On-Demand Webinar

Is the California Consumer Privacy Act (CCPA) the Next GDPR and Why Should I Care?

February 25, 2020


The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and will be enforced as of July 1, 2020. Much like the GDPR (General Data Protection Regulation) in the EU, California’s law aims to give consumers more control over how their data is used.

This session compares CCPA to GDPR, and discusses why most organizations—not just those from California—are affected. They also discuss the recent trends in both CCPA as well as GDPR.

Don’t miss this timely discussion!

Okay, so what is CCPA? It's the California Consumer Privacy Act, and I've put the link there in case you want to look it up. Now, if you've heard me talk before on any kind of law or regulation, I always encourage you to read it for yourself because that way you don't have to rely on somebody else telling you what it says and whether or not they've told the truth or interpreted it correctly. I really always encourage people to read themselves. So, here's a link to that once you get the hand out. So it was passed originally in 2018, and one of the reasons it came through was because there was, and it came through the California legislature pretty quickly, because there was a movement on, so that in that fall of 2018, there was going to be a referendum on the California ballot to put in a Privacy Law. So, the California legislature pushed this through pretty quickly because apparently it's easier to amend a California law when it comes through the legislature versus having it come through a voter referendum. So, there were quite a few kind of ambiguities and things that really needed to be clarified, and so there were a bunch of, it was five or six, amendments that came through last October, so October of 2019. There are still some ambiguities going on, and there's expected to be a bit more clarification out of the Attorney General's office, but at the moment it is what it is.

So, it went into effect on January 1st of 2020 and enforcement starts as of July 1st, so some of the things that we'll be talking about are actually in effect now, but the penalties can start to kick in as of July 1st. It's similar in a lot of ways to GDPR that went into effect May 25, 2018, but there's also some differences, and so that's what Donnie and I are going to explore today.

So, one of the things that you have to look at and how this is different than GDPR is that this applies to only California residents. So, it will apply to organizations that do business in California and meet at least one of the following criteria. So, it's, these are ors, it’s not ands. So gross annual revenue of greater than 25 million dollars or collects and buys or you collect or by personal information of at least 50,000 consumers, households, or, interestingly enough, devices. Or derives 50% or more of the annual revenue from selling consumers’ information. Now, it was clarified in October that this does not apply to nonprofits nor does it apply to State and local governments, which is part of the controversy over this. California's residences wanted to apply to State and local governments, but it does not.

Okay, so that's who CCPA applies to.

Let's take a look at who GDPR applies to, and I'm going to turn to Donnie for this. 

Thank you. Anytime you want to invite me along, I'm always going to say yes, so thank you for that. And thank you everybody for joining them, as well. 

Very interesting for me learning about the CCPA. Myself, I have been entrenched in the GDPR for a number of years now, about two years prior to it becoming enforceable, so very similar to CCPA. It's been around for a while, we know it's coming, and we have to be ready for the date. There was no grace period for the GDPR. May 25, 2018, people thought I might, I might not, is that okay? Absolutely not. You had to be ready because there was no grace period we had to use to get ready to it. 

So, who does the GDPR apply to? It's a bit more onerous than the CCPA. In fact, any controller or processor, anybody that ends with personal data established in the European Union, the processing of personal data, and also, as you can see on the slide, any non-EU controller offering goods and services to the EU, they subject them to clarify that if you are a European Union resident, then your data, you own that data, and anybody who’s dealt with that data or could potentially dealt with it will have to comply with the GDPR. If you are an American company based in the US only with servers based in the US and web service based in the US, but you're offering Services paid or not to any EU residents, you have to comply the GDPR, very very onerous indeed.

Thank you. It's similar but different. There are eight rights to the GDPR. What's been very interesting with the GDPR since it’s became enforceable almost two years ago now is seeing regulations such as the CCPA and other regulations in the world who are really looking at the GDPR and taking bits of it. So, I think the regulations really get stronger regardless of where you are. The eight rights of the GDPR bearing in mind this is all about personal data.

This is about my data as an EU resident. Just touching on that. I'm in the UK. I'm actually Scottish, living in England and part the UK. Guess what, we're not part of the EU anymore. Does that mean that GDPR doesn't apply to me? Absolutely not. It applies to me fully until the 31st of December this year, and this is the transition period. After which, very interesting point, every single component of the GDPR is being taken into the old data protection act.

So, we still effectively have GDPR anyway, so I think we'll see that in other countries, as well, regulations getting stronger and stronger. So, the eight rights that EU citizens have that the GDPR gives it is, one, the right to be informed. Now, this is really at the first point of contact with any company, I have to be told how any personal information I provide them with will be used, so why they’re gathering it, what they're going to do with it, how long are they going to keep it for, why they need it, the legal basis that they have to gather information, store it, and who they're going to share it with, and how I can get rid of it and tell them I don’t ever want them to use it anymore. So, typically that takes the form of privacy policy, either on the website or on a contract or in the statement or even verbal, it could be on the telephone call. You could say I’m going to gather your information, this is a summary of what we're going to gather, here's a link that you can go and look at to see everything that we're going to be using of your personal information.

