If you haven’t been paying attention to all the Microsoft warnings for the past year and your company is still running Windows 7, time’s up.   After January 14, 2020, Microsoft will stop pushing out security updates to Windows 7 for free.  You’ll still be able to run those Windows 7 systems, but they will be more susceptible to security problems and there will be no patches pushed out for these vulnerabilities.   Failure to apply patches for known vulnerabilities exposes users to hacking and other intrusions – and after all the warnings Microsoft has been giving Windows 7 users, a new full-screen notice will pop-up on January 15 to those still running the operating system to make clear that “Your Windows 7 PC is out of support.”   The January 15 warning will tell users that their PCs are more vulnerable to viruses and malware due to the end of security updates, no software updates, and no tech support.

Microsoft will make security updates available for up to 3 years for business users who purchase Extended Security Updates and, if your company has not done so and still is running Windows 7, this should be a priority. Given that Microsoft has been issuing Windows 7 end of life support warnings for over a year, a breach resulting from a failure to upgrade would likely fail the California Consumer Privacy Act’s “reasonable security” requirement.    As a reminder, the CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations of this provision are subject to statutory penalties of $100 to $750 per incident (which did not previously exist for breaches involving California residents’ personal information), additional actual damages, and injunctive relief.   And, this provision is effective as of January 1 (in contrast to the delayed Attorney General enforcement date of July 1), so the clock is ticking.