Tag Archives: ccpa

Vast Implications of the CCPA

The California Department of Finance recently wrote a Standardized Regulatory Impact Assessment (SRIA) of the California Consumer Privacy Act of 2018 (CCPA). The SRIA was prepared for the Department of Justice, the primary regulatory body, whose work is hoped to provide some clarity over what remains a confusing array of obligations for most California businesses. The Department of Finance is required by law to do these assessments when the proposed regulation has an economic impact of over $50 million.

The Department of Finance went to great lengths to separate the cost of compliance with the CCPA as opposed to the costs generated by possible regulations from the Department of Justice. As to the former, per a letter dated Sept. 16 from the Department of Finance to the Department of Justice, “The SRIA estimates that the initial cost of compliance may be up to $55 billion.”

As noted in the report, “Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises.” The definition of small business in the full report appears to be based on an estimate of how many employees would need to generate the revenue necessary to constitute a business as defined in the CCPA. As a result of this calculation, it is estimated that a “small” business would have at least 250 employees.

This analysis, however, does not take into account the impact of the CCPA on a small business that acts as a service provider to a business but does not itself qualify as a business under the CCPA. Using the Finance methodology, this would mean any service provider with fewer than 250 employees that receives personal information from a business. These service providers will need to respond when their business customers start asking for revisions in contracts to meet CCPA obligations, and to show they are otherwise compliant with the obligations of service providers under the act.

See also: Keys to California’s Consumer Privacy Act  

The report also notes, looking to the experience of the European Union (EU) and the General Data Protection Regulation (GDPR): “Conventional wisdom may suggest that stronger privacy regulations will adversely impact large technology firms that derive the majority of their revenue from personal data, however evidence from the EU suggests the opposite may be true. Over a year after the introduction of the GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs.”

The Department of Finance makes the assumption there will be a fairly static compliance environment after Jan. 1, 2020. That may not be a correct assumption. Alastair Mactaggart, the father of the California Consumer Privacy Act of 2018 (CCPA), announced recently he will be going back to the ballot in 2020 with the cleverly named California Consumer Privacy Act of 2020. At least part of the motivation behind this, according to Mactaggart, is to keep the legislature from weakening privacy protections – a much more difficult task when a law is enacted as an initiative measure. Following his initial filing with the attorney general on Sept. 25, Mactaggart filed a slightly edited version of the proposal – now titled the California Privacy Rights and Enforcement Act of 2020 (CPREA) – on Oct. 2. The new moniker for this may have something to do with messaging in anticipation of a campaign next fall.

While the business community is attempting to negotiate with Mactaggart and his coalition in an effort to ameliorate the impact of this initiative, in the rapidly changing world of technological innovation nothing is static. The initiative process in California, however, is public process cast in quick-set concrete. Regardless of what is put into this ballot measure regarding future amendments in the legislature, the proponents of this law will invest in themselves the prerogative to decide what is “in furtherance of” their grand scheme. Their self-serving bureaucracy, the California Privacy Protection Agency (CPPA), is an effort to create a semi-autonomous state within but unaccountable to any of the apparatus of state government. While disdainful of the legislative process, this agency would be governed by a decidedly political five-member panel, two appointed by the governor, one by the president pro tem of the Senate, one by the assembly speaker and one by the attorney general.

No mention of the insurance commissioner — just in case you missed that omission.

See also: In Race to AI, Who Guards Our Privacy?  

Regardless of the fate of a ballot measure on privacy, we are now in an environment where multibillion-dollar compliance costs are table stakes. For those who can afford it, it will be business as usual, even if slightly disrupted. For those who cannot, compliance is a death knell to innovation. Promising technologies that are dependent on personal information will be stifled unless Big Tech can grab it and afford the cost of putting such innovations to market. This affects all aspects of California’s economy.

But when Big Government and Big Tech are the only easily identifiable winners in a public policy debate, can we expect anything more?

Keys to California’s Consumer Privacy Act

On June 26 of this year, Connecticut Gov. Ned Lamont signed HB 7424, the state budget bill. Among the provisions in this over 200-page piece of legislation: “The bill repeals the state’s information security program law, replacing it with provisions substantially similar to the National Association of Insurance Commissioners (NAIC) insurance data security model law.”

This is remarkable for two reasons. The first is Connecticut doing something no state west of the Mississippi has done – adopt the NAIC Model Law. The second is the Connecticut legislature actually repealed outdated laws before it adopted the new ones. Clearly, these people have never been to California.

Which brings us to the California Consumer Privacy Act of 2018, or what is now affectionately known as the CCPA. Insurance companies are anxiously anticipating the outcome of several assembly bills amending the CCPA that are awaiting action by the Senate, now that the legislature has returned from summer recess. Regardless of the changes, it remains likely – even though unnecessary – that the CCPA will “go live” on Jan. 1, 2020.

Given the number of cans kicked down the road by the legislature this year on important CCPA issues, it will be difficult for regulators to provide much needed clarity by the July 1, 2020 rule-making deadline. What regulations are adopted will likely be subject to quick change once the Jan. 1, 2021, iteration of the CCPA takes shape during next year’s legislative session. It will also be difficult for the attorney general to provide advice to businesses or third parties on how to comply with the CCPA, a requirement the attorney general feels, correctly, is a bit at odds with his obligation to enforce the CCPA. Maybe that, too, will be part of the 2020 agenda.

In the meantime, insurance companies are faced with an increasing number of privacy and data security requirements not associated with the CCPA. For insurers doing business in New York or states that have adopted a form of the NAIC Insurance Data Security Model Law, compliant practices are being developed right now. In the case of New York and its Cybersecurity Requirements for Financial Institutions, 23 NYCRR 500, the “go-live” date was March 1 of this year. The New York regulation became effective one year after publication but also had a two-year transitional period before full compliance was required. That implementation process could have been emulated for the CCPA. Instead, there appears to be a hard effective date of Jan. 1, 2020 even as key amendments are still being negotiated.

And remember, while the attorney general cannot bring an enforcement action until the earlier of July 1, 2020, or the adoption of regulations, lawsuits can happen right away. More accurately, lawsuits can commence after the 30-day notice and right-to-cure provisions are triggered.

The CCPA has a series of “data exceptions” that are evolving. While entities such as insurance companies are not exempt from the new law, certain personal information (PI) of “consumers” is. Among those exemptions is PI collected that is also subject to the Gramm-Leach-Bliley Act (GLBA), 1999 legislation that ushered in privacy protections and rules for the safeguarding of PI by financial institutions when the merger of banks, investment firms and insurance companies became authorized. GLBA also required states to undertake certain actions in terms of privacy of PI; if they did not, the information practices of insurers (and others) would be subject to federal regulation. States could provide greater protections than the federal law but not diminish them.

See also: First of Many Painful Privacy Laws  

So, the NAIC and the California Department of Insurance sprang into action. California adopted portions of NAIC model regulations governing privacy of financial and health information, and additional regulations governing the safeguarding of that information. While the Department of Insurance was adopting portions of these models, it also provided additional privacy protections and conformed the new privacy regulations to already existing statutory protections in the Insurance Information and Privacy Protection Act (IIPPA). In addition, the legislature adopted the California Financial Information Privacy Act (CFIPA) as part of providing greater privacy protections for California residents and customers of financial institutions (including insurers) than required under GLBA.

As part of the expansion of privacy protections beyond those contained in the federal law was the characterization of a workers’ compensation claimant as a “consumer” under certain circumstances. While this activity was going on, the Federal Trade Commission (FTC) adopted the Privacy Rule – relating to information practices and providing the ability for consumers to “opt out” of having their information shared. It also adopted the Safeguards Rule, requiring a financial institution to develop, implement and maintain a comprehensive information security program.

After this great rush of legislative and regulatory activity in Sacramento and Washington, D.C., during 2000-2002, the pace of new regulation of privacy practices of insurers slowed. Newer iterations of the NAIC model regulations were not adopted in California, and neither was the later iteration of the IIPPA. The legislature continued to push out privacy-related bills at a dizzying pace, including the California Online Privacy Protection Act (COPPA), 2003 legislation requiring operators of websites and online services that collect PI about the users of their site to conspicuously post their privacy policies on the website and comply with them. The COPPA has been amended several times to keep up with technology. It is not in conflict with the existing requirements of entities that fall under GLBA. Indeed, analyses of Assembly Bill 68 (Simitian), 2003 legislation creating the COPPA, suggest that part of the intent of this legislation was to have other businesses operating on the internet adopt the same policies and practices as financial institutions under GLBA.

The CCPA does not amend the COPPA, or even refer to it. Instead, the CCPA adds even more content on business’ websites so the new rights allowed under it can be exerted by consumers. Both the CCPA and COPPA want their notices to be “conspicuous” and on the business’ home page. It’s going to get crowded on home pages.

In March of this year, the Federal Trade Commission (FTC) announced it was proposing to revisit both the Privacy Rule and the Safeguards Rule under GLBA. The changes as they relate to the Safeguards Rule will closely track the NAIC Insurance Data Security Model Law and the New York Cybersecurity Regulation. Once adopted, the changes may result in more action from the NAIC. None of this will occur in 2019, and maybe not even in 2020, but the landscape for privacy protection and data security for insurers and insurance organizations will be in a state of flux at least through 2021.

The authors of the CCPA acknowledged that, within the patchwork of state and federal laws governing PI, some safeguards are adequate. The initiative measure upon which the CCPA is based provided data exceptions for PI covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These data exceptions were expanded to include other laws, including GLBA and the CFIPA, during the legislative negotiations in 2018 that resulted in the initiative being withdrawn. In the rush to forestall an initiative and pass something to send to then-Gov. Jerry Brown before the end of June last year, the California legislature did what it all too often does: add new laws without regard to existing ones addressing the same issues but in a different way.

Because only certain PI is exempted from the requirements of the CCPA, businesses that collect and disclose exempt data must nevertheless maintain the architecture of the CCPA for non-exempt data. Consumers who seek to exercise their rights – assuming they will read properly crafted notices on business websites – will access a series of links only to be told that the PI they are seeking to control or delete really isn’t PI, even though it includes the consumer’s name, address, Social Security number, etc. It’s just not CCPA PI. Well, that’s certainly enlightened public policy, isn’t it?

See also: In Race to AI, Who Guards Our Privacy?  

It is difficult to claim the current and evolving laws and regulations governing consumer control over and data security of PI collected by insurers is inadequate. Yes, there have been security breaches among financial institutions covered by GLBA. That, however, is not the exclusive measure of effective security. The CCPA acknowledges that “reasonable” security efforts will protect a business from liability if unencrypted or unredacted PI is improperly accessed. Clearly, that also sends a message as to what the legislature thinks is a minimum standard for what is “reasonable.”

Not good enough.

The IIPPA, GLBA, the Privacy and Safeguards Rules of the FTC, the Department of Insurance Privacy Regulation and continuing initiatives by the FTC and the NAIC demonstrate a decades-long history of developing strong laws to protect the privacy of insurance consumers. Advocates for the CCPA would do well to remember that not every business is unregulated when it comes to information practices and give the IIPPA and subsequent laws a level of earned deference in today’s digital debate. Or, to quote Jacob McCandles (John Wayne) in the movie “Big Jake,” “If you can’t respect your elders, I’ll just have to teach you to respect your betters.”

The CCPA gathers headlines because it is intended to empower individuals and their efforts to control their own PI. When PI is shared, policymakers want to make certain it is shared transparently and securely regardless of where the PI goes. This is a response to the use of PI by very large international companies that occupy an outsized space in what is purported to be a competitive digital marketplace. They are also the companies most able to afford the increasingly complex data security environment throughout the world and who can pay very large penalties for non-compliance. Good for them. This new and complex environment is where policymakers in Sacramento should focus for the remainder of 2019 and next year, when CCPA 3.0 will roll out. Unfortunately, they won’t.

CCPA: First of Many Painful Privacy Laws

The California Consumer Privacy Act (CCPA), which becomes law on New Year’s Day, is to this point the most important and influential piece of privacy legislation in the U.S. It’s designed to protect the privacy of consumers, and its effects far exceed the borders of the nation’s largest state—and the country, for that matter—by dictating how organizations around the world are allowed to collect and handle the data of Californians. Specifically, the law will give Californians the right to know what data of theirs is being collected and with whom it is being shared. It also gives them the right to refuse or opt out of any agreement that would allow their data to be collected (with a few exceptions) and to request that their data be deleted in the event that they do so.

Beyond those general considerations, the law aims to address demands for stricter regulations for businesses that collect customer information and stronger enforcement practices when those businesses improperly handle sensitive personal data. In this regard, the law is not unique but rather only the beginning of what’s become a nationwide crackdown on data collection and privacy. Nearly 20 states have passed or are in the process of passing comprehensive privacy legislation. Once enacted, these regulations will create a veritable minefield of privacy measures that vary from state to state, and the organizations whose business purposes compel them to trudge through it will need to protect themselves against the possibility of fines and other penalties. As a result, the need for cyberinsurance, specifically as it relates to fines for regulatory noncompliance, has never been higher.

Although organizations are exempt from the California law when “assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions”—thanks to Assembly Bill 981, which was passed in May—organizations are still subject to its requirements when the scope and use of personal data exceeds those specific operations. In many cases, the compliance concerns of insurance companies will be solely with that of their policyholders, so it is in the best interest of both parties to ensure steadfast organizational compliance with an emphasis on reducing risk and anticipating future regulations.

See also: Blockchain, Privacy and Regulation  

Of particular importance to these insurers and their insureds is the controversial concept of private right of action, which allows individuals whose privacy has been violated to bring civil suits against noncompliant parties. Originally, this portion of the California law could have exponentially increased the financial consequences of a breach by subjecting violators to class-action claims of damages from victims, on top of the compliance-related fines levied by the state. It has since been limited to injunctive or declaratory relief, but other developing statutes include language similar to the original bill’s treatment of private right of action. Louisiana, Massachusetts, New York, North Dakota and Rhode Island all are working on bills that include a private right of action, with New York’s being especially expansive and potentially heavy-handed toward violators. In addition to including a private right of action, New York’s proposal has no minimum gross revenue requirement, meaning all companies—regardless of size—will be subject to the law’s rules and penalties. This has led critics to question the feasibility of fairly enforcing what they deem to be overly broad regulations aimed at punishing well-meaning organizations that cannot keep up with the evolving privacy space.

In terms of its impact on the insurance industry, the resulting legislative inconsistency will hit the big names the hardest, but it still does no favors for mid-size carriers struggling to keep up with their state or regional laws. In addition to meeting their own compliance obligations, they will have to accurately gauge the risk and potential penalties presented by the difficulty policyholders will have satisfying theirs. Insurers might not have to walk through the minefield, but they will have to clean up the mess inside it once something goes wrong.

As we discussed in a previous post, the difficulty insurance companies already experience when attempting to create reliable cyberinsurance policies is inhibiting the industry’s ability to provide much-needed coverage. The private right of action and other uncertain aspects of these laws further complicate the task of accurately estimating and pricing the cost of cyberinsurance coverage by expanding the potential recompense for breach victims. When coupled with the fact that no federal privacy law exists—allowing each state to establish its own set of rules for what constitutes personal data and how it should be protected—offering cyberinsurance can seem like an almost untenable prospect. However, a risk-reducing, compliance-enabling solution exists in the marketplace: tokenization.

See also: Mobile Apps and the State of Privacy  

Tokenization, such as that offered by the TokenEx Cloud Security Platform, especially excels at reducing risk through its use of pseudonymization and secure data vaults. Pseudonymization, also known as deidentification, is the process of desensitizing data to render it untraceable to its original data subject. It does so by replacing identifying elements of the data with a nonsensitive equivalent, or token, and storing the original data in a cloud-based data vault. This virtually eliminates the risk of theft in the event of a data breach, and, as a result, tokenization is recognized as an appropriate technical mechanism for protecting sensitive data in compliance with the CCPA and other regulatory compliance obligations. Because tokenization satisfies controls concerning the processing of sensitive data, it can prevent losses stemming from fines and other penalties as a result of noncompliance.
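To make the mechanism described above concrete, here is an added Python illustration (not TokenEx’s code or API, and not part of the original post) of vault-based tokenization: sensitive fields are swapped for random, opaque tokens, and the only token-to-value mapping lives in a separate vault. It assumes constructed policyholder records with `ssn` and `drivers_license` as the sensitive field names and uses an in-memory dictionary as a stand-in for the secured vault.

```python
"""Constructed tokenization demo: replace personal information (PI) with
opaque tokens and keep the only token->value mapping in a separate vault.
This is an added illustration, not the TokenEx platform or its API."""
import re
import secrets
from dataclasses import dataclass, field

# Fields treated as sensitive in the constructed sample records (assumption).
SENSITIVE_FIELDS = ("ssn", "drivers_license")

# Pattern used to check whether a dataset still contains raw SSN-shaped values.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


@dataclass
class TokenVault:
    """In-memory stand-in for a separately secured data vault.

    A token has no mathematical relationship to the original value, so a copy
    of the tokenized dataset alone cannot be reversed; only the vault, which in
    a real deployment sits in its own trust boundary, can map a token back."""
    _by_token: dict = field(default_factory=dict)   # token -> (field, value)
    _by_value: dict = field(default_factory=dict)   # (field, value) -> token

    def tokenize(self, field_name: str, value: str) -> str:
        key = (field_name, value)
        # Reuse the token for an already-seen value so equality joins on the
        # tokenized data still work (consistent tokenization).
        if key in self._by_value:
            return self._by_value[key]
        token = "tok_" + secrets.token_hex(12)  # 96 random bits, unguessable
        self._by_token[token] = key
        self._by_value[key] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued.
        return self._by_token[token][1]


def pseudonymize(record: dict, vault: TokenVault) -> dict:
    """Return a copy of `record` with sensitive fields replaced by tokens."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        if out.get(name) is not None:
            out[name] = vault.tokenize(name, out[name])
    return out


def reidentify(record: dict, vault: TokenVault) -> dict:
    """Reverse pseudonymize(); only a caller with vault access can do this."""
    out = dict(record)
    for name in SENSITIVE_FIELDS:
        value = out.get(name)
        if isinstance(value, str) and value.startswith("tok_"):
            out[name] = vault.detokenize(value)
    return out


def contains_raw_ssn(records: list) -> bool:
    """Data-at-rest check: does any field value still look like a raw SSN?"""
    return any(
        isinstance(v, str) and SSN_RE.match(v) is not None
        for rec in records for v in rec.values()
    )


if __name__ == "__main__":
    # Constructed sample policyholder records (fictitious values).
    policyholders = [
        {"name": "Jane Doe", "ssn": "123-45-6789", "city": "Sacramento"},
        {"name": "John Roe", "ssn": "987-65-4321", "city": "Fresno"},
        {"name": "Jane Doe", "ssn": "123-45-6789", "city": "Oakland"},  # second policy, same person
    ]
    vault = TokenVault()
    tokenized = [pseudonymize(r, vault) for r in policyholders]
    print(tokenized)
    print("raw SSNs present in tokenized set:", contains_raw_ssn(tokenized))
    assert [reidentify(r, vault) for r in tokenized] == policyholders
```

The vault is where the risk concentrates: a breach of the tokenized dataset alone exposes no PI, but the vault’s access control, key management and audit logging now protect every record at once.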

As new laws emerge and the privacy landscape in the U.S. continues to shift, it is crucial for both insurance companies and their policyholders to prioritize risk minimization. And tokenization is an essential tool for significantly reducing the likelihood of a cyber event, and as a result, a claim.

When Are CPAs Liable for Cybersecurity?

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021.

Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

  • 1,579 reported breaches, exposing 179 million records
  • 55% of all breaches involved businesses
  • 59% of all breaches resulted from hacking by outside sources
  • 53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s my liability?

“That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.”

Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you.

The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers.

Federal rules and law

The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Bliley (GLB) Act. Businesses that prepare tax returns fall within this definition. Under the rule, businesses are required to develop a written information security plan that describes their program to protect customer information. There are five additional requirements. Learn about the rule and implement applicable compliance protocols.

Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach?

At the federal level, the circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims.

Two recent decisions illustrate these differences:

  • The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim’s fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
  • However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow

In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, “Cyber Requirements for Financial Services Companies,” with which all affected firms must now comply. These “first-in-the-nation” data security regulations establish the steps that covered entities must take to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity’s normal business operations.

See also: 4 Ways to Boost Cybersecurity  

Specifically, insurers, banks, money services businesses and regulated virtual currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

  • Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy tailored to the company’s individualized risks that are approved by senior management;
  • Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
  • Establish multi-factor authentication for remote access of internal servers;
  • Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law);
  • Prepare a written incident response plan that effectively responds to events and immediately provides notice to the superintendent of the New York Department of Financial Services of any breaches where notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
  • Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity that contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events affecting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic information;
  • Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

  • Right to know what categories of their personal information have been collected
  • Right to know whether their personal information has been sold or disclosed, and to whom
  • Right to require a business to stop selling their personal information upon request
  • Right to access their personal information
  • Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
  • Right to a private cause of action under the statute

What is the impact of these new regulations on CPA firms?

Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

  • Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
  • The regulations create a framework for plaintiffs’ attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now

“If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.”

Here are three tips to get you started:

Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?

“Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats.

Implement best practices. At a minimum:

  • Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
  • Train employees to recognize threats and safeguard equipment and data.
  • Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
  • Back up your data so you’ll still have access to it if it’s lost or stolen.
  • Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios.

See also: Cybersecurity for the Insurance Industry  

Legal and insurance considerations

CPA firms should consult with their legal counsel to assess the firm’s risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked.

CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.