At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.

These certainly sound like concepts that could be referenced as The Right to Access; The Right to Be Forgotten; and Data Portability.

Business requirements include:

  • Meaningful notifications to consumers at the point of contact where Personal Information is collected;
  • Updated online privacy notices to include the types of Personal Information collected, the purpose of collection, and rights information;
  • Implementation of Data Security measures to protect Personal Information;
  • Providing training to employees handling Personal Information or involved in consumer inquiries;
  • The inclusion of provisions in contracts with third parties with whom Personal Information is shared to include data privacy protections and restrictions on disclosure; and
  • The inclusion of a “do not sell my personal information” option on public facing interfaces and websites that collect personal information. Companies must take measures to not discriminate against users who opt out, but at the same time they can offer price incentives to those who chose to opt in.

The Act takes effect on January 1, 2020.  It has the same approximate 2 year “runway” period that GDPR provided in 2016 (leading up to May 25, 2018) for companies to gear up their compliance.  This law has potentially widespread impact, but some of the mechanisms of its application remain unclear, due in some degree to some of its broadly worded language.  In this way, it is also similar to the GDPR.

The challenge with implementation for large companies is the same as every other State level data privacy law – it is often virtually impossible to reliably identify who the “California” consumers are.  Thereby making it by practical necessity a global requirement for all publicly facing systems and applications for all users.

We recommend that most companies prioritize and stage their compliance today, focusing on GDPR in the short term, but  a California (or potentially necessary practical nationwide) compliance strategy should be included in late 2018 and 2019 IT and Privacy compliance plans.

In his “Data Is a Toxic Asset” blog post, Bruce Schneier argues that data is a toxic asset and that the lesson all the recent data breaches are teaching us is that storing this asset is “dangerous,” because it makes companies vulnerable to hackers, the government, and employee error. Schneier suggests addressing data breaches through stronger regulation at every stage of the data lifecycle and through personal liability of corporate executives. “Data is a toxic asset,” concludes Schneier, “We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

Calling data a “toxic asset” sensationalizes the data-security conversation into alarmist territory. The term “toxic asset” has a certain meaning in financial circles and typically refers to assets that become illiquid when they no longer can be sold on a secondary market. This hardly applies to data, which is more of a lifeblood for corporations than toxic asset. Continue Reading Is Data Really a “Toxic” Asset?

In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days. Continue Reading Defense Contractors – Under the DOD’s Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans