section 17.03(2) are very significant and leave the regulation completely without purpose or merit. They seem to go in a direction contrary to the national policy of tightening controls, as exemplified by the HITECH amendment to HIPAA.

By removing the need for a formal risk assessment, this regulation has just become a best-intent regulation. Risk assessments are the only mechanism, short of guessing, for understanding any data privacy, security, and compliance issues. Nowhere in the original document is there a call for a risk assessment to be done just for the sake of compliance with 201 CMR 17.00, so do not call for one now, but please DO demand that the very important issues brought forth within this regulation be included in such a formal risk assessment.

Even small businesses can conduct (inexpensive) formal risk assessments. The size of the business need not affect this requirement.

 

Comment Number Eleven:

By not requiring a person to have overarching responsibility for the performance of this regulation, OCABR risks the "failure has no father" syndrome. In line with most European and US laws and regulations, assigning ownership of the data and of the privacy-protection efforts is of major import. Please reconsider.

 

Comment Number Twelve:

The removal of the call to handle terminated employees' access, while seemingly in line with the high-level intent of this regulation, is not a good choice. As can be seen from many occurrences this year alone, organizations oft "forget" to do so, resulting in major security breaches and incidents, a subject I would be glad to discuss if you wish. Please call out that specific requirement in the next version.

 

Comment Number Thirteen:

The movement of the compliance date to March 2012 is not a good move. In essence, a "hunting season" has just been declared, allowing organizations to sign contracts moving the data (as described in my Comment Number One) to third parties. Doing so will leave no one as the responsible party.

 

Comment Number Fourteen:

Further, the language as it stands is, as far as I can tell, a license in perpetuity never to be compliant as long as the contract is signed in time. This wide loophole must be addressed.

 

Comment Number Fifteen:

The dual dating of March 1, 2010 and 2012 here is quite confusing. I asked several legal professionals to read this paragraph and they all indicated that this writing is confusing. Can this be clarified?

 

Comment Number Sixteen:

Another change emerges in this version. Briefly, the data owner no longer has to take reasonable steps. As long as the owner has a contract, he or she appears to be in the clear. Surely that is not the intent here.

 

Comment Number Seventeen:

The removal of the need for a formal comprehensive information security program (CISP) leaves the regulation open to the interpretation "I had one, in my mind; we all knew of it". CISPs are a requirement of today's reality. Please consider adding the requirement for such a written program.

Again, even small businesses can create a formal CISP. The terms "formal", "comprehensive", and "written" should not be seen as equivalent to "expensive". A sample guideline, one that is shared with the small-business owner, can easily be developed.

 

Comment Number Eighteen:

With regard to item (g) herein, the removal of the requirement to keep the fewest records, for the least amount of time, with the least access, goes against the grain of any good privacy program. As can be seen in the AICPA's Generally Accepted Privacy Principles, and elsewhere, these requirements are essential to the program. They must be called out, explained, and demanded.

 

Comment Number Nineteen:

In my view, the changes called out in Comment Number Eighteen, taken together with the changes no longer requiring a risk assessment, make this entire regulation pointless.

No risk assessment + no knowledge + no need for knowledge + no rules of least access = no protection

 

Comment Number Twenty:

The new language, still in section (g):

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

virtually guarantees that this Rule will be visited repeatedly by the courts. The call for "reasonableness" has proven unwieldy in every instance in which it was used. This must be clarified. Other organizations have defined and validated such access rules, and I suggest we use some of the language called out by certain of them to define this paragraph more meaningfully.

 

Comment Number Twenty-One:

The removal from section (j) (old section (k)) of the words "or the potential therefor" has a chilling effect on the regulation. Near-breaches, together with known vulnerabilities, no longer need to be investigated. This WILL result in substantially less protection of the data. I respectfully request that they be re-introduced, and perhaps expanded upon.

 

Comment Number Twenty-Two:

Section 17.04's header has two changes. The first was referenced in my Comment Number One. The second, "…and to the extent technically feasible", appears redundant and, frankly, nonsensical to me. If it is not feasible, it cannot be done, right? The risk here is that a business will say: "My experts believed it was not technically feasible." This is another loophole which must be sealed.

 

Comment Number Twenty-Three:

Section 17.04(1) again re-introduces the word "reasonable". Please see my Comment Number Twenty for a discussion of why this should be changed and clarified.

