Data Breach Compliance Under the CCPA – What You Need to Know

The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, and with it came expanded data breach laws and an increased risk of litigation. Attorney General enforcement of privacy-related suits cannot be initiated until six months after final regulations are approved by the California Attorney General or July 1 (whichever comes first); data breaches, however, are subject to enforcement now through a plaintiff’s private right of action.

In fact, substantial data breach litigation has already begun under the CCPA, primarily in the form of consumer class actions brought in federal courts in California.

Businesses should be aware and prepared to comply with the data breach compliance requirements of the CCPA in the event of a data breach incident, as discussed below, or risk facing litigation.

Breach Defined

The CCPA provides consumers with a limited private right of action when “nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations are subject to penalties of $100 to $750 per incident, actual damages, and injunctive relief.

Personal Information Defined

In order for a data breach to be actionable, the information breached must be personal information as narrowly defined by California’s data breach notification law, Section 1798.81.5, not the broad definition included in the CCPA. For the private right of action for data breaches, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

This narrower definition of personal information should work to limit the availability of CCPA’s private right of action.

What Constitutes “Reasonable Security?”

The CCPA does not define “reasonable security,” and the California Attorney General has not yet offered guidance on the subject. However, some California regulators have endorsed certain security measures as providing “reasonable security” in contexts outside of the CCPA.

For example, the former California Attorney General, Senator Kamala Harris, provided clear guidance on what she considered reasonable security in the February 2016 California Data Breach Report. As highlighted in the report, covered entities should look to the Center for Internet Security’s list of 20 Critical Controls (“CIS Controls”) as a potential baseline security standard for reference. The CIS Controls consist of twenty key actions, including authentication, incident-response plans, data-protection policies, and other security safeguards. Although these CIS Controls are not prescriptive safeguards for CCPA compliance, they are a good place to start.

Notice and Cure Period

Before bringing an action for a security breach, the CCPA requires consumers to provide covered businesses with 30 days written notice, identifying the specific provisions the business allegedly violated. Businesses then have 30 days to address and resolve the violations without penalty. Businesses who fail to cure the violation open themselves up to civil action for monetary damages, injunctive relief, and any other relief the court deems proper.

CCPA Prohibition

The CCPA does appear to prohibit the commencement of lawsuits that leverage the CCPA to state other claims. The CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq., or other statutes. However, as described in other blogs, this has not stopped plaintiffs from bringing just these types of claims. Judicial decisions will be needed to settle the scope and enforceability of the CCPA’s prohibition on non-CCPA claims.

Takeaway

Businesses should continue to follow CCPA developments and carefully monitor related litigation in the coming months for further clarity on enforcement and compliance. CCPA data breach litigation is expected to increase considerably as plaintiffs take advantage of the CCPA’s private right of action for data breaches resulting from a company’s failure to implement and maintain “reasonable” security measures. Beckage will continue to provide updates as they become available. Additionally, AG enforcement of the CCPA data breach and privacy provisions is expected to commence soon, providing an additional layer of enforcement activity that businesses must be aware of. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA litigation risk.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Update: CCPA Takes Effect, AG Releases Advisory

As the groundbreaking California Consumer Privacy Act (CCPA) took effect on January 1, many were still working to understand the new requirements for businesses and the rights bestowed on consumers. The California attorney general (AG) followed up on January 6 with a CCPA advisory press release reviewing the regulations and restating that California residents are now afforded new, more stringent data privacy rights. The CCPA has been big news for anyone who does business in California. But the million-dollar question for New York-based companies that handle CA consumer data is whether the CCPA applies to them. While we still await clarity on many of the key components of the Act, the recent advisory does provide some useful reminders for businesses to think about.

Looking Back: Top Privacy and Cybersecurity Headlines from 2019

In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat. From new laws and landmark cases to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:

Yesterday California Attorney General Published Proposed Regulations As States Privacy Law CCPA Effective Date Rapidly Approaches

With only a few months left before the landmark California Consumer Protection Act (CCPA) takes effect, yesterday the California Attorney General announced Proposed Regulations implementing the CCPA. By way of background, the CCPA comes into effect January 1, 2020 and will put in place some of the strictest guidelines the US has seen regarding the collection and processing of personal information of California residents. While the law addresses the processing of personal information of California residents, the CCPA is likely to have far-reaching impacts on businesses across the nation, including New York-based businesses. The text of the CCPA can be found here.

Important Privacy Developments in New York State

**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

As always, Beckage lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.

There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642). If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.

1. THE SHIELD ACT

Passed by the State’s legislature, the SHIELD Act updates New York’s general business law (GBL 899-aa) governing notification requirements and consumer data protection obligations, and broadens the Attorney General’s oversight regarding data breaches impacting New Yorkers.

Specifically, the Act purports to:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;
  • Broaden the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard;
  • Apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
  • Create reasonable data security requirements tailored to the size of a business.

STATUS

Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending.

2. THE NEW YORK PRIVACY ACT (NYS5642)

This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and the California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, including those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to fall within the Act’s jurisdictional scope.

This Act governs (and in some instances, limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing jurisdictional PD. The bill does purport to exempt from its reach data sets governed by HIPAA/HITECH.

STATUS

Pending in Senate Consumer Protection Committee.

PREDICTION

This bill is likely to pass the Senate. However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas, and we expect more pressure next year to pass it.

Beckage PLLC continues to monitor privacy bills and regulations pending in New York State, including:

  • Proposed NYS Biometric Privacy Act;
  • Department of Financial Services regulations impacting credit reporting agencies;
  • New York Department of State Emergency Regulations on Identity Theft prevention and mitigation;
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.

Have questions? Our team at Beckage is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.