Background

Yesterday, on September 22, 2021, the California Privacy Protection Agency (“CPPA”) — the new privacy regulatory agency created by the California Privacy Rights Act of 2020 (“CPRA” or “CCPA 2.0”) — issued an invitation for public comment on its proposed rulemaking.  Such comments “will assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner.” Thus, the CPPA invites stakeholders to propose specific language for new regulations or changes to existing ones.

This invitation for comments is not a proposed rulemaking, but an invitation for comment generally as a part of the agency’s preliminary rulemaking activities. Stakeholders will have additional opportunities to comment on any specific proposed rulemaking actions that may be issued in the future.

Topic Areas for Comment

The CPPA’s invitation includes several pages of specific questions, each categorized under the following topic areas:

  1. Processing that Presents a Significant Risk to Consumers’ Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses
  2. Automated Decisionmaking
  3. Audits Performed by the Agency (CPPA)
  4. Consumers’ Right to Delete, Right to Correct, and Right to Know
  5. Consumers’ Rights to Opt Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of their Sensitive Personal Information
  6. Consumers’ Rights to Limit the Use and Disclosure of Sensitive Personal Information
  7. Information to Be Provided In Response to a Consumer Request to Know (Specific Pieces of Information)
  8. Definitions and Categories
  9. Additional Comments

How to Submit Comments

Interested parties must submit comments by Monday, November 8, 2021.  Comments may be submitted via mail or via email to regulations@cppa.ca.gov as specified in the invitation.

To view the invitation for comment and the specific questions listed in the categories above, please click here.

Background

On August 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms in three actions for cybersecurity failures in their policies and procedures that exposed the personal information of thousands of customers at each firm. These firms included: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).  All were registered with the SEC as broker dealers, investment advisory firms, or both. These failures violated Regulation S-P, also known as the Safeguards Rule.

SEC Prioritizes Cybersecurity

This action occurred in the midst of repeated indications from the SEC that cybersecurity is a top priority for them.  On September 14, 2021, SEC Chair Gary Gensler told a Senate Committee that:

“Today’s investors are looking for consistent, comparable, and decision-useful disclosures around climate risk, human capital, and cybersecurity. I’ve asked staff to develop proposals for the Commission’s consideration on these potential disclosures. These proposals will be informed by economic analysis and will be put out to public comment, so that we can have robust public discussion as to what information matters most to investors in these areas.

Companies and investors alike would benefit from clear rules of the road. I believe the SEC should step in when there’s this level of demand for information relevant to investors’ investment decisions.”

Details of Incidents

Alleged details of the incidents are contained in the three orders:

  • Cetera Entities Order. Between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera Entities’ personnel were taken over by unauthorized third parties, exposing personally identifying information (PII) of at least 4,388 customers and clients. None of the accounts were protected in a manner consistent with the Cetera Entities’ policies. The order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.
  • Cambridge Order. Between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, exposing PII of at least 2,177 customers and clients. The order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
  • KMS Order. Between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, exposing the PII of approximately 4,900 KMS customers and clients.  The order finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.

In the SEC’s press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, stated:

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

SEC Findings

The Commission’s orders find that each firm violated Rule 30(a) of Regulation S-P.  The orders also find that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients. Without admitting or denying the findings, each firm has agreed to cease and desist from future violations of these provisions, to be censured, and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.

Lessons Learned

As the SEC continues to prioritize cybersecurity and issue enforcement actions, regulated entities should be taking the time and effort to assess the maturity of their cybersecurity governance and their compliance with the requirements of Regulation S-P. This means:

  • Understanding the information that the entity (and its vendors) process and who has access to this data;
  • Protecting data through administrative, physical, technical and other safeguards;
  • Conducting risk assessments to identify those systems and assets warranting enhanced protections;
  • Implementing and testing incident detection and response capabilities and processes; and
  • Assigning clear responsibility for maintenance, periodic review, and updates with respect to the entity’s cybersecurity governance program as well as the information included in initial, annual, and revised privacy notices required to be provided under Regulation S-P.

To view the order against the Cetera Entities, click here.

To view the order against Cambridge, click here.

To view the order against KMS, click here.

