EP 45: CCPA regulations and the New York SHIELD Act
Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.
Sign Up Now!
About this episode
January 21, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, give an update on CCPA and the New York SHIELD Act.
Kip Boyle: Hi everyone. Before we get started, Jake and I have a small request. You see, we're coming up on our 50th episode and that got us thinking about the next 50 episodes and to do a great job with them, we need your help. So please go over to b.link/survey50, that's b.link/survey50 and tell us what you want to hear. Thank you. Okay, here's the next episode.
Speaker 2: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com andfocallaw.com.
Kip Boyle: So Jake, what are we going to talk about today,
Jake Bernstein: Today Kip, we're going to talk about the California Attorney General's CCPA regulations and some amendments to the California Consumer Privacy Act. And we're going to make it a twofer and take a look at the New York SHIELD Act.
Kip Boyle: All right. So this is sounding like a very lawyerly episode and you're doubling up on us. What's going on? Why?
Jake Bernstein: Well, it is definitely a lawyerly episode and the reason that I am doubling up is really because the regulations and the amendments and the SHIELD Law, they're all connected and none of them are actually new, they're updates. So I figured why use an entire episode on just one of these when we can cover both and give people an extra efficient listening experience.
Kip Boyle: All right. So, that makes sense. But you did say one thing that I think a lot of people on the surface would not agree with, which is that they're all kind of the same. I mean, this is California versus New York. There's nothing similar about these two states, except you're saying their privacy laws are?
Jake Bernstein: Well, you know exactly where this is going and anyone who's listened to us for any length of time knows that it's all about reasonableness.
Kip Boyle: True. True, okay. All right. Well then I guess we better dive in here. So CCPA and then SHIELD Law. So where do you want to begin?
Jake Bernstein: Well, let's go ahead and talk about the SHIELD Law first. And I know it sounds like something out of the Avengers, but in this case it is New York's overly clever set of amendments that they have made to their data breach notification loss and SHIELD stands for, Stop Hacks and Improve Electronic Data Security. Pretty good, right?
Kip Boyle: Our stalwart legislators are never for the want of a really great acronym.
Jake Bernstein: No, I agree. Well, I wish ours had done that here in our state of Washington. We amended the Data Breach Law too, but we didn't have a cool acronym for the name, so.
Kip Boyle: Okay. All right. Okay, but the CCPA regulations and amendments, didn't this thing already get passed and what's going on here? Why are we still talking about it? I thought it was a done deal.
Jake Bernstein: So you remember grade school and Schoolhouse Rock, right? How a bill becomes a law?
Kip Boyle: I am a man of a certain age. I remember that.
Jake Bernstein: You remember that? Good. I suspect that perhaps some of our listeners don't, but is it really-
Kip Boyle: Did we license the clip? Are you about to play it?
Jake Bernstein: I am not. We did not license the clip. I will just say instead in my own words that a bill is a proposed law that goes before the legislature and when it gets passed, it becomes a statute. And a statute is the actual law that the legislature has passed. And sometimes, statutes will contain instructions to other government agencies like the Attorney General, for example, that their agency should pass regulations. And regulations are yet more rules that are designed to help you follow a specific law. I phrased that funny. They are additional rules that you must follow in order to comply with a given law.
Kip Boyle: Oh okay.
Jake Bernstein: And I think for purposes of our audience, regulation should just be considered more rules, follow them. And so with the CCPA, yes, the original CCPA was passed back in 2018, but they have been amending it down in California. In fact, it's supposed to go into effect on January 1st, 2020, which is-
Kip Boyle: Just around the corner.
Jake Bernstein: Around the corner. And here it is, at the time this episode is recorded in October of 2019, they were still amending the law. It's kind of crazy.
Kip Boyle: It's very confusing. As a practitioner, I very much dislike this. Please tell them to stop.