So that’s good, at least I know what people are doing with my information. The most onerous task that I have as a data protection officer and of the GDPR is the Right to Access. Now, it's good for me as a person, but as a company processing personal data, it's quite a task in the right access. If anybody asks me for the right to access their personal data, I have to be able, within 30 days, to provide them every single piece of personal data that I use.

Basically, I'm going to have to give them a copy of it. Now that includes every single email that they may be mentioned in. Now you can imagine that every single email they’re mentioned in that they’re not allowed to see, I have to redact that. I also have to go to any third party who I shared that with, I also have to take it for my CRM system. Anywhere or anything that I do with anybody's personal information, I have to give them a copy of it within 30 days, and it's a law. I've no choice. If I don't give them in 30 days, I can get fined. 

I also have the right to replication. If the data that is stored, and let's take this for me as I'm going to a company that is using my data, and I believe it's wrong, I can ask them to change it. Now, I had that right before under the Data Protection Act, which was not a law, it was just an act. I could say, I think the information you hold for me is incorrect. Can you please change it and put it right? And they could, and they had to do it in a reasonable amount of time. Now two years is reasonable amount of time, if it's not a law.

Again, Right to Rectification is 30 days. You have no choice. We have to rectify it in 30 days, and it's up to the company that’s using my personal data to put it right and prove that I'm wrong, so I'm in full control. 

Now, I mentioned that the right to access or a copy of the information is really difficult, similarly the Right to Erasure.

I can ask to be forgotten about, and I’ve quite often referred to it as the Right to be Forgotten. So, I can say to anybody who has my personal data, almost anybody who has my personal data, I want you to forget about me. If I'm no longer a customer and there's no legal basis, maybe no financial loads or stuff like that, where they have to have my data, I can make them remove it. Now, I couldn't, for example, erase your criminal record, but I've got that right so people will have to remove it. So, they have to know where all that information is. We’ll touch on that again in a moment.

Now if you go onto the next slide, there's four more rights we can go through these rather quickly. The Right to the Restriction of Processing. Now, this is where I can say to people don't use my data at the moment. Don't erase it, just do nothing with it. I want you to store it but don’t process it for any reason in particular that you may already be doing it, they have to comply. they also have to notify any third party they may share that with to do the same thing. 

Typically, this is something that rarely happens. The Right to Access and The Right to be Forgotten About are the most common ones. This rarely happens. This might be because you think that your data is incorrect, so you want them to stop using it until you can prove it.

And the Rights of Data Portability is another one that's not very commonly used, but it's very useful. So, this is if you've provided your information to a particular company, you can ask them to give you a portable copy of it. Now really strangely, I think this is a bit of a weakness for the GDPR. The GDPR specifies areas of technological reasons, such as encryption, so very good. The Right to Data Portability, they say that you can have a copy of all your information.

You can transfer it using Excel, which is actually one of the areas that they say you can use. I don't really agree with that. I do it in a much more secure manner. You don't have to do it that way, I always do it in a much more secure manner. Typically, I may have applied for a loan or a mortgage or providing information to an insurance company for example, now I could say that rather me do that all over again, can you give me a portable copy? I could provide to another company to give me a competitive loan, for example. Or preferably, can you transfer it across automatically electronically with my permission?

The Right to Object to Processing. This is a very common one, and this really refers to marketing. This is where you can say to a company, I want you to stop using my data. Now, it's not a deletion, it’s just to stop marketing to me, and you have to do that within 24 hours. Now, it never really happens in 24 hours, but you can tell people you're doing it because to a certain extend it takes 2-3 days. As long as you comply with it and do it immediately within 24 hours and notify people it will take a day or however long it’s going to take to stop marketing to them, you can do that, as well.

And then the final one, in the two years that the GDPR has been effective, I've never come across this, and I don't think I will in my particular company, but this is where you can say that you don't want to be subject, your data to be subject to an automated decision maker, basically you want to talk to a person as a human being involved.

This could be for example, I mentioned finance, you may apply for a loan for example, and it could be a computer program that determines whether you're going to get that loan or not, and it may not be perfect. So, you could say well there's some other circumstances that may mean I may get that loan, let me talk to a person. The other example might be LinkedIn. You may apply for a job or a role via LinkedIn, and it may be a program that determines whether you get put forward or not. You can say no, I'd like to actually talk to somebody and then actually have to talk to a human being, so quite like that but rarely used.

Okay. So, thank you Donnie for explaining those eight rights. So, California differs in that it's not eight, it's five and they're slightly different. So just like GDPR, you have to know that one of the rights is that you know what information is being collected at the time it's being collected and why it's being collected.

