The Risks of Non-Compliance
While businesses servicing California consumers may be enticed to sit tight and await enforcement actions before developing its privacy and data security framework called for by the California Consumer Privacy Act (CCPA), one must consider Benjamin Franklin’s axiom that “an ounce of prevention is worth a pound of cure.” Businesses take on a significant financial risk for CCPA non-compliance:
- Fines – violations can cost between $2,500 – $7,500 per affected individual. A 20,000 CA prospect list that was improperly processed or breached can lead to a fine from $50,000,000 – $150,000,000 (average size of data breach in the US is >25000 records, and is quite common).
- Private Consumer Actions – consumers have a limited private right of action (and class action) if their unencrypted or nonredacted personal information is somehow disclosed, resulting in damages between $100 – $750 per consumer violation. A class action suit for statutory damages due to a breach of 20,000 CA prospects could be $2,000,000 – $15,000,000 without proving actual damages to the consumers.
- Brand Reputation – reports of data breaches and ill-advised privacy practices often lead to a steady erosion of consumer trust and loyalty for many businesses. Since it can take years to regain consumer confidence, it opens the door for competitors to fill the space.
- Lower Value for Acquisitions – given everything above, no one wants additional costs or bad PR. Period.
CCPA imposes plenty of legal and technical challenges – requiring the adoption of new policies, procedures, disclosures, third party agreements, data mapping, security practices, and operational capabilities that satisfy consumer requests based on their new rights. Businesses can meaningfully reduce their risks under CCPA by taking a principled approach to compliance that is tailored to their organizations’ needs.
Given the newness and nature of CCPA, compliance will require a fair amount of legal work that should be done either by or under the guidance of seasoned privacy lawyers. Also, working within the context of client-attorney privilege often reduces concerns relating to disclosing too much vulnerability, which facilitates becoming compliant more quickly. Although we can work with your existing privacy/legal team, we have found it is wise to involve lawyers who are experienced in successfully litigating privacy cases.
If you want to learn more about CCPA, check out our white paper, “California Consumer Privacy Act (CCPA), Why You Need To Start Now!” We describe the new consumer data rights, obligations, processes and controls to fulfil those rights, and the risk of significant fines and statutory damages for non-compliance.
We can help at every stage of compliance by identifying a business’ compliance gaps and closing those gaps, especially around breach prevention, reduction and mitigation. Since it is expected that there will be far more class action suits next year than prosecutions from the CA Attorney General’s office, avoiding, and reducing the scope and cost of a breach as well as mitigating breaches is often a first focus.
We have built and managed many transactional systems and large data platforms for regulated industries that needed to use analytics and machine learning while still being secure and compliant. For the last 20 years we have helped customers become more secure and compliant. We usually started by capturing known needs but also by performing gap analysis to develop a road map to compliance while incrementally reducing risk and becoming more secure.
There is always a consideration between business value and mitigating risk when working with data, but we have learned that security and privacy doesn’t need to interfere with the ROI obtained from businesses ability to leverage data to learn and optimize businesses decisions.
Enterprise organizations have privacy, security and data protection teams and capabilities, which we augment. In other companies we help to create, grow and augment or sometimes become those teams. However, we are not lawyers. We teamed up with Kaufman Dolowich & Voluck, LLP because they are seasoned privacy litigators and practitioners who routinely assist clients with privacy compliance regulatory advice, developing and drafting policies, assisting in the legal aspects of: audits, policies, contracts, arbitration agreement reviews, security breaches, crisis responses, and litigation.
“EC Wise was a great choice for Kaufman Dolowich & Voluck because they understand how to build in privacy by design and deeply understand CCPA (for non-lawyers). EC Wise is very experienced and excellent at data management including data mapping, securing data, securing the enterprise and implementing and auditing security and privacy. Under CCPA, data without a purpose shouldn’t be saved. With their background in machine learning, they can identify all available data and how it can provide business value, also adding to the top line when performing data mapping services for CCPA “.
Depending on what stage of compliance a business is in, our team (EC Wise and Kaufman Dolowich & Voluck, LLP and) can do it all or augment what’s already in place (existing teams, tools and practices, etc.) to assist businesses become and remain compliant.
Given the changes in that CCPA requires, and the broader definition of PI all organizations will go through all phases.
High level CCPA Implementation Plan – Six Phases
I. Initial Framework: Create the organizational privacy vision and mission statement (or augment what is in place), including defining the scope of the business’ privacy program to include CCPA, and structuring the privacy team with relevant stakeholders. Identify existing privacy and security standards followed, data protection team (identify and/or provide a team leader), develop (augment) the organizational privacy framework, educate the team, and proceed to the next Phase with appropriate members of the team.
II. Discovery, Assessment and Planning: Based on the expanded definition of PI, categorize and conduct data mapping to organize a business’ data inventory including needed metadata (source, type, category, location, retention and uses of data) as it moves across various systems within the business. Review the encryption, redaction, security and other controls used. Review how liability is shared across third party contracts. Based on what is discovered we conduct and produce a gap analysis to assess risks and remediation needed within the current business’ processes, policies, procedures and controls.
