Equifax, Target, Marriott. Another day, another data breach.
Hacking takes an immense toll on both the company and the consumers. As technology evolves, and businesses continue to collect and use personal information, they must also keep pace with the expanding set of data security regulations.
In 2016, California published its Data Breach Report. The report references 20 controls published by the Center for Internet Security, and calls them the “minimum level of information security that all organizations that collect or maintain personal information should meet.”
The 20 controls are divided into three categories: Basic, Foundational and Organizational. They include requirements such as a secure configuration of computerized devices, email protection, boundary defense, account monitoring, training programs, and penetration tests and exercises. The Data Breach Report goes on to state that a failure to implement all 20 controls constitutes a “lack of reasonable security” under California’s information security statute – California Civil Code section 1798.81.5(b).
The new regulation on the block is the California Consumer Privacy Act. Effective in 2020, it will require many businesses, even those outside of California, to change the way they interface and collect information from consumers.
What Does the Act Require?
The Act provides consumers with several rights:
Does the Act Apply to My Business?
With minimal exceptions, the Act applies to any for-profit businesses that:
The Act applies to corporate affiliates of these qualifying businesses.
What Does This Mean for My Business?
The CCPA has a sweeping impact. Businesses throughout California and across the United States that collect Californians’ information should start preparing.
Companies will need to build mechanisms to handle consumer requests, update policies and procedures, and handle and monitor consumer opt-outs. Given the time and expense required for compliance, companies should start now, as 2020 is just around the corner.
This article first appeared in The Press-Enterprise and other Southern California Newspaper Group publications online on Dec. 27, 2018. Republished with permission.