Kip Boyle: Welcome to the Cyber Risk Management Podcast! Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, cyber security counsel at the law firm of Newman DuWors.

Kip Boyle: And this is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security-related legal responsibilities.

Kip Boyle: And if you wanna manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our Cyber Risk Managed Program, which you can do for a fraction of the cost of hiring a single cyber security expert.

Kip Boyle: You can find out more by visiting us at CyberRiskOpportunities.com and NewmanLaw.com.

Jake Bernstein: So, Kip, what are we going to talk about today?

Kip Boyle: Jake, today we're gonna talk about the California Consumer Privacy Act, or as it's so often called, the CCPA.

Jake Bernstein: So, Kip, as you know, the European Union's General Data Protection Regulation, which is much more commonly called "GDPR", has really transformed the face of security and privacy compliance and regulation, not just in Europe but around the world.

Kip Boyle: And we're just beginning to see those transformations, but okay, so we said we're gonna talk about CCPA, you immediately mentioned GDPR, but GDPR is European, right? So is there some connection here? What is it?

Jake Bernstein: There is, either that or I just completely messed up my script, but no, there is a connection, Kip, and you know, certainly the European law does apply to US companies. But the reason I mentioned it is that today we will be discussing the first US law that I think is really modeled after the GDPR. And it should not be a surprise that California is the first state to dramatically expand consumer protections that are related to privacy and security, here in the US.

Kip Boyle: Well, so California was the first, I think, back in the, I think it was 2003 or 2004, they were the first state in the nation to have a data breach notification law, so that was another first. And now, today, I think, isn't it all 50 states have one?

Jake Bernstein: I believe so, I mean there might be one state that doesn't, but to my knowledge, every important state, not that they're all not important, but every state that's likely to have a, you know, law suits active within it, has a data breach notification statue.

Kip Boyle: Right.

Jake Bernstein: California really is a leader in a lot of these areas, particularly related to technology and that shouldn't be a surprise to anyone. After all, the modern internet was born in Silicon Valley and it makes sense that California would be the first to look at regulating all this. California was the first to mandate a Privacy Policy. That was one of their original acts, there. And in fact, we'll talk about this bit more, but the legislature in California has a lot of work to do. So, let's go ahead and talk about that, the [crosstalk 00:03:28].

Kip Boyle: Okay, now it's less than a month old, right? The CCPA, and so, what are the highlights of this thing? I mean, I don't wanna read it.

Jake Bernstein: Right, well it's long, and I don't blame you for not wanting to read it and I think we'll hit the subset of highlights, but I think first a little bit of background is in order. So, you know, we've mentioned the GDPR and the GDPR just went into effect but, hopefully everyone knows, it was actually passed in 2016, but it had been in development for almost 20 years. Almost as soon as they passed the 1995 General Data Protection Directive, they began work on what became the GDPR. So, the GDPR is not new, although people think it is.

Jake Bernstein: So the California Consumer Privacy Act though, is new, and it was hastily drafted and passed, and you may be wondering, "Well, why?" And the answer is that it was put together practically overnight, as a compromise solution that was made with the sponsors of a proposed initiative measure. Number 170039 that was a citizen ballot measure that would have created the Consumer Right Privacy Act of 2018, and it was, to my knowledge, quite harsh, very, very anti-business. And one of the little interesting legal realities, at least for California, is that a citizen-passed initiative that becomes a ballot measure, that becomes law, is very difficult to amend.

Kip Boyle: Well, don't they have, is it "Proposition 13", which puts severe restrictions on the increase of property taxes? I think that was a valid initiative.

Jake Bernstein: They do, anything that's titled a "proposition" is one of these initiative measures, and those simply under California's Constitution, those are not easily amended.

Kip Boyle: Okay, and so is it common to see this kind of thing where a ballot initiative is set aside in favor of something that the legislature puts together?

Jake Bernstein: Not to my knowledge. I think the reason this was news-worthy, aside from being kind of a topical, on-point piece of news regarding privacy, this is not that common. So ultimately, what did happen, as you alluded to, was that the CCPA was put forth as a replacement for this ballot measure and getting it actually passed was, and by the way they did it at the last minute. It was passed the day before the deadline to remove initiative measures from the ballot.

Kip Boyle: So the tech industry must have really not liked the ballot initiative, do you think that was the motivation?

Jake Bernstein: Yes.

Kip Boyle: Okay.

Jake Bernstein: I mean, that is clearly the motivation, so anyway, here we are with the CCPA, it's honestly a mess. It's a mess internally, and it's a mess in connection, when looked at more broadly with all of California's other privacy-related and security-related laws.