So, you have to be able to know how your data is going to be used, why it's going to be collected, if it's going to be stored and so forth. So that's right number one. Right number two is kind of the same sort of thing only a little bit deeper to know whether your personal data is going to be sold or disclosed to a different business or organization and the type of business, so that's kind of interesting as it's being sold.

So, perhaps your information is going to be sold to a marketing firm or maybe it's going to be sold to research or you know, you name the company, but at the time it's collected, that has to be disclosed. The next right, number three is saying no to having the data being sold. And again, that's at the time that it’s being collected.

So, for all of you that live in California, all of your websites now have something that will say, “Do not sell my private data,” and it has to be in those specific words, and it has to be at the time that the data is being collected. So, this is not the right to opt out, and like GDPR says that you can opt out and not be marketed to, that's not what this is.

This is don't sell my data, and if you think about the way that this law came into being it was a direct reaction to the Cambridge Analytica Data, where Facebook sold the data to Cambridge Analytica, and they did all sorts of things with it, so this was very much a reaction to that. And so that's why all California residents have the right now to say that their data should not be sold. 

So, some organizations have chosen to just put up that type of option for strictly California residents. Others, especially that are of a more global nature, are doing that for everybody now. So, you're going to see even though I live in the state of Washington, I have seen that option for many of the websites that I have gone to, so that's totally optional, but it is required for California residents.

Right number four is the access to the personal information that's been collected. This is very much again like GDPR, so that if you have it written and they have very prescribed ways of requesting the information, and we'll get into that in just a little bit, but you have the right to put a request in to the organization and ask what information has been collected and to see that data.

The final right that California residents have is equal service and price, even if they exercise their privacy rights. So, if they say do not sell my data, the organization cannot charge them a different price.

Now, that's the first blush, but if you look into the law a little bit deeper, it actually does allow an organization to charge a different price if they are compensating you adequately for the price or the value, I guess the right word is the value, of your data.

So, if they are compensating you, and therefore can reduce the price and that's their compensation for being able to use your data, then that's okay, but it has to be commensurate with the value of the data that they're collecting and subsequently going to stop. So on the surface, it can't be a different price, but if you dig deeper, that's actually what can happen.

Okay, so I said that the law was passed in 2018, but it was fairly ambiguous on a number of accounts. And so there were some amendments that came in last October, so one of them is clarification of the definition of personal information. So again, you really need to look at the law. It is kind of shocking how far-reaching the definition of personal information is both from in my opinion. GDPR as well as CCPA, but the one thing they did clarify is that information that you might think is personal but is publicly available by law is not personal information. So that was one thing. Another thing is there are some exemptions to some personal information. So things like vehicle recalls, so, I don't know if any of you have gotten this but I've gotten a recall notice for my previous vehicle because the airbags were defective, so it’s things like that that there is a clarification that car dealerships can share vehicle information with car manufacturers to facilitate recalls that sort of thing. Also, it does not interfere with the Fair Consumer Reporting Act (FCRA). So, remove that conflict and then interesting is that there is another law going into effect for employee privacy.

So, this exempted from the law for at least a year our personal information given over when you apply for a job, my personal information as an employee, the owner’s information, director officer, and so forth. So, look for a different law that will protect the information from an employee standpoint. And then there's also some exemptions for B2B or business-to-business transactions.

So, there were some clarifications that came in last October. Okay, so Donnie, you know if we are starting to learn some from GDPR, as I was alluding to, to me one of the most confusing and kind of shocking things is the far-reaching scope of what defines personal data.

I agree. There's the obvious, as you've got their bank account numbers, social security numbers people would expect that to be personal data, I think. The not so obvious and this is a very small list, so they're not so obvious things like IP addresses, the geolocation information your browsing history, your biometric. They're the not so obvious, but then it extends even further with the GDPR, so images, even including the social media images, they’re also personal information.

And one of the things that the UK for some reason has more of these than anywhere else in the world I believe are the closed-circuit TV cameras. Now, as a little fun fact for you, if you come and visit our beautiful country and go on one of the lovely red buses in London, whichever route you go on, all those batteries have 16, one six, CCTV cameras on them, recording images 24 hours a day, and they keep those images for 28 days minimum.

You have a right to a copy of that. Now, when I talk, the reason I bring up things like CCTV images, again they’re images, one of the areas that we have particular issues with in the UK at the moment is people have these door bells on their front door of their houses, they’re door bells with cameras on. Fantastic idea! They're not allowed to extend and look at next door neighbors because they capture images of them. You can’t do that. You have to make people aware, you have to have them sign up, saying you're going to do that and you have to be able to provide that information.

So the CCTV images, email addresses, now company email addresses is not personal information, but your personal email address is. And then it gets even more complicated whether saying well, for example, your company email address isn't personal information, but if you combine it with two or three other pieces of information, then there's a hole; it becomes personal information. So, it really does become quite onerous, as well.

Yeah, I think that that's what a lot of people don't stop to think about is that combination of information and not just from a legal perspective, but if you think about how a hacker can use that information if they get it, and they get that aggregated information, you know, that gives them significant power.

