At a glance.
- Governments seek geolocation data to track COVID-19 infections.
- US Government tries for more expansive telework arrangements and permissions.
- New York's SHIELD Act comes into effect.
- California's CCPA continues to take shape.
Tracking a pandemic by phone.
The AP says that the Czech Republic has become the first European country to announce plans to introduce a geolocation tracker into mobile phones that would aid authorities in tracking people infected with COVID-19, and in identifying others who've come into contact with potential sources of infection. Other European countries are not expected to lag far behind the Czechs. According to Reuters, mobile carriers are already sharing data not only with Czech authorities, but with the Italian, German, and Austrian governments.
Feds try to make telework more available.
The White House, through the Office of Management and Budget, continues to push Federal agencies to make telework more widely available to both Government employees and contractors, ZDNet reports. That push gained urgency with the first death of a contractor to COVID-19. The Administration is particularly concerned that agencies send at-risk workers home. Five Senators have introduced legislation, the Emergency Telework Act, which, Federal Times says, aims to introduce more sensible consistency into the remote work policies that have emerged in various agencies.
New York's SHIELD Act will affect disclosure practices.
The SHIELD Act (the name is a limping acronym for "Stop Hacks and Improve Electronic Data Security") passed by New York State last year is beginning to come into force, and is expected to shape disclosure practices in the US generally. CSO explains that the SHIELD Act will expand data breach notification law to cover biometric data and email credentials (including security questions and answers), and unauthorized access to private information. It will require any person or organization that has private information about any New York resident to comply with breach notification requirements, and it prescribes new notification procedures companies and state agencies must follow in the event of a breach of private information. And, finally, it created data security requirements tailored to a business's size--this last measure went into effect over the weekend. The other provisions had already been phased in.
Corporate compliance with the SHIELD Act will require designation of an employee responsible for cybersecurity. Businesses will have to establish a "reasonable" security program, with both employee training, technical information security measures, monitoring of security controls, and effective physical security measures (proper erasure of storage media, etc.).
CCPA evolves as California's Attorney General modifies guidance.
Cooley walks through the clarifications that have attended the California Consumer Privacy Act since it's coming into force (some of them are clarifications of clarifications), and BankInfo Security has also published comment on the current state of the CCPA. Among the more interesting clarifications are a relaxation of the requirement to provide notice upon collection: if a business collects personal information from a third party, it need not notify affected persons upon collection, provided the business isn't selling such data. Businesses that sell data about minors will need to be able to explain how they've identified the minors' parents or guardians. And the detailed specifications for opt-out buttons and associated logos have been removed. The full text of the modifications may be seen here.