Last month Alastair Mactaggart announced that the organization he founded, “Californians for Consumer Privacy,” had gathered the requisite signatures for a newly proposed privacy act for the upcoming November 2020 ballot. Among other items, the newly proposed California Privacy Rights Act (CPRA) aims to modify the California Consumer Privacy Act (CCPA) in five ways that have a significant impact on incident response:
1. CPRA would modify how CCPA categorizes personal data to include a new category called “sensitive personal information.”
Creating a new category of personal information adds the burden of requiring additional precautions, and any approach that a company may have in place to manage this data for incident response purposes will need to be updated to account for this added complexity.
According to the proposed act, “sensitive personal information” is personal information that is not publicly available that includes:
- Social security number, driver’s license, state identification card, or passport number;
- A user’s account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- Any form of precise geolocation;
- Racial or ethnic origin, religious or philosophical beliefs, or union membership;
- The contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
- Genetic data of a consumer; and
- Biometric information used to identify a consumer;
- Information collected or analyzed about a consumer’s health; or
- Information collected and analyzed about a consumer’s sex life or sexual orientation.
2. CPRA would expand the part of CCPA that relates to data breach liability.
Liability for data breaches expands in scope in two ways under the proposed amendments.
First, consumers would be able to bring a private lawsuit for data breaches in which the exposed information included a combination of email address and password or the associated security question and answer. This would be a significant change for many companies that do not store the type of data that is more typically defined as Personally Identifiable Information (PII).
Second, implementing reasonable cybersecurity measures after a breach would no longer be a sufficient “cure” to avoid liability. Since “reasonable security procedures” is a subjective standard, this change will create a big burden for companies to prove their security procedures were reasonable even though they suffered a breach.
3. CPRA would broaden “reasonable security” standards to cover all personal information.
Broadening the scope will increase the ability of consumers to bring private lawsuits after a company suffers from a cyber attack. Currently, CCPA limits the “reasonable security” standard to a narrow subset of personal information that is defined in the security laws.
4. CPRA would limit data retention of consumer personal information to a period of time that is “no longer than necessary.”
By adding this data retention provision, CPRA would increase the likelihood of a violation after any breach. The proliferation of data scattered across an organization is already a challenge in itself for most organizations.
As a result, when incidents occur, frequently companies discover the existence of data that it may not have even realized that it possessed.
5. CPRA would create a new enforcement authority called the “California Privacy Protection Agency.”
Designating a new enforcement authority focused on privacy would presumably ensure that more enforcement actions can be brought than might otherwise be brought by the California Attorney General (the current authority under CCPA). The proposed act mandates that the new enforcement agency would be allocated $10M in funding from the State’s General Fund. This funding amount would provide enough funding to match the size of the Federal Trade Commission’s privacy enforcement team.
Rapidly Changing Regulations Make Preparing for Incidents Challenging
This proposed legislation comes on the heels of the CCPA just going into effect at the start of 2020 and shines a spotlight on how challenging it is for organizations to keep track of constantly shifting privacy regulations.
While this proposed privacy law change is particularly soon after CCPA, privacy regulations across the United States and the world are changing all the time. In just the first half of 2019, nine different states made changes to their data breach notification laws. Over 75% of countries in the world have data protection or privacy laws that are on the books or are pending in draft legislation.
Whether your company operates domestically, internationally, or both, keeping up with these rapidly evolving regulations is a tall order, especially when it comes to privacy and cybersecurity incident response requirements. One approach to the problem is to simply pick the harshest or most strict standards and apply them in all cases. For example, if your company was subject to the European Union’s (EU) General Data Protection Regulation (GDPR) that would mean that all your regulatory notifications must be made within 72 hours.
This approach, however, would likely result in over-notification, which is likely more expensive than necessary. For example, in response to the Anthem breach, the company spent $40 million just on the first class mail for customer notifications. That’s just one direct cost of notification, but obviously any notification brings additional regulatory scrutiny and ultimately includes the associated brand damage that can be even more painful.
Dynamically Updated Incident Response Plans are Best Practice
Most companies prefer to limit breach notification to those instances when it is truly required. The best way to ensure your company can avoid over-notifying in response to privacy incidents is to prepare and maintain incident response plans that are kept fully up-to-date as regulatory changes occur. BreachRx dynamically updates incident response plans as regulatory changes occur so that organizations can feel confident they are applying the current standards and avoid unnecessary expenses.
With an automated and dynamic solution that helps proactively prepare for incident response, our customers are able to exceed consumer and regulatory expectations and thus minimize the fallout from the inevitable events that will occur. Implementing the BreachRx platform is the fastest way to achieve a best in class program for effective incident response.