Kip Boyle: Okay, so now we know how the sausage was made, so what does this actually mean for consumers and businesses, and is it gonna affect people outside of California?

Jake Bernstein: So, those are both really important questions. The first thing is to know that it's a lot like the GDPR insofar as you've got a two-year, kind of grace period, if you will. So, in other words, this law well, it's in effect now but it won't go into [crosstalk 00:07:27].

Kip Boyle: Enforcement?

Jake Bernstein: Compliance won't be required, is a way to look at it, until 2020.

Kip Boyle: Okay, two years, alright.

Jake Bernstein: Which is two years. But, of course, as everyone knows who has dealt with last-minute GDPR compliance, that two years goes by at a blink of an eye.

Kip Boyle: Especially when you're ignoring it.

Jake Bernstein: Particularly when you're ignoring it. And then I would say that, you know, the CCPA is of course just the start. California is a leader in this space. California is a leader in many spaces. I mean, it's literally the fifth-largest economy behind only the United States as a whole, China, Germany and I think, Japan. So, you know, California is massive and, as we've mentioned obviously, Silicon Valley is in California. So you might say, okay, so it does technically only apply to California residents, and it focuses on California residents, but it applies worldwide if you're touching California, which isn't hard to do when it's the world's fifth-largest economy.

Kip Boyle: Right, right, so it's just like GDPR follows an EU citizen wherever they go.

Jake Bernstein: Sort of, yes. The GDPR is actually a little bit different. It talks about location, where you are, whether you're a citizen or not, whereas for California it is kind of citizenship residence that matters. So, in any event, the CCPA is going to have worldwide ramifications for sure, it's going to affect everyone.

Kip Boyle: Okay, so even though this is a California law, I think one of the takeaways here is that the scope is at least national, if not worldwide, and then we also have two years to prepare for enforcement to begin or for compliance to become effective, so what do companies have to do? At this point, what does it seem like needs to be done?

Jake Bernstein: So, the big kind of caveat, asterisk, small print, that this is subject to change, here's where things stand right now: ... we've got kind of a first, something that actually is, I think, innovative and new, is this anti-discrimination component of the CCPA. And in its broad, it's not just a protective class anti-discrimination law, those are well established across the country, in the US Constitution, Bill of Rights, etc. This is a prohibition on all forms of discrimination really, related to or based on data.

Jake Bernstein: Whether that's price discrimination based on credit score or, you know, location or where you are, when you think about it, there's a lot going on here, or even price hikes, because let's say you opted out of certain forms of behavioral marketing. Again, it's early, early, early days, but the commentators are basically saying that this component alone is gonna change how the internet works, if it goes through and is enforced, and the reason is that it's a direct attack on the charge-free, I don't wanna say "free services", because you know, a lot of the services that people think of as "free", it's not that they're free, it's just that they don't cost you money. And that's right, so [crosstalk 00:11:14].

Kip Boyle: Yeah, it's that old saying that if you're not paying something then you are the product.

Jake Bernstein: Right. Exactly.

Kip Boyle: So, Gmail, I've got a Gmail account and I've been using that for years and years, and I haven't paid a penny for that, but I think what you're saying is that information about me, based on what's in my email, is bundled up and sold off to advertisers and so forth, and that's what you're getting at, right?

Jake Bernstein: It is, and that's how all these services are supported. I mean that's what makes, Google, you know, everyone thinks Google is an internet search company.

Kip Boyle: No, they're the largest advertising agency in the world!

Jake Bernstein: Exactly, right? It just so happens that they're powered by internet search, but make no mistake, they are an advertising company.

Kip Boyle: Just like Amazon's a retailer, at the end of the day.

Jake Bernstein: Well, Amazon's funny, right, coz it's both a retailer but its web services business, its AWS, that is truly separate and one of its most profitable endeavors. Anyway, that's a non sequitur.

Kip Boyle: Yeah, sorry.

Jake Bernstein: Though this law will affect Amazon, I mean, clearly.

Kip Boyle: Okay. So, anti-discrimination, so this is really interesting, so when I think about, you know, this is called the Cyber Risk Management Podcast, right? And I've typically been thinking about cyber risks as people who are trying to steal your digital assets and that sort of thing, and sometimes I think about it as, regulators being overly harsh on things like data breach reporting requirements or only having 72 hours to report a data breach, but this feels to me like a different type of cyber risk that's coming at people.

Jake Bernstein: It's definitely a new type of cyber risk. It goes to business models and practices. There's just no question, it is what it is, and I think that if it stays untouched it is possible the CCPA will cause a diminishment or possibly death of a lot of these "free" services, including Gmail. You and I both remember that there was life before Gmail and Hotmail, and you had to pay for crosstalk email service.

