California Attorney General's Office

CA's Privacy Legal Framework
• Reasonable Security
– Minimum standard of “reasonable security”
• Consumer Notice
– California Online Privacy Protection Act
Civil Code §1798.81.5
A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
2016 Data Breach Report
4 years of breaches affecting >500 CA residents (2012-2015)
– 657 breaches
– 49+ million records of CA residents breached
2016 Data Breach Report
Greatest Threat:
• Malware & hacking, both in the number of breaches and the number of records breached.
– 54% of total breaches,
– 90% of records breached = 44.6 million records.
Industry Hardest Hit:
• Retail, with 25% of breaches, 42% of records
– Type of Data: Payment Cards
CIS Critical Security Controls: A Reasonable Floor
• The 20 controls in the Center for Internet Security's Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security.
CIS Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protection
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CIS Critical Security Controls
CSC 11: Secure Configurations for Network Devices (Firewalls, Routers, Switches)
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
Next Challenge for Security: IoT
Attorney General Kamala D. Harris Urges Consumers to Protect
their Devices from Potential “Botnet Attacks”
Monday, October 31, 2016
Contact: (415) 703-5837, [email protected]
LOS ANGELES – Attorney General Kamala D. Harris is advising Californians to protect their electronic devices from
potential hacks and urges Internet of Things (IoT) manufacturers and developers to take immediate steps to help
secure home electronic devices against capture by a potential “botnet attack” from a cyber criminal.
The IoT includes connected devices and smart devices, including everyday objects such as webcams, routers,
DVRs, lighting, heating, and refrigerators. A botnet is a network of infected computers, where the network is used by
the malware to expand. A botnet attack occurs without the computer owners’ knowledge, and is typically used to
send spam emails, transmit viruses, and engage in other acts of cybercrime.
As recent botnet attacks have shown, a greater emphasis on the security of connected devices, with a focus on
security-by-design in product development, is urgent and essential. Much is at stake as IoT continues its rapid
expansion to an estimated 38 billion connected devices by 2020. Improving the security of these devices will make
the Internet safer for all users and reduce the risk of cybercrime.
On October 21, according to public reports, a botnet of Internet-connected devices was used for a Distributed Denial
of Service (DDOS) attack on an Internet infrastructure company called Dyn that acts as an address book for
Connected Toothbrush
CIS Critical Security Controls: IoT
Internet of Things Security Companion to the CIS Critical Security Controls (Version 6)
October 2015
Bus. & Prof. Code, §22575
An operator of a commercial Web site or online service that collects PII through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site.
CalOPPA Complaint Tool
Notice to Consumers
Commercial Use of Tech
Privacy Best Practice Recommendations For Commercial Facial Recognition Use
These “Privacy Best Practice Recommendations for Commercial Facial Recognition Use” serve as general guidelines for covered entities. The fundamental principles underlying the recommendations are based on the Fair Information Practice Principles (FIPPs)¹.
It is left to implementers and operators to determine the most appropriate way to implement each of these privacy guidelines.
Given the numerous existing uses in widely different applications (such as authentication, social media and physical access control), as well as potential uses, specific/detailed practices are not feasible or practical across this wide spectrum.
These best practices are intended to provide a flexible and evolving approach to the use of facial recognition technology, designed to keep pace with the dynamic marketplace surrounding these technologies.
This document is intended to provide a general roadmap to enable entities using facial recognition technologies by recognizing differing objectives, risks and individual expectations associated with various applications of these technologies.
These principles do not apply to the use of facial recognition for the purpose of aggregate or non-identifying analysis. For example, when facial recognition technology is used only to count the number of unique visitors to a retail establishment or to measure the genders or approximate ages of people who view a store display (for marketing research purposes), those practices are outside the scope of these principles.
These best practices do not apply to security applications, law enforcement, national security, intelligence or military uses, all of which are beyond the scope of this document.
Definitions
Covered Entity – Any person, including corporate affiliates, that collects, stores, or processes facial template data. Covered entities do not include governments, law enforcement agencies, national security agencies, or intelligence agencies.
Unaffiliated Third Party – Any person other than (1) a user of a covered entity's products or services; (2) a covered entity's employees; (3) an entity under common control or ownership with a covered entity; or (4) a vendor or supplier to a covered entity when such vendor or supplier is used to provide a product or service related to facial template data.
Facial Template Data – A unique facial attribute or measurement generated by automatic measurements of an individual's facial characteristics, which are used by a covered entity to
¹ FIPPs are a widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy. These principles are at the core of the Privacy Act of 1974 and are mirrored in the laws of many U.S. states, as well as in those of many foreign nations and international organizations.
Resources from CA AG
• Business Privacy Resources
– www.oag.ca.gov/privacy/business-privacy
• California Data Breach Reports
– www.oag.ca.gov/privacy/privacy-reports
• Data Breach Reporting
– www.oag.ca.gov/ecrime/databreach/reporting
• Privacy Enforcement Actions, Laws, & Legislation
– www.oag.ca.gov/privacy/privacy-enforcement-laws-legislation
Civil Code §1798.82
• “breach of the security of the system”
• “most expedient time possible and without unreasonable delay”
• “notification shall be written in plain language” (new format reqs.)
• “provide appropriate identity theft prevention and mitigation services” (SSN or DL)
• >500 CA residents: provide sample copy of notice to AG