On October 11, 2019, the California Attorney General (the “California AG”) issued draft regulations (the “Draft Regulations”) pursuant to his authority under the California Consumer Privacy Act of 2018 (“CCPA”).1 The publication of the Draft Regulations commences the public comment period during which numerous interpretative issues relating to the implementation of the CCPA hopefully will be addressed and resolved.Unfortunately, the California AG chose to limit the Draft Regulations to basic process issues relating to the overall structure of the CCPA, and elected not to address many of the more difficult compliance problems identified by industry participants. More troubling is the inclusion of additional procedural steps that a covered “business”2 must follow when complying with “requests” for “personal information”3 (“PI”). (If ultimately adopted, several of these additional compliance obligations could likely create technical and unintended violations of the CCPA.)4This Alert provides an initial analysis of the approach taken by the Draft Regulations, as well as suggestions for participating in the rule-making process.5
Businesses may receive a bit of breathing room as a result of two amendments to the California Consumer Privacy Act (CCPA) passed on Friday, September 13, 2019, by the California Legislature. The Legislature gave businesses a one-year moratorium on two significant aspects of the law: its application to employees, job applicants, owners, officers, directors, medical staff members, and contractors; and its application to business-to-business transactions. The Governor has until October 13, 2019, to sign or reject the amendments. Although the amendments provide some of the needed clarifications and error corrections and a significant break from needing to respond to certain data subject requests from employees and B2B contacts, businesses will still need to complete their data mapping (even for these categories of consumers) and will still need to be prepared to offer the rights not exempted on January 1, 2020, even if these amendments are signed by the Governor.For those following the process, five bills passed the Legislature: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Proposed amendment AB 846 on loyalty programs was shelved. In addition to the two widely applicable amendments about employees and business-to-business transactions discussed in detail below, the Legislature also passed a number of minor or narrowly applicable amendments. The amendments amount to 98 pages of printed material. We will cover only the more significant of them in this article.
By: Divya Gupta, Dorsey & Whitney Partner and Coy Wamsley, Dorsey & Whitney Associate
With the California Consumer Privacy Act (“CCPA”) set to take effect on January 1, 2020, and the resulting looming specter of statutory damages and data breach class action litigation for failure to implement “reasonable security” on the near horizon, reducing or mitigating the harms that result from such cyber-attacks is more important than ever. Since 2015, more than three in five Californians have been a victim of a data breach, making implementation of reasonable security controls now a critical and necessary component of CCPA compliance.1 While the retail industry has had record breaking breaches from malware and hacking, especially with card data, no industry is risk free when it comes to adequate data security.
Managing or mitigating risk, however, requires implementing “reasonable security,” which derives from the Center for Internet Security’s Top 20 Critical Security Controls (CSC 20) per then California Attorney General in 2016, Kamala Harris. In California’s 2016 Data Breach Report, Harris stated that “[The CSC 20] are the priority actions that should be taken as the starting point of a comprehensive program to provide reasonable security.”
By: Ron Moscona, Jamie Nafziger and Clint Conner The EU General Data Protection Regulation (GDPR), which is billed as the most important development in data privacy regulation in at least 20 years, arrived with a bang in May of this year and companies have been scrambling to implement compliance measures that will avoid its stiff… Read More
Two new developments this past year have made it easier for employers to sue employees in federal court for stealing data from company computers. The most recent is the U.S. Court of Appeals for the Ninth Circuit’s July decision in U.S. v. Nosal interpreting what it means to access a company computer “without authorization” under the Computer Fraud and Abuse Act (CFAA), the federal computer criminal statute. 18 U.S.C. 1030. The other development is the May amendment to the Economic Espionage Act (EEA), the federal criminal trade secrets act, permitting companies to file a federal civil action against individuals who steal the company’s competitively sensitive data. 18 U.S.C. 1831, et. seq.
On November 7, 2016, the Standing Committee of China’s National People’s Congress promulgated the Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the “CSL”) to become effective on June 1, 2017. While the law purports to create an overall national cyber security plan, its provisions, some of which are still vague, create significant potential uncertainties for companies doing business in China.
While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”
Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’ s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
In two independent and much-anticipated actions, separate EU entities took actions which will continue to complicate the ability of US companies to do business in Europe.
By: Barry Glazer, Ron Moscona and Chris Koa Significant uncertainty and concern regarding US companies’ ability to process and use personal data received from the EU has loomed since the October 2015 decision by Europe’s highest court invalidating the EU-US Safe Harbor. US and EU regulators earlier this week announced conceptual agreement regarding a new… Read More
In December, a divided panel of the U.S. Court of Appeals for the Second Circuit in U.S. v. Valle interpreted the Computer Fraud and Abuse Act to exclude employees who access their employer’s computers. The upshot is that if you are an employee in the Second Circuit and steal data from your employer to commit identity theft or to provide it to a competitor, you cannot be prosecuted by the Department of Justice or sued by your employer under the CFAA.