The California Consumer Privacy Act (CCPA) was barely a month old when the first private lawsuit was filed under the law. The action against a children’s clothing company and Salesforce Inc., the giant developer of CRM software that hosted the retailer’s customer data, was filed in federal court in early February 2020.
The details of the lawsuit are not as important as the reality that it highlights the need for companies of all sizes and types to do two things. They must ensure they are taking proactive steps to prevent data hacks and leaks and know what will be required to defend themselves against allegations made by consumers and the state.
The state attorney general says his office will not launch enforcement actions against companies until July 1, 2020, as long as they can show they are taking steps to comply with CCPA’s requirements. Yet as the lawsuit underscores, there is nothing stopping individuals from seeking damages as a result of alleged leaks and hacks well before mid-year.
Offense is Defense
In 2018, a 15-year-old, self-taught, ethical hacker named Marcus Weinberger terrified a packed hall at a technology conference by having attendees call out the name of their firm. Using the laptop he takes class notes on and some things he bought with his allowance at the mall, he hacked into every organization’s data in under 15 minutes.
This proves that companies must begin to acknowledge that what can get hacked will get hacked, deliberately or leaked by accident, carelessness or error.
The first line of defense is to ensure that identifiable or personalized information is thoroughly encrypted. In fact, the CCPA specifies this as a possible safe harbor against fines or a lawsuit. One technology company went so far as to set up its software so that it could be downloaded only onto an encrypted stick it licensed to its users. Non-users could not acquire it.
But there are additional steps that must be taken by businesses to prepare themselves to defend against CCPA complaints.
Another vital move is to prepare and document a plan that will detect and stop a breach, whether from a potential hacker or because an employee made a mistake, and know how to notify people whose data may have been compromised. The CCPA requires prompt notification. Being able to show a court or a state tribunal that this was done and the company had taken proactive steps to limit the damage can be a strong defense.
Limit the number of people who have access to customer data to only those that need the customer data to do their job. For instance, an ERP software system will likely contain an enormous amount of identifiable information about customers. An employee responsible for the supply chain or one who is involved in the production process may not need to have access to data about specific customers. The fewer people who can accidentally or deliberately expose this information, the lower the risk of a breach.
If employees use their own devices for work – perhaps because they travel for their job – check these devices regularly for any malware or viruses. When Barack Obama was elected president, he did not want to give up his beloved Blackberry. So, the NSA spent a week making sure it was clean and installing safeguards to prevent it from being hacked in the future. Businesses need to do something similar with the phones, tablets and laptops carried around by people who use them to remotely access customer data. It may not need to be as stringent as needed to protect a president’s communications and data, but sufficient to safeguard a company’s customer information.
Likewise, every company needs to remind all employees at every level in the organization that data security is their job and not merely the responsibility of somebody in IT.
CCPA Can Be Costly
The CCPA creates statutory damages for any business that collects and stores a customer’s personal data. The penalties range from $100 to $750 per customer, per incident or the actual damages – whichever is greater. The law states the breach itself is a damage.
A breach involving 10,000 individuals or households could result in a fine of $7.5 million and unleash a torrent of individual and class action lawsuits around minor and major breaches because the plaintiffs do not have to prove actual damages.
In fact, the law instructs judges to consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, over how long the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities and net worth.
For a large corporation, the award could be in the hundreds of millions of dollars and a smaller, privately owned business might be forced into bankruptcy.
As data security and privacy lawyers, we have helped companies establish internal procedures, policies and rules around protecting the data they hold. If you are a general counsel or executive and want to ask questions about what programs your organization can implement to head off CCPA sanctions from the state or lawsuits, please call or email us. We’ll be happy to share what we know about the law and what other companies are doing.