February 22, 2018

February 21, 2018

Subscribe to Latest Legal News and Analysis

February 20, 2018

Subscribe to Latest Legal News and Analysis

February 19, 2018

Subscribe to Latest Legal News and Analysis

California Bill Would Mandate Expedient Software Updates for Credit Bureaus

Following the Equifax data breach in 2017, there has been heightened awareness surrounding how credit reporting agencies handle consumers’ personal information. At the same time, recent high-profile attacks, such as the “WannaCry” ransomware attacks, have focused media and regulatory attention on vulnerabilities associated with unpatched systems. In response to these two concerns, on January 10, a bill was introduced in the California legislature that would amend existing law regulating the cybersecurity practices of consumer credit reporting agencies (CRAs) specifically as they relate to vulnerability patching.

AB 1859 would add provisions requiring CRAs to update software vulnerabilities in certain circumstances.  Namely, if the CRA knows or reasonably should know that one of its computer systems is subject to a vulnerability and knows or reasonably should know that a software update is available to address that vulnerability, the CRA must apply the software update expediently, “in keeping with industry best practices,” but in any case within 10 days after becoming aware of the vulnerability and the available software update.

The bill would also create a private right of action for California residents whose personal information was acquired by a breach caused, in whole or in part, by a violation of the software update provisions described above.  Moreover, it would allow residents to recover civil penalties for “willful, intentional, or reckless” violations of the software update provisions.

At first blush, by mandating a particular security practice in one specific industry sector, the language of AB 1859 appears to be a departure from the traditional risk-based regulatory approach that encourages organizations to adopt “reasonable” security best practices tailored to their cyber risks without mandating more specific cybersecurity requirements. Notably, however, in 2016 the California Office of the Attorney General adopted a more prescriptive approach to regulating the cybersecurity practices of companies doing business in California. Specifically, in its 2016 Data Breach Report, the Attorney General stated that the list of twenty Critical Security Controls (“CSC”) developed by the Center for Internet Security (“CIS”) “define a minimum level of information security” that all organizations that collect or maintain personal information about California residents should meet.  Most importantly, in light of the requirement under California law to implement and maintain reasonable security practices, the report stated that a “failure to implement all the [c]ontrols that apply to an organization’s environment constitutes a lack of reasonable security.”  See 2016 Data Breach Report (emphasis added). Included among the CSC controls is Control 4, “Continuous Vulnerability Assessment and Remediation,” which requires regular scanning for vulnerabilities and the adoption of proactive patching processes. Moreover, California law already provides a private cause of action for damages by customers injured by a company’s failure to “implement and maintain reasonable security procedures and practices” in violation of California Civil Code Section 1798.81.5.

The bill is currently set for hearing in committee on February 10.

© 2018 Covington & Burling LLP


About this Author

Jennifer R. Martin, Covington, cyber incident response lawyer, forensics consulting attorney
Of Counsel

Jennifer Martin has worked at the intersection of law and cybersecurity for the past 15 years. Her expertise in this area has been uniquely honed through her experience managing cyber risks and responding to threats from a variety of perspectives: as the director of cyber incident response and operations, and as lead in-house internal investigations counsel at Symantec; as a managing director of a top cybersecurity and forensics consulting firm; and as a federal and local cybercrime prosecutor and policymaker.

As both in-house counsel and as a...

212 841 1018
Theodore J. Karch, Covington, geolocation information lawyer, genetic privacy attorney

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice focuses on U.S. federal and state data privacy and cybersecurity laws as well as the rules for transferring data across borders, including the E.U. General Data Protection Regulation (GDPR). He has advised clients about online behavioral advertising, cross-device tracking, geolocation information, genetic privacy, children’s privacy issues, and unfair and deceptive practices.

In addition, Mr. Karch advises clients in managing their intellectual property portfolio, especially copyright and trademarks.


Caleb Skeath is an associate in the firm's Washington, DC office.  He is a member of the Privacy & Data Security, Litigation, and White Collar Defense & Investigations practice groups. Mr. Skeath is a member of the Virginia Bar.  He is currently not admitted in the District of Columbia, but is supervised by principals of the firm.