Oct 06 2018

I’m really going to miss California when it falls off into the Pacific some day.

Zack Whittaker reports:

Good news!

California has passed a law banning default passwords like “admin,” “123456” and the old classic “password” in all new consumer electronics starting in 2020.

Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”

It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.

Read more on TechCrunch.

Sep 11 2018

Akin Gump Strauss Hauer & Feld LLP write:

The California Consumer Privacy Act (CCPA), the nation’s broadest privacy protection statute, was enacted by the California Legislature in June 2018 as part of a last-minute deal to stop a proposed statewide ballot measure that could have ushered in an even stricter privacy law. We have written about the CCPA’s passage in earlier alerts.

Sponsored by San Francisco real estate magnate Alastair Mctaggart and privacy advocacy groups, the ballot measure was strongly opposed by business groups and tech interests. Racing to beat a statutory deadline for the Mctaggart measure to be placed on the ballot, the Legislature hastily passed the CCPA in June while promising to introduce cleanup legislation after the summer recess.

Efforts to substantively revise the CCPA began nearly immediately after its passage, with the AGO (the chief enforcement agency for the CCPA), business groups, and privacy activists pressing for focused changes. Those efforts coalesced around Senate Bill 1121 (SB 1121) in August.

Read more on JD Supra.

Sep 04 2018

Craig A. Newman of Patterson Belknap writes:

By today, financial institutions are required to meet their next deadline for compliance with New York’s cybersecurity law. The regulation – enacted in March 2017 – includes a series of rolling deadlines that require banks and insurance companies covered by the law to meet varying data security requirements.

Today’s deadline requires companies to meet five new milestones, mostly technical in nature. Earlier requirements from the New York State Department of Financial Services or DFS cybersecurity regulation focused on developing and implementing written cybersecurity policies and procedures.

Yet, the most difficult requirement for most companies is still six months away. By March 1, 2019, businesses are required to get their third-party vendors in line by adopting policies and procedures that govern the way these outsiders access the company’s network and its most sensitive information.

Read more on Data Security Law Blog.

Aug 08 2018

From Hunton Andrews Kurth:

On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.

The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA.

Read more on their Privacy & Information Security Law Blog.

Jul 25 2018

Katie Lannan reports:

A compromise bill filed Tuesday by a House-Senate conference committee would afford Massachusetts residents a year and a half of free credit monitoring services if their personal data and Social Security number are compromised by a data security breach.

The panel, chaired by Rep. Tackey Chan and Sen. Barbara L’Italien, filed its report with the House clerk’s office around 5:30 p.m. after all six of its members had signed off. The bill could surface for a vote on Wednesday.

Read more on WBUR.

Bill information: H4806

Headline corrected post-publication. I had used WBUR’s headline, which unfortunately said “Protest” instead of “Protect.” Thanks to the Twitter user who alerted me to it.