In 2018, the State of California passed one of the most sweeping privacy and data laws to date, the California Consumer Privacy Act (CCPA). Once this law takes effect on January 1, 2020, all for-profit businesses that fit the following criteria will have to comply with CCPA:
- Have over $25 million in revenue annually; or
- Purchase, sell or share over 50,000 records as part of their business (defined as information linked to “consumers, households or devices”); or
- Have as their primary business the sale of personally identifiable information (PII); and
- Do business in California, even if they are not based in California and have no physical presence there.
While there are certain exclusions for businesses that already hold regulated data (such as healthcare providers), an enormous number of enterprises that do business in California will be affected. Complying with CCPA requires an organization to think carefully about how it handles consumer data. Most of the nearly 10,000 words of this law are dedicated to the rights of California citizens, how enterprises should interact with them regarding their data, and how this data will be used.
Exponential Fines Ahead
Failure to follow this statute is subject to a fine of up to $7,500 per violation. Furthermore, the act requires organizations to protect the data they have been entrusted with. Specifically, it states that:
"Any consumer whose non-encrypted or non-redacted personal information […] is subject to an unauthorized access and exfiltration, theft or disclosure, as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information, may institute a civil action"
This civil action could result in damages ranging from $100 to $750 per consumer record, per incident – a number that can add up very quickly. While the law does not specifically define “reasonable security,” the California Attorney General did release a report in 2016 entitled California Data Breach Report that provides some guidance on the subject. This report recommended that organizations consider the NIST (800-53 or CSF) or ISO 27001 standards and use the CIS Controls as prioritized guidance. Specifically, as it relates to the CIS Controls, it states that:
"The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet."
While the report from the Office of the Attorney General is not a legal opinion, it does provide some good guidance and resources for organizations to consider.
Responding to the CCPA
First, you will need to understand your level of exposure to the new law before it takes effect on January 1. This is best done with the aid of outside counsel specializing in data security and privacy, who may work with technical experts to present a complete picture. Your review should cover not only the specific qualification criteria for being covered by the CCPA, but also a thorough review of your consumer data and privacy practices. This review should include determining what types of data you collect, how much data you have and where it resides within your enterprise, whether you track the origin of collected data, how long you retain consumer data, and your ability to comply with retention or deletion requests.
Furthermore, you will need to look at your cybersecurity posture through the lens of this legislation and the recommendations provided by the California Attorney General. While there is still much to be discussed with regard to what constitutes reasonable security, the NIST CSF, ISO 27001, and the CIS Controls are a great place to start.
CCPA Exemptions
In the video below you can hear Jonathan Fairtlough, Managing Director of the Cyber Risk practice at Kroll, along with his colleagues discuss the potential pitfalls of the CCPA. They cover how financial services entities regulated under the Gramm-Leach-Bliley Act (GLBA) and healthcare entities regulated under the Health Insurance Portability and Accountability Act (HIPAA) may be exempt from the provisions and requirements of the CCPA. For most organizations, however, the coverage provided by the CCPA exemptions is not complete, and concrete steps will be required to ensure compliance.