The 2020 election season appears to have an end in sight. Beyond the states still under vote-counting scrutiny, many ballot measures around the country have drawn people's attention. One of these measures is Proposition 24 in California, known as the California Privacy Rights Act of 2020 (CPRA). The measure passed with a majority of voters choosing to strengthen consumer privacy rights.
The new measure will update existing provisions of the 2018 California Consumer Privacy Act (CCPA) and add some new wrinkles, which regulators and businesses alike will take time to adjust to. Most of the CPRA will not be enforced until July 2023. The group Californians for Consumer Privacy claims this new law will give California the "strongest online privacy rights in the world." For consumers in California, this means more protections for their sensitive personal information, tripled fines against companies that violate children's data, and a new enforcement arm acting on consumers' behalf, which will make it much harder to weaken privacy laws in the future.
Andrew Yang, former U.S. presidential candidate and Chair of the Board of Advisors for Californians for Consumer Privacy, was a prominent voice behind the measure. Yang said: "I look forward to ushering in a new era of consumer privacy rights with passage of Prop 24, the California Privacy Rights Act. It will sweep the country and I'm grateful to Californians for setting a new higher standard for how our data is treated."
Mohit Tiwari, Co-founder and CEO at Symmetry Systems, says the impact will extend all the way to developer-frameworks. "CPRA adds more teeth to enforcement and emphasizes additional focus on kids' privacy—both are valuable moves towards incentivizing products that respect consumers' privacy. The initial effect may be that organizations will try to instrument their sprawling infrastructure to measure data risk and add protections where they are needed most.
Longer term, this is a clear signal from the people to entrepreneurs—there is a keen demand for products that complement the ad-driven 'town-square' model, and we should innovate on both respectful products and privacy-centric developer-frameworks to build these products."
Law firm BakerHostetler issued an initial overview of what the CPRA may mean for organizations. However, it says there are a lot of open-ended questions. "The CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but on a 60,000-foot level."
However, one thing that is spelled out in the CPRA is that California plans to enforce it heavily. This includes:
- Establishment of a new data protection agency, the California Privacy Protection Agency (the Agency). The Agency is tasked, along with the AG, with enforcement of the CPRA, and will take over all rulemaking responsibilities. It is apportioned a sizable budget that must be increased by the legislature "as may be necessary to carry out the provisions of this title." Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.
- Any "person"—any individual or organization—has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business's privacy practices.
- The Agency may also investigate possible violations on its own initiative, and will have discretion "not to investigate or decide to provide a business with a time-period to cure the alleged violation." There is a five-year statute of limitations for the Agency's administrative actions, which can be tolled if violations were fraudulently concealed.
- Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.
Proponents of Proposition 24 say that it is a huge win for consumers in California, but it is also possible that it is the first step to more consumer privacy regulations around the world. Many experts believe that this law will set the bar for other states to follow, and that federal laws are likely not far behind.
Brendan O'Connor, CEO and Co-founder of AppOmni, agrees with the experts that this will have a much greater impact outside the state of California. "CPRA is the latest chapter in a global trend towards enhanced privacy for consumers, and harsher consequences for companies that fail to put appropriate safeguards in place. This is a 'win' for consumer privacy, but implementing the appropriate safeguards to comply with CPRA can be quite challenging.
Data does not live in one place, it has a footprint that spans many systems and applications throughout the enterprise. The pandemic has greatly accelerated the adoption of Cloud applications, and more data than ever before is stored and accessed outside the corporate perimeter.
This is a lot for security and privacy teams to manage. Successful organizations will invest in technologies that show them who has access to consumer data in Cloud applications, and provide continuous assurance that appropriate safeguards are in place."
The CPRA will usher in the California Privacy Protection Agency (the “Protection Agency”), a five-member board to govern the administration and enforcement of the CPRA. It will assume rulemaking responsibilities on the earlier of July 1, 2021, or within six months of providing the Attorney General with notice that the Protection Agency is prepared to assume such responsibilities. Notably, both the rulemaking authority and enforcement under the CCPA are presently handled by the Attorney General’s Office.
The primary responsibilities of the Protection Agency will be to investigate possible violations of the CPRA and to determine whether additional action is required against a business deemed to have violated the CPRA. If the Protection Agency determines there is probable cause for believing the CPRA has been violated, actions will be brought through Administrative Law Court (as opposed to state court, which is the current enforcement mechanism under CCPA), with potential administrative fines up to $2,500 for each violation, or up to $7,500 for each intentional violation or each violation involving the personal information of minor consumers. The Protection Agency will have the power to subpoena witnesses, compel testimony, and to take evidence as necessary to audit a business’s compliance with the CPRA.
What this means for businesses is that if you have a data breach and information is stolen or lost, the fines scale with the number of records involved. If the business loses 1,000 consumer files, the fine could be as high as 1,000 x $7,500 = $7.5 million. Can the average business with 1,000 customers pay a fine of this magnitude? Recent history has shown that new regulations that begin in the State of California can migrate to the other 49 states within a few years.
These new regulations are the signal for all organizations to strengthen their cyber threat defenses. The installation, updating and monitoring of firewalls, cyber security controls and proper employee training are keys to success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. Extensive reports can be found at https://redskyalliance.org. There is no charge for these reports and articles.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement Multi-Factor authentication company wide.
- Join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all work-from-home employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including Keyloggers, without having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949