Jake Bernstein: And you are not the first person to have said that exact same thing. And we can't, because they are going to do what they want. And here's what's even better, the CCPA for as consumer friendly as it is, there are citizens down in California who don't think it goes far enough and guess what? They have a ballot measure coming as well. So just when you thought it was safe to think about operating the privacy, some kind of privacy program, you may have to start over.
Kip Boyle: It's interesting. We talk to customers about how cyber is a dynamic risk and that's because the nature of the risk is always changing. It's morphing and mutating because the criminals and the other people causing trouble on the internet are always changing their tactics. And now I'm starting to feel like privacy is a dynamic risk to our customers as well.
Jake Bernstein: It definitely is. And it's going to remain that way for quite some time, because the fact is that we don't yet have a good handle on what we really, as a society, want the law to be. And I think you see that very clearly in the California amendments and regulations, which are just totally confusing.
Kip Boyle: Okay. But we're going to try to put a little clarity into the situation, right?
Jake Bernstein: Yes, we are. And we're going to go ahead and start with the New York SHIELD Act. So the first thing that any business should know is that, this is New York state, but because New York's law covers all employers, and individuals, or organizations, regardless of how big they are or where they're located, if they collect private information on New York state residents, this law applies. So-
Kip Boyle: It sounds very European.
Jake Bernstein: It is, of course.
Kip Boyle: Because the GDPR, it's citizen focused, right?
Jake Bernstein: It is. And technically, so is the CCPA. So is the hypothetical Washington Privacy Act. All of these basically trigger off of citizenship or location. And-
Kip Boyle: These people have just got to stop moving around. They just need to stay still for a while.
Jake Bernstein: Or we could do away with the internet and make it back, we could go back to when in order to affect someone really, you had to be next to them.
Kip Boyle: Oh, I can't wait to bring out my bound Encyclopedia Britannica I knew one day it would be worth hanging on for.
Jake Bernstein: So anyway, this New York Law, the SHIELD Act, goes into effect March 21st, 2020 so mark your calendars. And what it does is, requires the implementation of an information security program to protect private information. And this private information, it's expanding. The definition is expanding. It used to be five years ago, that when an American statute, and I mean, whether it was federal or state said private information, it was probably something like your name with a social security number, or driver's license, or something like that.
Kip Boyle: Yeah, bank account number.
Jake Bernstein: Yeah, and that's still the case, of course. And there's still the idea that things have to be coupled with other items, but what those items are is expanding. So under New York's new law, a username or email address in combination with a password or a security question, that's going to be personal, that's going to be private information. Any kind of individually identifiable information that comes with an account number or some kind of financial access account, that's personal information. And then any kind of name, number other identifier, if it also comes with any kind of social security number, driver's license, identification card number, account number, creditor, debit card, access code, password, and including biometric information, it's all private.
Kip Boyle: Would you say that the list of private information here is the same as the GDPR definition? Is there a lot of overlap? Is it the same list?
Jake Bernstein: So it is not the same list and that's, of course, where it gets confusing. The GDPR remains the broadest definition. Personal data under the GDPR is basically any piece of information that can be used alone or in conjunction with another piece of information to identify a natural person, which is a huge, very broad definition. This New York-
Kip Boyle: Yeah, that's a lot.
Jake Bernstein: Yeah. This New York law is much more specific, which in some ways makes it easier to comply with.
Kip Boyle: All right. All right.
Jake Bernstein: So now what does the New York SHIELD Act do? Well, it builds in a lot of what people should be used to who've listened to us at least is, it talks about reasonable administrative safeguards, reasonable technical safeguards, reasonable physical safeguards, all of which need to be designed to prevent the basically foreseeable external and internal threats.
Kip Boyle: Okay. So, so far, really very little that you've been talking about is net new. And doesn't New York state already have a Financial Services Division law that essentially says, "Hey, you need to have a reasonable information security program." Is this duplicating anything?
Jake Bernstein: So here's the thing, that law, or I should say the New York Department of Financial Services cybersecurity rule, that's actually a regulation that only applies to financial institutions in New York. So what the SHIELD Act does is basically expand that cybersecurity rule to every business in the state. So you're right. It's not- What I'm saying isn't new, but what is new is the scope of this law and who is covered under it under New York law.
