Tue, Mar 24, 2020
Potential Pitfalls of the CCPA Exemptions: Ensuring Reasonable Security Measures
Financial services entities regulated under the Gramm-Leach-Bliley Act (GLBA) and healthcare entities regulated under the Health Insurance Portability and Accountability Act (HIPAA) may be exempt from the provisions and requirements of the CCPA, but for most organizations the coverage provided by the CCPA exemptions is not complete, and concrete steps will be required to ensure compliance.
This webinar brings together a diverse panel of leading security and legal professionals to examine potential exemption pitfalls and the extent of GLBA and HIPAA coverage compared to the CCPA, and to share real-life examples of steps organizations have taken to demonstrate reasonable security.
This webinar covers:
- Key differences in how the CCPA defines “personal information” vs the GLBA and HIPAA
- The impact of the CCPA’s employee exception
- How the HIPAA Security Rule aligns with the CCPA mandates – and how it doesn’t
- Real-life examples of “reasonable” security measures
- How to strengthen your security incident response plan and security measures to defend against CCPA class action lawsuits
Moderator: Jonathan Fairtlough, Managing Director, Cyber Risk, Kroll
- W. Reece Hirsch, Partner, Morgan Lewis
- Yvette Gabrielian, Senior Director, Cyber Risk, Kroll
- Keith Novak, Associate Managing Director, Cyber Risk, Kroll
- Cole Manaster, Senior Associate, Cyber Risk, Kroll
Notable Passages from the Presentation
What Is Reasonable Security?
“Well, the reality is it's not defined. There is no definition for what reasonable security means within the CCPA. Yet, a lack of it is a prerequisite to the private right of action for security breaches. Under the current CCPA proposal, you must show that you have reasonable security measures in transmitting personal information, in response to a consumer's request to know or to delete, and you must be using reasonable security measures to detect fraudulent identity verification activity, and to prevent unauthorized access or deletion. A lack of it triggers the private right of action.”
“Where we're focusing is the California Data Breach Report put out by the attorney general (AG) back in February of 2016, where the AG looked at this issue and tried to give us a definition. What they did is they took one standard, the CIS Top 20, the 20 Critical Security Controls, and said that these identified a minimal level of information security that all organizations that collect or maintain personal information should meet, and that failure to implement all of the controls that apply constituted a lack of reasonable security. Right now, absent additional guidance (and there's nothing in the attorney general's proposed guidelines to indicate that we're getting any more), the CIS Top 20 becomes our benchmark for working with what constitutes reasonable security.” – Jonathan Fairtlough
“It's useful to know that in August 2016, the FTC stated that the NIST Cybersecurity Framework core functions and the FTC's approach to data security are fully consistent. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC's longstanding jurisdiction under Section 5 of the FTC Act. […] Also, it's worth noting that the GLBA Safeguards Rule speaks in terms of reasonable and appropriate security. So, there's a lot of room for interpretation, but there are guidelines for what constitutes a reasonable security program.” – Reece Hirsch
On Demonstrating Reasonable Security
“As far as building a security program, the NIST Framework does a really good job of outlining really five domains. Here what we're looking at is six core functions of a security program. When you're trying to understand, "Hey, where are we today?", a lot of organizations maybe have been sort of following along with HIPAA guidelines, or they have federally regulated ITAR data, and they've sort of focused on one set of criteria. I would say take a step back and do a formal risk assessment. Understand where your data lives. Your program really needs to be rooted in understanding where your data lives. [...] Then you need to be looking at sort of where those threats are to that data. Those threats come in varying ways today. We see a fair amount of ransomware in the news, and that for many organizations may be the top threat.” – Keith Novak
On CIS Top 20 vs NIST Frameworks
“[…] one specific category here, Category 20, where you see penetration tests and Red Team exercises. I talked a little bit earlier about where NIST is in some cases less prescriptive, and CIS is far more prescriptive in certain areas. This entire category, number 20 here, doesn't actually exist in NIST. So if you were to follow NIST and not the CIS controls, you wouldn't necessarily be doing annual penetration testing and Red Team exercises. Hopefully you are. Every good organization needs to be measuring their controls, testing their controls, and ensuring they're actually working as expected.”
“[…] where CIS’ focus is on highly technical prescriptive controls, where it falls down is governance. It doesn't focus on risk management. It doesn't focus on governance. It doesn't focus on third-party risks. […] That's why having the two frameworks is really one of the most critical pieces here to make sure that you have a mature program. A gap in either one of these could potentially put you at risk from civil litigation or not meeting the CCPA requirement.” – Keith Novak
How Differently Does the CCPA Define Personal Information When Compared to GDPR, GLBA or HIPAA?
“The broad definition is personal information includes any information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household. But then when you look at these 11 elements, some of them are things that you would expect, like name, address, email address. But then we also have number seven here, electronic network activity such as browsing history or search history. Number 11 is particularly interesting, because it picks up inferences that are drawn from any of the information listed above, to create a profile examining an individual's characteristics, psychological trends, behavior, attitudes, buying habits, that sort of thing.
So yeah, that presents new challenges for companies complying with, let's say, an access request, where they might now have to share information about how they're viewing a particular consumer in a way that they never have before. This definition differs from GDPR's definition of personal data, which is defined as information relating to an identified or identifiable natural person or data subject.
[…] the definition of personal information differs once again between what's available under GLBA, that definition of non-public personal information, and HIPAA's definition of protected health information (PHI). The HIPAA definition of PHI is best understood by looking at the de-identification standard, the list of data elements that you have to scrub in order to remove data from HIPAA regulation. But that list is also not as robust as the CCPA's list of personal information data elements.” – Reece Hirsch
How Does the CCPA Employee Exemption Work?
“AB 25, which was signed into law just a couple of weeks ago, amends the CCPA and requires that employees, applicants, officers, directors and contractors receive a privacy notice describing the personal information collected and its uses. It's a more limited privacy notice than the more general notice that is mandated by the CCPA. I think the focus in the press has been largely about the employee issue, but it's also important to remember that this notice requirement applies to applicants, officers, directors and contractors as well where personal information of individuals is being collected. […] You should remember that the employee notice will often be separate from the applicant notice because there are definite differences in information collection and use. The use of applicant data is going to be more limited.” – Reece Hirsch
Real Life Examples of Reasonable Security Implementations
“[…] two of the most common attacks that we are seeing today are the ransomware attacks and business email compromises. These occur in nearly every industry, and we're seeing, as these attacks continue to be profitable for attackers”
“[…] one of the biggest prescriptive measures that can be taken from a preventative standpoint is ensuring that backups are available. This feeds into both the incident response plan that a company needs to have, as well as the business continuity or disaster recovery perspective. The importance of having backups lies not only in taking them at a reasonable cadence but in ensuring that those are protected and configured in a way that actors aren't able to impact them as well. […] Another area that we see, both as an initial infection vector for any type of attack, but the biggest one being the business email compromise, is the lack of multifactor authentication. This is a measure that can be taken across many different applications and services, really anything with credentials that can be accessed, especially email or other staff services.” – Cole Manaster