The new California Consumer Privacy Act (CCPA), effective January 1, 2020, and currently considered the most stringent privacy law in the United States, focuses principally on data privacy and new consumer rights, while only briefly addressing data security. However, CCPA is not just about privacy compliance. In fact, the most significant exposure for companies subject to CCPA is with respect to data security. Why? Because the one “lapse” under CCPA for which consumers may individually seek damages is, in many ways, the Achilles tendon of so many tech companies: data security. CCPA includes a private right of action triggered by an unauthorized access or disclosure of a consumer’s non-encrypted personal information stemming from a covered business’ failure to implement and maintain reasonable security procedures and practices. And, as if designed only to encourage class action suits, statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. This may seem relatively minimal to anyone who hasn’t spent much time in litigation, but in real terms, this means that one incident affecting just 30,000 individuals could cost a company at least $22M should the high end of the statutory damages range be awarded. This also means that plaintiffs’ attorneys will be gearing up for more class actions.
When the EU General Data Protection Regulation (GDPR) appeared on US tech companies’ collective radar, many in the privacy world made a huge commotion over the potential for administrative fines of up to 2-4% of global revenue. Ironically, CCPA potentially presents an even greater financial risk for companies that aren’t paying enough attention to their security practices (and there are many). Yet most CCPA prep tools, webinars and materials seem to focus almost exclusively on the privacy side of things with little emphasis on this major security-related risk. To be clear, businesses SHOULD be mapping their data, updating their privacy notices, addressing consumer rights and checking vendor agreements (to sum it up ever so quickly), but they must also ensure that they implement and maintain reasonable security procedures and practices. And in reality, many companies don’t know how to benchmark “reasonable security procedures and practices” and don’t even know where to begin.
CCPA itself provides no additional specifics, but there is plenty of guidance out there. A global standard would be helpful, but in the absence of this, figuring out what may be reasonable given the type of personal data that your business processes and retains and, of course, its size and activity as a whole, really requires a case by case analysis. Nevertheless, there is quite some consensus on what businesses processing personal data should be doing at the very least.
A chain is only as strong as its weakest link. Security should consist of a multi-tiered approach that includes employees and staff handling data, internal processes and policies, vendor management and IT systems.
Where to begin? On an internal level, data mapping, which is required by CCPA and necessary to comply with consumer rights, is really the first thing that all companies processing personal information should focus on. Without knowing what data your organization collects, discloses and stores (and who within and outside of the organization has access) it’s impossible to protect it. Mapping also includes classifying data by establishing “sensitivity” labels for data and assigning those labels in order to configure baseline cybersecurity based on the financial value of each class of data. Once this is completed, we recommend implementing and maintaining internal policies and processes, including an Incident Response Plan and InfoSec Policy, and this includes training employees (and no, handing employees internal policies and calling it a day is not enough).
With respect to IT and information security practices, various frameworks and standards provide best practices, guidance and certifications/ attestations:
- The Center for Internet Security (CIS), which is highly regarded in the security industry for making both current and concrete recommendations to help enterprises improve their security, provides a list of 20 controls for companies looking to implement and maintain security measures. Whereas many standards and compliance regulations aimed at improving overall security are industry-specific, the CIS Controls were designed (and are regularly updated) by security experts to be universally applicable. The CIS controls are considered by many the gold standard, and any organization seeking more guidance should start with those. You can find more information here.
- The National Institute of Standards and Technology (NIST) framework also provides a very thorough plan based on core values: Identify, Protect, Detect, Respond and Recover. Although primarily focused on required controls for U.S. federal agencies (or any organizations working with U.S. federal government data), the NIST documents contain best practices that are helpful for any organization to use as a reference in their own security operations. NIST is also in the process of creating a privacy framework. You can find more information here.
- ISO/IEC 27001 is a well-known standard providing requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information, which includes people, processes and IT systems. An ISMS is useful for companies of all sizes and is not sector-specific. Certification to ISO/IEC 27001 is possible but not mandatory: some organizations choose to simply implement the standard in order to benefit from its best practices, while others prefer the actual certification, which is more helpful to assure customers and clients that the recommendations have been followed. You can find more information here.
- SOC 2 (SOC meaning Systems and Organization Controls) compliance is one of the industry standards given for technology service organizations. SOC 2 Type II reports are the most comprehensive certification within the SOC protocol, and organizations seeking to engage vendors such as IT service providers often find that a SOC 2 Type II is the most useful attestation when considering a possible service provider’s credentials. Note that the ISO 27001 process may certify your organization, whereas a SOC report is not a certification but rather an independent attestation, confirming certain elements about the control environment of a service organization.
- COBIT is an IT management framework developed by the ISACA, an independent, nonprofit, global association, to help businesses develop, organize and implement strategies around information management and governance, as well as emerging threats. You can find more information here.
And of course, vendor security assessments are key: transferring personal information between interconnected information systems representing different security domains with different security policies introduces an inherent risk. Insecure vendors are one of the most common causes of data breaches and regulators here (and abroad) require companies to carry out risk-based assessments of the security practices of their vendors. On this topic, FTC provides information on where to begin for small businesses, and the Vendor Security Alliance, a coalition of companies, publishes a free questionnaire.
Whether your organization is subject to CCPA or not, we always recommend making security a top priority. In a recent Ernst & Young survey spanning the globe, CEOs, board directors, and institutional investors cited national and corporate gaps in cybersecurity as the biggest threats to business growth and the global economy. And another study from the Ponemon Institute and sponsored by IBM Security found that the financial impacts of data breaches (both malicious cyber-attacks and accidental breaches caused by human error) are becoming more serious with each passing year. For small businesses, the multi-million-dollar figures cited in the study could lead to bankruptcy. It is also important to note that a staggering number of security incidents are related to third-party products and systems that provide insufficient security and that go unchecked. In this day and age, having strong security reduces the risk of an incident and thus potential financial exposure keeps customers happy and makes your organization more attractive to potential partners.
And in case you were wondering, CCPA, for those who are subject to it, contains a provision that precludes agreements that waive the right to a class action. In other words, you can forget magically waiving away CCPA-related class actions in your organization’s terms of use.
Stay up to date on the latest privacy and security news by subscribing to our Data Privacy mailing list. Click here to subscribe.
If you have any questions about data privacy practices and policies, or any other issue relating to privacy law, please contact one of our privacy attorneys: