Data privacy legislation is here. Is your company ready?

Tony Anscombe, Global Security Evangelist

As a consumer, do you know which companies have data about you, what that data holds, or just how personal that data is?

The digital age is enabling all businesses, regardless of size, to collect information about their customers and prospects to better serve them and potentially increase sales and company revenues.  But with that massive data-gathering capability, there’s a growing belief that consumers should be in control of data about them, and how it’s used. Companies have the responsibility to ensure that personal data is used appropriately, stored securely and never falls in the hands of bad actors. To set the expectations between consumers and companies concerning data-handling practices, governments have stepped in.

Privacy regulation is here. It started with the GDPR, the European Union’s sweeping privacy rules that impact U.S. companies that sell products or services in Europe. Now it’s landed in the U.S. California, the home of some of the world’s largest technology companies, is joining the drive for greater transparency, control and security to protect its residents.

The California Consumer Privacy Act (CCPA) represents the most comprehensive data privacy law within the United States. It comes into effect on January 1, 2020. Businesses that meet the criteria of having more than $25 million in gross revenue, handle the personal data of more than 50,000 California residents, or make 50% or more of their annual revenue from trading data will be subject to the new legislation.

How we got here

The scandal surrounding Cambridge Analytica’s harvesting of personal information of over 80 million individuals was shocking. It wasn’t that they stole data or maliciously accessed it, they just abused a mechanism that allowed them to collect it. An online survey invited people to participate by downloading an app. Unbeknown to the consumer, the app gave the creator access to the personal information from the consumer’s Facebook account, and all the personal information of their friends.

In the wake of these revelations, business handling of personal information has emerged as a billion-dollar issue. The US Federal Trade Commission (FTC) and European regulators have fined many companies for not protecting personal data effectively, or collecting it without informed consent and then misusing it. U.S. and CFPB vs. Equifax resulted in a $275 million fine, British Airways vs. British Government resulted in $230 million and the U.S. vs. Uber, $148 million. All of these were eclipsed by the recent $5 billion fine imposed on Facebook. This is not only the largest fine for a breach of this type in the U.S., it is also the largest fine imposed on a global basis.

Data security and the CCPA

With the term “data breach” becoming a household term, privacy regulations mandate that businesses that hold personal information safeguard it against theft by cybercriminals.

With CCPA, the opportunity to financially penalize a company that falls afoul of the legislation belongs to the California Attorney General, but in a data breach, consumers can also sue the company for actual damages or a statutory penalty of $100-750 per incident or actual damages, whichever is greater. In a breach affecting the data of millions of California residents, you may need to get a calculator with extra digits to work out the actual cost of the penalty.

For a company that experiences a data breach to become the subject of a lawsuit, they must fail to implement and maintain “reasonable security procedures and practices.” To put it another way, the best defense against a potential lawsuit is to maintain the kind of “reasonable security” that could have prevented the breach in the first place. However, the “reasonable” standard is not specifically spelled out in the law. Until the legislation takes effect and the first cases are bought to light, the precise definition may continue to be murky.

In the meantime, our view is that the best approach is to draw from the definitions, requirements and suggested best practices that already exist. This is why we are releasing guidance for companies to begin assessing their security profile, identifying gaps and creating a reasonable security roadmap and implementing it in our new white paper.

Are businesses ready?

Despite the potential for extremely high penalties, our new survey found that confusion reigns in the business community. Almost half of the business leaders surveyed (44.2%) have never heard of the law, and only 11.8% know whether they need to comply. About a third (34%) don’t know if they’ll need to change their data handling processes. Crucially, 33% don’t know if they’ll have “reasonable security” in place as of January 1.

What is clear is that businesses need to focus on implementing defensive mechanisms, processes and procedures to ensure they are adhering to “reasonable security” requirements to protect the personal information of California residents.

There will be no excuse for non-compliance. If you have not already done so then establish a working group and start a project to ascertain whether you need to comply. If you do, create a plan to achieve “reasonable security.”

To learn more about CCPA, how it may impact your current cybersecurity profile and what steps to take next, download our Practical Guide to CCPA and Data Security.