April 30, 2021
If you’re operating any part of your business in California, there’s a new acronym to learn. It’s CCPA, and it’s here to stay. It stands for the California Consumer Privacy Act, and it’s onerous. I recently returned from The Golden State, and there is much to admire about its beauty, weather, and innovative leadership. There are also some well-known tradeoffs that Californians are discussing with increased frequency. We know its residents are well-accustomed to life in a state of RED ALERT from the ever-present realities of earthquakes and wildfires, and now legislation is hitting businesses that are unprepared for… compliance with California’s tough privacy laws.
Many California companies are already painfully aware of the CCPA. Few outside the state who do business there are fully prepared for it. All of them will regret this. Insurance professionals working with California-based clients, and with clients doing business in California, should be discussing compliance with those clients urgently.
The California Consumer Privacy Act (CCPA) of 2018 was passed on June 28, 2018, and took effect on January 1, 2020. It provides privacy rights for consumers and forces companies that conduct business in the State of California to implement many fundamental changes to their privacy programs. For the many insured clients who may not have so much as a privacy program in place, this is mission-critical from a risk management perspective.
California consumers have been given rights similar to those provided in the European Union’s General Data Protection Regulation (GDPR). The CCPA identifies non-compliant businesses and imposes expensive fines, class-action lawsuits, and injunctions. Unaware clients face a high risk of violations, fines, and press exposure, all of which can damage their reputation. Expect very public, very expensive exposures of violators, including many recognizable brands, to increase.
Penalties. When the EU introduced GDPR, it published guidelines and sizable potential fines well in advance, ensuring the regulation would be taken seriously. These called for fines of between 2% and 4% of global revenue, and enormous fines have since been issued to companies that didn’t comply. GDPR went into effect a year ago, on May 25th, 2018. Named regional entities were empowered to monitor and report on violations, and they got to work immediately on investigations.
Fines. One of the first fines made public was relatively merciful. A breach in Germany within weeks of GDPR taking effect resulted in a smaller fine than was allowable. On September 8th, 2018, a German social media platform reported a breach of Personally Identifiable Information (PII), including email addresses and password information that had been posted online. The record count totaled over 300K individuals. Investigators found the fault lay in an outdated storage method that should have been corrected. The organization took its accounts offline and improved its security profile. This resulted in what the regulator called a proportionate penalty of €20,000 ($22,363 USD). The company also kept its name out of the press.
What followed made it certain that the EU meant business. Fines began to pile up across Europe for all flavors of violations. A business in Austria was fined heavily for not marking its CCTV security cameras sufficiently. A Portuguese hospital was fined next for improper file management and controls, and the fines kept increasing.
Then, to make sure the world was paying attention, the EU fined an entity from outside the EU, a global brand, with its biggest fine yet. Citing what the French regulator CNIL termed vague consent agreements and poor transparency, it hit Google with a €50M fine in January 2019, announcing its findings publicly in English and French. It became clear that the EU means to enforce its policies aggressively, and it has since made privacy demands upon companies including Facebook.
To date the EU has seen over 90,000 complaints and over 60,000 data breaches reported by companies, yet has gotten around to issuing only some 100 penalties and fines. Regulators are already finding themselves understaffed, and many EU countries are not yet fully reporting.
The CCPA model is different and more flexible, but its rollout has mirrored the patterns of the GDPR rollout. It allows for fines of up to $2,500 per violation and $7,500 per intentional violation, and California does not place a cap on the total amount of fines. Unlike GDPR, the CCPA provides businesses with a 30-day period to cure alleged violations of the law; no fines can be assessed until those 30 days have passed. Several additional details are listed here.
You should offer cyber risk assessments and educate all clients about these regulations. Most of them already do some degree of business with California companies or individuals. You should encourage technology risk mitigation practices and executive-led cybersecurity best practices initiatives, including educating the workforce, proactive processes, and documented planning driven from the top. You should certainly plan a risk transfer strategy with each and every client. A risk transfer strategy gives clients a bench of talent to properly manage incident response, remedy potential problems immediately, and provide counsel to represent their interests.