Michael Monyok
A major new cybersecurity law, the California Consumer Protection Act, recently became enforceable. And while the CCPA shares similarities to other states’ laws concerning personal data, it goes further than most statutes, mainly in that it allows individual California residents to bring a private cause of action against a business in case of theft or disclosure of non-encrypted or non-redacted personal information.
That’s a notable development, as it gives Golden State consumers more agency than they’ve had in the past, when companies struck by data breaches or misusing information mainly faced civil penalties. But this statute is not limited to California’s borders.
Similar to when the European Union’s wider-ranging General Data Protection Regulation (GDPR) went into effect, businesses everywhere must be aware of the CCPA. Any entity considered to “do business” in California, regardless of their physical location or residency of their employees, could be subject to the jurisdiction of California courts and enforcement.
What the law says
As the name implies, the CCPA gives California consumers broad rights regarding how businesses collect, use and share residents’ personal data (including but not limited to names, postal addresses, email addresses, personal identifying numbers and IP addresses). It also creates obligations for businesses pertaining to data collection and rules for retaining and selling data.
A business is subject to the CCPA if any of the following apply:
- Has at least $25 million in annual revenue
- Holds more than 50,000 California users’ or devices’ data
- Derives more than 50% of revenue from selling data
Crossing state lines
A business headquartered on the east coast may not want to ignore what’s happening on the west coast. Given the amount of online commerce occurring within a state that is the world’s fifth-largest economy on its own, the CCPA will have ripple effects. If a business holds enough data from California residents, it does not matter if it is Newport Beach or New Jersey.
For example, a Pennsylvania-based clothing manufacturer may fulfill orders from a shop in California and have access to customer data. If the manufacturer has a breach on its servers, exposing personal information, who is responsible? The manufacturer or the company that originally collected the information? Certainly, the latter could be targeted for enforcement, but will it be able to pin the blame on the manufacturer? These are situations that remain to be seen.
Covering your business
There is something of an irony when it comes to cybersecurity. Even with a constant flow of headlines about data breaches or mishandled data, not enough companies make it a priority. Setting up a firewall or outsourcing the work to an IT company is not always enough. With more laws coming into effect and a greater public awareness of data privacy issues, passive measures must be replaced with active efforts to protect information.
Following the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) can be considered a baseline for reasonably protecting consumer data and personal information. It is an evolving and voluntary guidance that provides standards, guidelines and practices for organizations to manage and reduce cybersecurity risks.
At a contract level, any time there is going to be a transfer of data between parties, they should determine what precautions will be in place — and who is responsible for the data. This might be done similarly to contracts concerning intellectual property, which normally include specific wording and repercussions for accidental disclosures. In that case, a contract provision regarding data privacy may state a vendor is only responsible for data necessary to the contract, describe what penalty is involved if a party is directly responsible for losing the data, list what is considered a reasonable level of cybersecurity, and indemnify the other part against any claims of wrongful misuse of data or breach that occurs.
Measures like these are wise for companies everywhere, not only in California. From coast to coast, modern practices dictate that businesses are sure to handle data at some level, so they must take cybersecurity seriously.