On May 12, 2021, President Biden issued an executive order to strengthen U.S. cybersecurity defenses. The order comes in the wake of the ransomware attack on Colonial Pipeline and numerous other cybersecurity attacks against the U.S. government and private companies over the past few years. The order proposes a wide array of changes to bolster the federal government’s ability to respond to and prevent cybersecurity attacks. The major sections of the order are highlighted below:

  • Removing Barriers to Sharing Threat Information – IT and OT service providers contracting with the federal government will be required to share data and information related to cybersecurity breaches that could impact U.S. networks. The order requires review and updates to the Federal Acquisition Regulation (FAR) and agency-specific cybersecurity requirements to meet this goal.

  • Modernizing Federal Government Cybersecurity – Agencies will be required to modernize their approach to cybersecurity. The order imposes requirements to reach this modernization goal, including: (a) requiring all agencies to develop a plan for implementing Zero Trust Architecture (an approach to network security that focuses on user authentication and limiting access on a need-to-know basis), (b) requiring agencies and the Director of OMB to develop a federal cloud security strategy, and (c) requiring agencies to adopt multi-factor authentication and encryption for data at rest and in transit (to the maximum extent possible under applicable laws).

  • Enhancing Software Supply Chain Security – After receiving input from the federal government, private sector, academia and others, the Director of the National Institute of Standards and Technology (NIST) will develop guidelines to enhance the security of commercial software. Once such guidelines are put in place, agencies will only be allowed to purchase software that meets the guidelines. Software suppliers will have to “self-certify” that the guidelines have been met and suppliers who do not comply will be removed from federal procurement lists.

  • Establishing a Cyber Safety Review Board – A “Cyber Safety Review Board” will be established by the Secretary of Homeland Security to assess significant cyber incidents affecting federal civilian agency systems and non-federal systems. The board will be composed of private and public sector officials and will convene after “significant cyber incidents” to analyze and make recommendations on responding to such cyberattacks.

  • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – The Secretary of Homeland Security will develop a standard set of operational procedures (or “playbook”) to be used in planning and conducting cyber incident response.

  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks – All federal civilian agencies will be required to deploy an Endpoint Detection and Response (EDR) initiative. EDR is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The goal of EDR is to proactively and quickly identify cybersecurity threats and respond to them.

  • Improving the Federal Government’s Investigative and Remediation Capabilities – The Secretary of Homeland Security will provide the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks.

  • National Security Systems – The Department of Defense will be required to adopt at least equivalent requirements for “National Security Systems” to the extent the order is not otherwise applicable to such systems.

To view the Executive Order, click here.

On March 17, 2021, Governor Gavin Newsom, Attorney General Xavier Becerra, Senate President pro tem Toni Atkins, and Assembly Speaker Anthony Rendon announced the members of the California Privacy Protection Agency (CPPA), the new administrative agency created by the California Privacy Rights Act (CPRA) and charged with protecting consumer privacy rights over personal information.

“Californians deserve to have their data protected and the individuals appointed today will bring their expertise in technology, privacy and consumer rights to advance that goal,” said Governor Newsom. “These appointees represent a new day in online consumer protection and business accountability.”

The five board members include:

Jennifer M. Urban, 47, of Kensington, has been appointed Chair of the California Privacy Protection Agency Board by Governor Newsom. Urban has been a Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley – School of Law since 2009, where she has held multiple positions since 2002, including Fellow, Lecturer, and Visiting Acting Clinical Professor of Law. She was a Clinical Professor of Law and the founding Director of the Intellectual Property and Technology Law Clinic at the University of Southern California, Gould School of Law from 2004 to 2009. Urban was a Visiting Associate Professor of Law and Interim Director of the Cyberlaw Clinic at Stanford University – Stanford Law School from 2007 to 2008. She was an Attorney in the IP Group at Venture Law Group from 2000 to 2001. Urban is a Member of the American Association of Law Schools, American Intellectual Property Law Association, Takedown Research Network, American Civil Liberties Union, and Authors Alliance. She earned a Juris Doctor degree from the University of California, Berkeley, School of Law.