Kip Boyle: If I squint really hard, I think I can remember that.

Jake Bernstein: It was a long time ago. You know, suddenly those email addresses that come from your ISP are gonna look a little bit less uncommon if Gmail and things like that have to, I don't know, can't use advertising to support themselves.

Kip Boyle: Okay so, this anti-discrimination clause, does that mean that we can opt out of this data trading that's going on out of our sight, with the information about us, or what does that mean?

Jake Bernstein: So, yes, it absolutely means that you can opt out, so a lot like the GDPR, the CCPA has right to access, right to deletion, right to opt out, it's all there, in different phrases, but it's all there, and it is just like the GDPR, it's extremely broad. It applies to all industry sectors, anywhere in the world if personal data of Californians is involved.

Kip Boyle: Wow. So, real quick question here, we do this a lot of times with different cyber security mandates, like you've got PIPA and PCI for example, and we often will map, ask ourselves, what's in PIPA that's also in PCI? How do these two things overlap? Have you been able or has anybody sat down and done a CCPA-to-GDPR mapping yet? What would you think the overlap is?

Jake Bernstein: Oh, well I haven't. Someone may have. Could be a little bit of a foolish exercise today, simply because it could be a lot of effort for nothing if the law changes.

Kip Boyle: Yeah, but if you were to guess, I mean is this 80% overlap, something like that?

Jake Bernstein: Yeah, 75-ish.

Kip Boyle: That's still quite a bit!

Jake Bernstein: It is quite a bit, I mean, obviously there's a lot in the GDPR that's very specific to the European Union, how it operates, whereas California law can just leave all that out crosstalk focused.

Kip Boyle: So, let's get to the part of the CCPA that is probably similar to GDPR, which is penalties, right? So, GDPR, the penalties can be very large, right? It could be a percentage of your gross revenue, so even if you're not profitable, you can still get a hefty fine. What's the situation with CCPA?

Jake Bernstein: So the CCPA uses a statutory damages model, which is pretty common in the US. So US law and European law are pretty different in quite a few ways. One of those is damages, the need to prove harm. Pardon me.

Jake Bernstein: So, what are the major locking points for class-action law suites involving data breaches over the last decade has been this idea of harm. "Although, oh yeah, we've lost all your data, but did it hurt you? Can you prove harm?" Yeah, turns out there's article 3 constitutional-level requirements, to show that something is a case or controversy, is where this comes from.

Jake Bernstein: But there's ways around that, and one of them is the statutory damages provision that basically says, "Okay, we don't know what your harm is and we don't care. This is worth 'x' dollars per incident or per person, or whatever, and you don't have to prove harm." So, California said, "Okay, $750 per consumer, without having to prove any harm at all."

Kip Boyle: That's amazing! That is absolutely amazing to me, to have that provision in there, knowing what you said earlier, which was that this law was considered a more acceptable substitute to the ballot initiative, and yet to have a no-harm proven clause in here, is really stunning!

Jake Bernstein: So, the statutory damages are pretty common, so for example, the California email anti-spam law, which is pretty harsh, is actually $1000 per email statutory damages, so that can add up quick.

Kip Boyle: Yeah, you could send emails all day long, right, millions of them!

Jake Bernstein: Yeah. But, you know, I think this interesting, I think this is a game-changer. Quick math will show just how much leverage plaintiffs' lawyers are gonna have, and the California AG, just take Equifax, probably because it's a ridiculous, it's a huge example. They lost maybe 180 million people, if all of them were able to sue under California law, and that's debatable, but you'd be surprised how this works out. That would be 135 billion, as in 'B', 'B' as in boy, billion dollars in statutory damages. Enough said. That's a huge, huge number.

Kip Boyle: Yeah, that's a game-changer.

Jake Bernstein: It's a game-changer and, we haven't mentioned it, but the law is providing a clear, private cause of action for security failures. Interestingly enough, there is no inbuilt cause of action for "privacy violations", so that's a major shift from GDPR, which is really, GDPR is privacy-first and security as a privacy enabler [crosstalk 00:19:36]. CCPA is arguably prevention of breaches first, privacy second, and even if it doesn't read that way, the economic incentives and the enforcement powers pretty much make it that way. So, your next question, logically is, "Well, what do I have to do?" And, guess what, it is our favorite phrase, "reasonable security measures" that we've discussed on this podcast many times before.

Kip Boyle: Right, now, is there an explicit connection in CCPA to the Federal Trade Commission, because that's kind of where we have been looking to, in terms of trying to understand what reasonable is?