Kip Boyle: Oh, okay. That helps understand it, okay.
Jake Bernstein: Yeah. So, in fact, the language of the SHIELD Act is pretty close to the language of the New York DFS cybersecurity rule and there's a lot of- It's interesting because unlike other laws, the New York one actually goes into some detail about what your data security program has to look like. It says that you need to do risk assessments, you need to have workforce training, and you need to have incident response planning, and testing. So to me, I find that actually helpful, particularly, when you and I are trying to get clients to take seriously these rules and requirements, that kind of specificity is helpful. It's also helpful for the companies who want to comply early, because they're not doing so much guessing.
Kip Boyle: Yeah. It's funny because on the one hand, I don't want a law to be prescriptive. I don't want a regulation to be overly prescriptive. I need some room to maneuver, but then the other side of that coin is when it's not specific, people just don't really take it as seriously as when it is prescriptive. It's strange. I can't decide which I want.
Jake Bernstein: Yeah. And it's- I mean, I think for me, New York is doing a pretty decent job of walking a line between too specific and not specific enough. And I kind of like where they've ended up. Time will tell as to how effective it really is.
Kip Boyle: So you like a little from column A, and a little from column B, and you're good.
Jake Bernstein: Yeah.
Kip Boyle: All right.
Jake Bernstein: Well, I just think it's helpful for people who don't know where to start to get some idea. And by the way, failure to implement a compliant information security program will be enforced by the New York state Attorney General. And the civil penalties are up to 5,000 for each violation. So, it-
Kip Boyle: So in other words, not having a reasonable information security program will cost you $5,000 or does it get more granular than that?
Jake Bernstein: It's unclear. Hypothetically, there have been cases where Attorney General will take this type of language and say that every record lost in a data breach is a violation. So, this could be anywhere from 20 to $25,000, which does not seem like a lot, all the way up to unimaginably large amounts of money. So it will just depend on what the New York AG does with it.
Kip Boyle: Okay, so remains to be seen.
Jake Bernstein: It does remain to be seen. And I think there's some good points made in various articles about this, that look, even if they are not finding you very much, getting investigated, sued, and signing some kind of consent decree with the New York Attorney General is not going to look good. And it's going to raise supply chain issues with your business partners. Imagine trying to get through a due diligence process, and you have to disclose that, "Oops, I had to sign a consent decree with the New York Attorney General." Just not good.
Kip Boyle: Yeah, okay. All right, cool. What else do we need to know about the SHIELD Act?
Jake Bernstein: I think for the moment, that's all we need to talk about. The SHIELD Act is not a crazy new thing. What is different about it is the scope.
Kip Boyle: And don't forget, it's super fun name, unlike the other one.
Jake Bernstein: It does have a great name, yes. And there are even exemptions for small businesses. You've got less than 50 employees, less than 3 million in gross revenue, then you can scale your data security program. So there's a little bit more to it, but ultimately this is something that is, in my opinion, is a good thing. And it's not that different than the existing Department of Financial Services Regulations other than inaudible.
Kip Boyle: So we were saying a few moments ago that CCPA is continuing to be monkeyed with. What about the SHIELD Act? Is it pretty much... Is it now pretty much what it's going to be once it comes into enforcement?
Jake Bernstein: So yes, the SHIELD Act is what it is. And I should be clear, the way the CCPA has evolved is not... It's kind of abnormal for a law. A lot of it goes back to the history of how the CCPA was drafted and passed. It basically got done in a couple of days. And so, because of the speed with which the first version was passed, it was kind of known that this would happen. Most of the time, and the SHIELD Act is a good example, legislatures will take their time. Sometimes it takes years to pass. And so that's kind of what happened with the SHIELD Act is that it had come and gone. And this version of it is what eventually popped out the other side. So sausage making is-
Kip Boyle: Well, I'm just going to go back to my previous comment that New York and California couldn't be more different in this case.