John Christopher Thompson, 49, of Pasadena, has been appointed to the California Privacy Protection Agency Board by Governor Newsom. Thompson has been Senior Vice President of Government Relations at LA 2028 since 2020. He held multiple positions at Southern California Edison from 2013 to 2020, including Vice President of Local Public Affairs and Vice President of Decommissioning. Thompson held multiple positions at the United States Senate from 2003 to 2013, including Chief of Staff, Legislative Director, and Legislative Assistant. He was a Legislative Assistant at the United States House of Representatives from 1996 to 2001. Thompson is a member of the California Science Center Foundation, Public Media Group of Southern California, and Public Policy Institute of California Statewide Leadership Council.

Angela Sierra is the designee of Attorney General Xavier Becerra. Sierra recently served as Chief Assistant Attorney General of the Public Rights Division, overseeing the work of the Division’s over 400 employees in areas related to safeguarding civil rights, protecting consumers against misleading advertising claims, fraudulent business practices and privacy violations, maintaining competitive markets, protecting consumers’ health care rights, preserving charitable assets and safeguarding the State’s natural resources and environment. As the Chief of the Public Rights Division, Sierra oversaw the Consumer Protection Section’s Privacy Unit, including the Unit’s multi-state data-breach settlement with Equifax in 2019 that resolved allegations that the credit reporting agency improperly exposed the personal information of 147 million consumers, including 15 million Californians. During her 33-year career at the Department of Justice, Sierra worked on a broad range of issues, including police practices, voting rights, housing and employment discrimination, immigrant rights, civil prosecution of hate crimes, discriminatory business practices, disability access, reproductive rights, environmental justice, Native American cultural protection, and access to education. Sierra is also a seasoned litigator and appellate advocate with administrative law and rulemaking experience, and throughout her career she has worked closely with a wide array of state agencies.

Lydia de la Torre is the President Pro Tem’s nominee to the CPPA Board. Since 2017, de la Torre has been a professor at Santa Clara University Law School, where she has taught privacy law and co-directed the Santa Clara Law Privacy Certificate Program, a cutting-edge program that enables students to graduate ready to practice privacy law. She also has served as of-counsel to Squire Patton Boggs, where she specialized in privacy, data protection, and cybersecurity. She is leaving the law firm to take on this appointment, and during a short transition out of the firm, she will not be participating in any firm meetings or business related to the CPRA. Lydia de la Torre is an international expert in data protection issues generally and in the European Union’s General Data Protection Regulation (GDPR) in particular. Her expertise will bring a unique knowledge to the CPPA Board and to California in its examination of these international issues at the state level.

Vinhcent Le is the designee of Speaker Anthony Rendon. Le currently serves as a Technology Equity attorney at the Greenlining Institute, focusing on consumer privacy, closing the digital divide, and preventing algorithmic bias. Le’s work has helped secure funding to increase broadband access, improve and modernize the California Lifeline Program, and create a program to provide laptops to low-income students in California. Prior to his current position, he served as a law clerk in the Orange County Public Defenders Office, the Office of Medicare Hearing and Appeals, and the Small Business Administration. Le received a J.D. from the University of California, Irvine School of Law, and a B.A. in Political Science from the University of California, San Diego.

To view the California Attorney General’s press release, click here.

California Attorney General Issues Additional CCPA Regulations Advancing Consumer Protections

On March 15, 2021, the California Attorney General (“AG”) approved additional CCPA regulations to enhance consumer protections for opting out of the sale of information.  These regulations come after the third set of modifications was approved last October, and after the California Privacy Rights Act of 2020 (“CPRA” or “CCPA 2.0”) passed the state referendum; the CPRA will become effective in January 2023.  Specifically, the AG’s office noted that the approved regulations ban “dark patterns” that delay or obscure the opt out process, and prohibit the burdening of consumers with confusing language or unnecessary steps, such as forcing them to click through multiple screens, or presenting reasons why they should not opt out.

Specifically, the regulations:

  • require businesses selling personal information that was collected offline to also use an offline method to inform consumers of their right to opt out and to provide instructions on how to submit a request;
  • provide businesses with an optional Privacy Options icon;
  • require that a business’s methods for submitting opt out requests be easy to follow and require minimal steps to allow the consumer to opt out. A business must not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s opt out choices; and
  • clarify the proof that a business may require an authorized agent to provide, and what the business may require of a consumer to verify their request.

To view the press release click here.

To view the updated version of the affected regulations, click here.

