Who’s on First? A New State Law Confounds as The Quest to Define “Reasonable Security” Continues
As Curtis Hucheson’s March 28, 2018 blog post noted, the United States is in a bit of a race to adequately regulate the omnipresence, and risk, of personal data online. Cybersecurity is a topic which frames the issue well, but more and more privacy concepts are up for grabs in this debate. No topical item is more apt for a discussion than the recent passage of The California Consumer Privacy Act of 2018.
In June 2018, multiple news outlets hailed Assembly Bill No. 375, as it is officially called, as “historic” and “landmark”. The bill even calls out Cambridge Analytica by name, which is rare for a piece of legislation. Perhaps this rings true because of California’s progressive role in data security law, contrasted with the stilted state of federal privacy legislation (at least as it relates to data breach notification); perhaps because few rival the state’s global impact; or perhaps because several legal interpretations argue the bill is broader in scope than GDPR. Upon further inspection, however, the bill clearly borrows heavily from earlier domestic and international regulations, including the General Data Protection Regulation and other California law, as it seeks to protect Californians and their constitutional right to privacy. While the word “cyber” never appears in the bill and “computerized” is listed only once, it is a document aimed at combating information security problems and the data leakage that stems from an almost daily onslaught of breaches, by focusing on protecting “personal information” or “personal data” and allowing legal recourse if this “personal information” is violated. Exactly what is “historic” or “groundbreaking” about it, however, remains to be seen.
For purposes of this blog post, the key provision analyzed here is as follows:
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action…
Based on this section, logical reasoning dictates that a trigger for a civil action under this bill is a breach tied to a business’s unreasonable security procedures and practices. The criticism of this section is obvious, though, because the definition of “maintain reasonable security procedures and practices” is nowhere to be found. A review of the Bill Analysis section, fully available online at the link listed at the end of this post, revealed references to various civil code sections, including Cal. Civ. Code § 1798.81.5. In fact, “maintain reasonable security procedures and practices” is lifted directly from that section, so at least there is some consistency. Analysis of other state laws reveals similar or identical language. However, one must look outside the bill for guidance so as not to violate a business’s duties. With dollars at stake if a civil action were to prevail, more definition is better than less definition – for everyone.
The bill does not officially go into effect until January 1, 2020, which gives businesses plenty of time to plan for its arrival, much like the ramp-up to GDPR. But what does all of this mean for a business’s information security or privacy plan?
Here are 5 basic steps a business can take to prepare:
(1) Read the bill. Perhaps an understatement, but getting familiar with the provisions, the definitions, etc. will empower a business to be ready come 2020.
(2) Consult counsel. Security consultants are excellent resources for understanding this bill, but a review with a licensed attorney versed in privacy and data security will be invaluable.
(3) Educate employees. Brief all employees, not just those based in California, on this bill and what it means, especially information security teams and information technology teams, who will be the people interacting most with the data covered in this bill.
(4) Have a plan. Through ongoing assessing, planning and testing, incorporate features of this bill, such as learning the extensive definitions of a ‘business’ under the bill’s language.
(5) Master the numbers. 750. 90. 45. 30. 12. Which numbers are days, months, years? Which are fines? Learn what the numbers mean and when certain requirements are triggered.
See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 for full details.