If you have been following data privacy, you probably already heard of California’s new landmark privacy law, the California Consumer Privacy Act, or CCPA. The CCPA went into effect on January 1st, 2020, and the Attorney General will begin enforcement on July 1st, 2020.
Who will enforce the CCPA?
One of the critical features of the CCPA is that it empowers the California Attorney General to bring suits for violations of the CCPA with penalties up to $7,500 per violation. The Act also provides a private right of action for consumers to bring claims for data breaches with statutory damages up to $750 per consumer. Despite the potentially enormous penalties, the CCPA contains a 30-day cure provision, which gives companies an opportunity to cure the alleged violation and avoid litigation.
How can incident response policies help reduce the possibility of fines?
To mitigate liability under the CCPA, the ability to cure a claimed violation shortly after receiving notice will be critical. Practically speaking, this means businesses must have incident response policies and teams in place to minimize the impact if and when a breach occurs. In general, incident response plans should have three main goals.
First, the data allegedly exposed should be identified so the business can adequately assess the potential risks. For example, did that data include any “personal information” as defined under the CCPA? Was the affected data encrypted? Are your encryption keys still secure and intact? And so on. Second, if data was exposed, it must be determined where and to what extent that data was disseminated.
And third, remediation should begin as quickly as possible. This includes restoring and securing affected systems, recovering data, mitigating harm, and preventing further compromise.
It’s not too late: prepare your CCPA program today
Despite the uncertainty surrounding what constitutes an adequate cure under the CCPA, a failure to respond within 30 days will forfeit a key opportunity to effectively manage litigation risks moving forward. With the January 1st CCPA deadline getting further behind us, the July 1st enforcement deadline imminently approaching, and customer attention to privacy growing, now is the time to get started on a robust CCPA-compliant program.