Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:
Part 4 of a Series

Verified Requests for Data

The CCPA is hurtling headlong toward implementation on January 1, 2020.  The Act, which is likely to be amended, perhaps substantially, in the next sixty days, and which has no guiding regulations, continues to present a conundrum for companies faced with designing and implementing policies and procedures that need to be consumer-ready by Day 1.

One requirement that has created substantial confusion and uncertainty is directly related to a key element of the Act – the right of consumers to control the personal information held by companies. Under the Act, companies must develop or identify internal mechanisms to respond to a consumer’s exercise of their right to access the information collected about them, verify their identity, respond within the mandated 45 days, and document both the request and response.

While the obligation is clear and seemingly innocuous, it is creating both confusion and its own cottage industry of consultants and service providers.

The sticking point of this requirement is determining how a company will reasonably verify the requester’s identity. The California Attorney General was to have adopted regulations to help businesses determine when a request is a verified consumer request (sometimes referred to by the quaintly anachronistic acronym “VCR”). Those regulations have not yet been proposed.

In the interim, companies are left with little more than what feels like the type of direction from U.S. Supreme Court Justice Potter Stewart, when he was forced to define a threshold test for obscenity in 1964:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so. But I know it when I see it….”

Like so much of the CCPA, the obligation is appropriate on its face, but difficult to implement. Continue reading

Ever since the California Consumer Privacy Act (the “CCPA”) was adopted in 2018, various constituencies have lobbied for revisions. While multiple proposals were considered in the California legislature, only a few have a chance for passage and enactment. Last month, the California Senate Judiciary Committee passed several amendments to the CCPA, and we now have a better idea as to what amendments are likely to be adopted. The bills head now to the Appropriations Committee and then to the full state Senate. Here are the important highlights:

  • Employee Exemption: With AB25, lawmakers weakened the employee exception, which now sunsets on Jan. 1, 2021. The current exemption means CCPA does not cover collection of personal information from job applicants, employees and certain others, but only for one year. Afterward, employers will be required to tell employees what type of information they are collecting, and why.
  • Loyalty Programs: AB 846 clarifies and modifies CCPA application to loyalty and reward programs. Businesses would still be prohibited from selling consumer information gathered as part of these programs.
  • Phone Access: AB 1564 requires businesses to provide a toll-free phone number for customers to request access to their personal information. On-line only businesses are only required to provide an email address.

Three bills, AB 873, AB 1416 and AB 981 failed. They would have changed the definition of “personal information” and “de-identified information,” weakening the privacy protections.

These and several related bills will head to the full Senate, which must vote by Sept. 13, 2019. Governor Newsom then has a month to consider signing them (along with another 1,000 or so bills), and any bill that is signed will go into effect Jan. 1, 2020.

Bottom Line: The law’s strong consumer protections withstood challenges, though observers anticipate there will continue to be debate and negotiations with unions as to how CCPA affects employees. Companies should continue apace with their plans for implementation.  Companies that haven’t yet begun to comply should start now!

See our recent blogs on the CCPA below.

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:

 Part 1 – the Data Map
 Part 2 – the Breach Response Plan
 Part 3 – the Privacy Policy

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018.  Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

As was widely reported, in November 2018, Marriott disclosed that hackers accessed the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, which the hotel chain later corrected to 383 million following a more complete investigation.  Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 5 million encrypted passport numbers
  • 25 million unencrypted passport numbers
  • 1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

What went wrong? What can be distilled from Marriott’s experience that other companies can apply in their efforts to comply with the GDPR?

For JMBM’s Hotel Law Blog, I have outlined some important lessons learned, particularly for U.S. companies with business with Europe. To read the blog, see Cybersecurity Lawyer: Lessons from Marriott’s $123 million GDPR fine.

— Bob Braun

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps 
Part 3 of a Series

 The Privacy Policy

This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are.

The CCPA says that California residents, including minors, have the right to know if their personal data is being collected, and to whom the data is being sold, and with whom it is being shared. Armed with that knowledge, California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements — is daunting. In our first article, we highlighted the importance of the data map. In our second article, we covered breach response.

In this post, we’ll review the changes companies need to be making to their privacy policies in order to comply with the CCPA. The Act mandates that any company subject to the CCPA make specific public disclosures, including: Continue reading

Public Service Announcement: Social media use increases your cybersecurity exposure. Share appropriately.

If that were all it took.

