Does CCPA Affect You? What the 2020 Deadline Means for Reasonable Security

2019
Reasonable Security CCPA States Privacy HALOCK Security Labs Reasonable Security

The California Consumer Privacy Act (CCPA) and more states are shaping data privacy management for reasonable security.

California always seems to be ahead of the game in what shapes the country.  That’s probably why so many of the fashionable trends that have taken the United States by storm over the past 70+ years have originated from there.  Some of these have included beach culture, health diets, skateboarding and casual fashion, and now, data security. Businesses need to start bracing for the next wave that is coming out of the Golden State called the California Consumer Privacy Act (CCPA).  Think of it as GDPR 2.0, California’s own version of the sweeping digital privacy act that was enacted throughout Europe last year.  CCPA is supported by the premise established back in 1972 in the state of California that privacy is an inalienable right and CCPA is redefining the standard.

Why CCPA isn’t just about California

Yes, this does apply to your business, CCPA isn’t just about California!  In fact, there’s a chance that even though your business doesn’t reside in California or that CCPA was created by politicians with no jurisdiction in your area, this complex compilation of GDPR-like requirements concerning the personal data of California residents will in fact apply to you on January 1, 2020.  That is the date that CCPA will not only become the law of the state, but its authority will reach far beyond its borders.  Like its European predecessor, GDPR, CCPA is likely to have global applicability.  Determining if your company is subject to the rules of CCPA is a simple 2-step process.

  1. First off, do you have customers from California or hold the personal data of any California resident?
  2. If so, then you need to determine if you meet ANY of these 3 criteria:
    • Your company has an annual gross revenue in excess of $25 million
    • Your company buys, sells or shares the personal information of 50,000+ consumers per year
    • Your company derives 50 percent or more of its annual revenues from selling consumers’ personal information

The legislation defines a consumer as a natural resident of the state of California.  Considering that California makes up more than 10 percent of the U.S. population, companies located throughout the other 49 states as well as other parts of the globe will be affected.  So if your company falls under its umbrella, what does it all mean?

What CCPA Requires

On the day of its passage in the state assembly, the leader of California’s Assembly’s Privacy Committee referred to the new bill as “the strictest privacy bill in the history of the country.”  The purpose of CCPA is to give consumers more rights when it comes to their personal data and to hold businesses accountable for respecting their privacy.  The new law also aims to bring more transparency concerning the hosting of personal data and how it is used and traded amongst companies.  Like GDPR, California’s new law specifically defines what data processing is as it pertains to operations involving personal data.  It also sets forth requirements concerning the security and protection of personal data and requires organizations to report data breaches to affected individuals within a defined time window.  There are also other requirements of CCPA that differ from its European counterpart.

CCPA has a broader definition of what constitutes personal data.  Under CCPA, personal information includes any data that can be directly or indirectly identify, relate, describe, associate or link to a particular consumer or household.  Such examples include IP addresses, geolocation data, audio, email address, biometric information, consumer’s preferences, psychological trends, bank account number, personal attitudes, and online tracking technologies. CCPA offers a number of requirements such as:

  • Opt-in to data collection by default, can opt-out of sale of data, or disclosure of data to third parties.
  • Opt-out needs to be reaffirmed every 12 months.
  • Sets up a process where companies can offer monetary or better services for allowing company to sell data, however company cannot discriminate against people for not selling their data. Equal services must be provided or offered.
  • Provides limited right of action for damages up to 750 dollars per person per incident.
  • No ceiling for regulatory enforcement.
  • Consumers under the age of 16 must affirmatively opt-in in order to allow their personal information to be sold while those under the age of 13 require the consent of a parent or guardian. 
  • Companies have 45 days to respond to consumer data requests.

Penalties of CCPA

Failure to comply with CCPA regulations will cost you.  Once notified of a violation by the Attorney General’s office, companies have 30 days to come into compliance in order to avoid penalties although the parameters concerning a data breach are still unclear.  Businesses are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation.  A violation could be the compromising of the personal information of a California resident due to a data breach or human error, as well as the selling of one’s information without their consent. 

Colorado Follows Suit

Just as GPDR was the shot heard around the world that alerted global companies of the need to get their cybersecurity efforts in order, California’s influential power is already migrating eastward as Colorado passed its own Consumer Data Privacy Law last September.   The new law applies to any person, commercial or governmental entity that maintains, owns or licenses the personal identifying information (PII) of Colorado residents in the course of its business, vocation or occupation.  It requires obligated parties to take reasonable steps to protect PII and implement written policies concerning the disposal of both paper and electronic records containing PII.  It also provides strict notification guidance concerning a data breach that involves the PII of Colorado residents and requires a good faith investigation to determine the likelihood that personal information has been or will be misused.

While the laws set forth by the Centennial State apply to companies residing in all 50 states, it does recognize the laws and regulations of other jurisdictions.  By following the procedures for the protection of PII established by your state or federal regulator, you are automatically in compliance with Colorado’s laws.  Like GDPR and CCPA, Colorado regulations apply to third-party service providers such as Managed Service Providers (MSP). 

How HALOCK can help

Like so many cyber security compliance laws, the new laws set forth by California and Colorado have the inclusion of one recurrent word – “reasonable.”   It’s a word that breeds a lot of confusion amongst businesses today who struggle with the uncertainty of what reasonable truly means.  HALOCK Security Labs has been helping organizations of all industries define what reasonable is as it relates to their business and its cybersecurity obligations.  We then use that definition to create a risk-based approach to security that constitutes a well conceived security plan that incorporates the necessary policies and stack to meet the required compliances of today and tomorrow.   Our staff is comprised of experts in every one of the current and forthcoming compliance regulations, so we can help you determine how the standard applies to your company.

Partnering with Experience

Knowing the type of data that collected, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data inventory.” To develop an organization wide privacy program, first, inventory the data that you need to protect, then identify the applicable privacy regulations that need to be addressed. We can help you through this course.

Privacy regulations typically require a risk assessment to establish reasonable and appropriate information security standards of practice. The purpose of a risk assessment is to estimate the likelihood and impact of potential harm that may come to individuals due to security and privacy vulnerabilities, and to plan for safeguards that would reasonably address those risks.

HALOCK can help organization perform a “risk assessment” to achieve both GDPR requirements and common US-based practices for securing information within a “duty of care” and US-based privacy regulations. As principal authors of the CIS® Risk Assessment Method (RAM), we have the unique insight of how best to balance compliance, security, and business goals. Benefit from methodology that can build reasonable and appropriate cybersecurity safeguards by defining your acceptable risk level for your specific environments. Through this approach, your organization can best prioritize and spend your information security dollars.

HALOCK partners with you to establish reasonable security controls based on your organization’s mission, objectives, and social responsibility.

Regardless of what type of business you are, your organization is open to many of the same attack vectors of vulnerability that are common to all enterprises today. For those companies that fall under the jurisdiction of CCPA, the clock is running.  Like many of the influential movements that have originated from California, CCPA is destined to be a trend setter as more states now look to enact similar initiatives.   This is one trend from California that you don’t want to wait to get in on. 

Authors: Viviana Wesley, PCI QSA, ISO 27001 Auditor and Cindy Kaplan

UPDATE: The California Privacy Law was enforced starting Jan. 1, 2020.