Applus Technologies, Inc., a vendor of multiple state Departments of Motor Vehicles that assists states with vehicle inspections, recently announced that its systems have been affected by malware, disrupting motor vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, New York, Texas, and Utah. As a result of the outage, it has not been possible to complete vehicle inspections since March 30, 2021.

This is obviously very inconvenient for those individuals whose inspection stickers have expired or will expire shortly, as they are at risk of being issued a citation for an expired inspection sticker, on top of having to take time off to take their car to get inspected.

To address this concern, the Massachusetts Registry of Motor Vehicles (RMV) said, “[R]ecognizing the inconvenience Applus’ outage is causing, the RMV has been in communication with law enforcement to request cooperation and discretion in citing those with an expired sticker who may have attempted to visit a station this week.” The RMV has extended a grace period of one month to drivers who were unable to get their inspection stickers because of the outage.

After inspections were delayed a week, on April 7, 2021, Applus forwarded a software patch to service stations to try to fix the problem. However, it is being reported that Applus forwarded the patch to service stations on flash drives! Flash drives are notorious for being used to plant malware and ransomware in users’ systems. Sending a patch on a flash drive is completely contradictory to security best practices.

Applus has stated that it does not believe that any customer (i.e., service station) financial information has been compromised, but is working with a forensic expert.

Lesson learned: get your inspection sticker in plenty of time before it expires.

This week, Consumer Reports published a Model State Privacy Act. The consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.” Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.

While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.

Our list of pending state privacy legislation includes:

We will continue to provide updates as these bills move forward.

On December 18, seven states entered into a settlement agreement with e-retailer CafePress for $2 million stemming from a 2019 data breach that exposed information of approximately 22 million consumers. The breach affected consumers’ personal information, including usernames and passwords, Social Security numbers and/or Taxpayer Identification numbers.

Of the $2 million, $750,000 will be an immediate payment divided among the states: New Jersey, New York, Connecticut, Indiana, Kentucky, Michigan and Oregon.

According to the settlement agreement, if CafePress improves its data privacy practices, the states have agreed to suspend the balance of the settlement. Those improvements include implementing a comprehensive cybersecurity program that is updated and assessed regularly, a data breach notification plan (including preparation, detection, analysis, containment, eradication and recovery), as well as other safeguards like encryption, segmentation and penetration testing. CafePress must also update its disclosures to consumers, including information on account closure and data deletion. The company must also have a third-party risk assessment for the next five years.