In my earlier post, I described how casual use of social media (that is, failure to take into account its impact on privacy and security) can put your company’s information security profile at risk, and open your executives and employees to social engineering cyber scams. Additionally, social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold. The most popular social media sites compound this problem when they release – unintentionally or not – personal information.  Facebook is a regular offender; just this month it confirmed that it “unintentionally uploaded” the email contacts of 1.5 million people without their consent. Business Insider reported that a security researcher noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.

While it’s unrealistic to enforce a policy banning the use of social media, companies can and should educate executives and employees on appropriate use as part of regular cybersecurity training. Social media “hygiene” should become as ubiquitous as the signs imploring that “employees must wash hands” in restrooms.

Look at Your Settings—Often

When apps or devices are updated, it’s common that privacy restrictions get reset to the baseline, which is often the most liberal sharing of data. As a result, even if you set your privacy preferences at an acceptable level recently, updating your operating system or applications – generally a good idea – may result in reestablishing the basic settings. Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 2 of a Series

What’s Next – the Breach Response Plan

This is the second in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to impact more than 500,000 businesses, many of them smaller and mid-size businesses., Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting.  In our last article, we highlighted the importance of the Data Map. When you finish your data map, what should you do next?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020.  The effective date of the Act gives covered businesses little time to prepare.  Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

After the Data Map – the Incident Response Plan

Most businesses understand that if they suffer a data breach – if specified personal information is accessed by unauthorized users – the business has to consider notifying the individuals whose information has been accessed, and possibly their regulators. Despite the fact that laws requiring notification laws have been in effect for more than 15 years, many companies do not have plans to address a breach. Commencing on January 1, 2020, when the CCPA goes into effect, the inability to respond will become a bigger issue. The reason – the CCPA grants a private right of action to individuals.

Actions under the CCPA

Under the CCPA any natural person who is a resident of California may bring an action if their unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards. The definition of personal information under the CCPA is broader for most purposes of the Act than when determining a breach – it is limited to a person’s name (at least first initial and last name) and either their social security number, driver’s license or state identification number, bank or credit card information, or medical or health insurance information.

There is no requirement that a plaintiff demonstrate damages; instead,` plaintiffs can seek statutory damages between $100 and $750, injunctive or declaratory relief, or “any other relief the court deems proper. In addition, plaintiffs can seek actual damages in excess of the statutory recoveries. And the Act specifically allows the aggregation of claims into a class action. The specific authorization of a private right of action means that any breach is more likely to result in extended, costly, and embarrassing legal action. Continue reading

It is difficult to overstate the current backlash against social media. Social media giants are under attack from virtually all sources, including both governments and individuals. The #humblebrag du jour is a social media addict publically stating the intent to close accounts, take social media sabbaticals, cull friend and follower lists, and boasting about how much better life has become after weaning themselves from the constant attention-drain – even if many do not follow through on the threat.

If you join the movement, you might be helping your company’s information security profile.

Social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold in their own right.  But beyond that, they provide corporate hackers with enough information to guess passwords, whereabouts and interests, and provide enough data to craft sophisticated and effective spear-phishing emails – personalized missives that reflect the character and wording of the individuals they spoof, down to grammar, spelling and tone.

That’s why it’s so important to include a cybersecurity-focused review of your company’s social media policy and practices. If you aren’t going to set strict social media standards for C-level executives and consider conducting regular audits of their social accounts, then you at least need to educate them about the risk. Some of the key risks  – but only the most obvious ones – are below. Continue reading

Looking back with the perspective of two years, the Equifax data breach still has many lessons to teach us. Unfortunately, some of the most important lessons are masked by the extremes of the errors that characterized the original breach, which include insider trading by top executives after the breach was discovered but before it was disclosed. That, combined with the length of time the company withheld news of the breach, and the irony that its entire business model is built on security, may lure some observers into believing that the incident is unique, and they could never screw things up as magnificently.

That would, however, be a mistake.

As litigation over the breach continues, there are some takeaways that might not be as obvious, but which are important to all companies. As courts and regulatory agencies struggle with how to respond to such breaches, punish companies that disregard regulations and look to compensate victims, it becomes increasingly clear that securities compliance is more important than ever. For public companies, data breaches are doubly dangerous.

First, a key lesson from Equifax is that words matter.

Earlier this year, a federal judge upheld most of the plaintiffs’ claims in a securities class action against Equifax (note, these are claims brought by shareholders, not those whose data was breached, though of course those subsets likely overlap), in part because statements on the company’s website, in SEC filings and during investor conferences stated it employed “strong data security.” Plaintiffs allege that the statements misled investors regarding “the strength of Equifax’s cybersecurity systems, its compliance with data protection laws, and the integrity of its internal controls.”

