The U.S. Senate Committee on Commerce, Science and Transportation met recently to discuss considerations for implementing federal privacy laws. Not surprisingly, the main impetus to reevaluate a federal framework is the ongoing COVID-19 pandemic with the greatly increased reliance on online working and school arrangements, as well as the need to share personal information for contact tracing and other efforts to weaken the pandemic.
While federal regulation of personal information has been proposed in the past, there are a few key issues that still remain unresolved. One is enforcement of the regulations. The issue is whether enforcement should be handled by the Federal Trade Commission or if the establishment of a new federal authority is needed to enforce privacy requirement violations. Other key outstanding issues include pre-emption of state rights and whether any regulations should include a private right of action.
Given that the California Consumer Privacy Act of 2018 (CCPA) is the most stringent state regulation addressing data privacy in the United States, California Attorney General Xavier Becerra participated as a witness in the recent Senate Hearing. He shared his opinions as to both federal pre-emption and the need for a private right of action. He recommended that the committee preclude federal regulation from pre-empting state laws, including the CCPA. He noted that individual states are in a better position to adapt and keep up with technological innovation, and that some states have also already implemented thorough privacy protections, such as Mississippi and Washington. With respect to the private right of action, he admitted his office can only do so much to enforce these regulations amongst California’s huge population of businesses and residents. His belief is that individual consumers need the ability to pursue their own remedies in court.
While no formal regulations came out of the meeting, the Senate committee does have a number of proposed bills addressing privacy regulation. The key remaining question is whether one of these will pass in the near future.
What Do Businesses Need to Do Now?
As the California Attorney General reiterated, the private right of action regarding data breaches under the CCPA is a tool to be used by consumers. It is critical to evaluate the personal information collected and maintained by your organization. Personal information is broadly defined under the CCPA1 as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Any contact information for a customer, supplier, employee or any other individual your company works with will easily satisfy this definition. This data should be mapped to understand where it is stored and how it is shared – in both electronic and hard copy. Protecting such information from breach is a crucial component of any CCPA compliance strategy.
Privacy professionals should be engaged to create a CCPA compliance plan that will include working with IT professionals to implement measures designed to mitigate the risks of a breach. Other compliance requirements such as adapting privacy policies and preparing necessary disclosure statements should be completed during this process. And you may want to consider obtaining a cyber liability insurance policy to afford coverage in the event of a breach as well as address CCPA requirements. This work can be completed - even for those businesses working remotely due to COVID-19.
Why Does This Matter For Businesses
- Regulation of personal data and the protection of that information is not going away. In fact, it is likely going to be subject to further regulation at the state and/or federal level.
- If you do not have a plan to identify your data, address CCPA requirements and prevent a possible data breach, now is the time to do so.
- If you are considering securing a cyber liability insurance policy, have the form policy as well as applicable endorsements reviewed by an experienced cyber insurance coverage attorney prior to binding coverage to confirm that you will actually have the coverage you want to secure.
- Even if your current work environment is remote at this time, provide periodic on site or virtual training to ensure all employees are on the alert when it comes to cyber security, privacy and the protection of personal information.
1 California Civil Code 1798.140(o)(1).