Jake Bernstein: It's true. Yep, it is true. So-
Kip Boyle: Okay. So nothing more to be said about New York SHIELD at this point-
Jake Bernstein: We'll have to revisit after there's some enforcement action, but let's move on to the fun stuff, which is the California Consumer Privacy Act. So-
Kip Boyle: All right. Let's dig in. Confuse me some more, sir.
Jake Bernstein: So as I mentioned, you've got two different things here. You've got the CCPA amendments, which most of those went to the governor's office in September 2019, and as of the recording date have been signed. You also have draft regulations. Now, when I say draft, I truly do mean that these regulations were released by the California Attorney General in mid October, 2019 and they will be available for public comment up until early December, 2019.
Kip Boyle: Have you looked at them?
Jake Bernstein: Oh, yes, I have. And the regulations are supposed to be finalized by July 1st of 2020. So that's kind of your timeline on these.
Kip Boyle: So we've got time to register our displeasure.
Jake Bernstein: Yes and no. You've got about a month and a half to put your two cents, but you do not have until July to become compliant. That's just-
Kip Boyle: Okay, so we've got to move a little quicker than that.
Jake Bernstein: Move at little quicker-
Kip Boyle: Okay, what do you want to share with us?
Jake Bernstein: So I'm going to share some of the amendments that were done. There were, gosh, there were probably half a dozen to a dozen different bills that were talked about and thrown around over the summer. And the ones that have gone through basically, create some exemptions and clean up the California Consumer Protection Act in some pretty interesting and important ways. Kind of the... One of the main one is this employee kind of job application, internal exemption. Basically, someone who's giving you information as part of a job, attempting to get a job. There's just some different rules around that, but-
Kip Boyle: It's still personal information, right?
Jake Bernstein: It's still personal information, but the level of notice and there's... So, I can rephrase that. Yes, it's still personal information. And what they chose to do was give a one year grace period. So the collection of personal information is being exempted for one year-
Kip Boyle: For people who are collecting job applications.
Jake Bernstein: Yes. Provided the information is collected and used solely within the person's role. Like all of this stuff with California and the CCPA, it still isn't particularly clear because guess what? The regulations which are supposed to help clear the of stuff up don't yet take into account these new amendments.
Kip Boyle: Great. Oh, as a practitioner, I'm just tingling with anticipation.
Jake Bernstein: Yep, yep. So there, there's also some exemptions for business to business context and information collection. There are exemptions for personal information that reflects a written or verbal communication and different types of communications within the business to business context. Things that you would expect, like during a due diligence about the company, you're going to collect a bunch of information about it. And a lot of that stuff is going to be exempt from the CCPA. And you might say, "Well, why is that the case?" And-
Kip Boyle: Why is that the case?
Jake Bernstein: And I think a lot of this is the result of a bunch of disparate lobbying. And I think it's the case because this is ultimately about consumer privacy and not so much about kind of making it administratively challenging just to conduct a business. The app does that enough with respect to consumers that we don't need to tack on business to business communications and business to business information as well.
Kip Boyle: Well, that's interesting, because when I hear you talk about business to business, I can't help but to think about HIPAA and the way the regulation talks about business associates and actually lashes together a lot of business to business transactions to bring it into scope of HIPAA's requirements. So it's interesting how this one seems to be focused on carving that out of-
Jake Bernstein: Well, so it's... We could spend hours kind of going through the details of the CCPA. Stuff like HIPAA is already accounted for elsewhere. And these obligations, I guess it helps to kind of mention that what the CCPA does is create about eight consumer rights that range from a right to have certain types of notice, and a right to deletion, and a right to access. And it is those rights that are being kind of restricted with respect to some of these business to business communications. You still can't sell the data and there's still a private right of action for data breaches. It's just basically saying that in the business to business context, we don't want individual people to request that information be deleted from business systems. It just gets very... It's very messy.
Kip Boyle: Yeah, don't we know it, right? I mean, these are some of the conversations we're having even today with our customers.
