The California Consumer Privacy Act of 2018 (CCPA) gave consumers more control over the personal information that businesses collected about them and CCPA regulations provided guidance about how to implement the law. New privacy rights for California consumers under the law included the right to know about the personal information a business collects about them and how it is used and shared, the right to delete personal information collected from them, the right to opt-out of the sale or sharing of their personal information, and the right to non-discrimination for exercising CCPA rights.
California voters approved the California Privacy Rights Act (CPRA), also known as Proposition 24, which amended the CCPA and added new additional privacy protections beginning on January 1, 2023. As of that date, consumers now have the right to correct inaccurate personal information that a business has about them and the right to limit the use and disclosure of sensitive personal information collected about them.
Understanding Data Security Obligations Under State Law
The CCPA not only gave California residents the right to know, access, and delete personal data stored online as well as the right to opt out of its sale, but also the right to file lawsuits against companies for data breaches of personal information resulting from a failure to implement reasonable security. Companies now face potentially staggering damages in relation to a breach, as a company will have to show that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information it was processing.
There is no definition of reasonable security in the CCPA. The Center for Internet Security, a nonprofit cybersecurity resource group in East Greenbush, New York, published a list of 20 data security controls.
Reasonable security procedures are not only about cybersecurity, as they should be all-encompassing information governance plans offering more robust security postures for greater protection. Companies should conduct data mapping exercises to determine data flows and the types of personal information collected and maintained, and identify any potential areas of risk, gaps in coverage, or areas for improvement.
Companies should formally document policies and procedures in written information security programs that are subject to review on a regular basis. Plans should identify data safeguards and document employee training, vendor management, risk assessments, measures to mitigate risk, and incident response plans and data retention policies.
Particular Areas of Concern with Data Security
Some of the best practice areas that should always be included in information governance programs include:
- Encryption and redaction. Companies that encrypt and redact all data containing covered personal information are generally safe from liability under the CCPA private right of action.
- Network security. This should include a firewall, a web application firewall, database segregation and layering, logging, white-hat hacking to plug holes in systems, and proper on- and off-boarding of employees. End users will require two-factor or better authentication and good antivirus software.
- Physical document safeguards. Any hard-copy documentation with sensitive personal information needs to be properly secured in locked locations with access that is limited and closely monitored.
- Document retention. Many companies intend to keep data indefinitely. Unless a company is retaining data as required by law, as part of a litigation hold, or for security reasons, it will not be reasonable to hold onto it. The more personal data a company retains, the greater its exposure.
- Email security. Many data breaches are the result of malware planted in emails. Employees need to be trained about how to deal with such attacks.
- Password management. Passwords should be changed frequently, and separate passwords should be required for different systems. There should be lockouts after a certain number of unsuccessful login attempts and all suspicious activity should be recorded.
Contact Our Mountain View Startup & Small Business Attorney
Data security can be a highly complex issue for companies to navigate in California. You can give yourself the best chance to really understand what you need to do when you work with Kalia Law P.C.
Our firm regularly assists clients with these kinds of concerns all the time. Call (650) 701-7617 or contact our Mountain View startup & small business attorney online to arrange a free consultation.