III. Develop Privacy Framework and Program: Using the gap analysis of Phase II, after consideration of risk and ROI with key stakeholders, we prepare and plan changes based on new CCPA consumer rights (including incident response and process, remediation, and risk mitigation to drive priorities and order of follow-up activities). Design new processes, policies, controls, practices and tools to mitigate identified risks and enforce controls, and to scale and probably automate needed operational processes. Develop the metrics to measure and monitor both compliance and risk.
IV. Perform/Implement: Put into effect the newly designed framework and program. Test, measure, manage and evolve controls for potential errors and gaps.
V. Continued Compliance: Continually evaluate processes, procedures, and policies. Ensure business and employees have proper certification, insurance, and training. Perform Privacy Impact Assessments (PIAs) as needed.
VI. Cure and Defend: Provide needed technical and legal support in the event of needing to cure a violation or defend against a claim.
Our process is iterative, with the goal of creating a comprehensive solution that is delivered incrementally; we work together to reduce the highest risks and threats first. It is not unusual to discover high-risk low-cost remediation opportunities as early as Phase I, and proceed to perform them while moving in parallel with the rest of the compliance program.
It is likely that adoption of purpose-built tools will be advisable for many aspects, such as data discovery, characterization, satisfying customers’ requests. We are experienced working with both commercial and open source tools to manage privacy, provide appropriate security controls, redact and encrypt data, control access to databases, etc.
We have identified, evaluated, and used several products that facilitate operationalizing the management of customer requests. We will review with you some of these options (tools, products) to operationalize the organization for CCPA once we better understand your needs.
Education, high level discovery, high level roadmap; often fixed bid after questionnaire is reviewed.
Goals are focused on Phase I with a high-level version of Phase II to better understand the effort that is needed to reduce risk as well as to become compliant. Every company is different, with different risks and different policies, processes and controls already in place.
The focus of an initial engagement will be to:
- Review your questionnaire and ask clarifying questions to better understand your gaps and risks
- Get your key stake holders to understand the CCPA
- Identify first quick steps that will reduce your downside risk and help you start on becoming compliant.
- Build a very high-level version of Phase II, without tooling. We try to obtain enough understanding of your security, data mapping, PI management, policies and operational capabilities related to CCPA to create a high-level road map
We start with capacity building and discovery, especially around the areas of PI and risk of breach.
Organizations need to establish cross functional teams, representing key stakeholders, to coordinate their response to CCPA’s elevation of requirements around the management of consumer privacy.
The ideal team should have direct executive sponsorship, very strong management skills, understanding of the applicable privacy laws and enforcement strategies, data management, data encryption, and security expertise and it should be able to work with internal and external authorities as needed. To help launch such a team and undertake the necessary discovery and early Phase implementation, EC Wise and KDV will provide human resources with needed expertise, skills, and training.
It is important to understand that early decisions with respect to how you categorize your data and establish its use, will affect what you may need to delete, what will be exempted, and what additional upsides from the data may be obtained.
- Assist with the establishment and training of privacy team with respect to CCPA Compliance
- Work with key members of the privacy team on CCPA Compliance discovery, particularly PII (based on CCPA’s broad definition) data discovery and classification (including categorization and usage as needed for CCPA compliance), gap analysis to create input into creation of an early risk mitigation plan. This plan will provide a prioritization roadmap and help keep future efforts practical.
- Identify and help define the policies, processes and practices your organization will require to operationalize the execution of consumers rights and disclosures and to enable the organization to become more compliant while reducing the risk of fines and unnecessary costs.
- Carefully document the analysis of not just what we discover and how we plan to comply, but also the decision process, to help demonstrate the organizations reasonable and appropriate behavior.
- Whenever we work on compliance-based activities, especially during discovery, we recommend our mutual efforts be reviewed by experienced privacy attorneys and fall under lawyer-client confidentiality.
- We will start the work with the organization to identify and understand potential impacts, usage, policies and protection of PII (personally Identifiable Information as classified by applicable privacy laws) throughout the enterprise. The privacy team will need to work with and review PII flows, source, usage and sharing in Marketing, HR, IT, Security and provide guidance to legal (especially related to vendor contracts).
- Review and make recommendations on two 3rd party IT providers, potentially transferring risk to third parties
- Initial high-level gap analysis and roadmap
- Enough understanding to identify significant risks and scope
What we learn during our Introductory Engagement usually changes some of our recommendations for early focus as well as the effort needed to reduce risk and become compliant.
We may be able to bring in open source and low-cost tools to facilitate discovery and mapping and our GAP analysis in Phase II. We are familiar with a spectrum of tools that can be brought to bear, to increase automation, but the selection tends to be company situation specific. During each Phase, risk and alternative approaches and costs will be discussed.
We historically have long term engagements with our customers.
We will, if desired, continue to provide all the training (new tools, policies, operational processes and mitigation strategies decided upon), services (legal, data mapping and management, security and privacy controls) and technologies needed to support the data protection team during the execution of Phases II to IV to become compliant, Phase V to remain compliant and VI if needed.
To schedule a complimentary one-hour introduction and obtain our compliance questionnaire, please email email@example.com and indicate your interests.
For more information please contact: Jack Hakim – 415-226-8858
Or click a link below: