How Will the California Consumer Privacy Act Affect You as a Consumer and a Business?

Sem Ponnambalam, CEO of xahive, inc.

Data breaches globally have run at a record pace in 2019. Over 3,800 publicly disclosed breaches were reported, exposing 4.1 billion records. On average, it takes 197 days for a breach to be identified. The number of reported breaches in 2019 was up more than 54% compared with the first six months of 2018. Some of the significant breaches reported were Capital One, DoorDash, Evite, American Medical Collection Agency, Georgia Tech, and FEMA. Given this environment, it is no wonder cybersecurity laws are being introduced to protect consumers and organizations.
 
As many of you may have already heard, the California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. It has been referred to as California’s GDPR (the EU’s data protection law). You may be wondering what it is and why it is important for you as a consumer and as a member of an organization.
 
The CCPA is a comprehensive set of regulations to protect the digital privacy rights of consumers in California. It is aimed at for-profit businesses (e.g., a sole proprietorship or corporation) that collect customer information and meet any one of the following thresholds: annual gross revenue exceeding $25 million; managing or selling 50,000 or more personal information records; or deriving 50% or more of their revenue from selling personal information.
 
Small and medium-size businesses should also be aware of this act and its requirements. Many enterprises are requiring that their vendors and sub-contractors be able to demonstrate that they qualify for a minimum of $2 million in cybersecurity liability insurance. To be eligible for cybersecurity liability insurance, small and medium-size businesses need to ensure that they meet the minimum requirements outlined in the CCPA and other cybersecurity frameworks in the US.
 
As a consumer and as a business, you should be aware of the following requirements.
 
According to the CCPA, personal information includes, but is not limited to:
• Real names, aliases (online or offline), addresses, and any real or online IDs or passwords.
• Commercial information, including records of personal property, products/services, and information that is not publicly available.
• Biometric information such as fingerprints, DNA samples, etc.
• Internet or other electronic network activity information, including, but not limited to, browsing history and search history.
• Geolocation data.
• Audio, electronic, visual, thermal, olfactory, or similar information.
• Professional or employment-related information.
• Education information, defined as information that is not publicly available.
• Meta-analysis of any of the above data.
 
However, a business may decline a consumer’s request to delete information when that information is:
• Required to execute a contract.
• Used in a work order requested or ordered by the consumer.
• Used in the business relationship with the consumer requesting the deletion.
• Used to manage the cybersecurity of the organization.
• Used in scientific, historical, or statistical research in the public interest.
• Used solely for internal purposes, so long as those purposes are reasonably aligned with the consumer’s expectations. What counts as “reasonable” may need to be decided by a judge as cases arise.
• Needed to comply with a legal obligation or applicable laws.
 
As a consumer, you have the right to request your personal information:
• Consumers have the right to request a detailed list of all the information collected about them by the business.
• The business must send this list to the requesting consumer within 45 days.
 
What are the fines and damages associated with not complying with the CCPA?
• A consumer may bring an action for the loss of nonencrypted or non-redacted personal information (as defined in Section 1798.81.5) resulting from a business’s breach of its duty to protect that information.
 
Remedies
• The greater of statutory damages of $100 to $750 or actual damages
• Injunctive or declaratory relief
• Any other relief the court deems proper
 
Pre-conditions
• The consumer must give the business 30 days’ written notice, giving it a chance to rectify the situation
• Notice is not required for suits limited to actual damages
• Consumers may also sue for breach of express written statements
 
Parties may seek Attorney General opinions
• A business violates the title if it fails to rectify the violation within 30 days of receiving notice
• Attorney General may seek injunctions
• Civil penalties can be $2,500 to $7,500 per intentional violation
 
As a business, you should consider the following steps to get your organization ready for the CCPA:
• Educate your entire organization on cybersecurity governance, from board members through your value chain, including vendors and sub-contractors
• Ensure your clients’ personally identifiable information is encrypted both at rest and in transit
• Undergo a technical and governance cybersecurity audit (this should be done bi-annually)
• Establish a vendor management best-practices policy (require that your vendors can demonstrate they have cybersecurity insurance in place)
• Establish a bring-your-own-device policy
• Ensure that cybersecurity governance is part of your business continuity plan
• Create an attack preparedness and response policy (and start running cyber drills on a bi-monthly basis)
• Implement technical systems and governance processes that address all weaknesses and gaps as soon as possible
 
It is important to remember that regulations such as the CCPA exist to help protect consumers and businesses from further breaches. It is not a matter of if you will be breached; it is a matter of when you will find out that you have been breached. As a consumer, you should be aware of these minimum requirements and feel free to check whether your financial, medical, and legal professionals, and any organizations you deal with daily, can demonstrate that they take your privacy and the security of your information seriously.

For more information, please visit www.xahive.com