 

Comment Number Twenty-Four:

In section 17.04(1)(b) I applaud the change from "seven…." to "or use of unique identifier technologies, such as biometrics or token devices;". OCABR has no need to define secure vs. non-secure.

 

Comment Number Twenty-Five:

In section 17.04(1)(c), the new language "…and/or format that does not compromise the security of the data they protect;" has two difficulties. Firstly, the previous version was correct to demand that passwords not be kept with the data they protect. While that might seem obvious to some, it is not obvious to all.

 

Comment Number Twenty-Six:

Continuing from the above, in that self-same section, the term "format" seems not to include other-than-password methods, such as physical keys or tokens. Let us revise this section to enhance its usability.

 

Comment Number Twenty-Seven:

In section 17.04(2)(b), the newly introduced "that are reasonably designed to maintain the integrity of the security of the access controls;" suffers from the same malady described in Comment Number Twenty and others. There are well-ratified standards for that. Let us use one of them.

 

Comment Number Twenty-Eight:

Section 17.04(4) has several changes. Again, the introduction of "reasonable" is objectionable, as detailed several times above.

 

Comments Number Twenty-Nine and Thirty:

Continuing, and adding 17.04(5), the removal of one specific word, "recording", negates anything good that this Regulation intended. From the trenches: the requirements of recording and regular review are two of the keystones of any security and privacy program. There can be no protection without an audit trail. There can be no protection without a regular audit.

 

Comment Number Thirty-One:

I applaud the added demand for encryption on mobile devices. I suggest a further, in-depth review of what this change means for extremely popular devices such as the iPhone®.

 

Comment Number Thirty-Two:

In section 17.04(6), the word "reasonably" appears again. Twice. This is not an actionable standard.

 

Comment Number Thirty-Three:

Reading on, the phrase "reasonably designed to maintain the integrity of the personal information" is non-implementable, in the sense that only secure operating systems, such as some employed in unique instances by the Department of Defense, can be called "designed to …".

 

Comment Number Thirty-Three (continued):

I suggest that the plug-and-patch cycle, which unfortunately is a part of life for system administrators, be handled by including a written change-control procedure in the CISP I suggest in Comment Number Seventeen.

 

Comment Number Thirty-Four:

In section 17.04(7), the word "reasonably" appears again.

 

Comment Number Thirty-Five:

The removal of all reference to physical security in section 17.04(9) is wrong. There can be no information protection without physical protection. I request that this be added back into the Regulation and enhanced. Quite a few guidelines are available from well-tested regulations.

Thank you very much for your attention and review.

Sincerely,

Ariel Silverstone, CISSP


California’s New Privacy & Breach Notification Law: SB 20

September 14, 2009 (כ"ה אלול תשס"ט), by Ariel

 

The California Assembly passed a new breach-notification bill. This proposed law, SB 20, will become effective if and when California's Governor, the Schwarzenator, signs it into law. Here is my analysis of the requirements specified in the bill:

 

Analysis of California SB 20 Privacy Law

Section: Long Title
Text: An act to amend Sections 1798.29 and 1798.82 of the Civil Code, relating to personal information.
Meaning: Changing the current security breach notification requirements.

Section: Preamble
Text: … This bill would require any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, as specified…
Meaning: Self-explanatory.

Section: Preamble (continued)
Text: …The bill would also require any agency, person, or business that is required to issue a security breach notification to more than 500 California residents pursuant to existing law to electronically submit a single sample copy of that security breach notification to the Attorney General, as specified…
Meaning: This is the gist of the bill. Here you see two important items:

  1. First, this bill applies to State agencies, unlike some other bills in other States.
  2. Secondly, if the breach involves data on more than 500 California residents, you must now let the California Attorney General know.
     
Section: 1
Text: Section 1798.29 of the Civil Code is amended to read:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person…
Meaning: This seems to imply that if the data was encrypted at the time of compromise, then this law does not apply. This is a major issue that may invalidate the bill. Let me explain:

When data is stored on a hard drive or a tape, it is often stored in a file format specific to the program storing it. One can argue, I believe, that that is a form of encryption…

 
Text (continued): The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system….
Meaning: Here I see another "gotcha". The need for expediency here is trumped by "any measures necessary to determine the scope of the breach" and by "restore the reasonable integrity of the data system…."