Okay, so what should we do with this, Donnie? 

Now, the first line of this slide is, Find all of the personal information throughout your organization. Now, that's not a hint and tip, it is without a doubt the only thing you should be doing to make a start to comply with these regulations. We need to know what personal information we have. We need to know how it's used. We need to know what you do with it. How long are you going to keep it for, who you're sharing it with, how you are storing it. That's the first step to comply with any of these rules and regulations is to really go through and do a discovery process throughout your entire organization to work out what information you've got. Now you probably, like we were, and HelpSystems has been around 35 years, when we started looking four years ago to GDPR, I found personal information that 20 years ago would probably be very relevant and is now totally irrelevant.

So, we say well do we still need it? And we didn't, so we got rid of it. If you get rid of it, there's less data to protect, there’s less data here to share with people, and you have to have a legal basis now with GDPR as to why you’re using my information. It's almost like a retrospective law. So it's really really difficult. If you have got data, I say get rid of it if you don't need it anymore, or if there's no legal basis to have it. And if you're storing it or doing anything with it, encrypt it, and if you can't encrypt it, you need to make sure you have technological processes in place the GDPR specifically says technological and organizational processes in place. Organizational processes to provide the data and tell people what you have. Technological is exactly software and hardware. Encryption is the best thing you can do. If you have any type of personal data, you can encrypt it. Absolutely fantastic.

If you can't, put in other solutions that make sure people can't get to in the first place. As you've seen the slide there, if it's not being used purge it. If it is being used, only keep it for the length of time you have to keep it from and then purge it.

And this is incredibly timely because I was at a client last week, and we found files with unencrypted social security numbers in them and not realizing that they were there. So, the task went on to find all of the instances at least of that one file, so we did that and low and behold there were copies that had been made on production into developer libraries. I'm sure before a change was made, they copied it or they used it for test data, then we find it on the test system, so we found it several places. So, even just getting rid of the copies that were made several years ago, reduced the risk significantly, not to mention needing to figure out how best to protect the production information.

But just getting rid of those old copies is significant reduction. And then we realized that there was some information being used in log files, and we went to look at the log files, and they dated back several years, and the business only requires them for 60 days. So again, there was an easy way to reduce the risk to the data just simply by getting rid of it. So, this is incredibly timely not just from GDPR, not just from CCPA, but from everybody's perspective.

We have a couple questions if you want to interrupt the hour, or we can wait until the end? 


Okay, first of all, in the very beginning you talked about the gross annual revenue. Is that total company or that only sales in California?

I believe it’s gross revenue not just sales in California. 

Okay, and then for Donnie the questions is, did I understand you to say that the work email is not subject to GDPR? It is my understanding that if the individual’s name is part of the email address, then it is protected. 

It's pretty close. So, Donnie.maccoll at HelpSystems.com, is not classed as personal email on its own. Donnie at whatever my personal email address is classed as personal. So, the company address is classed as company information, not personal information. If combined with other things, it's classed personal. So, Donnie.MacColl at HelpSystems.com in combination with the address or location that I work at, which is very easy to find out, that would be classed as personal. So quite right. It's best to presume if you're not sure it's best presume it is personal.

Okay. Thank you.

So, this slide is really referring to that request that gets presented to the organization to see my data. So CCPA has a similar requirement, and so for GDPR, what have you had to do Donnie?

Yeah, so what we have to do if people ask for a copy of their information. What we have had to do is document a well-known process and get it in place. Now, I notice that you said that people can request it under the CCPA. Under the GDPR they have a right, they have a given right to request it.

And what we have to do, our process in place, the first step of it is if people say to us, I would like a copy of the information. I have to make sure that the person asking for it, is who they actually are. So, there's a step before I actually do anything. Now, I can ask them to send me an email from a particular email address, that might be enough.

I can even ask them for a copy of their passport or their driver’s license and have to identify the requester, whether it's for a copy of the information or to be deleted because it could be be a disgruntled employee, a disgruntled ex-partner, a competitive company asking for that information. Now, once we've identified who that person is and then have to initiate a process, there has to be an audit trail that has to go through and prove that I've touched every place that personal information is, get a copy of it, and present it to them in a timely manner. I'll say that timely manner is within 30 days, and then close the process by emailing them securely or writing to them to say this is all the information we have on you at this point in time. We now close the process. It’s typical.

And CCPA has the same thing. They allow you to or they encourage you to verify the person is who they say they are, that they're legally allowed to see the data. It allows you to deny access if you don't think it is right person. And again, there's that timeliness, so I honestly can't remember if it's 30 days or 45 days that CCPA allows, but it is that sort of thing. One thing that CCPA says is that the organization has to provide this information for free up to two times annually. So, if you asked for this quarterly, you could have some sort of reasonable charge, reasonable I'm doing air quotes. The organization could charge you for getting you this information more than twice a year.

