This posting is a placeholder for me to gather links to resources and articles related to these concerns - that may be relevant to some of the consulting work I do - and may be of interest to others.
California
California Consumer Privacy Act (CCPA)
- https://oag.ca.gov/system/files/initiatives/pdfs/Title%20and%20Summary%20%2817-0039%29_0.pdf
- https://oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf
- https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&lawCode=CIV
- https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81
- Effective Date: 2020-01-01
- Right to know all data collected by a business on you.
- Right to say NO to the sale of your information.
- Right to DELETE your data.
- Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
- Mandated opt-in before sale of children’s information (under the age of 16).
- Right to know the categories of third parties with whom your data is shared.
- Right to know the categories of sources of information from whom your data was acquired.
- Right to know the business or commercial purpose of collecting your information.
- Enforcement by the Attorney General of the State of California.
- Private right of action when companies breach your data, to make sure these companies keep your information safe.
- On 2020-01-01, companies must also be able to verify (or provide) twelve months of history (going back to 2019-01-01).
Assumed Reporting/Governance/Compliance Implications:
- Businesses will be required to track and report, at the category and field/data-element level (e.g. a database column, log file, or blob storage location), the data collected about customers and visitors to their site.
- Compliance departments will need to be able to produce reports (e.g. for audit or legal purposes) identifying which fields/data elements store such data; when requests for that information (or requests for deletion) are received; and when such data is deleted or purged (either by specific request or under normal operational data-management policies).
- Compliance (and security) teams will need to be able to produce reports identifying which customer-related tables/fields/data elements are stored, and whether or not each is encrypted.
- Illustrative, not exhaustive:
- For-Profit legal entity that does business in California and meets one of the following thresholds:
- $50M+ in annual gross revenue;
- Or, sells information, annually, for 100K consumers or devices (combined or separately);
- Or, derives 50% or more of its annual revenues from selling consumers' personal information.
GDPR
- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- http://www.sqlservercentral.com/articles/GDPR/165180/
{To Be Researched}
New York
NYDFS
- https://www.dfs.ny.gov/about/cybersecurity.htm
- https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
- 23 NYCRR 500: CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
- https://www.dataprivacymonitor.com/tag/nydfs/
- https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial
- http://f.datasrvr.com/fr1/017/12004/Cybersecurity_Alert_2.23.17.pdf
- https://www.hldataprotection.com/2017/08/articles/cybersecurity-data-breaches/a-guide-to-nydfs-cybersecurity-regulations-august-28-implementation-deadline/
- "...your policy or policies must apply specifically to your entity and cover the following topics, as relevant to your organization:"
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security and monitoring
- Physical security and environmental controls
- Customer data privacy
- Incident response
- https://www.hldataprotection.com/2018/10/articles/cybersecurity-data-breaches/new-obligations-under-the-nydfs-cybersecurity-regulation-came-online-in-september/
- As of Tuesday, September 4, 2018, covered entities are required to be in compliance with additional requirements relating to:
- Audit Trail (Section 500.06);
- Application Security (Section 500.08);
- Limitations on Data Retention (Section 500.13);
- Monitoring of Authorized Users (Section 500.14(a)); and
- Encryption of Non-public Information (Section 500.15).
Washington