[BreachExchange] California Consumer Privacy Act: What you need to know to be compliant

Inga Goddijn inga at riskbasedsecurity.com
Mon Jul 30 10:33:23 EDT 2018


https://www.csoonline.com/article/3292578/privacy/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html#tk.rss_news

In late June, 2018, California passed a consumer privacy act, AB 375, that
could have more repercussions on U.S. companies than the European Union’s
General Data Protection Regulation (GDPR) that went into effect this past
spring. The California law doesn't have some of GDPR's most onerous
requirements, such as the narrow 72-hour window in which a company must
report a breach. In other respects, however, it goes even farther.

The California Consumer Privacy Act takes a broader view than the GDPR of
what constitutes private data. The challenge for security, then, is to
locate and secure that private data.

What is the California Consumer Privacy Act?

AB 375 allows any California consumer to demand to see all the information
a company has saved on them, as well as a full list of all the third
parties that data is shared with. In addition, the California law allows
consumers to sue companies if the privacy guidelines are violated, even if
there is no breach.

Which companies does the California Consumer Privacy Act affect?

All companies that serve California residents and have at least $25 million
in annual revenue must comply with the law. In addition, companies of any
size that have personal data on at least 50,000 people or that collect more
than half of their revenues from the sale of personal data, also fall under
the law. Companies don't have to be based in California or have a physical
presence there to fall under the law. They don't even have to be based in
the United States.

When does my company need to comply with the California Consumer Privacy
Act?

The law goes into effect on January 1, 2020. As a practical matter,
companies need to have their data tracking systems in place by the start of
2019, since it gives consumers the right to request all the data a company
has collected on them over the previous 12 months. That's a very tight
timeframe.

What happens if my company is not in compliance with the California
Consumer Privacy Act?

Companies have 30 days to comply with the law once regulators notify them
of a violation. If the issue isn't resolved, there's a fine of up to $7,500
per record. "If you think about how many records are affected in a breach,
it really increases very quickly," says Debra Farber, senior director for
privacy strategy at BigID. Since the bill was put together and passed in
just a week, it will probably see some amendments, she adds. "Things like
the fine amounts are likely to change."

There's also another potential financial risk, Farber says. "The bill
provides for an individual's right to sue, for the first time," she says.
"And it allows class action lawsuits for damages."

Again, there's a 30-day window that starts when the consumers give written
notice to a company that they believe their privacy rights have been
violated. "If it's not cured, and the attorney general declines to
prosecute, then they can bring a class action suit," Farber says. "And it's
not just around breaches."

For example, the law specifies that companies must have a clearly visible
footer on websites offering consumers the option to opt out of data
sharing. If that footer is missing, consumers can sue. They can also sue if
they can't find out how their information has been collected or get copies
of that information. "It can be around anything," Farber says.

The law assigns specific penalties should unauthorized access occur,
whether through a breach, exfiltration, theft, or "disclosure as a result
of the business' violation of the duty to implement and maintain reasonable
security procedures and practices." As currently written, AB 375 allows for
penalties of $100 to $750 per consumer per incident, or actual damages,
whichever is greater.

"Add in all the other breach related costs -- IT response, forensics and
recovery, legal, notification, and so on -- and this could push a breach
into the realm of an existential threat to many businesses," says Chris
Prevost, vice president of solutions at Prevoty.

In general, if a company took the steps needed to comply with the GDPR,
then it's most of the way there for the California Consumer Privacy Act. At
least, it's closer than if it isn't ready for GDPR, says Eric Dieterich,
data privacy practice leader at Focal Point Data Risk, LLC. "Some
multinationals made changes for their European markets, but maybe didn't
roll it out to U.S.-based activities, so there might be a scoping change,"
he says.

What data does the California Consumer Privacy Act cover?

The California law takes a broader approach to what constitutes sensitive
data than the GDPR. For example, olfactory information is covered, as well
as browsing history and records of a visitor's interactions with a website
or application. Here’s what AB 375 considers “personal information”:


   - Identifiers such as a real name, alias, postal address, unique
   personal identifier, online identifier IP address, email address, account
   name, Social Security number, driver’s license number, passport number, or
   other similar identifiers
   - Characteristics of protected classifications under California or
   federal law
   - Commercial information including records of personal property,
   products or services purchased, obtained or considered, or other purchasing
   or consuming histories or tendencies
   - Biometric information
   - Internet or other electronic network activity information including,
   but not limited to, browsing history, search history and information
   regarding a consumer’s interaction with a website, application or
   advertisement
   - Geolocation data
   - Audio, electronic, visual, thermal, olfactory or similar information
   - Professional or employment-related information
   - Education information, defined as information that is not publicly
   available personally identifiable information (PII) as defined in the
   Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34
   C.F.R. Part 99)
   - Inferences drawn from any of the information identified in this
   subdivision to create a profile about a consumer reflecting the consumer’s
   preferences, characteristics, psychological trends, preferences,
   predispositions, behavior, attitudes, intelligence, abilities and aptitudes


What are the key privacy provisions in the California Consumer Privacy Act?

