Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 1 of a Series

First Steps First – the Data Map

It is estimated that more than 500,000 companies are subject to the California Consumer Privacy Act (CCPA), many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice  procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting.  So where should a business begin in its efforts to meet the Act’s requirements?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020.  The effective date of the Act gives covered businesses little time to prepare.  Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

What businesses must comply with the Act?

As has been well publicized, the Act is applicable to many businesses, whether located inside or outside California.  The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California –  a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

What to do first – Data mapping

The first, and possibly most important, thing a company should do to comply with the Act is to understand what data the company collects, how it uses the data and who has access to it.  Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations.  A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.  Continue reading

By Michael Gold and Bob Braun

A new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only from those doing business in Illinois, but throughout the nation.

The Case and Its Holding

On January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags – and the unanimous opinion doesn’t do any favors for business.  The Court ruled that individuals alleging violations of the Illinois Biometric Information Privacy Act (BIPA) in state court – like using a thumbprint to clock in and out of work on a biometric time clock, without the statutorily required notice and acknowledgments in place – do not need to allege concrete injury in order to sue.  Rather, simply pleading a violation of BIPA’s technical requirements will be enough, without alleging any actual injury.  Because each violation carries a substantial fine, and the statute provides for a private right of action and recovery of attorneys’ fees, the Court has effectively opened the doors to the next wave of extremely risky and costly litigation for Illinois businesses.

Warning Signs

The decision is a warning sign, not only for Illinois businesses that use biometric information, but for businesses generally.

The case is one of a series that make it easier for plaintiffs to bring claims without asserting damages.  In other words, plaintiffs do not need to make one of the essential allegations of any lawsuit claiming money damages – that they have been harmed in fact.  This has, for years, been a stumbling block for lawsuits arising out of data breaches, as the existence of damages has been difficult to prove.  Just as more courts are willing to assume damages in those kinds of cases,  the Illinois court has done the same for violations of BIPA.  Importantly, this will not only ease the burden for individual plaintiffs; it is likely to expand the availability of class action claims as well.

The case is also demonstrative of the increasing willingness to reshape statutes that may not originally have been treated or viewed as privacy protection statutes.  The Federal Trade Commission, many attorneys general, local district attorneys and private plaintiffs have used laws prohibiting “unfair and deceptive trade practices” to address perceived privacy and security shortcomings. The use of BIPA in this context may well embolden governmental and private plaintiffs alike to consider whether existing statutes can be used to bring claims.

Finally, the Court’s opinion reflects a shift in attitude that underlies privacy legislation in the United States.  Just as the European Union and other jurisdictions have adopted the position that personal information belongs to the individual, this case recognizes the same trend in the United States. This decision, along with the California Consumer Privacy Act, and proposed laws in Washington, Vermont and other states – as well as measures being considered by the federal government – point to a new attitude toward the use of personal information by businesses.

Actions to Take

The Rosenbach case has implications far beyond Illinois.  Businesses operate in a world where regulators, law enforcement, and private individuals actively seek ways to hold companies responsible for ensuring personal privacy.  Part of their method is to use laws that may have been ignored, or to find ways to interpret existing laws, to support damage claims.  This creates a challenge for companies, since addressing the challenges posed by these laws requires companies to focus not on reacting to events, but on establishing information governance systems that addresses the collection and use of personal data.

These developments also cannot be effectively addressed solely at a technical level – in particular, they cannot be delegated to an information technology department.  Rather, the active involvement of senior management is crucial to evaluating the risks a company is willing to take in the context of existing and emerging privacy laws, and ensuring deployment of governance frameworks that realistically address these risks without undermining the company’s business mission.

The JMBM Cybersecurity and Privacy Group counsels companies on incorporating privacy and information security into enterprise governance.  For additional information, contact Michael Gold (MGold@jmbm.com) or Bob Braun (RBraun@jmbm.com).

 

In their column, Top 10 cybersecurity predictions for the new year, Robert Braun and Michael Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group offer predictions on federal privacy legislation (they won’t pass any and if by chance they do, it won’t work), data localization (more companies will have to decide whether to maintain services in foreign jurisdictions or leave those markets), governance (companies will get finally  get real about enforcing written cybersecurity policies), and more.

Published by the Daily Journal, you can read the column here.