Ascension Data & Analytics LLC, a data analytics company for the mortgage industry, has entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following allegations that it violated the Gramm-Leach-Bliley Act’s (GLB) Safeguards Rule by failing to ensure that a third-party vendor was adequately securing data of mortgage holders. The FTC complaint states that Ascension contracted with the third-party vendor, OpticsML, to scan and store mortgage documents containing sensitive financial information of thousands of mortgage holders. OpticsML stored these documents on a cloud-based server and in a separate cloud-based storage location but failed to protect or encrypt the server and storage locations, which left them unprotected on the internet from January 2018 to January 2019. As a result, approximately 52 unauthorized IP addresses accessed them with most of the IP addresses coming from computers outside of the United States, including addresses from Russia and China.

The FTC complaint concludes that Ascension violated Section 501(b) of the GLB Act (or the Safeguards Rule), which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program. The Safeguards Rule also requires financial institutions to oversee their third-party vendors and ensure that third-party vendors are capable of maintaining and implementing safeguards appropriate for the type of personal information collected from customers. The Safeguards Rule requires these types of measures to be in the contracts between the financial institutions and third-party vendors. The FTC complaint alleges that Ascension failed to take any formal steps to evaluate whether OpticsML could reasonably protect the personal information in the mortgage documents and failed to contractually require OpticsML to implement adequate safeguards.

The FTC and Ascension have now entered into a proposed settlement agreement to resolve these allegations. The settlement agreement requires Ascension to implement a comprehensive data security program, conduct biennial assessments of the effectiveness of the data security program, and provide yearly certifications to the FTC that Ascension is complying with the FTC’s order. Ascension must also report any future data breaches to the FTC within 10 days of notifying federal or state government agencies.

On December 23, 2020, a description of the proposed settlement agreement was published in the Federal Register. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make the proposed agreement final.

To view the FTC Complaint, click here.

To view the Proposed Settlement Agreement, click here.

To view the Federal Register Notice, click here.

As the nation closely watches the election results coming in, the majority of votes counted in California suggest that the California Privacy Rights Act of 2020 (“CPRA”, commonly known as “CCPA 2.0”) is on track to pass.  Proposition 24 on the California General Election ballot, based on the information available to us at the time of this blog post, is likely to pass with 6,342,807 (56.1%) votes in favor and 4,966,086 (43.9%) votes against, with 99.0% of the precincts partially reporting.

The CPRA would amend the CCPA and require businesses to:

  • not share a consumer’s personal information upon the consumer’s request;
  • provide consumers with an opt-out option for having their sensitive personal information used or disclosed for advertising or marketing;
  • obtain permission before collecting data from consumers who are younger than 16;
  • obtain permission from a parent or guardian before collecting data from consumers who are younger than 13; and
  • correct a consumer’s inaccurate personal information upon the consumer’s request.

If passed, the CPRA would become operative on January 1, 2023, and would only apply to personal information collected after January 1, 2022.

On October 22, 2020, the National Institute of Standards and Technology (“NIST”) published NIST Technical Note (TN) 2111, “An Empirical Study on Flow-based Botnet Attacks Prediction”. The note, authored by Mitsuhiro Hatada and Matthew Scholl of NIST’s Information Technology Laboratory, presents a method to predict botnet attacks, such as mass spam email and distributed denial-of-service attacks (“DDoS”).  This is particularly timely as botnet threats continue to rise in the era of the Internet of Things (“IoT”), where the number, density, and connectivity of devices continue to increase.

The described method leverages the measurement of command and control (C2) activities and automated labeling that associates those activities with attacks.  The authors evaluated the method using a large-scale, real-world, and long-term dataset. The note highlights that C2 metrics measured 30 to 60 hours before an attack are more predictive than the metrics taken immediately before the attack occurs.  The results show that the proposed method can predict an increase in attacks with an accuracy of 0.767.   NIST intends for this work to support internet security by contributing to the development of further countermeasures against botnets.

To review the press release, click here.

To review the technical note, click here.

On October 12, 2020, California’s Attorney General proposed a third set of modifications to California Consumer Privacy Act (“CCPA”) regulations. These proposed modifications come nearly two months after the final regulations were approved and made effective by the California Office of Administrative Law (“OAL”) on August 14, and less than a month before the California Privacy Rights Act (“CPRA”) will be put to the voters on the statewide ballot on November 3, 2020.

