Even if your firm is not mandated to comply
California has jumped on the Personally Identifiable Information (PII) regulatory bandwagon. The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. The law, thought of as “California’s GDPR” (General Data Protection Regulation for Europe) will be enforced by the California Attorney General, and enforcement is anticipated to start no sooner than July 2020.
While your firm may not have employees or do business in California, these laws, like other regulations such as HIPAA (Health Insurance Portability and Accountability Act) or GDPR, provide guidance that amounts to good habits and sound security practices for any business to follow. We have always recommended that businesses follow the best practices required by HIPAA, even if they do not fall under HIPAA regulation, because they are sound practices for protecting your firm's data. Likewise, the CCPA reminds us of certain rights we should respect for our employees and clients.
What does California consider Personal Information?
The CCPA significantly broadens the definition of personally identifiable information. If it seems like it might be PII, it likely is under the CCPA. California considers the following examples to be PII:
- Identifiers (name, alias, postal address)
- Protected classifications (e.g. citizenship, sexual orientation, race, medical conditions, marital status, political affiliations)
- Commercial information (e.g. products or services purchased, obtained, or considered)
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
PII that is already covered by other laws, such as HIPAA data, driver's license data, FDA common rule data, etc., is out of scope of the CCPA. California does not consider publicly available data or anonymized data to be PII.
Who Is in Scope?
The CCPA applies to for-profit entities doing business in California that collect, share or sell California consumers' personal data and meet at least one of the following thresholds:
- Have annual gross revenues exceeding $25 million;
- or possess the PII of 50,000 or more consumers;
- or earn more than 50% of their revenue from selling PII.
The CCPA promises California consumers ownership, control and security of their personal data. There are several personal rights the law seeks to protect:
Right to Be Informed. This is the right of transparency: to know what is collected about you and why.
Right to Access. This right allows you to review the PII collected on you, with a 12-month lookback period.
Right to Data Portability. This is the right to export your PII to take it to another service.
Right to Deletion. You have the right to get your PII deleted.
Right to Object. You can opt out of processing of your PII (including a "do not sell" request).
Right to Non-Discrimination. You have the right to still receive service even if you have exercised your rights.
What Should Your Firm Do?
All of these regulations come with hefty fines that can kill a business. Even if these privacy regulations do not apply to your business, the following best practices are still worth implementing:
- Gap Assessment. Review the firm’s risk, identify measures to improve, and make an action plan.
- Encrypt devices. If a breach ever did occur, full-device encryption limits costly notification requirements and gives peace of mind that company data (whether it is PII or other) is not compromised.
- Complex passwords and 2FA. Using two-factor authentication and complex passwords reduces the risk of PII or company data being stolen.
- Cookie banners. If you fall under GDPR or CCPA regulation, these are needed to disclose you are collecting cookies. Consider including language that you do not sell the data.
- Security/Privacy training. Train your employees on company policies and security best practices and create a culture of privacy and security.
- Limit your exposure. This can be managed with data retention policies and by giving employees access only on a need-to-know basis.
- Vet your vendors. Get data protection agreements with your third-party vendors and review your vendors' exposure to PII.
- Be ready to act. Conduct tabletop discussions and tests to simulate a breach. What if your firm's data was stolen? What would be the ramifications? How would you respond?
No matter where you are in the process, every firm should do a gap assessment on a regular (e.g. annual) basis. Use this review to plan for remediation and continuous improvement. Use a risk-based approach and start by assigning resources where they will be most effective. Privacy, just like security, should be embedded in your processes and tools. This will require senior management to buy into a privacy and security program.