 

About JMBM’s JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity & Privacy Group counsels clients in a wide variety of industries, including retail, aerospace, health care, utilities, sports, media, and professional services such as accounting firms, law firms, business management firms and family offices. We represent clients in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity & Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

Robert E. Braun and Michael A. Gold are co-chairs of the Cybersecurity & Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP.

Contact Bob Braun at RBraun@jmbm.com or +1 310.785.5331.
Contact Mike Gold at MGold@jmbm.com or +1 310.201.3529.

Written prior to Marriott International’s announcement on November 30, 2018 that a data breach exposed the private data of up to 500 million guests, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, wrote the article Guest Privacy – It’s Your Business, published by HotelExecutive.com on December 2, 2018.

In that article, he writes:

“Gathering and processing information [about guests] provides not only opportunities, but creates obligations, one of the most basic of which is ensuring the security of guests’ personal information.

That obligation has become increasingly complex due both to the vulnerability of hotel companies to breach, and the enactment of laws and regulations, worldwide, that impose additional burdens on hotels – the EU’s General Data Protection Regulation, California’s Consumer Privacy Act, as well as industry developments have further heightened the concerns with guest privacy and security.”

He also notes:

“This focus must be seen in the context of two key issues: first, that hotels collect large amounts of data from their guests, both directly and through third parties; and second, that the hospitality industry has a checkered track record in protecting personal information. Both these demand that the hospitality industry take a renewed focus on data security.”

To read the full article, including Braun’s suggestions as to what hotel owners and operators should do to begin the process of securing their systems, see Guest Privacy – It’s Your Business.

To read more on Braun’s take on the Marriott International data breach, see Avoiding Hotel Data  Breaches with a Risk Assessment Audit – Lessons from the Marriott International “Glitch”.

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Today’s revelation by Marriott International that a data breach exposed the names and personal details of over 500 million guests sent a shudder throughout the hospitality industry worldwide.

Hoteliers know they are an appealing target for hackers as their databases contain identifying and financial information for very large numbers of people, and they have systems that by necessity must be accessible to many different levels within the company. Because privacy laws in the US, the EU (and other countries around the globe) are becoming increasingly stringent, hoteliers are also keenly aware that the retention and use of guests’ personal information now comes with greater potential liability than ever before.

It is time for hotel brands, and hotel owners and operators, to create effective and comprehensive privacy and cybersecurity policies, procedures and systems.

For JMBM’s Hotel Law Blog, I have outlined some key takeaways from the Marriott International breach. To read the blog,  see  Avoiding Hotel Data Breaches With a Risk Assessment Audit – Lessons From the Marriott International “Glitch”

—  Bob Braun

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

The SEC warns public companies that lax cybersecurity practices could violate rules governing internal accounting controls, and offer nine scams as cautionary tales.

The SEC has become increasingly active when it comes to cybersecurity. Last month, it issued an investigative report about Business Email Compromises (BCEs) involving nine public companies that lost nearly $100 million when they wired funds to thieves impersonating corporate executives or vendors. While the SEC did not take action against the companies, it noted that policies and procedures that allowed for the thefts, accomplished via simple means of email and wire transfers, could leave a company in violation of accounting rules requiring that public companies safeguard corporate assets. The report makes a strong case that all companies, not just the boards of public companies, need to be aware of and protect against scams of these sorts.

The Commission considered whether the victimized companies complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions require certain issuers to devise and maintain a system of internal accounting controls that provide reasonable assurances that management authorizes corporate transactions and access to company assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the report stated.

The Commission chose to issue the report as guidance and declined to bring charges against the companies. While these companies dodged a second bullet, all companies should take this opportunity to benefit from the SEC’s analysis, and how important it is that board members understand the multiple aspects of cybersecurity, cyber risk, and related compliance.

Some directors may still assume that a cybersecurity breach is one that involves hackers infiltrating a company’s computer systems and stealing the customer data. With this preconception, an enterprise will focus on hardware, software, and firewalls and other technical solutions, which can lull management into thinking that increasing the data security budget is enough to address security threats. But almost all breaches have a human element – these losses cited in the SEC report were based on social engineering,” which we’ve written about – exploiting human weakness, not technological failures. The only thing “hacked” was what should have been the proper level of suspicion of the employee targeted, and lax internal controls. So how should companies respond, and what do board members and top executives need to do to avoid problems?  Continue reading

Cybersecurity is a method to protect your data and systems. Cyber resiliency is a way of doing business in the face of the inevitable.

