The California Privacy Rights Act (CPRA) leaps forward on cybersecurity by amending the California Consumer Privacy Act (CCPA) to impose enhanced protections. The CPRA enhancements apply to "for profit" companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information.
Those businesses must:
- Provide reasonable cybersecurity safeguards for all categories of personal information.
- Conduct annual cybersecurity audits and make regulatory filings of risk assessments with the newly created California Privacy Protection Agency if the processing of personal information presents a significant risk to consumers' privacy or security.
- Require contractual clauses and other safeguards to address supply chain security and privacy risks when they transfer, share or otherwise disclose personal information to their vendors and other third parties.
The CPRA also:
- Imposes breach liability subject to a private right of action and statutory damages for failures to reasonably protect an individual's email in combination with a password or security question and answer permitting access to an online account (i.e., login credentials).
- Removes 30-day safe harbors for organizations attempting to insulate themselves after the fact from statutory damages or fines by implementing cybersecurity safeguards following a data breach or following a notice of noncompliance.
The CPRA becomes effective on Jan. 1, 2023, except for requests by consumers to access their data, which will "look back" to data collected by the business on or after an earlier Jan. 1, 2022 effective date. Businesses should plan now to address these enhanced requirements because the effective implementation of operational and contractual processes will require significant lead time. One important consideration for businesses is how they will meet these new safeguards requirements in connection with internal and third-party systems, services, and applications collecting or processing categories of personal data of California residents beyond Social Security numbers, credit/debit card numbers and similar private data. The amendments will impact the duties of the workforce responsible for developing customer products, technologies and services, or who otherwise handle individually identifiable customer information, as well as information technology professionals and auditors responsible for cybersecurity. Retail, hospitality, online and other businesses that broadly collect personal information of their California customers will be among the businesses impacted by the new cybersecurity requirements.
Reasonable Safeguards Requirement for All Categories of Personal Information
The obligation to implement reasonable cybersecurity safeguards is expressly extended under the CPRA beyond the current obligation to protect Social Security numbers and other private information (such as drivers' license numbers, other government identifiers, and medical, biometric and other information defined under Cal. Civ. Code §1798.81.5) to include all categories of personal information. The CPRA mandates that it is a "responsibility" of businesses to "take reasonable precautions to protect consumers' personal information from a security breach." The CPRA further expressly requires as an affirmative "obligation" that a business that "collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure in accordance with Section 1798.81.5." Businesses will need to consider how to reasonably protect any and all individually identifiable information that under the CCPA's broad definition identifies, relates to, describes or is reasonably capable of being associated with, or could be linked, directly or indirectly, with a particular individual or household. The CPRA's inclusion of all categories of personal information under an express affirmative obligation to implement reasonable cybersecurity safeguards brings California in lockstep with the EU's GDPR requirement mandating appropriate risk-based safeguards for all personal data. The expanded coverage will require businesses to identify all categories of personal information collected or processed for their customers, the information systems that collect or process this wider scope of data, the staff that handles those processes, and a risk-based determination of the reasonable safeguards needed to protect the information from unauthorized access and other security threats.
Risk Assessments and Cybersecurity Audits Required for Businesses Whose Data Practices Present a "Significant Risk" to Consumers' Privacy or Security
The CPRA provides for the issuance of regulations requiring the performance of an annual cybersecurity audit by those businesses whose processing present a "significant risk" to privacy or security "including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent." The CPRA provides for the regulations to list those "factors to be considered in determining when processing may result in significant risk to the security of personal information [and] shall include the size and complexity of the business and the nature and scope of processing activities." At a minimum, businesses that collect "sensitive personal information" under the CPRA's new definition are likely to fall within the audit requirement because of the foreseeable adverse consequences of a breach. "'Sensitive personal information' means: . . . (A) a consumer's Social Security, driver's license, state identification card, or passport number; (B) a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocation; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer's genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer's health; or (C) personal information collected and analyzed concerning a consumer's sex life or sexual orientation." The requirement of an "independent" and "thorough" audit is a significant safeguard. Whatever the particulars flushed out by future regulations, the requirement of an audit function that must be independent and thorough will require robust corporate processes for auditing cybersecurity safeguards as to systems, applications and workers that collect or process "significant risk" data supported by policies and procedures.
The CPRA also requires that business engaged in this "significant risk" processing be subject to regulations requiring the filing with the California Privacy Protection Agency "on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public." Risk assessments are a foundational best practice for an effective information security program that are required under certain statutory schemes, including the NY SHIELD Act and HIPAA. The requirement, however, that the actual risk assessment be subject to regularized governmental filing and regulatory oversight is a significant development. Organizations should begin now to identify their higher risk processing activities and consider the sufficiency of their risk assessments of these practices using a defensible risk assessment framework.
Contractual and Other Safeguards Required for Sharing Personal Information with Third Parties
A business must include, inter alia, in its contracts with third parties, service providers or contractors with whom it shares personal information that the receiving party (i) comply with "applicable obligations under this title" (including reasonable safeguards), (ii) "obligate those persons to provide the same level of privacy protection as is required by this title," and (iii) grant the business the right to take reasonable steps to stop and remediate unauthorized use. In addition, the contract must include a requirement that the third party, service provider, or contractor notify the business if it makes a determination that it "can no longer meet its obligations" to comply with the privacy and cybersecurity obligations. This last requirement mirrors recent guidance under the GDPR in connection with cross-border data transfers including use of contractual safeguards for the data importer to provide prompt advance notice to the data exporter of its inability to comply with its contractual commitments and meet an "essentially equivalent level of data protection." Businesses that disclose or transfer personal information to other organizations should begin to look now at those contractual agreements and consider modifications or addendums. These agreements, for example, may renew in advance of the Jan. 1, 2023 effective date but apply to data collected or processed on or after the effective date, or govern data practices after Jan. 1, 2022 that may be subject to a future consumer access request.
Expanded Breach Liability and Elimination of 30-Day Cure Periods
The CPRA now provides for a private right of action and statutory minimum damages for the unauthorized access and exfiltration, theft or disclosure of consumer log-in information as a result of the business's violation of the duty to implement and maintain reasonable cybersecurity practices. Moreover, for any breach subject to the private right of action, the CPRA provides that "the implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 in the 30 day period following notice of a breach does not constitute a cure with respect to that breach." Violations that did not result in a breach remain curable within the 30-day notice period. Similarly, the CCPA's provision providing that a business may avoid a violation and administrative fines if it cures any alleged violation within 30 days after being notified of any alleged noncompliance has been eliminated. Future litigation and administrative enforcement actions will include a focus on the CPRA's affirmative obligation to provide preventative reasonable safeguards for all categories of personal information in advance of a breach or alleged violation. Administrative fines under the CPRA remain significant—$2,500 for each violation and $7,500 for each intentional violation.
Businesses should plan now for compliance while watching for regulatory clarification in advance of the effective date. Planning for compliance should include an analysis of supply chain, internal system and workforce risks to all categories of personal information. Organizations should consider the need for contractual safeguards, as well as determine the cybersecurity safeguards and risk assessment and audit processes that may need to be adopted in light of the CPRA's enhancements to the CCPA.
Brian G. Cesaratto is an attorney in the New York office and Deanna Ballesteros is an attorney in the Los Angeles office of Epstein Becker Green. © 2021 Epstein Becker Green. All rights reserved. Republished with permission.