Jake Bernstein: It is, it is. So here's one of the interesting ones is that, the definition of personal information under the CCPA is a lot broader than the New York SHIELD Act and-
Kip Boyle: And compared to GDPR?
Jake Bernstein: It's pretty close. So here's what it-
Kip Boyle: Okay, so wait a minute. So as a practitioner, I cannot follow multiple different discreet definitions of personal information and it probably isn't a good idea for me to just adhere to the lowest common denominator. So should I just pick the most expansive definition of personal information and just use that? I mean, what would you suggest?
Jake Bernstein: Well, that is an ongoing debate within a number of legal circles. Usually, what I would say is, start with the most stringent rule that you have to comply with and then also pay attention to your kind of locally applicable one. So let's say you're in California doing business as a global company. You probably aren't going to focus too much on New York's definition, particularly because it's weaker, but you should pay attention to GDPR and you have to pay attention to CCPA.
Kip Boyle: All right, all right. Well, okay so there's at least a little algorithm for everybody in the audience.
Jake Bernstein: There is, yes. And maybe a better example, or just a different example would be, if you're a Texas company and you're a global company, you're probably going to be paying the most attention to the GDPR and that's going to get you most of the way to these regimes.
Kip Boyle: Oh, that's actually really helpful. So if you're GDPR, if you're paying attention to that, then this episode is not really going to cause you a lot of fuss in terms of having to do a lot of extra stuff.
Jake Bernstein: Not a lot of fuss. And I want to be very, very careful and clear on one thing, it's not because there is some kind of special exemption or rule that says, "If you are GDPR compliant, then you don't have to worry about these other laws." It is simply that the process that you go through in order to be compliant with GDPR happens to also highly compliment the same process that you have to go through to be compliant with the CCPA or the SHIELD Act.
Kip Boyle: Okay, well then, actually that's a little bit of good news because in general, what I find is that anytime somebody's requiring cybersecurity, there's so much overlap between one regulation versus the next, HIPAA versus PCI, whatever. And so as these new things come along, you can just sort of look for the differences.
Jake Bernstein: You can. And I think the hardest part for practitioners in this case is where these laws differ in the affirmative privacy rights and the exemptions, because a business can decide to just follow, for example, GDPR for everything, but that can get really expensive and not every business is going to want to do that. The flip side of that is that if you're going to be law by law, then you have to keep track of a lot of specifics.
Kip Boyle: Okay.
Jake Bernstein: So moving on with just a few more examples here. I think one of the more interesting revisions here- Oh, sorry. Personal information, what they did is they added reasonably. So now under California law, personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household. How do you like that?
Kip Boyle: My head is swimming. Congratulations.
Jake Bernstein: Yes. So that is-
Kip Boyle: What does that mean? Please put that in normal language for me.
Jake Bernstein: So the tough thing about the way that CCPA does things is that it creates an almost meaninglessly broad definition and then starts carving chunks out. So here's a fun one that we can kind of talk about, the amendments... There was a definition of personal information about publicly available information being exempt. And you're probably thinking, "Wait, what? How does that even work?" And there was this weird and difficult to apply standard that required interpretation of a purpose related to public records collective by the government. I'm serious, the way that this law read, it does not do... I'm not honestly sure how many different people must have tried to write this at the same time, but it does not come across very well. And so what they did is-
Kip Boyle: Understatement.
Jake Bernstein: Exactly. So the amendment actually does help. What the amendment did is they said, "Okay, hold on. This is ridiculous. What we're going to say is that personal information does not include information that is publicly available, and for purposes of this paragraph, publicly available means any records that are lawfully made available by a state, local, or federal government body."
Kip Boyle: So that doesn't mean somebody who posted a whole bunch of passwords on Pastebin, that doesn't mean that those passwords are no longer private under the law?
Jake Bernstein: Correct, because Pastebin is not-
Kip Boyle: That was not lawfully?