All companies, and especially those in the security business or whose business model is based on gathering, storing and processing information, can be tempted to tout one’s defenses as “the best,” “state of the art,” “industry-leading,” etc. More to the point, a marketing department is bound to use that kind of language. That language, however, is the basis for shareholder lawsuits, FTC enforcement actions and other problems. Here are three steps to take to ensure your cybersecurity statements aren’t what compound your misery after a breach: Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 1 of a Series

First Steps First – the Data Map

It is estimated that more than 500,000 companies are subject to the California Consumer Privacy Act (CCPA), many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice  procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting.  So where should a business begin in its efforts to meet the Act’s requirements?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020.  The effective date of the Act gives covered businesses little time to prepare.  Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

What businesses must comply with the Act?

As has been well publicized, the Act is applicable to many businesses, whether located inside or outside California.  The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California –  a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

What to do first – Data mapping

The first, and possibly most important, thing a company should do to comply with the Act is to understand what data the company collects, how it uses the data and who has access to it.  Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations.  A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.  Continue reading

By Michael Gold and Bob Braun

A new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only from those doing business in Illinois, but throughout the nation.

The Case and Its Holding

On January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags – and the unanimous opinion doesn’t do any favors for business.  The Court ruled that individuals alleging violations of the Illinois Biometric Information Privacy Act (BIPA) in state court – like using a thumbprint to clock in and out of work on a biometric time clock, without the statutorily required notice and acknowledgments in place – do not need to allege concrete injury in order to sue.  Rather, simply pleading a violation of BIPA’s technical requirements will be enough, without alleging any actual injury.  Because each violation carries a substantial fine, and the statute provides for a private right of action and recovery of attorneys’ fees, the Court has effectively opened the doors to the next wave of extremely risky and costly litigation for Illinois businesses.

Warning Signs

The decision is a warning sign, not only for Illinois businesses that use biometric information, but for businesses generally.

The case is one of a series that make it easier for plaintiffs to bring claims without asserting damages.  In other words, plaintiffs do not need to make one of the essential allegations of any lawsuit claiming money damages – that they have been harmed in fact.  This has, for years, been a stumbling block for lawsuits arising out of data breaches, as the existence of damages has been difficult to prove.  Just as more courts are willing to assume damages in those kinds of cases,  the Illinois court has done the same for violations of BIPA.  Importantly, this will not only ease the burden for individual plaintiffs; it is likely to expand the availability of class action claims as well.

The case is also demonstrative of the increasing willingness to reshape statutes that may not originally have been treated or viewed as privacy protection statutes.  The Federal Trade Commission, many attorneys general, local district attorneys and private plaintiffs have used laws prohibiting “unfair and deceptive trade practices” to address perceived privacy and security shortcomings. The use of BIPA in this context may well embolden governmental and private plaintiffs alike to consider whether existing statutes can be used to bring claims.

Finally, the Court’s opinion reflects a shift in attitude that underlies privacy legislation in the United States.  Just as the European Union and other jurisdictions have adopted the position that personal information belongs to the individual, this case recognizes the same trend in the United States. This decision, along with the California Consumer Privacy Act, and proposed laws in Washington, Vermont and other states – as well as measures being considered by the federal government – point to a new attitude toward the use of personal information by businesses.

Actions to Take

The Rosenbach case has implications far beyond Illinois.  Businesses operate in a world where regulators, law enforcement, and private individuals actively seek ways to hold companies responsible for ensuring personal privacy.  Part of their method is to use laws that may have been ignored, or to find ways to interpret existing laws, to support damage claims.  This creates a challenge for companies, since addressing the challenges posed by these laws requires companies to focus not on reacting to events, but on establishing information governance systems that addresses the collection and use of personal data.

These developments also cannot be effectively addressed solely at a technical level – in particular, they cannot be delegated to an information technology department.  Rather, the active involvement of senior management is crucial to evaluating the risks a company is willing to take in the context of existing and emerging privacy laws, and ensuring deployment of governance frameworks that realistically address these risks without undermining the company’s business mission.

The JMBM Cybersecurity and Privacy Group counsels companies on incorporating privacy and information security into enterprise governance.  For additional information, contact Michael Gold (MGold@jmbm.com) or Bob Braun (RBraun@jmbm.com).