August 9, 2020

Volume X, Number 222

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

California Bill Would Mandate Expedient Software Updates for Credit Bureaus

Following the Equifax data breach in 2017, there has been heightened awareness surrounding how credit reporting agencies handle consumers’ personal information. At the same time, recent high-profile attacks, such as the “WannaCry” ransomware attacks, have focused media and regulatory attention on vulnerabilities associated with unpatched systems. In response to these two concerns, on January 10, a bill was introduced in the California legislature that would amend existing law regulating the cybersecurity practices of consumer credit reporting agencies (CRAs) specifically as they relate to vulnerability patching.

AB 1859 would add provisions requiring CRAs to update software vulnerabilities in certain circumstances.  Namely, if the CRA knows or reasonably should know that one of its computer systems is subject to a vulnerability and knows or reasonably should know that a software update is available to address that vulnerability, the CRA must apply the software update expediently, “in keeping with industry best practices,” but in any case within 10 days after becoming aware of the vulnerability and the available software update.

The bill would also create a private right of action for California residents whose personal information was acquired by a breach caused, in whole or in part, by a violation of the software update provisions described above.  Moreover, it would allow residents to recover civil penalties for “willful, intentional, or reckless” violations of the software update provisions.

At first blush, by mandating a particular security practice in one specific industry sector, the language of AB 1859 appears to be a departure from the traditional risk-based regulatory approach that encourages organizations to adopt “reasonable” security best practices tailored to their cyber risks without mandating more specific cybersecurity requirements. Notably, however, in 2016 the California Office of the Attorney General adopted a more prescriptive approach to regulating the cybersecurity practices of companies doing business in California. Specifically, in its 2016 Data Breach Report, the Attorney General stated that the list of twenty Critical Security Controls (“CSC”) developed by the Center for Internet Security (“CIS”) “define a minimum level of information security” that all organizations that collect or maintain personal information about California residents should meet.  Most importantly, in light of the requirement under California law to implement and maintain reasonable security practices, the report stated that a “failure to implement all the [c]ontrols that apply to an organization’s environment constitutes a lack of reasonable security.”  See 2016 Data Breach Report (emphasis added). Included among the CSC controls is Control 4, “Continuous Vulnerability Assessment and Remediation,” which requires regular scanning for vulnerabilities and the adoption of proactive patching processes. Moreover, California law already provides a private cause of action for damages by customers injured by a company’s failure to “implement and maintain reasonable security procedures and practices” in violation of California Civil Code Section 1798.81.5.

The bill is currently set for hearing in committee on February 10.

© 2020 Covington & Burling LLPNational Law Review, Volume VIII, Number 17


About this Author

Caleb Skeath, data and cybersecurity lawyer, Covington

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation.

Mr. Skeath specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and...

Theodore J. Karch, Covington, intellectual property attorney

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online behavioral advertising, geolocation information, genetic privacy, children’s privacy, student privacy, and unfair and deceptive practices. This advice often spans multiple jurisdictions, including the US, the EU, and China, among others.

In addition, Mr. Karch advises clients in managing their intellectual property portfolio, especially copyright and trademark assets.