Data Breaches

Comcast’s Xfinity Service Potentially Exposes Addresses and Partial SSNs of More Than 26.5 Million Customers

  • According to security researcher Ryan Stevenson, alleged vulnerabilities in the system Comcast Xfinity uses to verify users’ identities could have allowed an attacker to learn those users’ home addresses and partial Social Security numbers.
  • After being informed of the issues, Comcast patched the alleged vulnerabilities.
  • According to a Comcast spokesperson, Comcast “quickly investigated these issues and within hours … blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. [Comcast has] no reason to believe these vulnerabilities were ever used against Comcast customers.”

States

Business Groups Working to Amend CaCPA

  • A variety of business groups, including the California Chamber of Commerce, the Motion Picture Association of America and the Alliance of Automobile Manufacturers, have urged the California Senate to make amendments to the California Consumer Privacy Act (CaCPA), which was signed into law on June 28.
  • The CaCPA, which goes into effect on Jan. 1, 2020, grants California residents a broad range of European-style rights when it comes to their personal information.
  • In their letter to state Sen. Bill Dodd, the business groups sought a variety of changes to the CaCPA, including delaying its implementation until after the completion of the rulemaking process and clarifying the pre-emption language to ensure that local regulations do not require more protective privacy measures before CaCPA goes into effect.

NY Department of Financial Services Rules in Place on Sept. 1

  • Entities subject to the New York Department of Financial Services have new cybersecurity and privacy obligations that go into effect on Sept. 1, 2018.
  • Those obligations include instituting audit trails to create records of transactions; ensuring the security of apps, including both commercially available apps and those developed in-house; limiting data retention; and encrypting nonpublic information.

EU/GDPR/Foreign Jurisdictions

‘Mr. GDPR’ Already Looking Ahead to New Regulations

  • Less than three months after the General Data Protection Regulation (GDPR) went into effect, Giovanni Buttarelli, the European data protection supervisor referred to as “Mr. GDPR,” is already looking ahead to a “post-GDPR future.”
  • In an op-ed for The Washington Post, Buttarelli calls for a manifesto to “de-bureaucratiz[e] and safeguard[]” individuals’ “digital selves.”
  • According to Buttarelli, such a manifesto would include a “consensus among developers, companies and governments on the ethics of the underlying decisions in the application of digital technology.” It also would call for devices and programs to be designed to safeguard privacy and digital freedom by default.

Brazil Approves Data Protection Law

  • Brazil has adopted a national data protection law, which has been dubbed “Brazilian GDPR.”
  • The law, which goes into effect in early 2020, replaces the majority of Brazil’s current sector-specific privacy laws and regulations and, like GDPR, broadly deals with the processing of personal information. It also establishes a mandatory data breach notification obligation, requiring notification within a reasonable time frame to the Data Protection Authority (DPA), which may require notification to affected individuals.
  • Interestingly, the portions of the law that establish Brazil’s DPA were vetoed, but the DPA will be established through a separate law.