When Hurricane Michael struck the Florida Panhandle earlier this month, it wiped away wide swaths of Mexico Beach, a coastal town on the Gulf of Mexico. Left conspicuously standing was a house built just last year of reinforced concrete, specifically designed to withstand a Category 5 storm.

The house, elevated on pilings to survive the storm surge, lost its stairwell—by design. It was built to separate from the building without damaging the structure itself. Other than the missing stairs, the house suffered only minor water damage and a cracked shower window.

This story is an important lesson, and a metaphor for cyber resiliency, taking steps to weather a data or systems catastrophe while maintaining ongoing business operations. The adoption of cyber resiliency is an important mindset shift for those dealing with cybersecurity.

Cybersecurity is the approach that focuses on the methods and processes of protecting electronic data – the goal is to thwart an attack, and emphasizes training people and systems to recognize infiltration so it can be stopped. Cyber resilience, on the other hand, assumes an attack will occur. The underlying premise could be summed up this way: “What can go wrong, will. What are you going to do about it?”

Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and training to reduce the likelihood of an attack.  While these steps are essential, implementing a cyber resilience program focuses on how the enterprise can continue doing business in the midst of and in the wake of an attack. Cyber resiliency requires a different set of tools and, more importantly, a corporate culture more attuned with surviving natural disasters.  Continue reading

Uber has had a hard time getting data security right. This past week, the ride-sharing company agreed to pay $148 million in a settlement with 50 state attorneys general and the District of Columbia after it intentionally concealed a 2016 data breach. According to the New York Attorney General, it is the largest settlement ever in a multi-state breach case. Uber was found to have breached notification laws by hiding the fact that hackers accessed the information of 57 million users. Uber then paid the hackers $100,000 to destroy the data, without publically disclosing the loss.

This isn’t Uber’s first time mishandling customer and driver personal information, and misleading the public. This spring, Uber agreed to expand an earlier settlement with the FTC, agreeing to additional conditions. “After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” acting FTC Chairman Maureen Ohlhausen said in April 2018. Just to be clear, Uber failed to report a data breach while in the midst of an ongoing FTC data breach investigation – not easy to believe, but true. Some of the lessons here are crystal clear. Others are still unfolding. But they will come to bear on all companies, not just Uber. Uber’s conduct creates a more highly charged environment for all companies. Here’s why.

  1. The cover-up is worse than the crime.  Uber guessed that it could cover up its mistakes , and it guessed wrong. Uber used its “bug bounty program” to try to hide the fact that it paid a ransom to have the data destroyed. It’s not even clear that a breach notice would be required under many state laws because the data that was stolen didn’t include personal financial information, even if it included what we now consider, broadly, personal information: names, mobile phone numbers, and email addresses of customers and, in the case of drivers, their driving license information. But in trying to hide the issue, Uber heaped problems on itself. Uber could have reported the issue up the line and let those with real authority decide how to handle it. Instead, the matter was hidden from Uber’s CEO for months, denying the company the chance to go to regulators and seek their guidance.
  2. Welcome to a stricter data regime—for all of us. As part of the settlement, Uber is now mandated to put in place more secure systems, and acknowledge breaches of a broad variety of personal information. It will undergo 20 years of audits, at significant expense, both monetary and in terms of human resources. The company is also required to provide records of its bug bounty reports relating to any vulnerability of consumer data, as well as turn over all third-party audits in full to the FTC. One could argue that the FTC is now running security at Uber, not the company. This is a new line in the sand; any company with less than stellar security programs should be on notice that if they don’t install state-of-the-art systems and processes, the government will be happy to direct them specifically how to do so. The FTC does not like to be fooled, and, while no lap dog in the past, the commission will surely not tolerate being trifled with again.
  3. The expansion of the definition of protected data. Up to this point, data breach notification laws have focused on financial data, such as credit card numbers or social security numbers, or other sensitive protected information, such as health records. This action has the possibility of enlarging the scope of protected data that must be reported if accessed or breached to include any information that can identify a person, much as the European Union has done through the General Data Protection Regulation, or California proposes in its recently-enacted Consumer Privacy Act. This means that the conditions that would merit government disclosure of a loss of information have greatly increased, perhaps exponentially.
  4. Look for more coordinated state actions. The coordinated action by all of the state Attorneys General may foreshadow additional joint action in the future, which could have an effect on pending federal proposals, and impact the FTC’s authority. The $148 million fine was paid directly to the states (California received $26 million), making large fines a powerful incentive for state regulators to jump on what it sees as egregious conduct. And seeing this kind of money on the table will only embolden class action counsel representing consumers whose data is compromised.

