New ISO standard on IT security and changes to California privacy law

A recent ISO/IEC standard introduces new guidance on information security, and the latest proposed amendments may postpone the California privacy law.

#DataSecurity: new ISO/IEC 27005:2018

The newly revised ISO/IEC 27005:2018 provides detailed guidelines to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) on how to manage information security risks effectively.

The standard is complementary to ISO/IEC 27001:2013, which defines the requirements for setting up and managing an information security management system and is part of the ISO 27000 series. The series consists of more than a dozen standards that make up the cyber-risk toolkit for companies operating in the Information Technology sector.

In our data-driven world, implementing a strategy that guarantees the IT security of an information system is crucial, since cyber-attacks remain a significant threat to organizations. Moreover, the coming into force of the GDPR and similar legislative frameworks all over the world imposes high standards of data protection, especially relating to data breach events, thus putting the security of a company’s information under the spotlight as never before.

The ISO standards are not compulsory, but they represent best practice, and compliance with them will be viewed favourably by competent authorities in the event of an audit, including one following a data breach.

#Privacy: proposed amendments postpone California Privacy Law

As previously discussed here, the California statehouse passed what is considered the most comprehensive and strict digital privacy law in the United States, due to the similarities of its approach with that provided by the GDPR. But after the technical amendments recently proposed by the California legislative leaders, the picture may change.

The published revisions include only 45 amendments, but they introduce some key changes, including the following:

  • The enforcement of California’s landmark new privacy law would be deferred from January 2020 to July 2020;
  • Data categories such as IP addresses, purchasing histories and geolocation data will no longer automatically be deemed to be personal information, but only if capable of being reasonably linked, directly or indirectly, with a particular consumer or household; and
  • The exemption for information held by healthcare providers and financial institutions is expanded.

While these and other relevant changes are up for discussion, it clearly appears from the last two months of intense lobbying and pushback that data are truly the new oil and that, until a compromise solution is reached, the debate between US companies and consumers’ associations is going to escalate.

If you would like to receive more information, please contact Tommaso Ricci at tommaso.ricci@dlapiper.com.