Articles Posted in Privacy Regulations

March 11, 2019

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps: Part 1 – the Data Map

by Robert E. Braun

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps
Part 1 of a Series

First Steps First – the Data Map

It is estimated that more than 500,000 companies are subject to the California Consumer Privacy Act (CCPA), many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. So where should a business begin in its efforts to meet the Act’s requirements?

What is the CCPA?

The California Consumer Privacy Act was signed into law on June 28, 2018, and will become effective January 1, 2020 – although the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, or July 1, 2020. The effective date of the Act gives covered businesses little time to prepare. Preparing now is particularly important, because many obligations under the Act will require advance work, and companies will need to begin now.

What businesses must comply with the Act?

As has been well publicized, the Act is applicable to many businesses, whether located inside or outside California. The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria:

Generate annual gross revenue in excess of $25 million,
Receive or share personal information of more than 50,000 California residents annually, or
Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

What to do first – Data mapping

The first, and possibly most important, thing a company should do to comply with the Act is to understand what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss. Continue reading

January 22, 2019

Cybersecurity Predictions for 2019

by JMBM's Cybersecurity and Privacy Group

In their column, Top 10 cybersecurity predictions for the new year, Robert Braun and Michael Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group offer predictions on federal privacy legislation (they won’t pass any and if by chance they do, it won’t work), data localization (more companies will have to decide whether to maintain services in foreign jurisdictions or leave those markets), governance (companies will get finally get real about enforcing written cybersecurity policies), and more.

Published by the Daily Journal, you can read the column here.

About JMBM’s JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity & Privacy Group counsels clients in a wide variety of industries, including retail, aerospace, health care, utilities, sports, media, and professional services such as accounting firms, law firms, business management firms and family offices. We represent clients in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity & Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

Robert E. Braun and Michael A. Gold are co-chairs of the Cybersecurity & Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP.

Contact Bob Braun at RBraun@jmbm.com or +1 310.785.5331.
Contact Mike Gold at MGold@jmbm.com or +1 310.201.3529.

August 23, 2018

California Consumer Privacy Act of 2018 – How You Can Prepare

by JMBM's Cybersecurity and Privacy Group and Michael A. Gold

iheartcalifornia-300x138 On June 28, 2018, Governor Brown signed the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. But – because of certain look-back features in the new law – significant compliance will be required by January 1, 2019.

The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

Observers estimate that about 500,000 companies nationwide will need to comply with the California Consumer Privacy Act. The California Attorney General is expected to aggressively enforce the Act – and it will have the budget to do so. Consumer watchdogs and plaintiffs class-action lawyers will also be on the hunt for violators.

__________________________

This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

__________________________

The Act provides many of the same consumer privacy protections as the European Union’s General Data Protection Act (GDPR). JMBM’s Cybersecurity & Privacy Group has counseled dozens of companies on GDPR compliance and is now discussing California’s new law with clients; we are eager to help you assess your own compliance and protect your business from expensive liability and litigation.

Some key points:

What does the Act do?

The new act says that California residents, including minors, who give personal data of almost any kind to a for-profit business, have the right to know how the data is being used, have it deleted, know who the data is being sold to, and object to the sale of their data. In short, California consumers now own their personal information and have a significant measure of control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Who is subject to the Act?

The California Consumer Privacy Act applies to any for-profit business that:

Does business in the state of California;
Collects consumers’ personal information (or is the entity on whose behalf such information is collected) and determines how that information is collected and processed;
Meets one or more of the following thresholds: has annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or, derives 50% or more of its annual revenue from selling consumers’ personal information. The Act applies to small and mid-sized businesses, not just large companies.

What happens if a company does not comply?

The act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

In the event of a data breach, California residents will have a private right of action to recover up to $750 per incident, or actual damages. The statute directs courts to consider the nature, seriousness, persistence and willfulness of an incident, the number of violations, the length of time over which the incident occurred, and the violating company’s assets, liabilities and net worth.

Because of the minimum recoverable amount, consumers do not have to prove actual damages, only that there was a violation of the act.

What do you need to do now?

California businesses will need to take several steps to achieve compliance, including:

Adopt a method for handling consumer requests for personal information.
Develop templates and procedures for responding to consumer requests.
Develop procedures for collecting and processing data.
Identify and document the legal basis for collecting and processing personal information, in order to respond to the consumer’s right to have their information deleted.
Make appropriate changes to public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected, and including a conspicuous way for consumers to indicate that they do not want their data sold.

What should you do now?

Contact us to discuss whether this new act applies to you, and how you should prepare for it. This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

Michael Gold
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.201.3529
MGold@jmbm.com

Robert E. Braun
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.785.5331
RBraun@jmbm.com

November 28, 2016

Cybersecurity Law: Back to Square One? – The FTC and LabMD

by Robert E. Braun

Over the past several years, the Federal Trade Commission has emerged as the de facto national regulator of online security and privacy. While banking and health regulators hold sway over their specific industries, the FTC has used its authority, granted under Section 5 of the Federal Trade Commission Act to address unfair or deceptive acts or practices, the FTC has pursued companies that it believes have misleading privacy statements, or fail to secure personal customer information, and brought actions and entered into settlements with a variety of companies, including hotels, data service providers, retailers and others. In most cases, the defendants have settled to avoid expensive and damaging litigation.

One of the few companies that chose not to settle was LabMD. LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. The configuration of the application allowed (unintentionally) sensitive files on her computer to be shared on the LimeWire network and made public. This vulernerability was discovered by an independent security consulting company, Tiversa, whose business model is to search for possible security breaches and offer to fix them for a fee. Tiversa, upon discovering the vulnerability, stole a file containing insurance records for approximately 9,300 patients as evidence of the vulnerability and sought to have LabMD hire them. After LabMD refused to engage Tiversa, Tiversa reported LabMD’s vulnerability to the FTC. Continue reading

Robert E. Braun

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients' needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.Read More

Michael A. Gold

Michael A. Gold is the Chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529. Read More