Best in Law: California Tightens Online Security Laws

Equifax, Target, Marriott. Another day, another data breach.

Hacking takes an immense toll on both the company and the consumers. As technology evolves, and businesses continue to collect and use personal information, they must also keep pace with the expanding set of data security regulations.

In 2016, California published its Data Breach Report. The report references 20 controls published by the Center for Internet Security, and calls them the “minimum level of information security that all organizations that collect or maintain personal information should meet.”

The 20 controls are divided into three categories: Basic, Foundational and Organizational. They include requirements such as a secure configuration of computerized devices, email protection, boundary defense, account monitoring, training programs, and penetration tests and exercises. The Data Breach Report goes on to state that a failure to implement all 20 controls constitutes a “lack of reasonable security” under California’s information security statute – California Civil Code section 1798.81.5(b).

The new regulation on the block is the California Consumer Privacy Act. Effective in 2020, it will require many businesses, even those outside of California, to change the way they interface and collect information from consumers.

What Does the Act Require?

The Act provides consumers with several rights:

1. Consumers will now have the right to know exactly what personal information a business has collected from them, where the business received it, what it is using it for, whether it has been sold — and to whom.
2. A consumer can request a copy of his or her personal information that a business retains about him or her twice during a 12-month period. The business must provide specific information free of charge.
3. With certain exceptions, consumers may submit a request that a business delete any personal information it has collected from the consumer.
4. The Act gives consumers the right to “opt-out” to prevent a business from selling their personal information to third-parties.
5. The business cannot discriminate against a consumer for exercising his or her rights under the Act.
6. The Act allows consumers to file litigation against a company if specific “sensitive” personal information is subject to unauthorized access, theft or disclosure.

Does the Act Apply to My Business?

With minimal exceptions, the Act applies to any for-profit businesses that:

1. does business in the state of California,
2. collects and controls personal information from California residents and
3. has annual gross revenues in excess of $25 million or receives or discloses the personal information of 50,000 or more California residents, households or devices on an annual basis, or derives 50 percent or more of their annual revenues from selling California residents’ personal information.

The Act applies to corporate affiliates of these qualifying businesses.

What Does This Mean for My Business?

The CCPA has a sweeping impact. Businesses throughout California and across the United States that collect Californians’ information should start preparing.

Companies will need to build mechanisms to handle consumer requests, update policies and procedures, and handle and monitor consumer opt-outs. Given the time and expense required for compliance, companies should start now, as 2020 is just around the corner.

This article first appeared in The Press-Enterprise and other Southern California Newspaper Group publications online on Dec. 27, 2018. Republished with permission.

Lauren Strickroth is no longer with BB&K. If you have questions about this article please contact our business attorneys.