The California Consumer Privacy Act (CCPA) is a California state law protecting the personal information (PI) of California residents (“consumers”), and it affects most large businesses (in any state) that serve those consumers. Compliance will be fully enforced by the CA Attorney General no later than July 1, 2020, but the private right of action (PRA) for certain PI breaches, the right of private citizens to seek damages, is already in effect. The potential damages are stunning: a breach of one million records subject to CCPA’s PRA could result in a class action lawsuit with damages of up to $750 million for the plaintiffs. The minimum amount of damages a court could award in such a case, where a business was found liable under the CCPA PRA, is $100 million.
While government regulators do generally want to enforce the law, they typically don’t want to drive companies out of business as a result of their being victims of a malicious and criminal incident. On the other hand, with a private action, the plaintiffs’ trial bar is ethically required to seek the largest monetary sum legally permissible for their clients, without concern for the effect on the business. For this reason, consumer class action lawsuits under CCPA’s private right of action are likely to result in far larger civil awards or settlements than government fines. While it’s still early days for CCPA, a good example of this playing out is the 2015 Anthem Inc. data breach, which affected nearly 79 million individual records. While Anthem was able to settle with the federal government for alleged violations of HIPAA for “only” $16 million, its settlement of the private class action lawsuit resulting from the breach was $115 million. It’s worth pointing out that if this incident had occurred today (post-CCPA), the additional CCPA PRA liability alone would have been $790 million (minimum) up to a potential $59.25 billion! Considering the scale of these potential risks from a PI breach, an investment in assessing (and potentially reducing) the risk is warranted. Fortunately, there are ways to effectively and efficiently reduce this risk.
The first step in addressing the risk from CCPA’s PRA is for a business to determine what, if any, information it stores, processes, or transmits that is subject to the PRA. While personal information is defined broadly in the CCPA for most provisions, the PRA uses a narrower definition, as follows. Note that this list is complete at the time of writing; however, the law has already been amended once since the CCPA was enacted to add a new subset of PI to the PRA. It is advisable to treat any PI that could have a significant adverse impact on consumers in the event of a breach with appropriate safeguards.
An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- Social security number.
- Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Medical information.
- Health insurance information.
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
This subset of personal information subject to the PRA would likely include payment card information (PCI), most HR records, biometric access control system data, check verification data, and many other common business records. Often the knowledge of these PI use cases is heavily siloed, so it may be necessary to use an automated PI discovery tool or an external PI/privacy risk assessment team with experience and expertise in privacy compliance to ensure all such use cases are mapped. One strong indicator: if you are subject to HIPAA or PCI DSS, the data those regimes cover is most likely PI under CCPA. If the continued use of this information is not necessary, the business should consider securely deleting it to reduce PRA risk and compliance costs. The data can also be redacted to remove all unique identifiers; once it cannot reasonably be associated with an individual consumer, it is no longer PI. If the PI is needed and cannot be redacted, tokenization or other outsourcing strategies that shift at least some of the risk to a third party may be worth considering.
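The mapping, redaction and tokenization steps above can be illustrated with a small scanner. The following is an added example, not code from the original article or from any product it mentions; the field names (`name`, `notes`, `diagnosis`, `cvv`, and so on), the identifier patterns, the `tok_` token format and the sample records are all constructed assumptions. It applies the PRA definition directly: a record is in scope only when a name is present together with at least one data element that is neither redacted nor tokenized, and an account or card number counts only when an access code accompanies it.

```python
"""Scan records for PI in CCPA private-right-of-action scope, then redact or
tokenize the identifying elements. Added example; field names, patterns and
sample records are constructed assumptions, not taken from any real system."""
import hashlib
import hmac
import re

REDACTED = "[REDACTED]"
TOKEN_PREFIX = "tok_"

# Elements recognizable by shape (assumed formats).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CA_DL_RE = re.compile(r"\b[A-Z]\d{7}\b")          # California DL: letter + 7 digits
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card/account numbers

# Elements recognizable only by what the field means (assumed field names).
FIELD_ELEMENTS = {
    "diagnosis": "medical information",
    "insurance_member_id": "health insurance information",
    "fingerprint_template": "biometric data",
}
# A card/account number is a PRA element only together with a code granting access.
ACCESS_CODE_FIELDS = ("cvv", "pin", "account_password")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops long numeric strings (order ids, SKUs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def is_protected(value: str) -> bool:
    """Redacted or tokenized values no longer count as a data element (or a name)."""
    return value == REDACTED or value.startswith(TOKEN_PREFIX)


def find_pra_elements(record: dict) -> list:
    """Return (field, element_type, matched_text) for every unprotected PRA element."""
    hits = []
    has_access_code = any(
        record.get(f) and not is_protected(str(record[f])) for f in ACCESS_CODE_FIELDS
    )
    for field, value in record.items():
        value = str(value)
        if field == "name" or is_protected(value):
            continue
        if field in FIELD_ELEMENTS:
            hits.append((field, FIELD_ELEMENTS[field], value))
        for m in SSN_RE.findall(value):
            hits.append((field, "social security number", m))
        for m in CA_DL_RE.findall(value):
            hits.append((field, "government identification number", m))
        for cand in CARD_RE.findall(value):
            if luhn_ok(re.sub(r"[ -]", "", cand)) and has_access_code:
                hits.append((field, "account number with access code", cand))
    return hits


def in_pra_scope(record: dict) -> bool:
    """Name plus at least one unprotected element puts a record in PRA scope."""
    name = str(record.get("name", ""))
    return bool(name) and not is_protected(name) and bool(find_pra_elements(record))


def tokenize(value: str, key: bytes) -> str:
    """Deterministic keyed token: joins and de-duplication still work, but the
    identifier itself is gone. The key is assumed to live outside the data store."""
    return TOKEN_PREFIX + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, key: bytes, mode: str = "tokenize") -> dict:
    """Return a copy with each PRA element replaced in place; free-text fields keep
    their surrounding text, only the matched element is tokenized or redacted."""
    out = dict(record)
    hits = find_pra_elements(record)
    for field, kind, matched in hits:
        replacement = tokenize(matched, key) if mode == "tokenize" else REDACTED
        out[field] = str(out[field]).replace(matched, replacement)
    if any(kind == "account number with access code" for _, kind, _ in hits):
        # The access code is sensitive on its own and useless once the number is gone.
        for f in ACCESS_CODE_FIELDS:
            if out.get(f):
                out[f] = REDACTED
    return out


SAMPLE_RECORDS = [  # constructed sample data, not real individuals
    {"name": "Alice Example", "notes": "SSN 123-45-6789 on file", "diagnosis": "type 2 diabetes"},
    {"name": "Bob Example", "card": "4111 1111 1111 1111", "cvv": "123"},
    {"name": "Carol Example", "card": "4111 1111 1111 1111"},   # no access code: not an element
    {"name": "", "dl": "D1234567"},                                # element but no name: out of scope
    {"order_id": "ORD-2024-0001", "sku": "1234567890123"},        # fails Luhn and has no name
]

if __name__ == "__main__":
    demo_key = b"demo-key-held-in-a-separate-key-service"  # assumed, for the demo only
    for rec in SAMPLE_RECORDS:
        print(in_pra_scope(rec), [k for _, k, _ in find_pra_elements(rec)])
        print("  ->", minimize(rec, demo_key))
```

Running the scan before deciding between deletion, redaction and tokenization gives the inventory the text describes; the tokenized output of `minimize` is no longer in PRA scope by the scanner's own test, while the key that could reverse nothing (HMAC is one-way) still needs to be kept away from the data store so tokens cannot be regenerated by an attacker who dumps the records.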
If a business must continue to store or process PI subject to the CCPA PRA on its own systems, then it should take “reasonable” steps to ensure this information is secure. The most obvious way to implement such security is encryption. Encryption is particularly important because the definition of personal information (above) specifically excludes encrypted data. But this isn’t the easy panacea it may seem to be; in fact, many large breaches involve PI that was purportedly encrypted. The problem is that if the systems holding PI are compromised, there are many ways an attacker could subvert the encryption, from stealing the encryption keys to brute-forcing a weak encryption algorithm. At that point the PI is no longer protected by encryption, and potential PRA liability returns. Encryption may also pose technical challenges where large amounts of PI need to be quickly accessible.
For this reason, a comprehensive defense-in-depth approach to cybersecurity based on a commonly recognized framework from organizations such as CIS, NIST, or ISO is recommended. These standards can be difficult and expensive to implement, so businesses often utilize outside professional services firms with specialized experience and expertise in cybersecurity and privacy. Expert consultants from firms such as Truvantis know how to apply a risk-based approach to determine which controls may be applicable, and how to quickly and cost-effectively implement them with minimal impact to a business. These experts can advise on how other similar businesses are addressing similar risks, as well as what changes to privacy laws and compliance may be on the horizon.