Below, we summarize the proposed modifications and provide direct links at the bottom of this post. Comments are due no later than 5pm (Pacific Time) on October 28, 2020:

  • Offline Notices of Opt Out Rights:

    Current section 999.306 requires businesses that “sell” personal information to provide a notice of consumers’ rights to opt out. It provides for online notices and even requires businesses that do not operate a website to provide an alternative documented method to inform consumers of the right to opt out. The proposed modification would include more specific instructions and examples. It specifically requires businesses that collect personal information offline (presumably even if they also collect it online) to provide notice by an offline method. For example, the regulations illustrate, if a business collects personal information in a store, it can print the notice on paper or post signage.  If it collects information over the phone, it may provide the notice orally.

  • Consumer Methods for Requesting Opt Out:

Section 999.315 addresses consumer opt out requests. The proposed regulations insert a new subsection (h), which would require the business’s methods for submitting opt-out requests to be easy to execute and require minimal steps, and which cannot be so complicated as to subvert or impair the consumer’s opt out attempts:

  1. Specifically, the process for requesting to opt-out shall not require more steps than the opt-in requests. The regulation also provides guidance on how to measure the number of steps for comparison.
  2. A business shall not use confusing language (“Don’t Not Sell my Personal Information”) when providing opt out choices.
  3. Unless otherwise permitted, a business shall not require consumers confirming their opt out request to click through or listen to reasons why they should not do so.
  4. The business’s process shall not require the consumer to provide any more personal information than is necessary to process the request.
  5. Upon clicking “Do Not Sell My Personal Information”, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document to locate the opt-out request mechanism.

  • Authorized Agent Requests:

Section 999.326 addresses opt-out requests submitted by an authorized agent on behalf of a consumer.  The current version allows a business to require that the consumer do the following: (1) provide the authorized agent signed permission to do so; (2) verify their own identity directly with the business; [and/or] (3) directly confirm with the business that they provided the authorized agent permission to submit the request. (The current regulations did not specify whether all or only one of these options were required – there was no “and” or “or”).

  1. The proposed regulations modify this to allow a business to require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. It then says that the business “may also” require the consumer to do “either of the following”:
  2. Verify their own identity directly with the business; or directly confirm with the business that they provided the authorized agent permission to submit the request.
  3. Therefore, this proposed change would clarify a business’s choices in complying with requests from authorized agents.

To view the redline of proposed modifications, click here.

To view the notice summary of proposed modifications, click here.

On October 7, 2020, the Office of the Comptroller of the Currency (“OCC”) announced that it had assessed a $400 million civil penalty against Citibank, N.A. regarding alleged deficiencies in its enterprise-wide risk management and data governance programs and its internal controls.  In particular, the OCC found violations of 12 CFR Part 30, Appendix D (“OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches”).  The OCC also issued a cease and desist order requiring the bank to take “broad and comprehensive corrective actions to improve risk management, data governance and internal controls.”  The order requires the bank to seek the OCC’s non-objection before making significant new acquisitions, and reserves the authority to implement additional business restrictions or require changes in board composition or senior management should the bank fail to make timely and sufficient progress in complying with the order.

In the consent order, the OCC found the following deficiencies:

  • Failure to establish effective front-line units and independent risk management (12 C.F.R. Part 30, Appx D);
  • Failure to establish an effective risk governance framework (12 C.F.R. Part 30, Appx D);
  • Failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and
  • Failure of compensation and performance management programs to incentivize effective risk management.

The order also identified deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, or unsafe or unsound practices with respect to the Bank’s data quality and data governance, including risk data aggregation and management and regulatory reporting.  The OCC determined that Board and senior management oversight was inadequate to ensure timely and appropriate action to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance.

The order states that this conduct contributed to other past violations and noncompliance, for which the OCC has assessed civil money penalties in 2019. The order further states that the Bank has begun taking corrective action and has committed to taking all necessary and appropriate steps to remedy the identified deficiencies.  The OCC penalty will be paid to the U.S. Treasury.

The Federal Reserve Board took a separate but related action against Citigroup, the bank’s holding company.

To view the press release, click here.

To view the consent order, click here.