So, one of the things that CCPA like GDPR allows you to do is get rid of personal information, but there are definitely some exceptions. Things that have been gathered to complete a transaction. So, think of a credit card, and they needed that credit card information to be able to complete a transaction, or like an ACH payment, or something like that. Also, it’s an exception if it's being used to track malicious activity. So, if somebody needs a piece of your personal information to be able to do forensics, I'm thinking IP address here, or it's required for legal purposes, so a lot of times the financial industry needs to retain information for X number of years and certainly Healthcare information needs to be retained, usually for longer.

So GDPR has similar sort of exceptions, correct Donnie?

Yes, that’s exactly right. If there's a legal reason to keep hold of the data if the people ask for it to be removed, you can keep that and you can tell them that you're keeping it and there’s nothing to do about it, similar as you mentioned there. So, for anything legal such as criminal, you don't get rid of it and for health care, you don’t have to get rid of it. Also, if it’s anonymized, you don't have to get rid of it. So, there are very very similar exceptions there, as well.

That's right. I forgot about the anonymization of the information. So, for example, if your information has been depersonalized or anonymized and then like sold for research. You can't get your information back, or you can't ask for it to be deleted in that case.

So thinking of IBM i Donnie, one of the things is in the audit journal is the IP address, right? For every audit journal entry for the IP address is available. It's logged in the audit Journal. So, what if somebody asked you to get rid of that?

Unless there is a legal basis to keep it, it's very very difficult. 

Well, right! Because you can't modify an audit journal entry, right? I mean it's technologically infeasible to modify an entry.

I think the closest I could give to you on that is that eventually it would be removed and there are, it's not an exception, it's not even loophole, but we can give you an example very similar. People can ask for putting the right to be forgotten. They can say that I want all of my e-mails deleted, including on all of your backups, and we might have said here's what the backups, so that's something  they can ask for; however, because technologically it's so extreme to ask for it, you don't have to because eventually they'll be grandfathered off anyway, because similar rule would apply for the IP addresses in the audit journal in that eventually they would disappear, so you're still adhering to the law. You can tell them that there’s not much you can do about it because technologically it’s such a an impossibility to do, so that that's one of the areas that is unusually slightly gray within the GDPR because it’s very definite about everything else.

That makes sense. Okay, so again like GDPR you can opt out. But again, this is very specific for opting out. CCPA is very specific. You are opting out of not having your data being collected, it is opting out of not having your data being sold. And so there is very specific, if you read through the law you'll see it specifies that you must use this exact wording when the data is being collected: do not sell my personal information.

Kind of interesting that they dictated the language, but there you go. And then again, once again if the California resident opts out, they can't be discriminated in any way shape or form by opting out of this.

So, what have you done, and we've kind of covered this a little bit Donnie, but are there any other kind of things that you can talk about from GDPR in the request to be deleted?

Any request that comes in, whether it's request to be deleted or for copy of information or any of them, we’ve covered it partly, anyway, now the requests coming in can be an email request, it could be a verbal request. Typically, what we’re doing, you'll see on the HelpSystem’s website in the privacy policy, the link to it, as well as if you search for GDPR you'll find it, we provide a secure form that people can fill in and then for any requests coming in, any GDPR requests coming in, can be verbal, can be email, can be form. Now, what's really ornery for us is every single employee must know how to identify a GDPR request coming in, regardless of their role. So, we've had to train every single employee.

We actually have, we've just acquired another company, a security company, we’re making sure that every single employee knows how to identify a GDPR request and what to do with it. So, if somebody could ring up and say to somebody on the on the helpdesk, oh by the way, I'd like a copy of my information, that person taking the call needs to know what to do with it. And I say we've got a form, we've got an email address that is available. We actually have a corporate email address where everybody can send GDPR requests to, we actually have that all ready for CCPA, as well, and I'm looking at it for the Brazilian regulation, as well.

So, we have a process in place for that. So that's something I'd recommend that people start thinking about doing now.

Yeah, and CCPA is kind of interesting because they demand a toll-free number unless the organization operates only online. So, think of an online retailer and then if that's the case then an email address is sufficient, but otherwise if you're something other than an online retailer, you must provide a toll-free number for residents to call, so that's kind of interesting and again organizations can require validation of identity prior to deletion, and I would think that an organization should require that because I would think they would get in all sorts of trouble if they deleted information of the wrong person as you were saying Donnie like from a disgruntled partner or a disgruntled employee or you know, somebody just trying to do mischief. Some interesting things about the request to be deleted.

Now the question. Donnie, do you know of the GDPR article that mandates the education of employees?

Now, there isn't an article within GDPR that specifically states that. It's a given that because of the eight rights applied to people, it's inferred that you have to be able to acknowledge any GDPR request and respond to it within a certain number of days. So it comes down in the least terms to employee education. It's up to the company to be able to recognize a GDPR request coming in. It's not up to the person requesting it to have to work the way through a maze to be able to find out how to do that. It has to be simple. That's why I say the privacy policy on the website or on the contract or even telephone call people say you here's our privacy policy on our website here, state in there just to make it easy for people to be able to exercise their rights under the GDPR.