Jake Bernstein: There's not an explicit, you know, California doesn't do that. They're an outlier in terms of the rest of the country into how their code is organized, how it's written, how it's made. They're actually, in a way, kind of a combination of American-English and then Continental European traditions. So that means it's a combination of common law and civil law. They have a lot of statues, a lot of statutes! They're one of the few states that insists, for no obvious reason, to have a completely different set of civil rules of procedure for state courts, compared to most of the states that basically use a variation of the federal rules of civil procedures. So, you know, California is big enough to do its own thing and so, the answer is [crosstalk 00:21:30].

Kip Boyle: But to say, they're not gonna really point to the FTC.

Jake Bernstein: They're not gonna directly point to the FTC, but reasonable is reasonable, and the way that our system works is that, when you're in court, you're gonna be pulling from everywhere you can, and that's what's gonna happen.

Kip Boyle: Okay, so even though they're not gonna make a hard link to the FTC, then it's still okay for us to think about the way the FTC defines reasonable security measures when we think about CCPA.

Jake Bernstein: It is, yes.

Kip Boyle: Okay, that's great. I mean, in the face of all this it's nice to have that anyway, right?

Jake Bernstein: It is, yeah.

Kip Boyle: Last thing we need is more ambiguity.

Jake Bernstein: Right, and you know, let's quickly run through the ways that the CCPA is like the GDPR.

Kip Boyle: Alright.

Jake Bernstein: We got a broad definition of personal data. You've got transparency requirements about the use of personal data, their rights to opt out. Interestingly enough, there is a right to deletion. I don't know if it's going to look like the same kind of right to be forgotten that we're used to from the GDPR, but, you know, it's in there.

Jake Bernstein: And there are deadlines to comply, there's opportunities to cure similar ideas. But there are also a number of pretty stark differences with the GDPR, one of course we already talked about, just the focus is more on security than privacy.

Jake Bernstein: There are exemptions for smaller businesses, so if your revenue is less than 25 million gross, then this law doesn't apply to you, unless there's a couple other, kind of specific things, relating to selling consumer data, number of consumers you do or if 50% or more, your income is based on selling consumer data. So, if you're smaller than 25 million and you have nothing to do with personal data, then it doesn't apply to you. But if you're smaller than 25 million but you're still kind of a data analytics or marketing-type company, then it probably will apply to you.

Jake Bernstein: So, what else does it do? It creates some interesting financial incentives for the California Attorney General to enforce the law.

Kip Boyle: Financial incentives for the State. Interesting. What's that?

Jake Bernstein: Yes, so, basically what it means is, it allows the AG to sue for penalties and use that money for additional enforcement actions, which is not uncommon. What is a little bit interesting about it is that the AG basically, so in order to bring a private lawsuit, you have to alert the AG that you're going to do it. The AG then has a certain number of days - I think it's 60 days - to decide if it's going to sue instead of you, right? Then it can go after the penalties. If the AG chooses not to, then you as a private citizen can move ahead with your lawsuit. What does that look like in practice? I mean, there's no way the AG's gonna keep up with the Private Plaintiffs Bar, which is powerful in California anyway, so I don't see a major issue if you're a plaintiffs' lawyer, I don't see a major issue to kind of, having everything taken by the AG, the AG just can't do that.

Kip Boyle: Okay, we could probably do a whole podcast episode on whether that's a good idea, but, you know, financial incentives to the AG, and then being able to preempt people who've been harmed, or at least people who've been [crosstalk 00:25:06].

Jake Bernstein: Well, so obviously when the AG takes a case, money's still gonna end up going back to those people who were harmed. I can almost guarantee it was compromise to avoid writing a blank check to the plaintiff's lawyers, because really, what happens, really what's going on there is a class-action lawsuit oftentimes is not a very good remedy for the people who are hurt. It's a very good business for plaintiffs' lawyers, so that's probably what we're looking at there.

Jake Bernstein: So one more thing, this is really interesting, because we're still the USA, CCPA specifically allows businesses to offer financial incentives, including the payment of money directly to consumers, in exchange for collecting and selling their personal data.

Kip Boyle: Well, don't they already kind of do that, so like Gmail example, I have free use of Gmail, so aren't they kind of already giving me something of value for collecting and selling my personal data?

Jake Bernstein: And I think that's the argument that people who say it's not the end of charge-free services are gonna use. What may have to happen, but because of the way the law is written, what you may see is, you know, "We have to charge $10 a month for Gmail, but we will pay you $10 a month to collect and sell your personal data and advertise to you."

Kip Boyle: So, if you opt in, you could get a 10%, I'm sorry, a $10 discount on the $10 price.