Jake Bernstein: Is not a government agency. It's not a public record. So-
Kip Boyle: Okay. So I can't argue that just because I got hacked and the passwords for all my customers were exposed, I can't say "Well, who cares? Because all those passwords are over there on Wiki Leaks anyway. So, I shouldn't get in trouble."
Jake Bernstein: You definitely cannot argue that. In fact, I think it goes further. I think that what this really means is that if you get your personal... If you get information from a public record, that particular information is not personal information, but if you get the exact same information directly from the consumer, it is personal information.
Kip Boyle: So if a consumer gives me their home address, I have to protect that. But if I get their home address by going to the county courthouse and looking at their deed on their mortgage, then that's different.
Jake Bernstein: I think so. And to be totally honest, Kip, I'm not sure because I can't figure this out quite yet.
Kip Boyle: All right. Stump the lawyer.
Jake Bernstein: I just had this conversation with a colleague in real life, a client asked this question. I don't think I have a great answer because let's think about that for a second before we wrap up this episode, which is, I think what you said is correct. Now, if you say... What if we say that, "No, that's crazy, it can't mean that." Instead, we just say that, "Well, your name and address are in that public record, so therefore your name and address aren't personal information." Well, doesn't that kind of gut the entire concept of this privacy act?
Kip Boyle: Well, you know what? It probably... It certainly weakens it. And the reason why I pose that question to you is because I am sure that there are going to be entrepreneurs and people leading businesses who are going to try to figure out ways to lighten their burdens on this stuff. And if they can say that, "Hey, this data's not subject to these regulations and laws because I abided by their exemptions, and this is how I got that information." So it's like, I'm just trying to predict the kinds of things I'm going to hear in the not too distant future.
Jake Bernstein: No, I think you're right. I mean, and to be honest, it was a group of industry Lobbyists who got this particular bill passed. And I don't know that it's going to stay around because it really is very confusing. I think what will be interesting is when the Attorney General gets around to updating the draft regulations to take into account these new amendments, I mean, this whole episode is a confusing morass of gobbly-gook. And I think the reason for that is that, that's what we're actually dealing with out of California.
Kip Boyle: Okay, so noted. Did you want to add anything else confusing or otherwise to the episode before we wrap?
Jake Bernstein: I would say that, anyone who needs to comply with the CCPA definitely needs to be looking at those draft regulations. They are... Let me see here. At least this PDF I have is 24 pages of draft regulations. And there's a lot, unlike the law itself, there's a lot of specific detail in here. That's one of the things that regulations are often used for. A good example is environmental law. There's no statute that says you can only have 1/1000 or 0.006 parts per million of lead in the water. That number comes in a regulation that the expert agency comes out with. So-
Kip Boyle: Okay. So we're going to have to hold a vigil, I guess, is what I'm hearing you say over CCPA to find out where it actually all ends up at- crosstalk.
Jake Bernstein: We probably will end up doing multiple episodes on just certain sub parts of these regulations. For example, as a sneak peek, there is an entire article on business practices for handling consumer requests. And you might think, "Well, how hard can that be?" But Kip you and I have talked about the challenges of authentication, identification online. How are these businesses going to know who is submitting valid requests? And that's what this whole, what is this three or four pages worth of text is about. So there's a lot to do here, and it's going to involve both privacy professionals and cybersecurity professionals to help put this all together.
Kip Boyle: Well, it seems like our podcast was tailor made to help decode the CCPA. God help us all, but that's what we're going to do if that's what needs to be done.
Jake Bernstein: Yep that's what we'll do. And we'll do it for our listeners, because that's how much we care.
Kip Boyle: All right, everybody. That wraps up this episode of the Cyber Risk Management Podcast. Today, we talked about the California Attorney General's CCPA regulations and the New York SHIELD Law. Thanks for being with us. We'll see you next time.
Speaker 2: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunitiesdotcom and focallaw.com. Thanks for tuning in. See you next time.
Sign up to receive email updates
Enter your name and email address below and I'll send you periodic updates about the podcast.
Cyber Risk Opportunities