The California Consumer Privacy Act (CCPA) entered into force on January 1, 2020. By now, most businesses should have their privacy policies, collection notices, and access, deletion and opt-out mechanisms in place. One concern still looms, however: the private right of action. Quite apart from the state attorney general's substantial enforcement powers, the CCPA gives an individual the right to recover statutory damages of $100 to $750 per consumer per incident if "reasonable security procedures and practices" were not in place when a covered data breach occurred. Actual damages need not be proven, unless they are greater, in which case the consumer may recover them instead. The private right of action means that companies must think long and hard about the "reasonable security procedures" they are required to implement.
The CCPA gives California consumers new rights over personal information collected by qualifying businesses. Among other things, it gives consumers the right to know about, access and delete that personal information, and the right to opt out of its sale. Although the CCPA is already in effect, the state attorney general cannot bring enforcement actions until July 1, 2020. The CCPA does, however, let consumers bring their own lawsuits immediately in specified circumstances. Section 1798.150(a)(1) grants a private right of action to
[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information . . . .
What exactly do "reasonable security procedures" mean? They will most likely be measured against industry best practice. Contrary to popular belief, however, "reasonable security procedures" are not simply a matter of cybersecurity tooling. They form part of a comprehensive information governance program, and companies must be able to demonstrate a robust security posture in order to protect themselves.
Reasonable security procedures
Ensure encryption and redaction. If you encrypt and redact all data containing covered personal information, you would appear to be immune from liability under the CCPA's private right of action, which by its terms reaches only nonencrypted and nonredacted information. Many companies, however, do not always encrypt or redact all of their data. In a modern, fast-moving working environment these procedures can be cumbersome and expensive: email encryption, for example, may require users to take extra, impractical steps to send or receive routine email. Redaction and encryption are nonetheless the best way to go, so implement them as far as you reasonably can. You will have far less to worry about.
Without encryption or redaction, reasonable security procedures must be in place to defend against a private action. (They should already be in place, because you have a common law duty to take reasonable care of the information you hold. Other statutes may also apply, depending on your industry.)
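As an added illustration of the redaction the two paragraphs above recommend (this is example code written for this page, not the article's own code or any product's), the Python below strips personal information from a customer record before it leaves the system of record, for instance on its way into application logs, an analytics export or a ticketing system. The field names, regular expressions and key are assumptions chosen for the demonstration, and the sample record is constructed.

```python
"""
Field-level redaction of personal information before a record leaves the
system of record. Added example for this page, not code from the article.
"""
import hashlib
import hmac
import re
from typing import Any, Dict

# Assumed: a per-environment secret. The token lets redacted records be
# correlated (same input -> same token) without carrying the raw identifier.
TOKEN_KEY = b"example-secret-rotate-me"

# Fields that must never appear in clear outside the system of record.
# Which fields qualify is a data-mapping decision; these are assumptions.
SENSITIVE_FIELDS = {"ssn", "email", "drivers_license", "dob"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


def token(value: str) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256, truncated). Not reversible, not encryption."""
    return hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def redact_text(text: str) -> str:
    """Mask SSNs and e-mail addresses embedded in free text, keeping a hint for support staff."""
    text = SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)
    text = EMAIL_RE.sub(lambda m: f"{m.group(1)[0]}***@{m.group(2)}", text)
    return text


def redact_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record that is safe to write to logs or a lower-trust store."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS:
            out[key] = f"[redacted:{token(str(value))}]"
        elif isinstance(value, str):
            out[key] = redact_text(value)  # catch identifiers typed into free-text fields
        else:
            out[key] = value
    return out


def contains_pii(record: Dict[str, Any]) -> bool:
    """Guard to run before writing: does anything in the record still look like an SSN or e-mail?"""
    blob = " ".join(str(v) for v in record.values())
    return bool(SSN_RE.search(blob) or EMAIL_RE.search(blob))


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "customer_id": 4711,
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.com",
    "notes": "Caller confirmed SSN 123-45-6789 and email jane.doe@example.com",
}

if __name__ == "__main__":
    safe = redact_record(SAMPLE_RECORD)
    assert not contains_pii(safe), "refuse to write: personal information still present"
    print(safe)
```

Two caveats on the design. The HMAC token is a keyed pseudonym, not encryption: the raw values still need an encrypted home in the system of record, and whether a pseudonymized copy counts as "redacted" under section 1798.150 is a question for counsel, not for this code. Second, the free-text pass only catches patterns you have written a rule for; the `contains_pii` guard is there so that a record which still matches a rule is refused rather than silently written.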
Confirm your network security. You need the right cybersecurity from both a network and an end-user perspective. In 2016, the California Department of Justice described the 20 CIS Critical Security Controls as a "minimum level" of information security, but what is appropriate will depend on your business. If you are a large organization, ISO 27001 and NIST SP 800-30 may be the gold standard, but these extensive frameworks are expensive and time consuming and can be overkill for a small business.
The measures you ultimately implement will depend on the type of information your business keeps, where it resides and who has access to it. Working that out requires serious data mapping, which cannot be done in a day. While the CCPA itself does not explicitly address data mapping, it is the keystone of a successful information governance program: once you know what you have, you can design the right protections.
Only your IT and security staff can give an accurate assessment of your cybersecurity needs. From a network perspective, though, this usually includes a firewall (for obvious reasons), a web application firewall (to filter bot traffic, cross-site scripting and SQL injection attempts), network segmentation with databases on their own segment (to avoid a "flat" network in which one compromised host can reach everything), logging (so that an intrusion can be traced back to its entry point and contained), penetration testing (to find and close holes before an attacker does), and proper onboarding and offboarding of employees (so that accounts are created and revoked promptly and suspicious activity can be attributed to a person). For end users, you need two-factor authentication (or better) and proper endpoint protection (at a minimum, good antivirus software). None of the above will be effective, however, unless all software is routinely patched when updates are released. If you doubt that, remember WannaCry, which spread through a Windows vulnerability that Microsoft had patched two months before the outbreak.
Protect physical documents. If your business keeps physical documents, and most still do, those documents also need to be properly secured: a locked room with restricted, monitored access is required. If documents containing sensitive personal information such as names, addresses, social security numbers or online identifiers sit in boxes in an unlocked office, even if that office belongs to your general counsel, you have a problem.
Rethink document retention policies. Another often overlooked area is record retention. Many companies keep data indefinitely for one reason or another, frequently because it is simply too difficult to delete. That is a problem in itself. Unless you are retaining data as required by law (including record-keeping requirements), under a litigation hold or for security reasons, it is generally not reasonable to hang on to it, and the more personal data you keep, the greater your exposure. Do you really need all that data? Storage costs money, and most cyber insurers require that you dispose of data that is no longer necessary in order to limit their exposure. If you are subject to the European Union's General Data Protection Regulation (GDPR), the "right to be forgotten" should already have put you one step ahead.
Email security and password management. Another problem area is email security and training. A recent survey found that roughly 60 percent of data breaches began with malware delivered through a fraudulent email. You know the routine: you receive an email purporting to come from, say, FedEx, stating that a package could not be delivered and urging you to click a link for details. At first glance the email looks genuine, but the moment you click the link, malware is downloaded onto your machine and may well give an attacker a foothold in your network. Credential phishing is a variant: instead of dropping malware, the link leads to a look-alike login page that harvests the user's username and password. Training employees to spot these lures, at onboarding and regularly thereafter, is good practice.
Active password management is also essential. Use long passwords and avoid dictionary words and simple variations of them, use separate passwords for different systems, lock accounts temporarily after a number of failed login attempts, and notify users of any suspicious activity. Forced periodic changes are less valuable than they once seemed: current NIST guidance (SP 800-63B) recommends changing a password when there is evidence of compromise rather than on a fixed schedule, because mandatory rotation pushes users toward predictable variations. Finally, all passwords, including employee passwords, must be changed after a data breach.
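The lockout and notification advice above is easy to state and easy to get wrong in detail, so here is an added example (written for this page, not the article's own code) that replays authentication log lines and applies a temporary per-account lockout after repeated failures. It goes one step beyond the paragraph: it also flags a single source address failing against many accounts, the password-spraying pattern that per-account lockouts alone never trip. The log line format, the thresholds and the sample log are all assumptions constructed for the demonstration.

```python
"""
Failed-login monitoring over authentication log lines.

Added example for this page, not code from the article. The log line format
and the thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

MAX_FAILURES = 5                 # this many failures for one account ...
WINDOW = timedelta(minutes=15)   # ... inside this window lock the account
LOCKOUT = timedelta(minutes=30)  # temporary: a permanent lockout lets an attacker deny service to any account
SPRAY_ACCOUNTS = 10              # one source failing against this many accounts is password spraying


def parse(line):
    """Return (timestamp, user, src, result), or None for lines in an unexpected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["src"], m["result"]


def analyze(lines):
    """Replay log lines in order; report lockouts, attempts refused while locked, and spraying sources."""
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside WINDOW
    locked_until = {}                     # user -> datetime when the lockout expires
    targets_by_src = defaultdict(set)     # src -> accounts it has failed against
    lockouts, sprayers = [], set()
    blocked = 0

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, src, result = rec

        # A locked account refuses every attempt, including one with the correct password.
        if user in locked_until and ts < locked_until[user]:
            blocked += 1
            continue

        if result == "OK":
            recent_failures[user].clear()
            continue

        window = recent_failures[user]
        window.append(ts)
        while ts - window[0] > WINDOW:      # drop failures that have aged out of the window
            window.popleft()
        if len(window) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT
            window.clear()
            lockouts.append((user, src, ts.isoformat()))  # also the point at which to notify the user

        # Per-account counting misses one password tried against many accounts.
        targets_by_src[src].add(user)
        if len(targets_by_src[src]) >= SPRAY_ACCOUNTS:
            sprayers.add(src)

    return {"lockouts": lockouts, "blocked_attempts": blocked, "spray_sources": sorted(sprayers)}


# Constructed sample log: five failures for alice followed by a correct password,
# one legitimate login for bob, and a spray from one address across ten accounts.
SAMPLE_LOG = [
    "2020-03-02T10:00:00Z auth user=alice src=203.0.113.5 result=FAIL",
    "2020-03-02T10:01:00Z auth user=alice src=203.0.113.5 result=FAIL",
    "2020-03-02T10:02:00Z auth user=bob src=203.0.113.9 result=OK",
    "2020-03-02T10:02:30Z auth user=alice src=203.0.113.5 result=FAIL",
    "2020-03-02T10:03:00Z auth user=alice src=203.0.113.5 result=FAIL",
    "2020-03-02T10:04:00Z auth user=alice src=203.0.113.5 result=FAIL",
    "2020-03-02T10:05:00Z auth user=alice src=203.0.113.5 result=OK",
] + [
    f"2020-03-02T11:00:{i:02d}Z auth user=user{i:02d} src=198.51.100.7 result=FAIL"
    for i in range(10)
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Note the deliberate choices: the lockout expires on its own, because a permanent lockout turns the control into a denial-of-service tool against any account an attacker can name; a successful login does not bypass an active lockout, since the attacker may have just guessed correctly; and the spraying check keys on the source rather than the account, which is where the per-account counters are blind.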
There are other ways to protect your business, of course, and this article does not cover the security requirements for service providers and third parties. Those are subjects for another day.
Final warning: the “Safe Harbor” provision does not offer as much security as you might think
Finally, do not rely too heavily on the 30-day "safe harbor" in section 1798.150(b). A consumer must give written notice of the alleged violation before suing for statutory damages, but you get a pass only "in the event a cure is possible", and then only if you actually cure the violation within 30 days and tell the consumer in writing that it has been cured. If data has already been exfiltrated, a cure is generally not possible and you are probably out of luck. Moreover, the same subsection expressly provides that no notice is required before an action for "actual pecuniary damages" suffered as a result of the violation; for those claims you are exposed to the private right of action immediately.
All of the best practices above should be embedded in a comprehensive information governance program. That starts with designating who within your organization is responsible for information security and for analyzing and handling CCPA requests; you need a dedicated team and system for these compliance issues. Your plan should include, at a minimum, a formal information security policy, an incident response plan, a disaster recovery plan, a document retention policy and an employee handbook.
Data privacy is a team sport. Work closely with your IT people and your privacy lawyer to make sure your security procedures are reasonable.