 

We’ve previously written how to handle ransomware attacks. What we didn’t mention in that post, because it seemed to go without saying, is that regardless of the amount of data stolen, or the seemingly innocuous sum requested to get it back, is that all breaches should be analyzed and acted upon as quickly as possible so that the responsible parties evaluate and minimize the risks from a breach. The fact that there may be a chance to secure the data, or ensure it is destroyed, or confirm it has not yet been misused, should not enter the equation. The risk in not acting on a breach is 100%. And getting more expensive by the day.


Robert E. Braun
is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

 

JMBM’s Cybersecurity & Privacy Group is pleased to announce that the Group’s Co-Chair, Michael A. Gold, will be participating as a panelist for the webinar Bristows Legally Speaking! Data protection and information security in EU, India and California – what next?

Sponsored by the London-based law firm Bristows, the webinar is open to C-suite executives, Chief IT officers, in-house counsel, and others whose companies are doing business in California, Britain, the EU, or India.

Date: Tuesday, October 30, 2018
Time: 9:00 AM – 10:00 AM Pacific

No registration fee is required. Register here.

Panelists include:

Robert Bond, Partner and Notary Public at Bristows LLP, London
Salman Waris, Partner at TechLegis Advocates & Solicitors, Delhi
Michael Gold, Partner at Jeffer Mangels Butler & Mitchell LLP, Los Angeles

Topics that will be explored include:

  • Draft data protection law in India
  • California data privacy laws explained
  • Overview of US privacy laws
  • Comparisons with EU laws
  • What else is on the global horizon for data protection?

We invite you to join us for this informative webinar. Register now!

iheartcalifornia-300x138On June 28, 2018, Governor Brown signed the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. But – because of certain look-back features in the new law – significant compliance will be required by January 1, 2019.

The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

Observers estimate that about 500,000 companies nationwide will need to comply with the California Consumer Privacy Act. The California Attorney General is expected to aggressively enforce the Act – and it will have the budget to do so. Consumer watchdogs and plaintiffs class-action lawyers will also be on the hunt for violators.

__________________________

This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

__________________________

The Act provides many of the same consumer privacy protections as the European Union’s General Data Protection Act (GDPR). JMBM’s Cybersecurity & Privacy Group has counseled dozens of companies on GDPR compliance and is now discussing California’s new law with clients; we are eager to help you assess your own compliance and protect your business from expensive liability and litigation.

Some key points:

What does the Act do?

The new act says that California residents, including minors, who give personal data of almost any kind to a for-profit business, have the right to know how the data is being used, have it deleted, know who the data is being sold to, and object to the sale of their data. In short, California consumers now own their personal information and have a significant measure of control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Who is subject to the Act?

The California Consumer Privacy Act applies to any for-profit business that:

  • Does business in the state of California;
  • Collects consumers’ personal information (or is the entity on whose behalf such information is collected) and determines how that information is collected and processed;
  • Meets one or more of the following thresholds: has annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or, derives 50% or more of its annual revenue from selling consumers’ personal information. The Act applies to small and mid-sized businesses, not just large companies.

What happens if a company does not comply?

The act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

In the event of a data breach, California residents will have a private right of action to recover up to $750 per incident, or actual damages. The statute directs courts to consider the nature, seriousness, persistence and willfulness of an incident, the number of violations, the length of time over which the incident occurred, and the violating company’s assets, liabilities and net worth.

Because of the minimum recoverable amount, consumers do not have to prove actual damages, only that there was a violation of the act.

What do you need to do now?  

California businesses will need to take several steps to achieve compliance, including:

  1. Adopt a method for handling consumer requests for personal information.
  2. Develop templates and procedures for responding to consumer requests.
  3. Develop procedures for collecting and processing data.
  4. Identify and document the legal basis for collecting and processing personal information, in order to respond to the consumer’s right to have their information deleted.
  5. Make appropriate changes to public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected, and including a conspicuous way for consumers to indicate that they do not want their data sold.

 What should you do now?

Contact us to discuss whether this new act applies to you, and how you should prepare for it. This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

 

Gold_Michael_Highres_03
Michael Gold
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.201.3529
MGold@jmbm.com
Bob Braun Photo
Robert E. Braun
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.785.5331
RBraun@jmbm.com