CCPA BACKGROUND
The new California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Businesses subject to the new California privacy law need to ensure compliance with numerous new cybersecurity requirements. These additional regulatory burdens on businesses operating in California present a potential gold mine for plaintiffs’ firms. These firms could leverage CCPA’s private right of action, which imposes significant statutory damages, to pursue a potential tidal wave of class action cases. Any business subject to the CCPA may be held liable if California consumers can demonstrate that their personally identifiable information (PII), under the statute’s extremely broad definition of PII, was affected by a cyber data breach that resulted from the business’s neglect or failure to implement “reasonable security.”
THE WORLD WE LIVE IN
According to a recent report issued by the U.S. Securities and Exchange Commission (SEC), the average cost of a cyber data breach is $7.5 million and continues to increase year over year. While all organizations are potential targets of cyber-attacks, the industries that possess the most valuable data are the biggest targets, including financial services, healthcare, government, automotive, manufacturing and retail. All organizations possess PII and other valuable information assets, which may include intellectual property, financial payment information, client information, supply chain information, protected health information (PHI), and/or payment card information (PCI), just to name a few.
IMPLEMENTING THREAT-BASED CYBERSECURITY
Businesses operating in California and subject to the CCPA will need to implement a proactive threat-based cybersecurity program, which begins by understanding the cyber threats (including threat actors, vectors, tactics, techniques, and procedures). It then creates a customized cyber defense plan that aligns with the business’s threat profile, budget and schedule. By implementing a threat-based cybersecurity program, a business can limit the risk of CCPA class action litigation by demonstrating that it has taken the necessary and appropriate information security actions to provide “reasonable security” for California consumers’ personal information.
To successfully implement a threat-based cybersecurity program, a business must take specific cybersecurity actions before, during and after a data breach, including the following:
BEFORE THE DATA BREACH
Select one or two independent firms with extensive cybersecurity advanced diagnostic capabilities, cyber threat intelligence data collection and analysis capabilities, cybersecurity advisory expertise, and/or managed security services to do the following proactive actions:
Before a data breach occurs, it is vital to take cybersecurity actions to ensure that “reasonable security” exists. All cybersecurity assessments and related findings should be performed and delivered under attorney-client privilege. The cyber diagnostic assessments listed under Before the Data Breach should all be focused on identifying potential cyber vulnerabilities within the business that could lead to cyber data breaches. The primary purpose of the cybersecurity diagnostic assessments is to gain a clear understanding of the current threat profile the business is facing, to identify the organization’s information security vulnerabilities to cyber-attacks, and to develop a customized cyber defense plan of action.
DURING THE DATA BREACH
Recognizing that each data breach is somewhat unique, there are certain key actions that need to be taken as soon as possible after the initial determination that a cyber intrusion has occurred and that data has been compromised and/or exfiltrated, maliciously encrypted, or destroyed, including the following actions:
AFTER THE DATA BREACH
Take the following cybersecurity remediation actions as necessary and appropriate:
SUMMARY
The risk of a data breach negatively impacting a company’s reputation and market value is both real and ever increasing. With the enactment of the CCPA we could see a significant increase in class action litigation in California focused on data breaches and the legal damages the CCPA imposes. Thus, all businesses subject to the CCPA need to implement a threat-based cybersecurity program to fully identify and understand the value of the information assets they possess, recognize the cyber threats they are facing, calculate the related risk factors, and then implement a customized defense plan. By implementing a threat-based program, businesses can clearly demonstrate that they have provided “reasonable security” for the protection of consumers’ personal information, while assuring shareholders that they are protecting the vital information assets required to both survive and thrive in a digital marketplace.