Between increasing regulatory frameworks and the material enforcement of existing regulatory schemes, it is becoming increasingly complicated for organizations to manage the intersection of cyber security, privacy and regulatory compliance.
Consequently, companies must pay increased attention and dedicate additional resources to cyber security and privacy compliance, as well as their overall security and privacy strategy.
Privacy Rights: The California Consumer Protection Act
On the heels of the European Union’s General Data Protection Regulation (“GDPR”) becoming effective in May 2018, California passed the California Consumer Privacy Act (“CCPA”) of 2018 (AB 375), which elevates regulatory requirements for data security and privacy to levels not previously seen in the United States. The CCPA goes into effect January 1, 2020, and, like the GDPR, provides individuals expanded
privacy rights and greater control over their own data, while imposing potentially significant civil penalties and statutory damages for noncompliance. Although there are still bills pending which seek to amend the CCPA to both strengthen the rights of California consumers, while being more commercial for California businesses, the CCPA will bring about significant challenges for organizations.
To Whom Does the CCPA Apply?
Any company doing business in California, or that collect information on California residents, who meets one or more of the following criteria is subject to the CCPA:
1. More than USD 25 million in annual gross revenue
2. Buy, receive, sell or share the personal information of 50,000 or more consumers or devices
3. Derive 50% of more of their annual revenue from selling consumers’ personal information
The CCPA also redefines and expands “personal information” to include biometric data, browsing history, purchasing histories, geolocation data, and IP address information. The inclusion of biometric data mirrors similar statutory protection previously imposed by Illinois and subsequently enacted in July 2019 by the State of New York.
What Rights and Obligations Are Proposed Under the CCPA?
– Right to deletion – California consumers may request of businesses to delete their data, or “opt-out” of the sale of their data.
– Access and required response – businesses are required to disclose what personal information is being collected and how it’s used within 45 days.
– Notice and consent – company websites are required to add a clear link titled “Do Not Sell My Personal Information” to further assist consumers who want to exercise their “opt-out” rights.
– Mandated “opt-in” before the sale of children’s information (under the age of 16).
What are the CCPA’s Enforcement Measures and Potential Penalties?
The CCPA provides for both civil and statutory penalties. Any person, business or service provider that intentionally violates the law may be liable for up to $7,500 per violation enforced by the Attorney General, though the law does not describe what constitutes a “violation”.
Given California’s status as the largest state economy in the United States, the CCPA creates significant urgency for organizations to prepare themselves to be compliant with the law’s mandates and avoid the potential for severe penalties.
However, California is not alone in its recent enactment of enhanced data protection regulations. On July 25, 2019, New York’s “SHIELD Act” was signed into law, amending its existing breach notification law to expand the definition of protected private information to include the addition of biometric information, as well as to provide additional guidelines around required reasonable safeguarding of private information. With California and New York taking such steps, it is likely to see other states follow their lead.
Regulatory Enforcement in Europe Signals Sharpening of Regulatory Teeth
Although effective since May 25, 2018, recent regulatory fines in Europe have refocused the magnitude of the penalties associated with the GDPR.
Failure to comply with the GDPR allows regulators to impose fines up to EUR 20 million or, if higher, 4% of an organization’s annual global turnover, regardless of whether a breach of network security or privacy occurred. EU citizens have a private right of action under the GDPR.
While fines have been assessed against many organizations since the passing of the GDPR, the fines issued in July 2019 are significantly more than fines levied historically, and larger than other GDPR enforcements observed since the regulation went live. Within a matter of days, two major global brands were reported to be facing proposed fines for breaches reported in 2018*. The UK Information Commissioner’s Office (ICO) levied a fine of over USD 200 million against an airline, while a hotel chain was fined over USD 100 million by ICO under the GDPR. Although on a percentage basis these fines are not the maximum potential fine of 4% the company’s annual global turnover, they are material and will have an impact on the company’s financial performance.
While these recent fines were related to data breaches, there have been non-breach related fines against other organizations that are well into the six figures. Privacy regulations, like GDPR, demonstrate that a breach is not a “cyber” or “privacy” issue, but rather represent an operational risk that organizations must manage from the executive level down. Elizabeth Denham, ICO commissioner, has repeatedly said:
“hefty fines can and will be levied on those organizations that persistently, deliberately or negligently flout the law.”**
As the enactment of the CCPA and recent amendments to New York’s breach notification law make clear, the regulatory environment in the United States is evolving rapidly and imposing increased obligations on organizations with the potential for severe penalties for non-compliant companies. At the same time, the significant fines starting to emerge from the EU amplify both the gravity of the need for regulatory compliance, but also the steep price paid for failing to do so.
To best prepare for this increased regulatory activity and enforcement, organizations should employ an integrated approach to cyber security, data protection and privacy:
1. Involve key stakeholders from across the company, including Risk Management, Legal, Information Technology, Cyber Security, Compliance, Internal Audit, and Business Unit Leadership.
2. Consider risk transfer in the form of cyber insurance.
3. Identify sensitive data.
4. Use a framework for cyber security controls. Assess and monitor controls.
5. Implement vulnerability management.
6. Restrict network access.
7. Draft an Incident Response Plan (and test it).
8. Implement third party risk management of vendors, service providers and the supply chain.
9. Train employees on security and privacy awareness.
10. Evaluate innovations such as cloud, mobile, and data analytics for new vulnerabilities and vectors for malicious actors.