Aloha CCPA - CCPA Hawaii Businesses

California is a pioneer in the frontier of data privacy.  In 2003, California was the first state to pass a law requiring commercial websites to post a privacy policy.  Last year, California did it again by passing the first comprehensive data privacy law in the U.S.  Like the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act of 2018 (CCPA) imposes restrictions on the collection, use, and sale of consumers' personal information that previously did not exist under the law of any state.  The law is set to take effect on January 1, 2020.

Should Hawaii businesses be concerned about the CCPA?  The CCPA will apply to many companies that do business online.  Any Hawaii business with an Internet presence should evaluate whether it must comply with the CCPA.  In addition, the CCPA has inspired many copycat laws.  In Hawaii, a bill proposing CCPA-like privacy protections was introduced in the 2019 legislative session (SB 418), and although it did not pass, it would not be surprising if similar measures were introduced in the future.

Applicability of the CCPA to Hawaii Businesses

Maybe you think the CCPA doesn’t apply to you because you don’t deal much with California customers or clients.  If so, you might be in for a rude surprise.  The CCPA is a hastily drafted law full of ambiguities.  These ambiguities make the law potentially applicable to small businesses outside of California.  The International Association of Privacy Professionals estimates that the CCPA will apply to more than 500,000 U.S. companies, most of them small to mid-sized companies.

Consider this hypothetical scenario.  You own a Hawaii-based business selling high-end bikinis.  Your retail stores are located only in Hawaii, but you also sell your products on your website.  Approximately 3% of your online sales are to California customers.  Your website attracts 60,000 unique visitors per year.  Under these facts, the CCPA as written probably would apply to your business. 

Who Must Comply with the CCPA?

The CCPA applies to a “business,” which has a specific meaning under the law.  Figuring out if you are a “business” that must comply with the CCPA is a two-step process.  A “business” must be a for-profit entity that collects “personal information” of California residents and “does business in the State of California.”  The Hawaii-based bikini business in the above scenario is a for-profit entity that collects personal information of California residents.  Whether it “does business in the State of California” is a murkier question because the CCPA does not define the phrase.  However, it is highly likely that engaging in business transactions on the Internet with individuals living in California is considered “doing business in the State of California.”

If you meet the requirements in the first step, the second step is to determine if you meet one of the three thresholds:

  1. you have annual gross revenues of more than $25 million,
  2. you buy, receive for commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
  3. you derive 50% or more of your annual revenues from selling personal information of California residents.

The first threshold is straightforward – your annual gross revenues either total $25 million (or more) or not.  The third threshold is also fairly discernible, but what “selling” personal information means is not entirely clear. 

Businesses should especially be concerned about the second threshold because it’s a trap for the unwary.  The term “consumers” refers to California residents, so the second threshold is met if you buy, receive, sell, or share the personal information of at least 50,000 California-based consumers.  But the “households” and “devices” referenced in the statute are not limited to those located in California.  As currently written, the CCPA counts personal information collected from any household or device – not just those located in California or owned by a California resident – toward the 50,000 threshold. 

Reaching the 50,000 mark also isn’t difficult given the broad definition of the terms “personal information” and “device.”  Personal information includes IP addresses and cookies.  A device refers to any physical object connected to the Internet.  If your website tracks web traffic with a tool like Google Analytics, a person who visits your business website once each with a desktop computer, mobile phone, tablet, and laptop would add 4 hits toward the 50,000 threshold.  Future regulations could clarify that the CCPA applies to households and devices with some nexus to California, but no such limitation exists now.

What Does the CCPA Require?

If the CCPA applies to your business, you and your service providers must honor certain rights that the law gives to consumers.  These rights include:

  • Right to access – the consumer is entitled to get a copy of the personal information that the business has collected about the consumer
  • Right to deletion – the consumer may require a business to delete the personal information that it has collected about the consumer
  • Right to knowledge – a business must disclose what personal information it has collected about a consumer and how it uses that information
  • Right to control – before a business may sell personal information that it collects about a consumer, it must first obtain the consumer’s consent, and the consumer may at any time direct the business not to sell his or her personal information.
  • Right to equal service – a business may not discriminate against a consumer for exercising rights granted by the CCPA

What Must I Do to Comply?

What a Hawaii business must do to comply with the CCPA is highly dependent on the nature of the business and its operations.  Compliance means more than just revising the terms of use or privacy policy posted on a business website.  Review and modification of internal processes could be required to enable a business to honor the consumer rights granted by the CCPA.  Hawaii businesses should consult with IT professionals and legal counsel experienced in data privacy to determine the specific steps necessary to meet the requirements of the CCPA.

Get Physical (Set Physical Controls)

This is the fifth and final post in a blog series in honor of National Cybersecurity Awareness Month. 

Cybersecurity might seem like technical stuff, but don’t overlook the role of physical vulnerabilities in security incidents.  The 2018 Verizon Data Breach Investigations Report found that 11% of breaches involved physical actions.  The 2016 Verizon Data Breach Investigations Report identified physical theft or loss as the third most common type of security incident. 

Even more disturbing is a 2016 study that found that most people have no qualms about connecting unknown devices – which could contain malicious software – to their computers.  The researchers dropped unidentified USB drives around the campus of the University of Illinois.  Approximately 98% of the drives were removed from their drop-off location; 45% of those who took a USB drive opened at least one file on it.  All it takes is one curious but unwitting employee to introduce malicious software into your IT system!

Physical security should be part of any cybersecurity program.  Here are some physical safeguards to consider adopting:

  • Secure your servers and other storage devices – Any area that houses data storage media needs to be secured.  That means locking doors or installing other access control devices like biometric scanners.
  • Surveillance cameras – Install closed-circuit surveillance cameras in areas where critical IT infrastructure or data are located.  If a physical breach ever occurs in the area, the camera recordings can help you identify the perpetrators.
  • Mind the trash – Paper records containing sensitive information should be disposed of properly, such as by shredding.  Be careful not to leave material for shredding out in the open, where passersby could see or even steal it.
  • Prohibit unapproved devices – Adopt and enforce a policy against connecting unapproved devices, such as USB drives, external hard drives, smartphones, and tablets, to the organization’s hardware.
  • Mitigate consequences of lost or stolen devices – Lost or stolen laptops and mobile devices are a common occurrence.  Having a contingency plan against this security risk is a must.  Installing mobile device management (MDM) software on devices that carry company data can help.  MDM software can help you remotely locate, lock down, or even delete data from lost or stolen devices.
  • Encrypt your data – This is a repeat of Tip #1, but its importance can’t be overemphasized.  Encrypting data on a device makes it unintelligible to anyone without the encryption key even if they improperly gain control over the device.

And that rounds out our series of practical cybersecurity tips for small businesses.  We hope you’ve picked up a few ideas to keep your data safe!

Stand Guard (Control Access)

This is the fourth in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Cybersecurity attacks might conjure up images of hackers in hoodies clacking away in the shadows, but did you know that your own employees pose as great a security threat, if not greater?  According to CA Technologies’ 2018 Insider Threat Report, 66% of the organizations surveyed consider malicious insider attacks or accidental breaches more likely than external attacks.  A 2018 Ponemon Institute report found that of the 3,269 insider incidents it evaluated, 64% were related to negligence, 23% resulted from a criminal or malicious insider, and 13% resulted from stolen credentials.  Findings like these raise the question: Does everyone in your organization really need access to all your data?

Probably not.  Employees should have the information they need to do their job, of course.  But granting unlimited access to information is dangerous.  Employees need not even have malicious intent to pose a threat.  If an employee’s credentials are compromised, all the data to which the employee has access rights is at risk. 

A similar risk applies to third-party contractors with access to company data (web developers, freelancers, bookkeepers, outsourced HR administration services, etc.).  Contractors should have no more access to information systems than necessary to perform their scope of work.  Some mistakenly believe a non-disclosure agreement is a substitute for limitations on access.  An NDA could provide you a remedy if a contractor misuses company information, but it isn’t as effective as access controls in preventing information from falling into the wrong hands.

Limiting access to data has another benefit.  If you want to claim that certain information is protected as a trade secret (note that trade secrets are often the subjects of NDAs), you’ll have to demonstrate that you took precautions to keep the information secret.  As an example, the definition of “trade secret” in Hawaii’s trade secret protection law requires a showing that the information at issue “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”  Similarly, technical limitations to access may be necessary to enforce claims under the Computer Fraud and Abuse Act (CFAA), as the Ninth Circuit Court of Appeals ruled in a recent decision.

Access controls should be one of the considerations in structuring and organizing your data systems.  A well thought out system segregates data so that granting access isn’t an all-or-nothing proposition.  “Internal gatekeeping” of data goes a long way toward preventing loss from cybersecurity incidents.

Sort It Out (Organize & Centralize)

This is the third in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws recognize that individuals have certain rights in data that organizations collect from them.  Compliance with such laws often requires the ability to respond quickly to requests to exercise privacy rights like the right to access and correct personal information, the right to have personal information deleted, and the right to limit usage of personal information.  Yesterday, we saw how data mapping facilitates regulatory compliance.  Today, we look at a related best practice: centralizing and organizing your data.

Data can live in many places within an organization.  Structuring your information systems – specifically, your data storage systems – to fit your business and compliance needs will help you exert control over your data.  The amount of control you have over your data affects your ability to handle the data to meet specific objectives.

Consider this scenario.  You’re a startup and you realize that encrypting personal data of customers would be a good idea (maybe you read our post about the value of encryption).  However, customer data is stored haphazardly throughout your organization.  Customer data mainly sits on your main server and your CRM vendor’s cloud server, but it’s also stored on local backup storage media and on laptops and mobile devices owned by your executives and a few key employees.  Customer data is also stored in different formats, including in your CRM vendor’s proprietary database and in spreadsheets.  Wouldn’t the encryption program be easier to implement if the customer data lived in only one or two databases?  Having an organized and streamlined data structure lays the foundation for executing information governance policies.

Here’s another hypothetical scenario.  A customer submits a request to access the personal data your business has collected about him because he wants to verify that your records accurately capture his middle initial.  The difficulty of responding to this request depends on the organization and complexity of your database and storage systems.

Certain privacy laws set deadlines on responding to requests to exercise privacy rights.  For example, the CCPA generally gives organizations 45 days to respond to privacy requests, with one 45-day extension allowed under certain conditions.  Organizing and centralizing data enhances your ability to respond to customer privacy requests within regulatory deadlines.

Below are a few considerations for exercising control over your data:

  • Be intentional in designing the architecture of your database and storage systems.  Take into account physical considerations (e.g., proximity and accessibility of storage/database sites, ability to physically restrict access) and non-physical considerations (e.g., speed of internet connection for cloud databases, interoperability of databases with software).
  • Give thought to the hierarchy of your databases.  Will you need to look in multiple folders to find certain categories of information, or is information stored in folders or subfolders organized by category or some other methodology?
  • Consider whether your organizational structure lends itself to segregation of certain data sets from others. For example, if your business has two operating units, is the data pertaining to one unit segregated from data for the second unit? Segregation makes it easier to impose limitations on access should you need to do so.
  • Minimize the number of places where you store data except as necessary to build redundancy for backup purposes.
  • Make your data easily searchable.  There are various ways to do this, ranging in sophistication from adopting file-naming conventions to deploying document processing software with artificial intelligence technology.
  • Develop and enforce information governance policies such as restrictions on off-site data storage.

Keep Track (Take Inventory)

This is the second in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws require organizations to respect certain rights of individuals from whom they collect personal information.  Under privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), individuals have the right to access and correct the personal data that organizations collect from them, to require organizations to delete such collected data, and to limit the purposes for which the data may be used.  Organizations that do not honor these rights can face enforcement action, penalties, and lawsuits.

As a starting point to complying with laws like the GDPR and CCPA, businesses need to keep track of the data they have, now and in the future.  Taking inventory of data is an often overlooked step, but so very important.

Suppose a customer submits a request to your business to delete all the data that you have collected from her.  Sound like a simple request?  Would you be able to readily identify all the locations where data about that customer is stored?  You might look in the typical data repositories – a central server, cloud accounts – but what about not-so-obvious places, like backup media, individual workstations, or removable media like thumb drives?  What about third-party vendors?

Knowing where your data lives is also essential to securing it against unauthorized access or cyberattacks.  What types of security controls are necessary for a business to implement depends on the kind of data in question and how it is stored.  For example, data access privileges should vary based on the needs of different users and the risk that such users will misuse or mishandle such data.  Different security controls are appropriate for data stored in the cloud versus data stored on a hard drive.  Evaluating the factors that affect which cybersecurity measures to implement is difficult if you don’t know what data you have or lose track of where it goes.

That’s why data mapping is a crucial component of a cybersecurity program.  Data mapping is the process of cataloguing the data that’s collected, how it’s used, where it’s stored, and where it goes.  A data map could be as simple as a spreadsheet or diagram, or it can be an extensive document created with special software.  The scope of your data map depends on the nature of your business and how you collect, use, and store data.

Most data maps should at least address the following subjects:

  1. What data you collect – the types of data collected; the sources of collection; whether the data is sensitive
  2. Storage of data – where the data is stored; the formats in which it is stored; how long it is stored; the custodians of stored data; and the conditions under which it is stored
  3. Usage of data – why the data is being collected; the purposes for which the data is used
  4. Flow of data – where the data moves after it is collected, both inside the organization and outside of it (third-party recipients); the protocols in place to protect data transfers
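To show how even a spreadsheet-sized data map answers the deletion question posed earlier (which stores, backups, laptops and third-party vendors hold a customer's data), here is an added illustration in Python that models the four subjects above and queries them; it is not the firm's tool or any real organization's map, and every store, vendor and flow in it is a constructed sample.

```python
from dataclasses import dataclass

@dataclass
class Store:
    name: str
    kind: str           # server, cloud, backup, laptop, removable
    custodian: str      # who is responsible for the store
    encrypted: bool     # encrypted at rest?

@dataclass
class Flow:
    category: str       # which data set moves
    source: str         # store it leaves
    destination: str    # store or outside recipient it reaches
    third_party: bool   # does it leave the organization?
    protection: str     # transfer protection in place; "" if none is documented

@dataclass
class DataSet:
    category: str
    sensitive: bool
    sources: list       # subject 1: where it is collected
    purposes: list      # subject 3: why it is used
    stores: list        # subject 2: names of Store entries holding it

# Constructed sample map for a hypothetical small online retailer.
STORES = [
    Store("crm-cloud", "cloud", "CRM vendor", True),
    Store("main-server", "server", "IT lead", True),
    Store("nightly-backup-tape", "backup", "IT lead", False),
    Store("sales-laptop", "laptop", "sales manager", False),
]
FLOWS = [
    Flow("customer-contact", "main-server", "crm-cloud", True, "TLS"),
    Flow("customer-contact", "crm-cloud", "email-marketing-vendor", True, "SFTP"),
    Flow("customer-contact", "crm-cloud", "sales-laptop", False, ""),
    Flow("customer-contact", "main-server", "nightly-backup-tape", False, ""),
    Flow("payment-card", "main-server", "nightly-backup-tape", False, ""),
]
DATASETS = {
    "customer-contact": DataSet("customer-contact", False, ["web checkout"], ["order fulfilment"],
                                ["crm-cloud", "main-server", "nightly-backup-tape", "sales-laptop"]),
    "payment-card": DataSet("payment-card", True, ["web checkout"], ["billing"],
                            ["main-server", "nightly-backup-tape"]),
}

def deletion_checklist(category, datasets=DATASETS, flows=FLOWS):
    """Every location to visit for a deletion request: each store holding the
    category plus every outside recipient it has flowed to (subject 4)."""
    places = set(datasets[category].stores)
    places |= {f.destination for f in flows if f.category == category and f.third_party}
    return sorted(places)

def unprotected_transfers(flows=FLOWS):
    """Transfers, internal or external, with no documented protection protocol."""
    return [(f.category, f.source, f.destination) for f in flows if not f.protection]

def unencrypted_sensitive(datasets=DATASETS, stores=STORES):
    """Sensitive categories sitting on a store that is not encrypted at rest."""
    by_name = {s.name: s for s in stores}
    return sorted((d.category, n) for d in datasets.values() if d.sensitive for n in d.stores if not by_name[n].encrypted)
```

The two gap-finding functions flag the same not-so-obvious places the post warns about: an unencrypted backup tape carrying card data, and a laptop receiving customer records with no documented protection.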

For a tool to help you get started with data mapping, check out the Data Protection Commission’s Self-Assessment Checklist.