If you were just starting to relax, having fulfilled your compliance responsibilities for GDPR, I can’t help but wonder – have you thought about CCPA yet? Sure, it’ll be easier this time – many of the policies, programs, and safeguards you’ve implemented will apply to CCPA as well – but there are some distinct differences between the European and Californian privacy stances. In this post, I’ll talk about one of the big ones from a privacy perspective: the shift to identifiable households (rather than individuals). I’ll also discuss the change that means this privacy law has consequences for your security – because Californians are entitled to a private right of action under this law, which means that should their personal information be exfiltrated or stolen from your business, it is not only subject to hefty fines, but also lawsuits that can recover statutory damages between $100 and $750 per incident, per person. Or more, if there are actual damages. Let’s have a look!
Why should I care? I’m not in California!
Like GDPR and the recent NYS DFS Cybersecurity Regulation, the CCPA does not require a business to be based in the jurisdiction that enacted the law in order to be bound by it. You don’t even need to have a physical presence there. If your company does business in California and meets at least one of the thresholds below, you are subject to the CCPA.
- Has annual gross revenues in excess of twenty-five million dollars
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Why "Household" Is Important
Personally Identifiable Information (PII) has been a tenet of privacy considerations for a while now. At its core, this idea places weight upon information that can be used to uniquely identify a person – a social security number, for example. CCPA has shifted the definition of sensitive data from the individual to the household, making far more information a concern than just PII. So, “HII” (you heard it here first 😊) could represent the start of a trend that will mean exercising far greater caution when handling customer data going forward.
The implications for your security become most apparent when this new parameter for evaluating the sensitivity of a given attribute is paired with the individual’s increased ability to enforce consequences for non-compliance.
Infractions and Penalties
The two most relevant risks for your business concerning the enforcement of the CCPA are the Civil Penalties for Noncompliance and the Private Right of Action for individuals. Penalties for Noncompliance (1798.155) are fines of up to $7,500 per violation. Organizations will have 30 days to rectify the issue and become compliant. Of course, this could add up significantly, depending on what exactly constitutes a violation.
The Private Right of Action (1798.150) enables individuals to pursue legal action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” The law specifies that individuals can recover between $100 and $750 in statutory damages per incident, or actual damages suffered as a result of the breach.
ActZero Can Help!
As with most privacy, cybersecurity, or industry-specific compliance frameworks, our Virtual CISOs can help guide you, create policies, provide documentation, and ultimately help you meet the requirements of CCPA. From a privacy perspective, that’ll include helping you to understand which of your data is sensitive/private under the CCPA, and which steps constitute “reasonable security procedures and practices.”
Our Managed Detection and Response service helps to mitigate the risk of your data being subject to “an unauthorized access and exfiltration, theft, or disclosure” as described above, by actively detecting when a breach occurs and responding to it to minimize the amount and sensitivity of data exposed, accessed, or exfiltrated. On the days you’re not hacked, we provide you with a report detailing your hygiene, enabling you to harden your systems further and improve your prevention posture.
Remember, although CCPA came into effect back in June 2018, California can’t issue any penalties or pursue any violations until January 2020 – and even then, there’s a further grace period of 6 months from the last modifications to the law. All this is to say that you have lots of time to engage ActZero Networks for any of your cybersecurity or compliance concerns relating to California’s Consumer Protection Act.