The California Consumer Privacy Act took effect on January 1. By now, most companies should have in place their privacy policies, notices of collection, and access, delete, and opt-out mechanisms. However, one concern still looms large: the private right of action. Notwithstanding the state Attorney General’s substantial enforcement powers, this provides an individual with the right to obtain statutory damages of $100 to $750 per defined data breach if “reasonable security procedures” are not in place. Actual damages need not be established, unless they are even greater. The private right of action means that companies need to think long and hard about what “reasonable security procedures” they need to implement.
Background
The CCPA gives California consumers new rights with regard to their personal information acquired by qualifying businesses. Among other things, it provides consumers with the right to know, access, and delete this personal information, as well as the right to opt out of its sale. Although the CCPA is already in effect, consumers’ rights cannot be enforced by the state Attorney General until July 1. However, the CCPA gives consumers the right to immediately file their own lawsuits under specified circumstances. Under Section 1798.150(a)(1), a private right of action under subsection (b) is afforded to
[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information . . . .
What precisely does “reasonable security procedures” mean? These procedures are likely to be defined by the industry best practices. Contrary to popular belief, however, “reasonable security procedures” are not merely cybersecurity. They are an all-encompassing information governance plan, and companies must be able to demonstrate that they have robust security postures in order to protect themselves.
Reasonable security procedures
Ensure encryption and redaction. If you encrypt and redact all data containing the covered personal information, it would appear you’re safe from liability under the CCPA private right of action. Many companies, however, do not routinely encrypt or redact all their data. Indeed, in a modern, fast-paced working environment these procedures can sometimes be cumbersome and costly. For example, email encryption can require the user to take additional, inconvenient steps to send or receive a “routine” email. Redaction and encryption are nonetheless the better way to go, so implement these procedures to the extent that you reasonably can. It will give you that much less to worry about.
Without encryption and redaction, reasonable security procedures must be in place to defend against a private right of action. (They should already be in place as you have a common law duty to act with reasonable care for the information you hold. Other statutory law may also apply, depending on your industry.)
Confirm network security. You need appropriate cybersecurity, both from a network and an end-user standpoint. In 2016, the California Department of Justice defined a “minimum level” of cybersecurity as the CIS 20, but it will really depend on your business. If you’re a large organization, ISO 27001 and NIST 800-30 are arguably the gold standards, but these expansive protocols are costly, time-consuming to implement, and may well be overkill for a smaller company.
The measures you ultimately implement will depend upon the type of information your company retains, where it resides, and who owns it. This will require some serious data mapping, which can’t be done in a day. Although the CCPA itself doesn’t explicitly address data mapping, it’s the linchpin for a successful information governance program. Once you know what you have, you can design the appropriate protections.
Only your IT experts can provide an accurate assessment of your cybersecurity needs. But from a network standpoint this would typically include a firewall (for obvious reasons), a web application firewall (to stop DDOS bot attacks, XS scripting and SQL injection), database segregation and layering (to prevent a “flat” network), logging (to mitigate any intrusion by tracing the threat vector), white-hat hacking (to plug any holes in the system), and proper on- and off-boarding of employees (to spot suspicious activity, among other things). For end users, you would need two-factor (or better) authentication and the appropriate end-point security (a good anti-virus software). None of the foregoing will be effective, however, unless all software is routinely patched upon the release of updates. If not, remember Wannacry?
Safeguard physical documents. If your company maintains any physical documentation, and most still do, those documents also must be properly secured. A locked room with limited and closely monitored access is required. If sensitive personal information such as names, addresses, Social Security numbers, or online identities are in documents sitting in boxes in an unlocked office, even if that office belongs to your general counsel, you have a problem.
Rethink document retention policies. Document retention is another often-overlooked area. Many companies keep data indefinitely for one reason or another, but frequently because it’s just too troublesome to delete. This is also a problem. Unless you’re retaining data as required by law (including recordkeeping requirements), as part of a litigation hold, or for security reasons, it’s generally not reasonable to hold onto it. And the more personal data you retain, the greater your exposure. After all, do you really need to keep all that data? It costs money to store. Indeed, most insurance carriers require that you dispose of data that is no longer required in order to limit their exposure. If you’re subject to the European Union’s General Data Protection Regulation (GDPR), you should already have a head start on the “right to be forgotten.”
Email security and password management. Another troublesome area is email security and training. A recent survey has shown that approximately 60 percent of data breaches were initiated by malware planted via email hoax. You know the drill. You get an email purporting to be from, for example, Federal Express stating that they couldn’t deliver a package and inviting you to click on a link for details. At first blush the email looks authentic, but the moment you click that link malware is injected into your system that may well provide a hacker with access. Phishing is another way to potentially wreak havoc and obtain the personal information, including login credentials, of the user. Proper employee on-boarding to spot these issues as they arise is a best practice.
Active password management is also a must. Change passwords frequently, do not use derivative words, use separate passwords for different systems, employ lockouts after a number of unsuccessful login attempts, and notify users of any suspicious activity. Finally, all passwords, including employees’, should be changed after a data breach.
There are other ways to protect your company, of course, and this article does not deal with service provider and third-party security requirements. These are topics for another day.
Final Warning: The “Safe Harbor” provision doesn’t provide as much safety as you may think
Finally, don’t place too much faith in the 30-day “safe harbor” provisions of Section 1798.150(b). A notice to cure must be provided before a plaintiff initiates a suit, but you get a pass only “in the event a cure is possible,” you actually cure the alleged violation within 30 days, and you provide the consumer with written notification thereof. If data has already been exfiltrated, you are probably out of luck. Indeed, this subsection expressly provides that if “actual pecuniary damages” have been suffered as a result of the violations, no notice is required prior to initiating suit – you’re exposed to the private right of action.
Conclusion
All of the foregoing best practices must be laid out as part of a comprehensive information governance program. This starts with designating who within your organization will be responsible for information security and analyzing and processing CCPA requests. You must create a dedicated team and system to handle these compliance issues. Your plan should include, but not be limited to, a formal Information Security Policy, Incident Response Plan, Disaster Recovery Plan, Document Retention Policy, and Employee Handbook.
Data privacy is a team sport. Work closely with your IT people and privacy attorney to make sure your security procedures are reasonable!