As reported by DLA Piper and others, AB 375 (CCPA, the California Consumer Privacy Act) is a departure from the usual U.S. practice of taking an incremental approach to privacy laws.
Doubtless fueled by the succession of data breach scandals (Uber, LinkedIn, Target, Home Depot, Yahoo, eBay, Equifax, etc.), the bill seems set to become the baseline for U.S. data privacy when it comes into effect in 2020. It is very likely that a lot of companies will meet the test to fall within its scope: doing business in California and having a gross revenue of $50 million or more, selling or sharing information on more than 100,000 California residents, and earning 50 percent of revenue from selling personal information.
Lawmakers have been heavily criticized, and not just within the narrow confines of the technology press. Gizmodo was one of many online and print publications to criticize the apparent inertia in government and the lack of willingness to regulate or legislate in the face of an ever-growing list of exposures of citizens’ personal data.
The response has been swift. At the federal level, there are now at least three key pieces of legislation before Congress—the 2018 Data Protection and Breach Notification Act, Online Privacy Act (H.R.3175), and Social Media Privacy Protection and Consumer Rights Act of 2018 (S.2728).
So far so good. However, the temptation to legislate in the face of popular opinion and electoral pressure has its disadvantages. Closer study of the California act raises concerns about the speed with which it was drafted, and the main concern is what that means for the effectiveness of the new law.
WikiTribune quotes two concerned opinions:
‘Eric Goldman, a professor of internet law at the University of Santa Clara, said that despite marketing itself as the toughest data privacy law in the country, “the law [is] a terrible policy produced by a terrible process.”
In a statement, Nicole Ozer of the ACLU of California said that, in the aftermath of the Cambridge Analytica scandal, concern for privacy was at an all-time high.’
At least one initiative is underway on LinkedIn to crowdsource a response to AB 375, focusing on drafting errors and other areas of difficulty.
This criticism is not just coming from the Twitterati. In this blog post, Professor Jeff Kosseff, assistant professor at the U.S. Naval Academy’s Cyber Science Department, summarizes 10 key areas of concern with the CCPA.
- Consumers (who vote!) are increasingly disenchanted with what they perceive to be inadequate protection of their personal privacy, interests, and security by the corporations and other organizations that store and process their personal data.
- Lawmakers are reacting to this groundswell of opinion with legislation.
- As different jurisdictions react, the result will be a patchwork of laws. Not all of them will have had sufficient review and will, therefore, need to be clarified by case law.
- New legislation tends to provide for much tougher punishments for breach, including jail time for officers or executives and truly punitive fines or damages. This means the level of financial exposure to these risks is no longer at an acceptable level for the majority of organizations (precisely the point in the minds of those drafting the new laws).
What does this mean for your organization?
- The Worst Thing to Do Is Nothing: Ignoring the consequences of stronger laws will not make them go away.
- The Second Worst Thing to Do Is Overreact: A hasty response is not always the best response.
What Can, or Should, You Be Doing?
1. Brief the executive leadership. This should be low key and factual, explaining:
- The background to the evolving landscape of new data privacy legislation. The EU GDPR is a great case study. There is an excellent briefing available online from the NYU law school.
- Potential impact on the business
- The long-term value to the business of a robust approach to GDPR and other information security concerns
- Alignment of best practices for data privacy and management beyond GDPR to include U.S. federal and state data privacy or data breach notification laws, other legislative frameworks (such as the New Zealand Privacy Act), contractual and ethical obligations to maintain client confidentiality, and good corporate citizenship
- A proposal for the remaining steps of implementation or confirmation as part of the wider range of compliance or governance activities within the business. Most of the compliance activities related to GDPR would form part of a wider, structured information security management system (ISMS) in any case.
2. Establish the data protection officer (DPO) function. While the term has a specific meaning in the context of GDPR, the function also fits into or alongside existing CISO, governance, or compliance-related activities (e.g. SAS 70, SSAE 16, HIPAA, or Sarbanes-Oxley). The person assigned to the role should report to the C-suite or executive leadership team as part of a wider governance, audit, or CISO responsibility and have matrixed relationships with the rest of the business to enable the execution of the function.
3. Initiate activities to:
- Catalog data within the company by source, location, purpose (original, stated, or intended), and actual uses to which data is put
- Identify applicable business, legal, or regulatory constraints on the use, storage, and retention of data (e.g. GDPR, contract terms or non-disclosure agreements, Sarbanes-Oxley, or protectively marked or classified documents)
- Identify the technical and procedural controls required to ensure compliance with constraints (including information retention and destruction policies)
- Identify gaps in technical or procedural controls and prioritize addressing these by exposure and cost
- Identify other potential risk treatments, such as insurance, with costs
- Ensure that consents for the acquisition, use, and retention of data are in place, that they are up to date, and that they are available to concerned parties
- Establish processes to handle data inquiries or requests. These may come not only from GDPR data subjects or supervisory authorities but also from internal personnel, a client’s or customer’s personnel, agents or auditors, law enforcement, or other third parties. Structured processes ensure that inquiries are dealt with quickly, effectively, and with due consideration given to whether and how a request should be fulfilled.
- Educate staff, associates, and others involved in your business processes on how to recognize data security or privacy concerns or situations and the correct process to follow for getting them addressed
- Make information readily and consistently available to third parties (e.g. customers, suppliers, or application or website users), including contact details for further inquiries
- Ensure that, where third parties are involved in providing services, appropriate technical and procedural controls are in place and are backed by suitable contractual terms
4. Once the major points in Step 3 are in flight, prepare a briefing for the executive leadership summarizing the findings and the action plan to address any deficiencies. Beyond that, plan for:
- Business as usual operation of the ISMS or IG framework with a regular audit of scope and review of policies, processes, and controls to ensure these are up-to-date and offering a suitable level of protection to the business
- Maintenance of such third-party audits or accreditations of the wider information security management system or information governance space as are needed to win or retain business, and to confirm to officers and stockholders that measures are in place to reduce exposure to risk or liability to a level commensurate with the impact of any failing in the ISMS/IG environment