Articles Posted in Policies and Procedures

by

CCPA: Hotel Loyalty Programs, Data Retention and the Brave New World of Privacy

By Robert E. Braun

This article first appeared in the Hotel Business Review and is reprinted with permission from www.HotelExecutive.com.

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because their qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alistair McTaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.

Because the Act was adopted so quickly, and because it was driven by the original proposition, the Act, as entered into law, does not have the kind of guidance that helps us understand how to implement the concepts in the Act. The California Attorney General has, as required under the Act, submitted proposed regulations that assist in complying with the Act, but much more needs to be done for businesses to feel comfortable in plotting a means of compliance. It is likely that our understanding of the Act, and how businesses can comply with the Act, will evolve over the coming years.

The Act as Part of a Broader Shift in Consumer Preferences

In order to understand the impact of the Act, and how to address its many changes, businesses need to understand how it reflects an evolution in consumer attitude toward the ownership and use of personal information.

In the United States, there have been few limitations on the collection or use of personal data. There are some exceptions – financial information is regulated under the Gramm-Leach-Bliley Act, health information is governed under the Health Insurance Portability and Accountability Act , and children’s information is addressed under the Children’s Online Personal Privacy Act. But in general, personal information – names, addresses, and other identifying information – may be collected and used without significant restriction, and consumers did not typically object.

The advent of computers and the increased ability to collect, store, process and monetize information, has changed consumers’ attitudes. Companies increasingly base their business models on the ability to collect and utilize information. This is not limited to firms like Facebook and Google; a variety of firms monetize the information they collect, both by direct marketing and by sharing, or selling, the data to others. Along with the “legitimate” use, came less savory forms, like credit card fraud and identity theft. As a result, individual consumers are increasingly concerned about how their personal data is shared.

Hotels should be particularly aware of this shift, since hotels are among the businesses most targeted by bad actors, and reports of data theft are regularly reported.

Behind these changes is a significant shift in the treatment of personal information. Increasingly, the belief is that an individual should have control over his or her identifying data, and not just a limited selection of financial data, but a broad array of information – essentially, anything that could be used to identify an individual. This would include not just names, addresses and other obvious data points, but also biometric and location data, of which many of us are unaware are being collected.

Do Hotels Need to Comply with the Act?

The Act is applicable to many businesses, whether located inside or outside California.? The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – ?a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria: Continue reading

by

As most (but not all) business know, the California Consumer Privacy Act of 2018 (the “Act” or “CCPA”) goes into effect January 1, 2020. It is estimated that more than 500,000 companies are subject to the CCPA, many of them smaller and mid-size businesses that may not have pre-existing robust privacy policies and procedures.

The CCPA applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California, whether or not the business has a physical presence in California. Businesses that meet at least one of the following criteria are subject to the Act:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

While enforcement actions by the Attorney General won’t begin until six months after the final regulations are published, or July 1, 2020, companies need to ensure they are in compliance on January 1, 2020, when the Act goes into effect. This article is a summary of a five-part series designed to guide companies through compliance, Complying with the California Consumer Privacy Act in 5 (More or Less) Not So Easy Steps.”

Part 1 – Data Mapping

A company cannot comply with the Act without understanding what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.

There is a benefit to this practice that goes beyond complying with the Act. Companies can determine the extent of their data collection practices and whether it advances the business. Companies must realize that every point of data it holds is not just an asset, but also a liability. Eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize costs associated with maintaining data, including cybersecurity and insurance expenses. Learn more here.

Continue reading

by

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps 
Part 3 of a Series

 The Privacy Policy

This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are.

The CCPA says that California residents, including minors, have the right to know if their personal data is being collected, and to whom the data is being sold, and with whom it is being shared. Armed with that knowledge, California residents have the further right to object to the sale of their data and to have their data deleted. In short, California consumers now own their personal information and have real control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Complying with the detailed requirements of the CCPA — including disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements — is daunting. In our first article, we highlighted the importance of the data map. In our second article, we covered breach response.

In this post, we’ll review the changes companies need to be making to their privacy policies in order to comply with the CCPA. The Act mandates that any company subject to the CCPA make specific public disclosures, including: Continue reading

by

Public Service Announcement: Social media use increases your cybersecurity exposure. Share appropriately.

If that were all it took.

In my earlier post, I described how casual use of social media (that is, failure to take into account its impact on privacy and security) can put your company’s information security profile at risk, and open your executives and employees to social engineering cyber scams. Additionally, social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold. The most popular social media sites compound this problem when they release – unintentionally or not – personal information.  Facebook is a regular offender; just this month it confirmed that it “unintentionally uploaded” the email contacts of 1.5 million people without their consent. Business Insider reported that a security researcher noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.

While it’s unrealistic to enforce a policy banning the use of social media, companies can and should educate executives and employees on appropriate use as part of regular cybersecurity training. Social media “hygiene” should become as ubiquitous as the signs imploring that “employees must wash hands” in restrooms.

