California Consumer Privacy Act (CCPA)
A prevailing topic addressed by lawyers and other privacy and security professionals at the Privacy + Security Forum conference last month in Washington, DC was the impending California Consumer Privacy Act (“CCPA”), which takes effect on January 1, 2020. Perhaps second in importance only to the right of consumers to choose how their information is used is the increased risk of private rights of action when certain types of personal information (non-encrypted or non-redacted) are exposed in a data breach at a company that is subject to the Act and has failed to protect that information as required by the applicable laws.
Responsibility Regarding Vendors and Third Parties
Compounding the heightened sense of risk is the reality that significant data breaches of consumer personal, health and financial information have increased considerably and are being announced more publicly. The technical and creative abilities of hackers are rapidly surpassing the defensive protocols and maneuvers of the entities entrusted with this valuable data.
One of the most common threads in these massive data breaches is the hacking of third-party Vendors and Sub-vendors, or of employees. Many corporations are not aware of the specific provisions addressing data breaches in their existing vendor contracts, particularly if the agreements were executed several years ago. If a company has a duty to implement and maintain reasonable security procedures and practices to protect consumer personal information, those same obligations also extend to its oversight of the Vendors and third parties it entrusts with that information.
CCPA: Statutory Damages
Under California’s existing data breach statute, consumers have the right to sue for a data breach, but must prove actual damages. The CCPA adds a potentially frightening new concept: “statutory damages” can be sought of up to $750 “per consumer, per incident or actual damages, whichever is greater”. A consumer may not have to prove actual damages to sue, and a class action lawsuit (with potentially thousands of plaintiffs, which is likely to happen) could present a formidable legal and financial challenge to many corporations.
There is language in the CCPA that allows businesses to potentially avoid a private suit for statutory damages by curing the violation within 30 days of notice. It will be interesting to see how a company can provide an adequate cure (especially through Vendors and third parties) to help avoid litigation with respect to a consumer whose personal information was exposed and was subject to identity theft.
Reducing the Risk of Vendor and Third-Party Data Breaches
Planet Data receives a substantial number of requests from corporations to utilize our Exego Intelligence platform to proactively address measures that reduce the risk of vendor and third-party data breaches. We are also assisting them concurrently in preparing to respond to post-breach obligations in a way that will mitigate legal, reputational and other costs. Exego Intelligence assists clients in their search, analysis and review of vendor contracts, specifically focusing on the CCPA requirements and examining clauses pertaining to privacy, security, sub-vendor oversight and monitoring, and liability. A heavy lock on the front door of your house will not prevent entry and theft if the door on the side porch is left open.