Aloha CCPA - CCPA Hawaii Businesses

California is a pioneer in the frontier of data privacy.  In 2003, California was the first state to pass a law requiring commercial websites to post a privacy policy.  Last year, California did it again by passing the first comprehensive data privacy law in the U.S.  Like the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act of 2018 (CCPA) imposes restrictions on the collection, use, and sale of personal information of consumers that previously did not exist under law of any state.  The law is set to take effect on January 1, 2020.

Should Hawaii businesses be concerned about the CCPA?  The CCPA will apply to many companies that do business online.  Any Hawaii business with an Internet presence should evaluate whether it must comply with the CCPA.  In addition, the CCPA has inspired many copycat laws.  In Hawaii, a bill proposing CCPA-like privacy protections was introduced in the 2019 legislative session (SB 418), and although it did not pass, it would not be surprising if similar measures are introduced in the future.

Applicability of the CCPA to Hawaii Businesses

Maybe you think the CCPA doesn’t apply to you because you don’t deal much with California customers or clients.  If so, you might be in for a rude surprise.  The CCPA is a hastily drafted law full of ambiguities. These ambiguities make the law potentially applicable to small businesses outside of California.  The International Association of Privacy Professionals estimates that the CCPA will apply to more than 500,000 U.S. companies, most of them being small to mid-sized companies. 

Consider this hypothetical scenario.  You own a Hawaii-based business selling high-end bikinis.  Your retail stores are located only in Hawaii, but you also sell your products on your website.  Approximately 3% of your online sales are to California customers.  Your website attracts 60,000 unique visitors per year.  Under these facts, the CCPA as written probably would apply to your business. 

Who Must Comply with the CCPA?

The CCPA applies to a “business,” which has a specific meaning under the law.  Figuring out if you are a “business” that must comply with the CCPA is a two-step process.  A “business” must be a for-profit entity that collects “personal information” of California residents and “does business in the State of California.”  The Hawaii-based bikini business in the scenario above is a for-profit entity that collects personal information of California residents.  Whether it “does business in the State of California” is a murkier question because the CCPA does not define the phrase.  However, it is highly likely that engaging in business transactions on the Internet with individuals living in California is considered “doing business in the State of California.”

If you meet the requirements in the first step, the second step is to determine if you meet one of the three thresholds:

  1. you have annual gross revenues of more than $25 million,
  2. you buy, receive for commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
  3. you derive 50% or more of your annual revenues from selling personal information of California residents.

The first threshold is straightforward – your annual gross revenues either total $25 million (or more) or not.  The third threshold is also fairly discernible, but what “selling” personal information means is not entirely clear. 

Businesses should especially be concerned about the second threshold because it’s a trap for the unwary.  The term “consumers” refers to California residents, so the second threshold is met if you buy, receive, sell, or share the personal information of at least 50,000 California-based consumers.  But the “households” and “devices” referenced in the statute are not limited to those located in California.  As currently written, the CCPA counts personal information collected from any household or device – not just those located in California or owned by a California resident – toward the 50,000 threshold. 

Reaching the 50,000 mark also isn’t difficult given the broad definition of the terms “personal information” and “device.”  Personal information includes IP addresses and cookies.  A device refers to any physical object connected to the Internet.  If your website tracks web traffic with a tool like Google Analytics, a person who visits your business website once each with a desktop computer, mobile phone, tablet, and laptop would add 4 hits toward the 50,000 threshold.  Future regulations could clarify that the CCPA applies to households and devices with some nexus to California, but no such limitation exists now.

What Does the CCPA Require?

If the CCPA applies to your business, you and your service providers must honor certain rights that the law gives to consumers.  These rights include:

  • Right to access – the consumer is entitled to get a copy of the personal information that the business has collected about the consumer
  • Right to deletion – the consumer may require a business to delete the personal information that it has collected about the consumer
  • Right to knowledge – a business must disclose what personal information about a consumer it has collected and how it uses that information
  • Right to control – before a business may sell personal information that it collects about a consumer, it must first obtain the consumer’s consent, and the consumer may at any time direct the business not to sell his or her personal information
  • Right to equal service – a business may not discriminate against a consumer for exercising rights granted by the CCPA

What Must I Do to Comply?

What a Hawaii business must do to comply with the CCPA is highly dependent on the nature of the business and its operations.  Compliance means more than just revising the terms of use or privacy policy posted on a business website.  Review and modification of internal processes could be required to enable a business to honor the consumer rights granted by the CCPA.  Hawaii businesses should consult with IT professionals and legal counsel experienced in data privacy to determine the specific steps necessary to meet the requirements of the CCPA.

Keep Track (Take Inventory)

This is the second in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws require organizations to respect certain rights of individuals from whom they collect personal information.  Under privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), individuals have the right to access and correct the personal data that organizations collect from them, to require organizations to delete such collected data, and to limit the purposes for which the data may be used.  Organizations that do not honor these rights can face enforcement action, penalties, and lawsuits.

As a starting point for complying with laws like the GDPR and CCPA, businesses need to keep track of the data they have, now and in the future.  Taking inventory of data is an often overlooked step, but a very important one.

Suppose a customer submits a request to your business to delete all the data that you have collected from her.  Sound like a simple request?  Would you be able to readily identify all the locations where data about that customer is stored?  You might look in the typical data repositories – a central server, cloud accounts – but what about not-so-obvious places, like backup media, individual workstations, or removable media like thumb drives?  What about third-party vendors?

Knowing where your data lives is also essential to securing it against unauthorized access or cyberattacks.  Which security controls a business needs to implement depends on the kind of data in question and how it is stored.  For example, data access privileges should vary based on the needs of different users and the risk that such users will misuse or mishandle such data.  Different security controls are appropriate for data stored in the cloud versus data stored on a hard drive.  Evaluating the factors that affect which cybersecurity measures to implement is difficult if you don’t know what data you have or lose track of where it goes.

That’s why data mapping is a crucial component of a cybersecurity program.  Data mapping is the process of cataloguing the data that’s collected, how it’s used, where it’s stored, and where it goes.  A data map could be as simple as a spreadsheet or diagram, or it can be an extensive document created with special software.  The scope of your data map depends on the nature of your business and how you collect, use, and store data.

Most data maps should at least address the following subjects:

  1. What data you collect – the types of data collected; the sources of collection; whether the data is sensitive
  2. Storage of data – where the data is stored; the formats in which it is stored; how long it is stored; the custodians of stored data; and the conditions under which it is stored
  3. Usage of data – why the data is being collected; the purposes for which the data is used
  4. Flow of data – where the data moves after it is collected, both inside the organization and outside of it (third-party recipients); the protocols in place to protect data transfers
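As an added illustration (not part of the original post), the four subjects above can be kept as a small machine-readable data map, and the deletion request from the earlier scenario can then be answered by tracing recorded flows from each collection point out to backups, workstations and third-party recipients. All store and vendor names below are constructed placeholders, and a store that holds the data but that no recorded flow reaches is reported as a gap in the map.

```python
from collections import deque

# Constructed data map: one entry per store. "collected_from" marks the points
# where data enters from the consumer; "flows_to" records onward transfers.
DATA_MAP = {
    "web-orders-db":  {"data": {"name", "email", "address", "ip_address"}, "internal": True,
                       "collected_from": "website checkout", "flows_to": ["crm", "nightly-backup"]},
    "analytics-tool": {"data": {"ip_address", "cookie_id"}, "internal": False,
                       "collected_from": "website tracking script", "flows_to": []},
    "crm":            {"data": {"name", "email", "purchase_history"}, "internal": True,
                       "collected_from": None, "flows_to": ["email-vendor", "sales-laptops"]},
    "nightly-backup": {"data": {"name", "email", "address", "ip_address"}, "internal": True,
                       "collected_from": None, "flows_to": []},
    "sales-laptops":  {"data": {"name", "email"}, "internal": True,
                       "collected_from": None, "flows_to": []},
    "email-vendor":   {"data": {"name", "email"}, "internal": False,
                       "collected_from": None, "flows_to": []},
    "old-thumbdrive": {"data": {"name", "email", "address"}, "internal": True,
                       "collected_from": None, "flows_to": []},  # copy nobody wired into a flow
}

def trace_flows(data_map, origin):
    """Every store reachable from origin by following flows_to edges (breadth-first)."""
    seen, queue = {origin}, deque([origin])
    while queue:
        for nxt in data_map[queue.popleft()]["flows_to"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def deletion_targets(data_map, fields):
    """Stores holding any requested field, found by tracing from the collection points.
    Returns (stores to purge, third parties that need a deletion notice,
    stores holding the data that no recorded flow reaches, i.e. gaps in the map)."""
    fields = set(fields)
    reachable = set()
    for store, entry in data_map.items():
        if entry["collected_from"]:
            reachable |= trace_flows(data_map, store)
    holders = {s for s, e in data_map.items() if e["data"] & fields}
    targets = sorted(holders & reachable)
    third_party = [s for s in targets if not data_map[s]["internal"]]
    gaps = sorted(holders - reachable)
    return targets, third_party, gaps

if __name__ == "__main__":
    print(deletion_targets(DATA_MAP, {"email", "ip_address"}))
```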

For a tool to help you get started with data mapping, check out the Data Protection Commission’s Self-Assessment Checklist.

High-profile data breaches have become common in the headlines, but it’s not just big businesses that are the targets of hackers.  According to the 2018 Hiscox Small Business Cyber Risk Report, 47% of small businesses had at least one cyber attack in the past year.  Yet, barely 52% of small businesses have a clearly defined strategy for cybersecurity.   Even more alarming is the fact that 65% of small businesses failed to act after experiencing a cybersecurity incident.

Cyberattacks are costly.  The Ponemon Institute reported that average costs in 2017 related to a malware attack on small and medium-sized businesses were $1.03 million due to damage or theft of IT assets, and $1.21 million due to disruption of business operations.

The good news is that free resources are available to small and medium-sized businesses to beef up their cybersecurity.  The Global Cybersecurity Alliance (GCA), a non-profit organization backed by the New York City District Attorney’s Office and the City of London Police, recently released a free cybersecurity toolkit.  The toolkit is great for business owners who want to reduce common cyber risks. 

The GCA Cybersecurity Toolkit is built around the Center for Internet Security (CIS) Controls framework.  GCA claims that addressing just the first five CIS Controls can reduce the risk of cyberattack by 85%.  Geared toward a nontechnical audience, the GCA Cybersecurity Toolkit takes users through six “toolboxes,” each one designed to address an aspect of cybersecurity:

  1. Know what you have – take inventory of hardware and software
  2. Update your defenses – updating systems, applications, and security settings, and securing your website
  3. Beyond simple passwords – selecting strong passwords and implementing two-factor authentication
  4. Prevent phishing and viruses – preventing malware and phishing attacks
  5. Defend against ransomware – using backup tools to guard against ransomware infection
  6. Protect your brand – preventing others from spoofing your brand name and email addresses

If you’re a business owner looking for a user-friendly way to begin building a cybersecurity program, the GCA Cybersecurity Toolkit is a good starting point.