The cost of a data breach for organizations that do business in California has just skyrocketed.
A recent study determined that organizations continue to lose revenue for up to two years after a data breach. The reason is simple: lost customers, and the inability to acquire new ones because of bad publicity.
Now, with the new California Consumer Privacy Act (CCPA), the state can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and consumers can sue for statutory damages of $100 to $750 per consumer per incident or for their actual damages, whichever is greater. Depending on what was done with their data, actual damages can be much, much more.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a new regulation that went into effect on January 1, 2020. As stated above, it allows individual consumers to sue businesses when their personal information is breached, under certain circumstances: the private right of action covers nonencrypted and nonredacted personal information exposed as a result of the business's failure to implement and maintain reasonable security procedures and practices.
CCPA also guarantees certain consumer rights, such as:
- The right to notice. At or before the point a business collects personal information, the consumer must be told which categories of information are being collected and for what purposes.
- The right to access/request information. A consumer may request what is being done with their information, and the business must provide this information free of charge.
- The right to know. The consumer has the right to request the categories of information collected, the sources it was collected from, why it was collected (i.e., the business or commercial purpose), the third parties with whom it was shared, and the specific pieces of personal information collected.
- The right to delete. The consumer can request that a business delete the personal information it holds about them, subject to the statute's exceptions.
Does CCPA apply to my business?
While the CCPA does not specifically define “doing business in California”, there are several criteria that must be met for this law to apply to a business.
Essentially, any for-profit entity that collects, shares, or sells the personal information of California consumers and meets at least one of the three criteria below can be subject to the CCPA:
- Annual gross revenues in excess of $25 million
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
- Derives 50 percent or more of its annual revenue from selling consumers' personal information
Any entity that controls or is controlled by a covered business and shares common branding with it is also covered. The business does not need to have any operations or employees in California.
What are “reasonable security procedures?”
Currently, the CCPA does not define "reasonable security procedures". However, the phrase already existed in California law (the data security statute, Civil Code section 1798.81.5), and the California Attorney General has endorsed specific practices that fall into this category: the 2016 California Data Breach Report identified the Center for Internet Security's Critical Security Controls as the minimum level of security a business should meet, and stated that failing to implement all of the controls that apply to an organization's environment constitutes a lack of reasonable security.
What should I do now?
- Consult an attorney. Interpreting this law quickly becomes complicated because of its vague requirement of "reasonable" security, and a lawyer can help you decide how to remedy any shortcomings.
- Get a vulnerability assessment. Have an assessment conducted to determine whether your current security controls meet these "reasonable" requirements, and to document what was tested and what was fixed.
- Train your employees to handle data properly. Employees who collect, store, or share consumer data need to be trained on how to handle it, and on how to recognize and route consumer requests to know, access, and delete.
- Create a culture of security awareness. Run a security awareness program for management and employees that helps them identify business email compromise (BEC), phishing, vishing, and similar attacks.
- Start a data inventory/mapping program. You now need a system that tracks your data processing activities, including the business processes, third parties, products, devices, and applications that process consumer personal information, so that you can answer consumer requests and know what an attacker could have reached in a breach.
Enforcement by the California Attorney General does not begin until July 1, 2020, but the private right of action has been in effect since January 1, 2020. Some security requirements and employee training programs take time to implement, so the sooner action is taken, the better.
We can help. Contact us today for a complimentary CCPA consultation at 714-840-8890.