Companies must allow consumers to choose not to have their data shared with
third parties. That means that companies will now have to be able to
separate the data they collect according to the users' privacy choices.

In addition, while a company cannot refuse users equal service, it can
offer incentives to users who provide personal information. "This provision
might be subject to change, but as stated today, it gives you the ability
to offer discounts to people who are willing to have their data shared or
sold to third parties," says Dieterich. "Traditionally, systems aren't
designed so that your pricing structure might change depending on your
privacy choices. That's a new concept that has very technical implications."

Another major difference with GDPR is that the California law allows
customers much greater access to their records, says Subra Ramesh, SVP of
products at Dataguise. A California consumer has the right to find out what
information a company collects about them. Most companies are going to have
trouble pulling that information together. "First, the amount of data they
collect is already massive and continues to grow, often in the hundreds to
thousands worth of terabytes, and with enterprise-level organizations
processing petabytes of data," he says.

That data is contained in multiple storage platforms, in different file
types. "Most file search tools lack the ability to search across the modern
file repository ecosystems so prevalent today," says Aaron Ganek, CEO of
Cloudtenna. "Cross-silo file management is a major challenge. It is
difficult to understand context for each file if they are scattered inside
different repositories." Plus, compliance issues are associated with
pulling together data, he says. "Legacy enterprise tools struggle to
observe the disparate permissions and security models, violating the very
laws and regulations they’re being used to satisfy.”

Then there's the time limit. "After the access request, a company has 45
days to provide them a comprehensive report about what type of information
they have, was it sold, and to whom, and if it was sold to third parties
over the past 12 months, it must give the names and addresses of the third
parties the data is sold to," says John Tsopanis, privacy product manager
at 1touch.io. "You can't do that in Europe."

Since the rule covers the previous 12 months of records, companies have to
start complying six months from now, he says. Then, on January 1, 2020,
every company has to disclose every other company they sell data to. "It
will change the privacy landscape in America forever," Tsopanis says.

What does the California Consumer Privacy Act mean for security?

AB 375 is light on requirements around security and breach response when
compared to the GDPR. As stated earlier, the law does define penalties for
companies that expose consumer data due to a breach or security lapse. It
also allows courts to offer “injunctive or declaratory relief,” or “any
other relief the court deems proper.”

Businesses are not required to report breaches under AB 375, and consumers
must file complaints before fines are possible. The best course of action
for security, then, is to know what data AB 375 defines as private data and
take steps to secure it. Again, any organization that complies with the
GDPR likely does not need to take further action to comply with AB 375 in
terms of securing data.

The AB 375 requirements around tracking, accessing, and storing data mean
security teams will need to work closely with database administrators, says
Terry Ray, CTO at Imperva, a cybersecurity vendor. Any tools selected to
help deal with AB 375 will not only need to have full visibility into data
stored across the entire heterogeneous corporate environment, but also
ensure that access to this data is properly secured. "Lastly, they will
need these tools to cooperate with the new consumer portal by sharing
specific consumer data with the verifiable consumer requesting it," he says.

If the data is stored with cloud providers, the problem just gets worse.
For example, employees might set up a file-sharing account to keep track of
marketing or sales contacts. "It’s not surprising the large tech companies
like Google and Facebook opposed the bill," says Kevin Bocek, VP of
security strategy and threat intelligence at Venafi. "Controlling the
privacy and personal information that flows between machines is incredibly
difficult, and a major challenge for all businesses."

A work in progress

The bill was put together in just seven days because legislators wanted to
avoid a ballot initiative to pass an even stricter law that was opposed by
many tech companies. "Right now, many of the provisions and definitions
conflict with one another," says Andy Dale, general counsel and VP of
Global Privacy at SessionM. "The law becomes effective in 2020, so expect
amendments between now and implementation -- but the core tenets and rights
are likely to remain."

One problematic area is whether a company can charge consumers different
prices based on their privacy settings. For example, many companies have an
option where a consumer can upgrade to a paid tier where they don't see any
ads. Here, the law as currently written is a little bit contradictory.

"If the consumer exercises his rights under the regulation, businesses
cannot provide a different level or quality of product, goods or services
to the consumer," says Pravin Kothari, CEO of CipherCloud. "On the other
side of the coin, according to the regulation, businesses are not
prohibited from charging a consumer a different price or rate, or from
providing a different level or quality of goods or services to the
consumer, if that difference is reasonably related to the value provided to
the consumer by the consumer’s data."

It looks like California is trying to define a framework where consumers
can get paid for sharing their data, Kothari says. "In this area the
legislation is a bit visionary," he says. "We'll see in practice how this
actually works out."

Many companies offer free reports on their websites in return for personal
information. "We do that ourselves," says BigID's Farber. "By January 1,
2020, that might very well be illegal in California. We don't know."