Jake Bernstein: Right, or put another way, the cost is $10, but they just happen to be paying you $10 a month as well. So we'll see, this is very speculative.

Kip Boyle: Yeah, that's not European at all.

Jake Bernstein: That is not European, no. That is 100% American.

Kip Boyle: Yeah. Well, I don't know what I think about that, being an American, but I think we can conclude that CCPA is a behemoth. There's so much going on here.

Jake Bernstein: It is, there's a lot packed into this law, and you know, the best part, the confusing part is that none of it's set in stone at this point.

Kip Boyle: Well, why is that? I would expect that since it was passed, that this is it, I mean why do you think there's an opening for change before it becomes enforce it?

Jake Bernstein: Well, so one, the ability to change was actually the point of having this passed as a California legislature law, as opposed to the ballot measure, because a legislature can go in and amend its laws easily, right? Whereas they cannot do that procedurally with a citizen ballot measure.

Kip Boyle: Ah, okay, so even when they passed it, they kinda passed it knowing that it was still sort of wet clay, and they could still mess with it later on.

Jake Bernstein: I agree with some comments that have been made that they actually have to mess with it quite a bit. The reason is that it's not really even internally-consistent, and it openly conflicts with other California privacy and security laws, like the Data Breach Notification Law, the Privacy Policy Requirements, so there's no way to get around the fact that the legislature has a lot of work ahead of it to craft some kind of consistent, sensible framework for this topic.

Jake Bernstein: My takeaway, my closing thoughts before we get to yours, are that now that the internet is here to stay, you know, there's really no risk that the internet is going to fade away, right? There were some who may have thought it was a fad, as recently as 20 years ago, and there were a lot of laws passed, specifically to prevent liability and protect internet companies from being sued. The ironically-named Communications Decency Act gets a lot of press about this, and it's the act that Backpage.com used to defend itself when it was pimping, you know, underage girls and victims of human trafficking, right?

Jake Bernstein: What the point of that was, was just to say, "Okay, if you're a third-party, if you're a platform, then you cannot be treated as the publisher or the speaker of content posts by third-parties."

Kip Boyle: Yeah, I think you'd be like a common carrier, I think is the term.

Jake Bernstein: In a sense, yeah. And there were a lot of laws like that, including in California, but I think what's gonna happen now is that we're going to, I think sort of take back control, and we've already seen this happen, right? People have called the internet "The Wild West", right? Well, what happened to the Wild West? It got tamed, it became civilized. And I think it's clear that the internet is becoming more heavily policed and regulated, and so it goes that the Wild West of the internet is giving way to a much more city-like urban feeling, and that's not good or bad, it's just inevitable, it's just how it is.

Kip Boyle: Okay. So we can expect more laws like this, not less. We certainly shouldn't expect that this is gonna be repealed.

Jake Bernstein: Oh, no, it's not gonna be repealed but it will be modified and fixed up and it's not going anywhere.

Kip Boyle: Okay, yeah, interesting. Well, this is great. I really appreciate the opportunity to talk about this new cyber risk that our listeners are gonna have to face and consider how to deal with, but it also sounds like really, what we've got here, is kind of a two-year sort of spectator period, right, because I think what you're saying is, this thing is going to come into effect, it's gonna become enforceable, but we can expect there's gonna be more changes before that happens. So it sounds like we're gonna have some period of time to adjust.

Jake Bernstein: We will, although I would caution listeners to not be complacent about this one, because some of these changes that are coming to the internet as a business model are seismic, right? So one of the reasons you get two years, is you need to figure out if your business model is sustainable and what you're gonna do about it. So, yes, details of execution and little pieces here and there are gonna change, but I do not expect the broad concepts and requirements to go anywhere, which means, get started yesterday!

Kip Boyle: Right, and if you're a provider of what they call "freemium" services, where there's a level of service you offer that's free, but has a reduced functionality with the idea that people are gonna pay and do upgrades, I guess this is really gonna affect those people, right? Because they're probably taking some of the information that they get from people who are getting free service, and maybe even some of the people are paying and they're supplementing their income in a way.

Jake Bernstein: Yeah, so that really depends. I think that some freemium models are advertising-supported, there are other freemium models where they just want to get you hooked on a product and their actual business model is to sell, you know, like Slack, for example. Slack is a good example.

Kip Boyle: Yeah, okay. So obviously, it's gonna have an impact on the tech scene.

Kip Boyle: Okay, well that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about the California Consumer Privacy Act, or CCPA, and thanks for being here. We'll see you next time.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and it needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber-hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber-hygiene, then please contact us and consider becoming a member of our Cyber Risk Managed Program.

Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com and NewmanLaw.com. Thanks for tuning in. See you next time!