Does your company collect, store and protect consumer data in a way that is consistent with the California Consumer Privacy Act (CCPA)? The CCPA took effect on January 1 of this year, and lawsuits are already being filed under it. The CCPA is a far-reaching privacy law designed to protect California consumers: it gives them rights over their personal information and makes businesses liable when a breach results from a failure to maintain reasonable security. According to a March article on the legal website JDSupra, the first wave of CCPA lawsuits is upon us, with a suit filed in February against Salesforce.com, Inc. and Hanna Andersson, LLC, a children’s clothing retailer.
Because of the statutory damages and civil penalties available under the CCPA, JDSupra says “this case serves as a reminder to make sure your business has implemented reasonable security measures to protect consumers’ personal information in all its forms and wherever it may be stored.”
NOTE: This article is not intended to be legal advice. Please contact appropriate legal counsel for questions and advice concerning your specific situation.
What Is The CCPA?
Until now, a business that collected data about consumers could, within the limits of existing law, use that data in almost any way it chose: sharing it, selling it, and in some cases storing it insecurely. The California Consumer Privacy Act seeks to protect consumers’ personal information by giving them rights with respect to that data (to know what is collected, to have it deleted, and to opt out of its sale). And if a business fails to meet the requirements of the CCPA, the law has sharp teeth: the business may be subject to statutory damages in consumer lawsuits and to civil penalties imposed by the state.
Difference Between The CCPA and GDPR
The GDPR, Europe’s General Data Protection Regulation, has similar goals. One big difference between the two is that the CCPA grants consumers a private right of action: a consumer whose non-encrypted, non-redacted personal information is breached because the business failed to maintain reasonable security can sue that business directly, without waiting for a regulator to act. (This private right of action covers data breaches only; other CCPA violations are enforced by the California Attorney General.) Under the GDPR, individuals also have a right to compensation (Article 82), but enforcement is driven mainly by national supervisory authorities rather than by private suits.
Another difference, and a surprising one, is scope. The GDPR has no size threshold: it applies to any organization, in the United States or elsewhere, that processes the personal data of people in the EU. The CCPA applies only to for-profit businesses that do business in California, collect California consumers’ personal information, and meet at least one of three thresholds:
- The business has annual gross revenues of more than $25 million
- The business annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices
- The business derives 50 percent or more of its annual revenue from selling consumers’ personal information
That said, many other laws and regulations (including the GDPR) may apply to the company, and so the issues and consequences in this article are still important for all companies.
Who Is Responsible For A Data Breach?
In the case mentioned above, Salesforce is a vendor that stores and processes data for Hanna Andersson. The plaintiff asserts that both Salesforce and Hanna Andersson “failed to provide adequate security measures to protect consumers’ personal information,” and that as a consequence the platform hosting the retailer’s store was infected with malware that captured customers’ payment card data. In addition, the complaint alleges that although Hanna Andersson knew of the breach, it did not notify the FBI for six weeks, and that affected consumers were not notified until approximately three months after the breach.
So the lawsuit alleges that responsibility for the breach lies not only with the retailer that collected the data on its website, but also with the vendor that processed it. For a practitioner, the lesson is that outsourcing storage or processing does not outsource the duty of reasonable security: the contract, the vendor’s controls and the breach-notification timeline all need to be reviewed before an incident, not after.
More recently, MSSP Alert reported on another lawsuit citing the CCPA, filed this past May by Benjamin Karter, a private individual, against Epiq Class Action & Claims Solutions, Inc. Karter asserts that his Social Security number, along with private information belonging to thousands of other consumers, was exposed as a result of a ransomware attack on Epiq’s network. The suit “claims that the malware attack succeeded because Epiq had not updated Microsoft’s Windows operating system to a later version less vulnerable to hacking.” Whatever the outcome, the allegation illustrates how a plaintiff frames “unreasonable” security: running unsupported or unpatched systems that hold personal information.
Fines and Penalties Under the CCPA
If either of these cases succeeds, the defendants face potentially steep damages and penalties. Under the CCPA, a consumer who sues over a security breach may recover the greater of a) statutory damages of between $100 and $750 per consumer, per incident, or b) actual damages. The consumer may also seek injunctive or declaratory relief.
If an action is brought by the California Attorney General, civil penalties can be much higher: up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Because each affected consumer can count as a separate violation, these amounts multiply quickly.
Add to that the cost of defending the lawsuits, disruption of the business, loss of reputation, and other costs, and the total cost of a violation can run well into the millions of dollars.
Your Company’s Duty To Protect Consumers’ Personal Information
Both of these lawsuits, like others brought under the CCPA and other privacy laws, turn on the company’s duty to protect consumers’ personal information. According to the National Law Review, for a consumer to sue under the CCPA, the breach in question must be “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
So the question becomes: what are “reasonable security procedures and practices” for your business? The answer varies from one business to the next, because no two businesses collect, store and process data in the same way. The CCPA itself does not define the term, but the California Attorney General’s 2016 data breach report stated that failing to implement all of the CIS Critical Security Controls that apply to an organization’s environment constitutes a lack of reasonable security, so those controls are a sensible baseline to measure yourself against.
The best way to determine reasonable security procedures and practices for your company is to begin with a Risk Assessment, which cyber-liability insurers commonly require as a condition of coverage. The Assessment will…
- Identify all of the assets (including devices, systems and information) that require protection, and where consumers’ personal information is collected, stored and shared with vendors
- Identify the threats to those assets and the vulnerabilities that expose them, and rank the resulting risks
- Make recommendations to improve the security of your network and your data, prioritized by risk
- Be repeated at least annually, and again after any significant change to your systems or vendors
If your current IT company has not recommended a Risk Assessment in the last 12 months, it is time not only for an assessment but also to reconsider the IT company you are working with. The goal is to complete your Risk Assessment before you get hacked, not after. If your organization falls under the CCPA, GDPR, HIPAA or other privacy laws, it must comply. Call us at 818-913-1335 or contact us online to discuss privacy compliance for your company.