The California Privacy Protection Agency (CPPA) Board will hold its third public hearing on February 3, 2023, at 10 am PST.

The meeting will open with the Chairperson’s Update, during which CPPA Chairperson Jennifer Urban will likely address the status of the delayed California Privacy Rights Act (CPRA) regulations. Chairperson Urban is also a Clinical Professor of Law, the Director of the Samuelson Law, Technology & Public Policy Clinic, and the Co-Director of the Berkeley Center for Law and Technology at the UC Berkeley School of Law. Hopefully, we will see further guidance on the technical requirements of the CPRA and the implementation standards.

Long-awaited amendments and the possible adoption of final CPRA rules are on the agenda. The agenda includes preliminary rulemaking activity for new regulations on risk assessments, cybersecurity audits, and automated decision-making. The fact that the CPPA is undertaking other rulemaking activities may indicate that the Board hopes to adopt the final CPRA regulations at this meeting. Fingers crossed. Members of the public can join the meeting on Zoom.

Members of the public attending will be given the opportunity to comment on each agenda item before any Board action. To view the agenda and learn more about how you can attend, click here.

On January 22, 2023, T-Mobile was sued in federal court in California alleging negligence, unjust enrichment, breach of express contract, breach of implied contract, and invasion of privacy over the recently disclosed data breach of more than 37 million postpaid and prepaid customer records.

According to the complaint, the plaintiff was informed just two days before suit was filed that information belonging to her and other class members was “accessed and acquired by the unauthorized actor” and that class members “are at imminent risk of identity theft.”

On the other hand, T-Mobile has stated in a recently filed Form 8-K that the threat actor obtained data through a single API (application programming interface), that the company discovered and stopped it within one day, and that the threat actor was unable to compromise its systems or network. Significantly, T-Mobile stated that the data accessed by the bad actor did not include any financial information or Social Security numbers. Instead, the data accessed included customers’ “names, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”

Based on the facts presented by T-Mobile, we expect that the company will vigorously defend the suit and a motion to dismiss the complaint will be forthcoming. There is strong precedent that requires plaintiffs to prove substantial harm in order to withstand a motion to dismiss. No matter how this particular case plays out, what is astounding is the speed at which suits are filed after a data breach is announced, no matter the facts.

In response to a rash of employment offer scams, the Federal Trade Commission (FTC) recently issued a scam alert intended to educate job seekers so they can avoid being victimized.

Not only are individuals subject to these scams, but legitimate businesses are spoofed and used to conduct the scams and they only find that out after the fact. It is frustrating when your business name is used by a criminal to conduct fraud and you don’t know it’s happening, how it’s happening, or how to stop it.

How does an employment offer scam work? There are several ways, but one common way is for a fraudster to set up a fake website that spoofs a real business, or to spoof a recruiter from a legitimate business by copying their information from a social media platform. Fraudsters use the website to offer jobs online, conduct interviews, and then “onboard” the victim. During the “onboarding” process, the fraudster instructs the victim to enter personal information, including a Social Security number and bank account information (all supposedly used to set up payroll), into an online form, or may ask the victim to purchase certain equipment before starting the job, for which the applicant will be reimbursed once they start the job. If you are searching for a job in the new year, be wary of job offer scams. Check out these tips from the FTC.

Israeli cybersecurity firm Hudson Rock has reported that the email addresses of more than 235 million Twitter users have been stolen and posted by more than one hacker on an online hacking forum. According to the security researcher’s Twitter posts, the compromise “is real and has an impact on almost every Twitter user. The database is likely circulating pretty heavily and will unfortunately likely leak in the near future.”

The original offering was posted by threat actor “Ryushi.” The offering was expanded by other threat actors to include telephone numbers of some users as well. According to Hudson Rock’s LinkedIn post, the compromise “will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

In response to Hudson Rock’s report, Twitter issued a statement on January 11, 2023, that “based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems.” Twitter suggests that users enable two-factor authentication and “remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns.”

Twitter users should be aware of the report of this compromise and be on high alert for spearphishing and doxxing.

Readers of this blog know that we’ve been closely following the California Privacy Rights Act (CPRA) rulemaking process. California passed the law in 2020 to update the California Consumer Privacy Act of 2018 with additional consumer rights and business obligations. The CPRA also established a new government agency, the California Privacy Protection Agency (CPPA), responsible for enforcing the law and drafting regulations.

Unfortunately, writing detailed regulations while breaking ground on a new agency has most likely overwhelmed the CPPA. The CPRA has been effective since the first of the year, and businesses are still working on compliance with and implementation of the proposed regulations. While much of the draft regulations is likely to remain the same, there are some technical compliance points that companies have to figure out without explicit guidance.

For example, the proposed regulations require businesses to treat “Do Not Track” browser signals as opt-out requests from the consumer. However, processing a “Do Not Track” signal differs from processing specific CPRA data requests. Typical CPRA requests include the consumer’s name and contact information, which the business can check against its records. “Do Not Track” signals only come bundled with specific technical identifiers (such as the IP address and operating system) that aren’t necessarily associated with a consumer in the business’s records. The conditions change again when the consumer is known to the business and has opted into tracking, making the technical aspects of compliance even more complicated. Companies will need to develop a strategy to address this requirement (unaided by an industry standard for responding to “Do Not Track” signals).

Faced with the January 1 deadline for CPRA compliance, the industry is now hewing as close to the EU’s General Data Protection Regulation (GDPR) controls and implementation as possible. The CPPA may continue to let the standard develop parallel to the GDPR as the path of least resistance for both businesses and regulators.
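To make the difference between a signal-based opt-out and a named request concrete, here is an added example (not code from the original post) of a small server-side handler that treats a browser opt-out signal as an opt-out request. The header names are real (`DNT` is the legacy Do Not Track header, `Sec-GPC` the Global Privacy Control header); the record layout, the hashing of technical identifiers for anonymous visitors, and the “conflict” outcome for a known consumer who previously opted in are assumptions made for illustration, not a statement of what the regulations require.

```python
# Added example, not code from the original post. Header names are real
# ("DNT" is the legacy Do Not Track header, "Sec-GPC" the Global Privacy
# Control header); the record layout, the hashing of technical identifiers
# and the "conflict" outcome are assumptions made for illustration.
import hashlib
from dataclasses import dataclass, field

OPT_OUT_HEADERS = ("sec-gpc", "dnt")  # a value of "1" means opt out


@dataclass
class Consumer:
    """A consumer known to the business, i.e. matched against its records."""
    consumer_id: str
    opted_in_to_tracking: bool = False   # explicit earlier choice on record
    sale_sharing_opt_out: bool = False


@dataclass
class OptOutStore:
    by_consumer: dict = field(default_factory=dict)
    by_technical_key: dict = field(default_factory=dict)


def signal_present(headers):
    """True if the request carries an opt-out signal (header names are
    matched case-insensitively, as HTTP requires)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return any(lowered.get(h) == "1" for h in OPT_OUT_HEADERS)


def technical_key(client_ip, user_agent):
    """An anonymous signal arrives with nothing but technical identifiers, so
    the opt-out is keyed by a hash of them rather than by stored raw values."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def process_request(headers, client_ip, user_agent, store, consumer=None):
    """Return what the business did with this request's signal."""
    if not signal_present(headers):
        return "no-signal"
    if consumer is None:
        store.by_technical_key[technical_key(client_ip, user_agent)] = True
        return "opted-out:anonymous"
    if consumer.opted_in_to_tracking and not consumer.sale_sharing_opt_out:
        # The signal contradicts an explicit choice on record; surface it for
        # review instead of silently overriding either (assumed policy).
        return "conflict:needs-consumer-confirmation"
    consumer.sale_sharing_opt_out = True
    store.by_consumer[consumer.consumer_id] = True
    return "opted-out:consumer"
```

The anonymous branch is the case the post describes: the only thing the business can attach the opt-out to is the technical fingerprint the signal arrived with, which is why it cannot be reconciled with a consumer record the way a named CPRA request can.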

It has been difficult to watch the extreme weather patterns that have been happening around the U.S. over the past few months: fires and torrential rainstorms in California, tornadoes down south, blizzards in the Midwest and New York, and a devastating hurricane in the Gulf of Mexico. It is heartbreaking to see the devastation and then, on top of it, to know that fraudsters are using natural disasters to perpetrate fraud on victims who have suffered through them. The Federal Trade Commission (FTC) receives so many complaints about these fraudsters that it issued a warning on January 18, 2023, entitled “How to spot, avoid, and report weather-related scams.”

Whether you have been, or may in the future be, the victim of a weather disaster, or you want to assist those who are victims of a natural disaster, heed the warning of the FTC and protect yourself from these scammers.

According to the Alert:

Here are a few ways to spot the scammers who might try to take your money or personal information after a weather emergency:

  • Spot imposter scams. Scammers might pretend to be safety inspectors, government officials trying to help you, or utility workers who say immediate work is required. Don’t give them money, and do ask for identification to verify with whom you are dealing before sharing personal information such as your Social Security or other private account numbers.
  • Spot FEMA impersonators charging application fees. If someone wants money to help you qualify for FEMA funds, it’s a scam. Download the FEMA Mobile App to get alerts and information. Visit FEMA.gov for more information.
  • Spot home improvement and debris removal scams. Unlicensed contractors and scammers may appear in recovery zones with promises of quick repairs or clean-up services. Walk away if they demand cash payments up front, or refuse to give you copies of their license, insurance, and a contract in writing.
  • Spot rental listing scams. Scammers know people need a place to live while they rebuild. They’ll advertise rentals that don’t exist to get your money and run. The scammers are the ones who tell you to wire money, or who ask for security deposits or rent before you’ve met or signed a lease.
  • Spot charity scams. Scammers will often try to profit from the misfortune of others, sometimes using familiar-sounding names or logos. Check Donating Wisely and Avoiding Charity Scams [https://consumer.ftc.gov/features/how-donate-wisely-and-avoid-charity-scams] before opening up your wallet.

If you are the victim of a scammer, report the incident to the FTC. Stay safe during these uncertain times and avoid being victimized twice: once by the weather and again by a scammer.

On Tuesday, January 17, 2023, the University of Texas at Austin announced that it has blocked TikTok access across the university’s networks. According to the announcement to its users, “You are no longer able to access TikTok on any device if you are connected to the university via its wired or WIFI networks.” The measure was in response to Governor Greg Abbott’s December 7, 2022, directive to all state agencies to eliminate TikTok from state networks. Following the directive, the University removed TikTok from university-issued devices, including cell phones, laptops and work stations.

An Illinois appellate court has ruled that Apple’s biometric unlock features, including Touch ID fingerprint scanning and Face ID facial geometry scanning, do not violate the state’s Biometric Information Privacy Act (BIPA). The case involved a group of Illinois residents who alleged that Apple’s Face ID feature impermissibly collects facial geometries from pictures stored in the Photo app on Apple devices. The plaintiff class claimed that Apple violated BIPA by collecting, possessing, and profiting from biometric information without the knowledge or consent of users. According to the complaint, Apple did not have an established retention policy for biometric data and failed to obtain written permission to collect the information.

According to the appellate opinion, Apple never collected, stored, or managed the data collected by Touch ID and Face ID because the biometric data are stored locally on the user’s device. The court distinguished this local storage, which Apple contends is strictly controlled by the user, from cloud-based storage that takes the data out of the user’s custody. BIPA doesn’t define “possession,” so this ruling supports a narrow reading of the law based on the data’s physical storage location.

The court did not address whether technology that stores biometric data locally but still actively “phones home” for updates would change the calculus. For now, tech companies have a tested roadmap for BIPA-compliant security features: store the data locally and encrypt it.


There are pros and cons to using a password manager. The biggest pro is that it helps keep all of our passwords organized and safe. The biggest con is that if the password manager is compromised, and the master password gets into the wrong hands, all of our passwords are compromised.

Password management company LastPass has been tackling several security incidents over the past few months. On August 25, 2022, LastPass informed its customers that it discovered unusual activity within its environment and determined that “an unauthorized party gained access to portions of the LastPass development environment…and took portions of source code and some proprietary LastPass technical information.” At that time, LastPass assured customers that their Master Password had not been compromised and didn’t recommend any action.
