Data Security

The 86th Texas Legislature passed several bills related to cybersecurity during its regular session, which came to a close on May 27, 2019.

Texas Privacy Protection Advisory Council

HB 4390, which creates a Texas Privacy Protection Advisory Council to study privacy laws in Texas, other states, and relevant foreign jurisdictions, has been sent to the Governor for signature. Composed of members of the Texas House of Representatives, Texas Senate, and relevant industry members appointed by the Governor, the Council will be charged with recommending statutory changes regarding privacy and protection of information to the Legislature. The Council will expire on December 31, 2020.

On May 15, 2019, President Trump issued Executive Order 13873 (“E.O. 13873”) and declared a national emergency in response to increasing actions by “foreign adversaries” to create and exploit “vulnerabilities in information and communications technology and services” supplied to the U.S.  E.O. 13873 broadly prohibits persons subject to U.S. jurisdiction from engaging in information and communications technology or services transactions with “foreign adversaries” that: (i) pose undue sabotage or subversion risks to U.S. information and communications technology or services, (ii) pose an undue risk to critical U.S. infrastructure or the U.S. digital economy, or (iii) otherwise pose an unacceptable risk to U.S. national security.  Within one hundred fifty (150) days of E.O. 13873, the Secretary of Commerce, in consultation with other executive agencies, will issue formal rules or regulations which will identify the specific “foreign adversaries” who are subject to E.O. 13873’s prohibitions, establish criteria for determining the types of transactions that are prohibited by E.O. 13873 and establish procedures for obtaining licensing to conduct transactions that would otherwise be prohibited by E.O. 13873 and its associated rules and regulations.

[Update:  After publication of the below post, AB 1035 was amended to remove the below-referenced language. The fact that the California legislature considered defining what constitutes “reasonable security procedures and practices” for purposes of the CCPA’s private right of action but, at least as of now, did not proceed with such legislation leaves businesses subject to the CCPA with little to no legislative direction as to how they can demonstrate that they are undertaking reasonable security procedures and practices. It also exposes the CCPA to the argument that the subject language is void for vagueness. Given the substantial penalties businesses are exposed to under the CCPA’s private right of action, the failure of the legislature to address this issue is notable especially considering that Ohio implemented legislation last year that California could have used as a guide.]

Given the near ubiquitous coverage of proposed CCPA amendments, it may be hard to believe that any bill could fly under the radar, but that appears to be the case with AB 1035, which would amend the CCPA’s private right of action to link “reasonable security procedures and practices” to NIST standards.

Recently, I had the pleasure of being interviewed by Julia Kerrigan, an articulate and insightful young journalist writing for her high school paper, The Dart. In my mind (that’s foreshadowing the challenges caused by my ego-centricity dear reader), the point of the conversation was for me to provide Julia with a primer on information privacy and security issues so that she could weave into her article a few observations from a so-called expert.

Blockchain technology is seeing increasingly wide use internationally, but security issues are becoming a major problem.

Blockchain is a public electronic ledger that can be openly shared among users and that creates an unchangeable record of their transactions. Each transaction, or “block”, is time-stamped and linked to the previous one. Each block is then linked to a specific participant. Blockchain can only be updated by consensus between users in the system, and when new data is entered, it can never be erased, edited, adjusted, or changed.

For over twenty years, my father was a wholesale seafood supplier. One day over dinner (probably lobster, because that’s just how we rolled), my father tells us that he has hired an off-duty US Department of Agriculture inspector to inspect the fish that his company will be sending out to its grocery store clients. When I asked him if this was a legal requirement, he said it was not (the Department of Health and Human Services, via the FDA, apparently regulates fish, not the USDA). When I then asked him why he was doing it, he said, “If you were in the grocery store and you saw one piece of fish labelled ‘USDA Government Inspected’ and one piece of fish without that label, which one would you buy?” An informal “seal” program had been born!

Recently, I counseled an employer regarding the termination of a high level HR employee. The termination wasn’t fun but the company’s termination process was followed. Unfortunately, that was the problem. The employer collected and turned off the exiting employee’s company badge. The employer took the same actions for the corporate credit card. The exiting employee’s laptop was collected and IT was informed to shut down the individual’s access to all systems immediately.