Page 23 - Sheppard Mullin Eye on Privacy 2018 Year in Review

PUTTING IT INTO PRACTICE: Unlike other states, which require companies to have a written security program in place (Alabama, Massachusetts, and Oregon), Ohio’s new law seeks to give companies a strong incentive to put a similar program in place without actually making a written program a requirement.
DealerBuilt Settles with New Jersey Over Data Breach
Posted October 29, 2018
The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC, doing business as DealerBuilt, over a 2016 data breach. The company provides its clients, car dealerships, with software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronization program. As a result, sensitive information was publicly available, and a security researcher downloaded almost 10GB of data in the fall of 2016. The downloaded data included sensitive personal information of the customers and employees of about five car dealerships.
DealerBuilt notified impacted individuals in early 2017. The New Jersey investigation arose after that notification. To resolve the investigation, DealerBuilt agreed with the AG to put in place a written security program within 120 days after the effective date of the order. Such programs are not required under New Jersey law. As part of that program, DealerBuilt agreed to have appropriate physical safeguards, encryption, access protocols and other similar security measures, as well as to appoint an officer experienced in security to implement and maintain the program. DealerBuilt also agreed to keep information only for the purposes needed to “accomplish the intended purpose” of DealerBuilt or its clients. DealerBuilt will pay a little over $80,000 as part of the settlement.
PUTTING IT INTO PRACTICE: This order gives companies some insight into what the New Jersey attorney general expects of companies with respect to data security, including a written security program, even absent a New Jersey law requiring written security programs (which exist in other states, like Massachusetts).
Upcoming Canadian Breach Notification Requirements Still in Flux
Posted on September 27, 2018
Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations. These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute. In April 2018, in preparation for the national implementation of the new law, the Office of the Privacy Commissioner of Canada (OPC), which has authority to promulgate regulations under PIPEDA, issued Regulations that establish detailed requirements regarding the content and methodology of breach notifications to the OPC and affected individuals. After issuing those Regulations, the OPC continued to receive requests for further clarity and guidance regarding the breach notification requirements under PIPEDA and the OPC Breach Regulations. In response to those requests, the OPC announced that it would issue further guidance (“What You Need To Know About Mandatory Reporting Of Breaches Of Security Safeguards”) on breach notification and reporting. On September 17th, the OPC invited public feedback on the draft guidance. The OPC will accept feedback until October 2, 2018. Comments can be sent to and must be either in the body of the email or attached as a Word or PDF document. The OPC will publish the final guidance soon after the October 2nd deadline to ensure guidance is in place when the amendment becomes effective in November.
Under the current draft guidance, the OPC confirms that PIPEDA, as amended, requires companies to notify individuals and the OPC if the breach creates a “real risk of significant harm”. Whether a real risk of significant harm exists is determined by the sensitivity of the information involved and the probability of its misuse. To assist practitioners in making those assessments, the OPC offers further guidance regarding how to determine if information is sensitive