That's it. Thank you.

Now, one of the other things about CCPA is the definition of a breach. And so any consumer who's, and I'll just kind of go through it, non-encrypted or non-redacted personal information as defined in other parts of the CCPA is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. 

So, if you Google that phrase and CCPA, you will find a discussion on this because there is absolutely zero information about what constitutes reasonable security procedures and practices. If somebody tells you, oh to comply with CCPA, you have to do XXX. That's not the case.

It does not say one word about how you're supposed to secure your data. Now, if I was just to read this one of the things I would look at and say any consumer whose non-encrypted personal information. Okay, so if my data is encrypted then this doesn't apply to me. So right off, you can think encryption, but beyond that what does it really mean reasonable security procedures and practices? So, while it's not stated exactly in CCPA, there was an earlier document a few years prior to this put out by the then Attorney General of California called “Data Breach Report” that talked about complying with the CIS20. So, what is that? That's the Center for Information Security Top 20 Best Practices, basically. So CIS is known for their benchmarks, and CIS, you might hear about the CIS Benchmark for AIX or Linux, red hat, or all these various platforms. What you won’t hear is CIS Benchmark for IBM i because it doesn't exist. There isn't one for IBM i. So, what do you do in that case? So again, if you Google this phrase and CCPA, you'll see some other suggestions one being NIST cybersecurity framework, another one being ISO 27000-series, which is the series that talks about data security and compliance and integrity and then one of the articles that I thought kind of applied to us the most was the article that talked about, look you need to have some sort of indication that you're paying attention to security. You need to have a plan. So, his suggestion was that you start with a risk assessment, get a plan in place, have that plan be part of your business process, so that if something happens you could show the court, this is what we're doing for security. And it would play much better in the court of law rather than just saying, you know I was hoping nothing would happen. We didn't think our users could do this. We thought IBM i was secure.

Okay, that's not going to play in the California laws. So, this article was not specific to IBM i, but I thought it was quite relevant. Start with the risk assessment, get a plan in place, be able to show that you have some sort of processes and procedures in place for security. So, I thought that that was a good definition of reasonable security procedures and practices.

So, the penalties for CCPA for non-compliance, there can be civil penalties, there can also be a class action lawsuit. So, there may be a civil penalty of up to $7,500 per violation, or if it's a class action, it can go up to somewhere between $100 and $750 per consumer. So that's California.

Now, let's take a look at GDPR, but before that, interestingly was in the last two weeks, there was the first lawsuit that was filed and it was against Hannah Andersson, which is a kids clothing supplier, and Salesforce.

So, I thought that this was interesting because Hannah Andersson used Salesforce, and so they're both being sued, which I thought was kind of fascinating. They're being sued for negligence regarding exercising that reasonable care and processing PII data using reasonable and adequate security compliance with industry's best practices and implementing process to quickly detect that breach. So, basically they're saying they had no reasonable security processes and procedures. Now, the thing that is really fascinating about this is that the breach occurred or came to light last November December timeframe, but the breach notification, so that would have been prior to this law going into effect, but the breach notification came out after the law took effect. So, it's going to be interesting to see how this one plays out, to see if the courts will allow it, and what they do with this, but this proves that CCPA is here, and it proves that people are ready to take and prove it in a court of law.

So, here's GDPR’s definition of a personal data breach, Donnie. 

It's interesting to see the previous slide. I'll come to this in a moment. The GDPR, it's not just companies, it’s individuals that have been fined, as well. And if you look at the definition of a personal data breach under the GDPR, it's pretty much the same as it is under the CCPA only it takes a softer tone in the way that it's described. And people typically think of data breach as exposing data.

So, as you can see here it’s accidental destruction, loss, changing it or disclosing it, or just leaving it wide open for people to access, as well as, it’s classed as a data breach or even a suspected data breach. And if we just look at the next slide, there's a reason I have this slide up here, so this is what happens now and just going back to the question about is there an article saying that employees have to understand the GDPR, there is not a specific article, people again have to be able to identify a breach in the first place, and HelpSystems’ employees have been amazing. People have been saying, “oh, this has happened, is this okay? Now normally it is, but the good thing is people know about it. So, it's in your best interest to make sure that there's a mandate, that employees know how to identify a potential data breach. Now in the event of a potential data breach, the processor, so whoever is actually using the data at that point in time, now to put this in perspective, this could be an operator, it could be somebody answering the phone, doing an insurance quotation, it could be anybody at all, so it's not a governing body, anybody who’s using that data. If they believe that a data breach may have occurred, they have to notify their controller, the data controller. So, the controller may be the data processor at your company, it may be a Data Protection Officer. At HelpSystems, I perform the role of Data Protection Officer at HelpSystems. You don't have to have one legally, but lots of companies like ourselves in 25 plus locations, it's worth having one. So, in the event of a potential data breach, data protection laws would be notified, and it's up to them to do a number of things. First one is to look at the extent of the data breach. If they don't know the extent of the data breach or what's happened or how many people may be affected, you still have to report it.