Look at Your Settings—Often

When apps or devices are updated, it’s common that privacy restrictions get reset to the baseline, which is often the most liberal sharing of data. As a result, even if you set your privacy preferences at an acceptable level recently, updating your operating system or applications – generally a good idea – may result in reestablishing the basic settings. Continue reading

by

Looking back with the perspective of two years, the Equifax data breach still has many lessons to teach us. Unfortunately, some of the most important lessons are masked by the extremes of the errors that characterized the original breach, which include insider trading by top executives after the breach was discovered but before it was disclosed. That, combined with the length of time the company withheld news of the breach, and the irony that its entire business model is built on security, may lure some observers into believing that the incident is unique, and they could never screw things up as magnificently.

That would, however, be a mistake.

As litigation over the breach continues, there are some takeaways that might not be as obvious, but which are important to all companies. As courts and regulatory agencies struggle with how to respond to such breaches, punish companies that disregard regulations and look to compensate victims, it becomes increasingly clear that securities compliance is more important than ever. For public companies, data breaches are doubly dangerous.

First, a key lesson from Equifax is that words matter.

Earlier this year, a federal judge upheld most of the plaintiffs’ claims in a securities class action against Equifax (note, these are claims brought by shareholders, not those whose data was breached, though of course those subsets likely overlap), in part because statements on the company’s website, in SEC filings and during investor conferences stated it employed “strong data security.” Plaintiffs allege that the statements misled investors regarding “the strength of Equifax’s cybersecurity systems, its compliance with data protection laws, and the integrity of its internal controls.”

All companies, and especially those in the security business or whose business model is based on gathering, storing and processing information, can be tempted to tout one’s defenses as “the best,” “state of the art,” “industry-leading,” etc. More to the point, a marketing department is bound to use that kind of language. That language, however, is the basis for shareholder lawsuits, FTC enforcement actions and other problems. Here are three steps to take to ensure your cybersecurity statements aren’t what compound your misery after a breach: Continue reading

by

Written prior to Marriott International’s announcement on November 30, 2018 that a data breach exposed the private data of up to 500 million guests, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, wrote the article Guest Privacy – It’s Your Business, published by HotelExecutive.com on December 2, 2018.

In that article, he writes:

“Gathering and processing information [about guests] provides not only opportunities, but creates obligations, one of the most basic of which is ensuring the security of guests’ personal information.

That obligation has become increasingly complex due both to the vulnerability of hotel companies to breach, and the enactment of laws and regulations, worldwide, that impose additional burdens on hotels – the EU’s General Data Protection Regulation, California’s Consumer Privacy Act, as well as industry developments have further heightened the concerns with guest privacy and security.”

He also notes:

“This focus must be seen in the context of two key issues: first, that hotels collect large amounts of data from their guests, both directly and through third parties; and second, that the hospitality industry has a checkered track record in protecting personal information. Both these demand that the hospitality industry take a renewed focus on data security.”

To read the full article, including Braun’s suggestions as to what hotel owners and operators should do to begin the process of securing their systems, see Guest Privacy – It’s Your Business.

To read more on Braun’s take on the Marriott International data breach, see Avoiding Hotel Data  Breaches with a Risk Assessment Audit – Lessons from the Marriott International “Glitch”.

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

by

Today’s revelation by Marriott International that a data breach exposed the names and personal details of over 500 million guests sent a shudder throughout the hospitality industry worldwide.

Hoteliers know they are an appealing target for hackers as their databases contain identifying and financial information for very large numbers of people, and they have systems that by necessity must be accessible to many different levels within the company. Because privacy laws in the US, the EU (and other countries around the globe) are becoming increasingly stringent, hoteliers are also keenly aware that the retention and use of guests’ personal information now comes with greater potential liability than ever before.

It is time for hotel brands, and hotel owners and operators, to create effective and comprehensive privacy and cybersecurity policies, procedures and systems.

For JMBM’s Hotel Law Blog, I have outlined some key takeaways from the Marriott International breach. To read the blog,  see  Avoiding Hotel Data Breaches With a Risk Assessment Audit – Lessons From the Marriott International “Glitch”

—  Bob Braun

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

by

The SEC warns public companies that lax cybersecurity practices could violate rules governing internal accounting controls, and offer nine scams as cautionary tales.

The SEC has become increasingly active when it comes to cybersecurity. Last month, it issued an investigative report about Business Email Compromises (BCEs) involving nine public companies that lost nearly $100 million when they wired funds to thieves impersonating corporate executives or vendors. While the SEC did not take action against the companies, it noted that policies and procedures that allowed for the thefts, accomplished via simple means of email and wire transfers, could leave a company in violation of accounting rules requiring that public companies safeguard corporate assets. The report makes a strong case that all companies, not just the boards of public companies, need to be aware of and protect against scams of these sorts.

The Commission considered whether the victimized companies complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions require certain issuers to devise and maintain a system of internal accounting controls that provide reasonable assurances that management authorizes corporate transactions and access to company assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the report stated.

