Bill Haber | Co-Founder, Partner-TechOps

Having just returned from a trip to the Golden State, I can say there is much to admire about its beauty, weather, and leadership in innovation. There are also some well-known tradeoffs that Californians are discussing with increasing frequency. Its residents are well accustomed to living in a state of red alert from the ever-present realities of earthquakes and wildfires, and now there is new legislation that threatens to impact businesses that are unprepared: compliance with California's new privacy laws.

What is the CCPA?

Many California companies are not aware of the CCPA, and few are preparing for it. Those that do not will likely regret it. Insurance professionals working with clients who are California-based or doing business in California should be discussing compliance with them urgently.

The California Consumer Privacy Act (CCPA) of 2018 was passed on June 28, 2018, and takes effect on January 1, 2020. It provides new privacy rights for consumers and will force companies that do business in the State of California to make fundamental changes to their privacy programs. For the many insured clients who may not have a privacy program in place at all, it is worth looking at these requirements urgently from a risk management perspective.

California consumers will be given a new set of rights similar to those provided by the European Union's General Data Protection Regulation (GDPR). Non-compliant businesses face expensive fines, class-action lawsuits, and injunctions. Unaware clients face a high risk of violations, fines, and press exposure, which can damage reputation. Expect to see some very public, very expensive outings of violators, recognizable brands among them, begin in 2020.

How the EU Made Privacy Urgent

Penalties. When the EU introduced the GDPR, it published guidelines and the sizable potential fines well in advance, ensuring the regulation would be taken seriously. Those fines run up to 2-4% of global annual revenue (or €10-20 million, whichever is higher, depending on the type of violation), and the EU made clear it would impose them on companies that did not comply. The GDPR went into effect a year ago, on May 25, 2018. Named supervisory authorities in each member state were empowered to monitor and report on violations, and they got to work on investigations immediately.

Fines. One of the first fines made public was relatively merciful. A breach that took place in Germany within weeks of the GDPR's start resulted in a smaller fine than the law allows. On September 8, 2018, a German social media platform reported a breach of Personally Identifiable Information (PII), including email addresses and password information, that was posted online; the record count was over 300,000 individuals. Investigators found the fault lay in an outdated password storage method that should have been corrected. The organization took the affected accounts offline and improved its security posture, which resulted in what the regulator called a proportionate penalty of €20,000 (about $22,363 USD). The company also kept its name out of the press.

What followed made it certain that the EU meant business. Fines began to pile up across Europe for all flavors of violation. One business in Austria was fined for not marking its CCTV security cameras sufficiently. A Portuguese hospital was fined for improper file management and access controls, and the amounts increased. Then, to make sure the world was paying attention, the EU fined an entity from outside the EU, a global brand, with its biggest fine yet: citing what it termed vague consent agreements and poor transparency, the French regulator CNIL hit Google with a €50 million fine in January 2019, announcing its findings publicly in English and French. It became clear that the EU means to enforce its rules aggressively, and regulators have since made privacy demands on companies including Facebook. To date, EU regulators have received over 90,000 complaints and more than 60,000 breach notifications from companies, yet have issued only around 100 penalties and fines. Regulators are already finding themselves understaffed, and many EU countries are not yet reporting. Stay tuned.

What Will California Do?

There is some positive news here. The CCPA model is different and more flexible, but its rollout is expected to mirror the pattern of the GDPR rollout. It allows for fines of up to $2,500 per violation and $7,500 per intentional violation, and California places no cap on the total amount of fines, so a violation affecting many consumers can add up quickly. Unlike the GDPR, the CCPA provides businesses with a period of 30 days to cure alleged violations of the law before a fine can be assessed.

What Can Agencies Do?

You should begin to assess risk and educate all of your clients; most of them already do some degree of business with California companies or individuals. Encourage technology risk mitigation practices and executive-led cybersecurity initiatives: educating the workforce, proactive processes, and documented planning driven from the top. You should also have a risk transfer strategy in front of each and every client, one that offers a bench of talent to respond properly to incidents, remedy potential problems immediately, and provide counsel to represent your clients' interests.

Don't leave your clients uninformed. Let us help you assess CCPA exposure and suggest strategies that your clients can put into place before the deadline. Feel free to contact H+H about scheduling assessments with your clients.