You have to report it in steps. Now in the event of a data breach or a suspected data breach, you have to report it to the supervisory authority in your country within 72 hours of becoming aware. And that's one of the roles the controller will have to undertake. The person or people or team performing the role of controller cannot get in any trouble whatsoever for the employers for doing that. They have to do it, and you have to report it to the supervisory authority.

One of the great things about the GDPR is well, it's this, you have to report it, you have no choice, otherwise, you'll get fined, and the supervisory approach will help you determine whether it's a data breach that you have to do something about or not. That's why I say even suspected data breaches you should report as well. Now there's a bit of a misunderstanding in that if the data is encrypted or anonymized you don't have to report that data breach, and it's almost correct.

You do have to report it, that’s important. You do have to still report it to the supervisory authority even if the data is encrypted, and there's no key stored with it, so it couldn't be decrypted reasonably by anybody who may have access to the encrypted data. What you don't have to do under the GDPR, if it's definitely encrypted and there's no risk to the individuals is report it to the individuals, and this has actually changed since the Data Protection Act was initiated and that if there was a breach, it was hard to prove there was a breach, and you could really take your time and lots are coming to report it, and that’s changed, which is a really good thing. You would see in the news and in the GDPR it doesn't hit the news so often because if you don't have to notify the individuals because the data is encrypted, so there's no risk to them, it doesn't hit the news. So, that's one of the good things. But yeah, there's a process there to make sure it's reported very very quickly.

If you report it, and there's a breach or say that the idea isn't just to find you, the supervisors inside will help you contain it. If it's negligent, if you don't have organizational and technological processes in place such as encryption such as firewalls such as virus protection such as adequate measures in place, and even if you haven’t, if they’re inadequate, then you'll get fined. And you see there are two levels of fines. Up to 10 million euros or 2% of your total worldwide turnover just to put that in perspective. I have, in Paris, I have one employee. She does an amazing job in the support team, and she works from her home office. If that one person caused a data breach, we could potentially be fined two percent of our total worldwide turnover for all of our entities in all 25 locations that were in, so it's quite a lot of money or up to four percent depending on the nature of the breach.

Now if you look at the top, just to two percent, failure to maintain written records and said you have to have an audit trail, you have to have processes in place to recognize a GDPR request coming in, you have to be able to prove when challenged they have those processes in place, you have to maintain audit trails and you have to report breaches in the correct amount of time. On the bottom, I’m just going to pick something out there, failure to obtain consent to process a subject’s data. Now consent is not the only one, you actually have to have a legal basis to actually send information, marketing information, to a particular person. If you don't have consent or a legitimate interest or another legal basis you can get fined 4%, so it's very very onerous indeed. 

If we look at the next slide, for this one I'll touch on some of the fines that have actually been issued since May 2018. Facebook pretty much everybody knows about Facebook being fined. Heathrow Airport was fined one hundred and twenty thousand pounds. It's not actually a lot of money for what happened. They were fined for not ensuring the personal data held on it was being properly secured. This was a USB key that was lost, and somebody found the USB key, they took it to a public library to have look at it, put it on a computer to have a look at it, and it was from Heathrow Airport. Now, the fact that it was unencrypted and it was accessible, that's bad enough, and they open themselves up to a fine for that.

That's not why they were find one hundred and twenty thousand pounds. On that, was a training course that had taken place in Heathrow Airport, and it had been filmed, and it was a recording on the training course. Within that training course, if you stopped at the right place, you could read the personal details of five individuals. That's why they got fined. So just shows how easy it is.

Bupa, again this is another reason why I’m so strict if you like about employees knowing that they have to comply with GDPR. Bupa was slightly different, well very different, an employee who had access, because they could legitimately, took over half a million entries of people who were customers of Bupa and sold it on the dark web. Now that's really difficult to stop because that’s an employee who's allowed legitimate access to that data and decided to go rogue and that's why they only got fined one hundred and seventy-five thousand pounds because they did have processes in place, they just couldn’t stop him from doing that. They could have had processes in place to stop them from putting it on a USB stick. They could have processes in places to stop them emailing it out, a company we just bought does exactly that.

So, you can see the type of science that people are getting and administration assisted. There is a lady who worked in a car dealership, and she copied data of customers, and it's not uncommon. I've seen it so many places. People leaving their roles to go somewhere else, emailing information, people used to do it. I can't do it now, and if you do, you're going to get fined, and that's individuals, as well.

Quite scary, really.

Well it is, and you know, all of those things that you talked about are things that could happen, not just in the EU but really anywhere around the world, right? And so best practices says that we need to protect that data.

