Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps: Part 2 – the Breach Response Plan

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 2 of a Series

What’s Next – the Breach Response Plan

This is the second in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to impact more than 500,000 businesses, many of them smaller and mid-size businesses., Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting.  In our last article, we highlighted the importance of the Data Map. When you finish your data map, what should you do next?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020.  The effective date of the Act gives covered businesses little time to prepare.  Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

After the Data Map – the Incident Response Plan

Most businesses understand that if they suffer a data breach – if specified personal information is accessed by unauthorized users – the business has to consider notifying the individuals whose information has been accessed, and possibly their regulators. Despite the fact that laws requiring notification laws have been in effect for more than 15 years, many companies do not have plans to address a breach. Commencing on January 1, 2020, when the CCPA goes into effect, the inability to respond will become a bigger issue. The reason – the CCPA grants a private right of action to individuals.

Actions under the CCPA

Under the CCPA any natural person who is a resident of California may bring an action if their unencrypted or unredacted personal information has been exposed due to a business’s failure to maintain appropriate security safeguards. The definition of personal information under the CCPA is broader for most purposes of the Act than when determining a breach – it is limited to a person’s name (at least first initial and last name) and either their social security number, driver’s license or state identification number, bank or credit card information, or medical or health insurance information.

There is no requirement that a plaintiff demonstrate damages; instead,` plaintiffs can seek statutory damages between $100 and $750, injunctive or declaratory relief, or “any other relief the court deems proper. In addition, plaintiffs can seek actual damages in excess of the statutory recoveries. And the Act specifically allows the aggregation of claims into a class action. The specific authorization of a private right of action means that any breach is more likely to result in extended, costly, and embarrassing legal action.

Why a Breach Response Plan

One of the important ways to reduce potential liability in a data breach is preparation. Companies need to be realistic: avoiding a breach is difficult, and may not be possible to achieve – so a response plan is essential. A sufficient incident response plan offers a course of action for all significant incidents, not just data braches. Some incidents lead to massive network or data breaches that can impact an organization for days or even months. When a significant disruption occurs, the company needs a thorough, detailed incident response plan to stop, contain, and control the incident quickly. For physical disruptors, such as natural disasters and flooding, create a disaster recovery plan.

What’s in the Plan?

While every plan is different, just like every company is different, all plans share some key elements in common:

  • A list of roles and responsibilities for the incident response team members.
  • A list of the outside experts – attorneys, forensic investigators, public relations and others – whom the company can call upon.
  • The procedures for reporting a breach, and specific identity of who should be contacted, and in what order.
  • A business continuity plan.
  • A summary of the tools, technologies, and physical resources that must be in place.
  • A list of critical network and data recovery processes.
  • Communications protocols, both internal and external.

Once the plan is in place, it is essential to test the plan, and to review and update it at least annually, or when a material factor changes, such as a change in personnel. Having the plan in place will reduce response time, limit the damages to affected individuals, allow for more accurate disclosures, and help avoid other violations of law that could lead to greater liability.

As noted above, an incident response plan is necessary to comply with the CCPA, but it has more benefits – many disasters can disrupt business, and having a well-developed incident response plan provides a map for all serious disruptions in a company’s business.

Next on deck in our series on complying with the CCPA – privacy policies and the CCPA.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.