California and Massachusetts Legislatures Push Data Breach and Security Bills

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notice requirements, respectively.

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law were vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D), may well sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require posting a notice that a breach has occurred on the business’s website and in major statewide media, and notifying the California Office of Privacy Protection.

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised. Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that “the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

Federal Contractors To Deal With Federal File Sharing Concerns

Under a measure passed overwhelmingly by the U.S. House of Representatives (408-13), federal contractors would be required to adopt measures established by the Office of Management and Budget to limit open network peer-to-peer file sharing software (P2P Software). The “Secure Federal File Sharing Act” (H.R. 4098), likely a response to the leakage of House and Senate ethics investigations, would be the first widespread federal statute regulating P2P Software if it becomes law.

Under the law, federal government employees and contractors would be prohibited from downloading, installing, or using P2P Software on federal computers without government approval. Federal agencies would be required to take steps to find and remove P2P Software from such computers, including government computers operated by contractors. In particular, the Act requires OMB guidelines

to address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.

Within 90 days of enactment, OMB will need to set up a procedure for approving the use of P2P Software. Within 180 days of enactment, with respect to contractors, agencies will need to

  1. require any contract awarded by the agency to include a requirement that the contractor comply with OMB guidance in the performance of the contract;
  2. update their information technology security or ethics training policies to ensure that all employees working for contractors on the government’s behalf are aware of the requirements of OMB guidance and the consequences of engaging in prohibited conduct; and
  3. ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the OMB guidance from all federal computers, computer systems, and networks operated by contractors on the government’s behalf.

Numerous examples of data leaks caused by irresponsible use of P2P Software should push all businesses to take steps to use this potentially valuable technology more carefully.