Dealing With Service Providers The CCPA allows businesses to share personal information with third parties or service providers for business purposes so long as there is a written contract that complies with the CCPA. What are the Risks of Noncompliance with the CCPA? Where personal information is breached as a result of a business’s failure to maintain reasonable security procedures and practices, an affected employee may sue for damages of $100-$750 per employee per incident or actual damages, whichever is greater. The statutory damages provision will likely incentivize plaintiffs’ lawyers to pursue large class actions every time a security breach exposes the personal information of California residents. Where a business is in violation of any provision of the CCPA— including the privacy provisions as well as the data security obligation— for more than 30 days after notice of noncompliance, the attorney general may bring an action for civil penalties of up to $2,500 per violation or $7,500 per intentional violation. Data Privacy – Review and update privacy notices to verify they meet the CCPA’s requirements – Review and update the methods for submitting requests to your business for access to, deletion of, or to opt-out of the sale of personal information, to verify they comply with the CCPA – Review and update policies or procedures for authenticating individuals that make access, deletion or opt-out requests – Draft a “play book” that provides standard communications that can be sent to individuals that make access, deletion or opt-out requests – Train employees on the handling of access, deletion or opt-out requests – Verify that the policies and procedures in place facilitate the timely fulfillment of access, deletion or opt-out requests Data Security – Memorialize security policies and procedures in a written information security plan or “WISP” – Review whether your WISP conforms to a known industry standard or framework, and add any missing policies or procedures – Conduct periodic risk assessments to identify the primary risks to information – Train employees on your security policies and procedures Service Provider Agreements – Review existing agreements with service providers, including payroll vendors and employee benefit plan providers, and review potential gaps – Make sure all service providers with access to information about Californians have agreements in place – Update all agreements to ensure they meet CCPA requirements (Jennifer Jackson is the co-leader of Bryan Cave Leighton Paisner’s Commercial Dispute Resolution Practice Group. She also co-leads the firm’s Agribusiness and Food Litigation Team. Her practice includes class action defense, commercial litigation, and product liability defense. She can be reached at (310) 576-2360 or jjackson@bclplaw.com) What Actions Should Your Business Take Now?
23. Search history 24. Audio information 25. Electronic information 26. Visual information
27. Profiles of an employee’s behavior 28. Profiles of an employee’s attitudes 29. Profiles of an employee’s intelligence 30. Profiles of an employee’s abilities 31. Profiles of an employee’s aptitudes
What are the Requirements of the CCPA? The CCPA’s requirements can be grouped into three buckets – those relating to individual privacy rights; those relating to data security; and those relating to service providers. The following provides a high-level summary of the main issues. Protecting Individual Privacy Rights – Notices to data subjects. A business must provide those employees about whom it has collected personal information notice about the business’s privacy practices. This privacy notice should typically be given at or before the time of collection of the information. – Right to access data. A business must respond to an employee’s verified request that the business confirm whether it has personal information about him or her, the type of personal information that the business keeps about the individual, and/or a copy of the specific information that the business has on file. – Right to be forgotten. A business must, in certain circumstances, delete the personal information it holds about employees. The right to be forgotten, also known as the right to deletion, has several exceptions, such as when the information is necessary to detect security incidents; to protect against deceptive, fraudulent or illegal activity; to enable solely internal uses that are reasonably aligned with the expectations of the employee; to comply with a legal obligation; or to otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided. – Right to opt out of sale of information. A business must follow an employee’s direction not to sell the personal information that it holds about him or her. In the consumer context, this can be accomplished by including a “Do Not Sell My Personal Information” link on a website. In the employment context, many businesses are surprised to learn that allowing a service provider (for example, a life insurance company) to market additional products to employees may be interpreted as a “sale” of their personal information. Maintaining Appropriate Data Security The CCPA requires that businesses put into place “reasonable security procedures and practices” to help protect personal information from being breached. The CCPA does not define “reasonable security procedures and practices.” One possible source of guidance on this subject is the California Attorney General’s 2016 California Data Breach Report, a study of the data breaches reported to the AG from 2012 to 2015 (https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016- data-breach-report.pdf). Though now several years old, the report offers insights into how the attorney general may seek to enforce the CCPA, and what factors a trier of fact may consider in deciding the “reasonableness” of a business’s data security procedures. Most significant is the attorney general’s endorsement of the Center for Internet Security’s Critical Security Controls, a set of 20 cybersecurity defensive measures (https://www.cisecurity.org/controls/).
34 Western Grower & Shipper | www.wga.com MAY | JUNE 2019
Made with FlippingBook - professional solution for displaying marketing and sales documents online