I know that one of the challenges has been for CCPA number one what defines personal data, so we've kind of talked through that, but there's also some companies that are delaying implementation because they are claiming they don't sell the data. So, there is no definition of what selling, and again I'm doing the air quote thing, what selling information is because so for example, what if they agree to exchange data and no money or currency is actually exchanged for the data. Is that selling data?

So, you can expect to see some clarification of that come through. I also think that some companies, just like what happened with GDPR, I think that they were just waiting to see if this was real, and so now as you know that we see the first lawsuit, as soon as we see the first fines come out, I think people are going to start to scramble. So, those are some of the challenges that I'm seeing.

Of those, I think that the main challenge that I saw, and I still see even nearly 2 years down the line is something you spoke about already, is know where all that data is, where all that personal data is and people really need to start doing that as soon as they possibly can. And the other major issue that I saw was people have been able to get management to realize, as you just mentioned, that it is real and people will get fined. One of the challenges you have is say, the term I kept using is in the CCPA, it's really a corporate governance problem, but it's typically an IT solution. So, typically it’s IT that’s looked at to solve the issues, but to get management to listen was hard, prior to the GDPR coming in. It was really hard with companies that you would look to to comply with it and the month before it was due to be enforceable people were like we haven’t done too much on it because I can't get my management to listen.

Now, what I said to them was well ask your manager what they're doing about the GDPR. If they don't know, ask their manager and so keep on asking and make it a mission to keep on asking so people know about it, so at least you're covering yourself and try to get people interested in it. I will say, nearly 2 years down the line, it's not that much of an issue because now there has been fines issued, lots of them, and people have realized we really need to do something about this. It's not such an issue anymore, but I can see it being for the CCPA, I can see it being very similar challenge, getting your management to listen. 

Yep. That's it exactly, and if management is going to deny it, there's not a whole lot you can do. You're right. It's a business process issue with looking to IT to solve it, but it's really business.

So, you're absolutely right, Donnie. Well, I think that that's about it. I always try to put more places that you can get more information. You can always search for the CCPA amendments because there are several more coming most likely. NIST is putting out a draft standard of a new privacy standard. NIST did not put that out before, so here's a link to that, and with that I will turn it over to John to see if there are any more questions in the webinar.

I'll do this really quickly because we only have a couple minutes and there are a couple questions. So HelpSystems, we have Security Professional Services that we offer on the IBM i. Here I’ll talk about a risk assessment and putting together a plan, you know for CCPA and that can be a saving grace for you. We do risk assessments for the IBM i, we also do penetration testing, which is really validating the risks, we do architecture where we go a bit more in depth and develop a custom plan for you to kind of approach and figure out how to take care of the risks that maybe you've identified through risk assessment. Then we also have remediation where we help you work through all of the different security issues and correct them as we go along, and then we have two managed services. We have Managed Services, which is, think of it as outsourcing, paying attention to security on a regular basis to us and what we do is we will do monthly reports where we check on 10 key security indicators and give you a summary of what we've discovered and anything that we've noticed and where we go from there. 

Also, we do Single Sign-On (SSO) Managed Services, which we help you implement single sign-on for eliminating passwords to your IBM i, and that I'm just going to suffice it to say that we also have a number of software solutions out there from compliance reporting, to self-service password reset, to privileged access management, to perimeter access control through Exit Point Manager, to Multi-Factor Authentication, secure managed file transfer, native Antivirus protection on the IBM i, we have a lot of software solutions for various problems that pop up when it comes to security on your IBM i, so I'm just going to leave it at that.

And here's the questions that we have. Today people pull tons of data to Excel for analysis. It seems that this could be a terrible liability for corporations, and it seems like it would be almost impossible to track all those instances of personal data. Thoughts on those two comments there.

Yes, and yes.

Well, that was an easy answer. 

I mean that was part of the analysis that we were doing with clients because we know that some of the information was being used for reporting and a lot of the problem with databases especially on IBM i is that these databases were designed a while ago, and a while ago the information that is currently now considered to be personal PII, Personally Identifiable Information, never was thought to have been that like Social Security numbers here in the States, Social Insurance numbers across the UK and Europe, those never were personal information at one point.

And so there's a lot of information in these database files, a lot of different fields with a lot of different information and now it's a combination of general information and PII data that you now have to protect, so you really have no other choice. If you're going to protect your data, you have to identify where that all is and do something about it. So again, it's the multiple layers of defense Donnie alluded to that.

There's an encryption. Encryption gets you out of a lot of things both in the EU, as well as here in the states. A lot of States’ breach notification laws, if the data is encrypted, you don't have to notify the individuals. So, there's encryption, there's object level security, there's exit points that you can control who can do that download into that Excel spreadsheet, so it's really that you have to do that plan.

All right. Well with that, we’re about 3 minutes over our normal time, so I'm going to say thank you everyone for attending today.

Are You Ready for CCPA?

Start preparing for the California Consumer Privacy Act by identifing the security vulnerabilities on your IBM i. Get a free Security Scan to find out where your system is secure and where sensitive data is at risk.

Stay up to date on what matters.