The Commission chose to issue the report as guidance and declined to bring charges against the companies. While these companies dodged a second bullet, all companies should take this opportunity to benefit from the SEC’s analysis, and how important it is that board members understand the multiple aspects of cybersecurity, cyber risk, and related compliance.

Some directors may still assume that a cybersecurity breach is one that involves hackers infiltrating a company’s computer systems and stealing the customer data. With this preconception, an enterprise will focus on hardware, software, and firewalls and other technical solutions, which can lull management into thinking that increasing the data security budget is enough to address security threats. But almost all breaches have a human element – these losses cited in the SEC report were based on social engineering,” which we’ve written about – exploiting human weakness, not technological failures. The only thing “hacked” was what should have been the proper level of suspicion of the employee targeted, and lax internal controls. So how should companies respond, and what do board members and top executives need to do to avoid problems?  Continue reading

by

Cybersecurity is a method to protect your data and systems. Cyber resiliency is a way of doing business in the face of the inevitable.

When Hurricane Michael struck the Florida Panhandle earlier this month, it wiped away wide swaths of Mexico Beach, a coastal town on the Gulf of Mexico. Left conspicuously standing was a house built just last year of reinforced concrete, specifically designed to withstand a Category 5 storm.

The house, elevated on pilings to survive the storm surge, lost its stairwell—by design. It was built to separate from the building without damaging the structure itself. Other than the missing stairs, the house suffered only minor water damage and a cracked shower window.

This story is an important lesson, and a metaphor for cyber resiliency, taking steps to weather a data or systems catastrophe while maintaining ongoing business operations. The adoption of cyber resiliency is an important mindset shift for those dealing with cybersecurity.

Cybersecurity is the approach that focuses on the methods and processes of protecting electronic data – the goal is to thwart an attack, and emphasizes training people and systems to recognize infiltration so it can be stopped. Cyber resilience, on the other hand, assumes an attack will occur. The underlying premise could be summed up this way: “What can go wrong, will. What are you going to do about it?”

Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and training to reduce the likelihood of an attack.  While these steps are essential, implementing a cyber resilience program focuses on how the enterprise can continue doing business in the midst of and in the wake of an attack. Cyber resiliency requires a different set of tools and, more importantly, a corporate culture more attuned with surviving natural disasters.  Continue reading

by and

iheartcalifornia-300x138On June 28, 2018, Governor Brown signed the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. But – because of certain look-back features in the new law – significant compliance will be required by January 1, 2019.

The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

Observers estimate that about 500,000 companies nationwide will need to comply with the California Consumer Privacy Act. The California Attorney General is expected to aggressively enforce the Act – and it will have the budget to do so. Consumer watchdogs and plaintiffs class-action lawyers will also be on the hunt for violators.

__________________________

This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

__________________________

The Act provides many of the same consumer privacy protections as the European Union’s General Data Protection Act (GDPR). JMBM’s Cybersecurity & Privacy Group has counseled dozens of companies on GDPR compliance and is now discussing California’s new law with clients; we are eager to help you assess your own compliance and protect your business from expensive liability and litigation.

Some key points:

What does the Act do?

The new act says that California residents, including minors, who give personal data of almost any kind to a for-profit business, have the right to know how the data is being used, have it deleted, know who the data is being sold to, and object to the sale of their data. In short, California consumers now own their personal information and have a significant measure of control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Who is subject to the Act?

The California Consumer Privacy Act applies to any for-profit business that:

  • Does business in the state of California;
  • Collects consumers’ personal information (or is the entity on whose behalf such information is collected) and determines how that information is collected and processed;
  • Meets one or more of the following thresholds: has annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or, derives 50% or more of its annual revenue from selling consumers’ personal information. The Act applies to small and mid-sized businesses, not just large companies.

What happens if a company does not comply?

The act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

In the event of a data breach, California residents will have a private right of action to recover up to $750 per incident, or actual damages. The statute directs courts to consider the nature, seriousness, persistence and willfulness of an incident, the number of violations, the length of time over which the incident occurred, and the violating company’s assets, liabilities and net worth.

Because of the minimum recoverable amount, consumers do not have to prove actual damages, only that there was a violation of the act.

What do you need to do now?  

California businesses will need to take several steps to achieve compliance, including:

  1. Adopt a method for handling consumer requests for personal information.
  2. Develop templates and procedures for responding to consumer requests.
  3. Develop procedures for collecting and processing data.
  4. Identify and document the legal basis for collecting and processing personal information, in order to respond to the consumer’s right to have their information deleted.
  5. Make appropriate changes to public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected, and including a conspicuous way for consumers to indicate that they do not want their data sold.

 What should you do now?

Contact us to discuss whether this new act applies to you, and how you should prepare for it. This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

 

Gold_Michael_Highres_03
Michael Gold
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.201.3529
MGold@jmbm.com
Bob Braun Photo
Robert E. Braun
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.785.5331
RBraun@jmbm.com