Why is that a gotcha? Because anyone can say "We are still assessing the scope" or "We have not restored integrity yet".

Section: 1(b)
Text: (b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Meaning: Makes sense to me.

Section: 1(c)
Text: (c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
Meaning: It makes sense to me, but… it delays the expediency clause above.

Section: 1(d)
Text: (d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language.
Meaning: Got to love this!
     
Section: 1(d)(2)
Text: (2) The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver's license or California identification card number.
Meaning: This is a nice description of what must be provided. I am sure businesses appreciate it (this section, however, applies only to State agencies).


It is nice how, here, the requirement is made to supply the numbers of the three "devils".  

     
Section: 1(d)(3)
Text: (3) At the discretion of the agency, the security breach notification may also include any of the following:
(A) Information about what the agency has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
Meaning: Optional additional info.

Section: 1(e)
Text: (e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
Meaning: I am not sure what happened to (C) and (D) and why we went from caps to lower case….

This is a reference to the California Government Code's public-records disclosure provisions, making, in my opinion, these notification letters subject to the California sunshine laws.

Section: 1(f)
Text: (f) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
Meaning: I understand why they say what they said; however, and this is a big HOWEVER, here we see the definition of a security breach becoming something ridiculous. A breach only happens after the misuse of the information.

I am sure that there is a better way to write this…

Section: 1(g)
Text: (g) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Meaning: It may seem petty, but I read this requirement two different ways. Bear with me:

  • an individual’s first name or (first initial and last name), or
  • an individual’s (first name or first initial) and last name

See?  Under the first option, a first name is enough to trigger this requirement.

Text (continued):
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
Meaning: Nice list, but… under (3), a credit card number with a name, but without the required security code or password, is not covered here?

Section: 1(h), 1(i)
Text:
(h) (1) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, "medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, "health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

(i) For purposes of this section, "notice" may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
Meaning: This is good, because without this, even a medical subscription card with an already-masked participant code would be covered.
Section: 1(i)(3)
Text: (3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) E-mail notice when the agency has an e-mail address for the subject persons.
(B) Conspicuous posting of the notice on the agency's Web site page, if the agency maintains one.
(C) Notification to major statewide media and the Office of Information Security within the office of the State Chief Information Officer.
Meaning: This is a VERY good step forward.

Section: 1(j)
Text: (j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Meaning: Excuse me? There is no "i" anymore…
     
Section: 2
Text: Section 1798.82 of the Civil Code is amended to read:
1798.82. (a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Meaning: This is a virtual mirror of the Agency-related requirements above, except that it speaks of persons and companies. So the same exaltations and critiques apply.

Notice the specific call-out of "owns or licenses". This section does not apply to third-party processors or hosting companies.

Section: 2(b)
Text: (b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Meaning: And here… drum roll… the requirement for the processors and the hosting companies!

Section: 2(c) – 2(i)
Text:

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language.
(2) The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that
information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license California identification card number.
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(e) Any person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, "personal information" means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (4) Medical information. (5) Health insurance information.

(h) (1) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (2) For purposes of this section, "medical information" means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. (3) For purposes of this section, "health insurance information" means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records. (i) For purposes of this section, "notice" may be provided by one of the following methods: (1) Written notice. (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code. (3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (A) E-mail notice when the person or business has an e-mail address for the subject persons. (B) Conspicuous posting of the notice on the Web site page of the person or business, if the person or business maintains one.

Meaning: This is a virtual mirror of the Agency-related requirements above, except that it speaks of persons and companies. So the same exaltations and critiques apply.

Section: 2(i)(3)(C)
Text: (C) Notification to major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.
Meaning: As far as I can tell, this is the only difference between the Agency section (above) and the Business section: the Office of Privacy Protection within the State and Consumer Services Agency is specified here as a must-be-notified.

Section: 2(j)
Text: (j) Notwithstanding subdivision (i), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Meaning: Mirrors the Agency-related requirement above; the same critique applies.


Thank you for coming here to see my analysis of the new almost-law, California's Privacy and Breach Notification Law, SB 20.

The usual disclaimer:  I am not a lawyer.  I don’t even play one on TV.  This is not legal advice.
