Breathing Room? California Legislature Passes Two Major Amendments to California Consumer Privacy Act (CCPA)

BY:

Jamie Nafziger and Divya Gupta, Dorsey & Whitney Partners


Businesses may receive a bit of breathing room as a result of two amendments to the California Consumer Privacy Act (CCPA) passed on Friday, September 13, 2019, by the California Legislature.  The Legislature gave businesses a one-year moratorium on two significant aspects of the law:  its application to employees, job applicants, owners, officers, directors, medical staff members, and contractors; and its application to business-to-business transactions.  The Governor has until October 13, 2019, to sign or reject the amendments.  Although the amendments provide some of the needed clarifications and error corrections and a significant break from needing to respond to certain data subject requests from employees and B2B contacts, businesses will still need to complete their data mapping (even for these categories of consumers) and will still need to be prepared to offer the rights not exempted on January 1, 2020, even if these amendments are signed by the Governor.

For those following the process, five bills passed the Legislature: AB 25, AB 874, AB 1146, AB 1355, and AB 1564.  Proposed amendment AB 846 on loyalty programs was shelved.  In addition to the two widely applicable amendments about employees and business-to-business transactions discussed in detail below, the Legislature also passed a number of minor or narrowly applicable amendments.  The amendments amount to 98 pages of printed material.  We will cover only the more significant of them in this article.

The employment-related amendments in AB 25 exempt businesses from many of the CCPA’s requirements for one year when applied to employees, job applicants, owners, officers, directors, medical staff members, and contractors “to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business” (emphasis added).  The amendment also covers certain use of personal information in the context of emergency contact information and benefits administration.

If AB 25 is signed by the Governor, two CCPA requirements will still apply to these types of individuals when collected and used in this context:  (1) the requirements to inform them about the categories of personal information collected and the purposes for which the personal information will be used in 1798.100(b) and (2) the right to sue in a private right of action after a data breach in 1798.150.  This would mean the other consumer rights to deletion, access, opt-out of selling, and no price discrimination would not apply in this context for one year (until January 1, 2021).  This will be a welcome change to most businesses, to the extent it gives them a break from the experience EU businesses have had responding to data subject requests from employees, ex-employees and job applicants in Europe since the General Data Protection Regulation (GDPR) became effective. Unfortunately, even if this amendment becomes law, businesses will still need to complete their data mapping and draft disclosures in connection with the information of employees, job applicants, owners, officers, directors, medical staff members, and contractors.

The business-to-business (B2B) moratorium in AB 1355 would exempt businesses from many of the CCPA’s requirements for one year when applied to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency” (emphasis added).

The B2B moratorium would not apply to collection or use of personal information outside of the context described in this amendment, to the right to opt-out of “selling” in 1798.120, to the price discrimination provisions of 1798.125, or to the right to sue in a private right of action after a data breach in 1798.150.  If this amendment is signed into law, businesses will have a break until January 1, 2021, in the requirements of notice, deletion, access, information about onward disclosures, the opt-out link and the means for exercising consumer rights when it comes to B2B diligence or product/service provision or receipt.  This means businesses would still need to complete their data inventories of information received in a B2B context, be prepared to respond to opt-out requests, and apply all other sections of the CCPA to uses of B2B personal information outside of the diligence or transaction itself (such as marketing uses).

Other important amendments include:

  • Clarifications regarding authentication of data subject requests in AB 25;
  • Changes to language regarding methods for submitting data subject requests in AB 1564;
  • Changes to exempt certain vehicle-related information from the right to opt-out from selling in AB 1146;
  • Changes to exempt certain warranty and product recall information from the right to deletion in AB 1146;
  • Changes to the definition of “personal information” in connection with the reasonability of associating information with a particular consumer or household, with the definition of “publicly available,” and with the applicability to deidentified or aggregate consumer information in AB 874;
  • Correction of errors in the non-discrimination (price discrimination) section 1798.125 about “value provided to the consumer” versus “value provided to the business” in AB 1355;
  • Clarification regarding impact of encrypting and redacting personal information on civil right of action in AB 1355;
  • Changes to the exemption regarding consumer credit and related information in AB 1355; and
  • Error corrections in 1798.110(c) regarding privacy notice requirements and in 1798.115(a)(2) regarding right to know in AB 1355.

If these amendments are signed by Governor Newsom by October 13, 2019, they will provide a one-year extension in connection with some provisions of the CCPA.  However, the majority of the provisions related to consumer privacy will still be in effect.  No fundamental rights have been removed from the CCPA.  Businesses will need to continue their compliance efforts with focused intensity over the next several months.  We will provide updates regarding the Governor’s actions and the California Attorney General’s regulatory guidance as they become available.

The completed legislative session gives businesses a clearer understanding of the CCPA’s obligations (subject of course to signature by Governor Newsom).  For those companies not previously required to comply with the European Union’s GDPR, this may pose significant operational and technical challenges.  Dorsey has developed fixed fee packages to help clients on their CCPA compliance journey, a simple screening tool which is publicly available to help companies understand whether the CCPA affects them, and a more comprehensive online self-assessment tool for our clients, which can be requested by emailing Dorsey at CCPA.Assessment@dorsey.com.


CCPA Requires “Reasonable Security”: But You Can’t Have Reasonable Security Without Proper Vulnerability Management

By:  Divya Gupta, Dorsey & Whitney Partner and Coy Wamsley, Dorsey & Whitney Associate

With the California Consumer Privacy Act (“CCPA”) set to take effect on January 1, 2020, and the looming specter of statutory damages and data breach class action litigation for failure to implement “reasonable security,” reducing or mitigating the harm that results from cyber-attacks is more important than ever.  Since 2015, more than three in five Californians have been the victim of a data breach, which makes implementing reasonable security controls a critical and necessary component of CCPA compliance.1  While the retail industry has suffered record-breaking breaches from malware and hacking, especially of payment card data, no industry is risk free when it comes to data security.

Managing or mitigating that risk requires implementing “reasonable security,” a phrase that then-California Attorney General Kamala Harris tied in 2016 to the Center for Internet Security’s Top 20 Critical Security Controls (CSC 20).  In California’s 2016 Data Breach Report, Harris stated that “[The CSC 20] are the priority actions that should be taken as the starting point of a comprehensive program to provide reasonable security.”2  Recommendation 1 of the same report is more explicit:

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet.  The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security. (emphasis added).

Read together, these statements treat the CSC 20 as a prioritized list of defensive measures to prevent, detect, respond to, and mitigate security incidents, spanning the major domains of information security and giving organizations a roadmap to resilience.  Whether the CSC 20 will become the explicit legal standard for “reasonable security” is still an open question, but given the California AG’s previous statements, these controls should be top-of-mind for any organization that seeks to avoid significant liability under the CCPA.

The CSC 20 is broken down into three main categories of controls:  Basic, Foundational, and Organizational.  A full treatment of the CSC 20 is beyond the scope of this article, but suffice it to say that an organization may be hard-pressed to assert that it has “reasonable security” in place if it does not at least adhere to the Basic controls.  The Basic controls (controls 1 through 6 as numbered in version 7 of the CSC 20) consist of the following six items:

Inventory and Control of Hardware Assets

Inventory and Control of Software Assets

Continuous Vulnerability Management

Controlled Use of Administrative Privileges

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Maintenance, Monitoring and Analysis of Audit Logs

Of these six Basic controls, #3, Continuous Vulnerability Management, stands out as one of the most important for an organization to focus on to prevent data breaches.  According to a recent study, nearly 60% of data breaches were the result of unpatched vulnerabilities.3  Indeed, the California AG stated that “patching newly discovered security vulnerabilities is critical” while citing the related CSC 20 control.  In the last few years, the importance of vulnerability management has become more apparent, and this control has risen from #4 in version 6 of the CSC 20 to #3 in version 7.

Vulnerability management’s main purpose is to identify and remedy software vulnerabilities as quickly as possible.  Exploiting a published vulnerability often requires little skill on the attacker’s part: once a software vendor releases a patch, the accompanying advisory (and the patch itself, which can be diffed against the previous version) reveals the flaw, knowledge of it quickly becomes widespread, and the race is on between organizations deploying the patch and attackers attempting to exploit the vulnerability.  Organizations that do not scan for and proactively address vulnerabilities are at great risk of a breach.

Patching software is a no-brainer, or so you’d think.  The challenge lies in the scale of the organization, the effect a patch could have on other systems, and the attacker’s ability to weaponize a vulnerability ahead of scheduled patch rollouts, among other things.  Properly implementing vulnerability management may not be as easy as we’d like, but it is critical, and it is low-hanging fruit on the CSC 20 tree.
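As an added illustration of the mechanics described above (this is not code from the article’s authors, Dorsey, or CIS), the following Python triages a constructed asset inventory against a constructed advisory feed: it matches installed versions against the fixed version, computes a remediation deadline from the advisory’s publication date using a hypothetical SLA table keyed by severity and exploit availability, and reports which findings are overdue.  Host names, package versions, advisory identifiers, dates and the SLA figures are all assumptions made for the example, not real advisories or a legal standard.

```python
"""Vulnerability triage against an asset inventory.

Added example for this article; not code from Dorsey, CIS or any scanner
vendor. Hosts, package versions, advisory identifiers, dates and the SLA
table are constructed sample data, not real advisories or a legal standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadline in days from advisory publication, keyed by
# (severity, public exploit available). A policy choice for this example.
SLA_DAYS = {
    ("critical", True): 2,  ("critical", False): 7,
    ("high", True): 7,      ("high", False): 30,
    ("medium", True): 30,   ("medium", False): 90,
    ("low", True): 90,      ("low", False): 180,
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE
    package: str
    fixed_in: str         # first version that contains the fix
    severity: str
    exploit_public: bool  # public exploit or active exploitation known
    published: date


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    version: str
    advisory_id: str
    severity: str
    deadline: date
    days_overdue: int     # 0 if the deadline has not passed yet


def parse_version(version: str) -> tuple:
    """Compare dotted numeric versions numerically ("2.4.9" < "2.4.41").
    Assumption: purely numeric dotted versions, as in the sample data."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def triage(inventory, advisories, today: date):
    """Match every inventory entry against every advisory for its package,
    compute the patch deadline from the advisory's publication date (the
    race starts when the vendor publishes, not when you first scan) and
    return findings ordered by severity, then by deadline."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv.package != asset["package"]:
                continue
            if not is_vulnerable(asset["version"], adv.fixed_in):
                continue
            sla = SLA_DAYS[(adv.severity, adv.exploit_public)]
            deadline = adv.published + timedelta(days=sla)
            overdue = max(0, (today - deadline).days)
            findings.append(Finding(asset["host"], asset["package"],
                                    asset["version"], adv.advisory_id,
                                    adv.severity, deadline, overdue))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.deadline))


# Constructed inventory: the kind of data CSC 1 and CSC 2 are meant to produce.
INVENTORY = [
    {"host": "web-01", "package": "apache-httpd", "version": "2.4.38"},
    {"host": "web-02", "package": "apache-httpd", "version": "2.4.41"},
    {"host": "db-01", "package": "postgresql", "version": "11.4"},
    {"host": "jump-01", "package": "openssh", "version": "7.9"},
    {"host": "web-01", "package": "openssh", "version": "8.0"},
]

# Constructed advisories with hypothetical identifiers; versions and dates are made up.
ADVISORIES = [
    Advisory("ADV-2019-001", "apache-httpd", "2.4.41", "high", True, date(2019, 8, 14)),
    Advisory("ADV-2019-002", "postgresql", "11.5", "critical", False, date(2019, 8, 8)),
    Advisory("ADV-2019-003", "openssh", "8.0", "medium", False, date(2019, 4, 17)),
]


def overdue_report(today: date = date(2019, 9, 16)) -> list:
    """Findings whose deadline has already passed, most severe first."""
    return [f for f in triage(INVENTORY, ADVISORIES, today) if f.days_overdue > 0]


if __name__ == "__main__":
    for f in overdue_report():
        print(f"{f.host:8} {f.package:14} {f.version:8} {f.advisory_id} "
              f"{f.severity:8} due {f.deadline} overdue {f.days_overdue}d")
```

Two design points matter more than the code: the SLA clock starts at advisory publication rather than at the first scan that noticed the flaw, because that is when attackers start working, and the report is only as good as the inventory it is joined against, which is why CSC 1 and CSC 2 precede CSC 3.  In production the constructed lists would be replaced by scanner or package-manager output and a vendor advisory feed, the `exploit_public` flag would be re-evaluated as exploit availability changes (tightening deadlines on existing findings), and the toy version parser would give way to one that understands non-numeric version strings.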

The European Union deems privacy a fundamental human right and is taking enforcement seriously: think of the Marriott and British Airways GDPR fines.  We expect to see similar, if not greater, liability for organizations that violate the upcoming CCPA.  Organizations that have not yet automated the process of monitoring for and remediating vulnerabilities on their networks and systems should do so now, and should institute vulnerability and patch management policies.  While all of the CSC 20 controls are important, perhaps the most effective way for any organization to prevent a major data breach lies in assessing and managing known vulnerabilities.  Modernizing vulnerability management programs should be a focus in the short run-up to the January 1, 2020 effective date.

Dorsey’s Cybersecurity and Privacy Team has developed a catalog of security practices and procedures to help achieve operational resilience and defend companies from the forthcoming wave of data breach litigation.  Notably, Dorsey has partnered with leading technical security industry organizations to offer full service advice.4

Additional references:
https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180
1 See California’s 2016 Data Breach Report, available at https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf.
2 https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf.
3 https://www.darkreading.com/vulnerabilities---threats/unpatched-vulnerabilities-the-source-of-most-data-breaches/d/d-id/1331465.
4 https://www.dorsey.com/services/cybersecurity-privacy-social-media.