Following the GDPR, the CCPA quickly presented additional and different requirements that organizations subject to the regulation must build into their privacy programs. With more disclosures about personal information required, privacy is no longer confined to a designated office: stakeholders from various departments must be aware of, and take ownership of, the activities within their functional areas.
Now more than ever we are seeing a blend of the privacy and security roles, and it is not uncommon to see Chief Information Security Officers (CISOs) heavily involved in privacy risk activities. Whether it is taking a data inventory and assessing risk, or having a rock-solid data breach response plan in place, CISOs provide the security component that is critical to a successful CCPA compliance plan.
-The CISO's role in CCPA compliance
-Potential risks to the security and privacy of sensitive information
-Mapping CCPA requirements to security processes and procedures
2. Thank you for joining the webinar CCPA for CISOs: What You Need to Know
● We will be starting a couple of minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
3. Speakers
● Abhishek Agarwal, CISO, Fresenius Medical Care North America
● Tom Birdsall, VP Information Technology, Macerich
● K Royal, FIP, CIPP/US/E, CIPM, Associate General Counsel, Privacy Intelligence, TrustArc
4. Agenda
● The CISO's role in CCPA compliance
○ The Foundation of CCPA
● Potential risks to the security and privacy of sensitive information
○ Specific Aspects for Consideration
● Mapping CCPA requirements to security processes and procedures
○ Tips & Recommendations
● Q&A
5. Poll Question #1
● What is your role in data privacy?
○ Data privacy is my entire job
○ Data privacy is between 50-75% of my job
○ Data privacy is between 25-50% of my job
○ Data privacy is less than 25% of my job
○ None of the above
7. CCPA Basics
California Consumer Privacy Act
● Passed in June 2018 and revised later in September
○ then revised in October 2019
● Broadest privacy law in the U.S.
● Impacts any business with data on California consumers, households, or devices
● Still awaiting regulations and potential amendments
○ on third draft
Top Provisions of the CCPA:
● Expanded scope: people and data
● Transparency and notice
● Individual rights and “Do not sell my personal data”
● Private right of action
8. Key Differences from EU GDPR
● Vendors (processors) are not subject unless they qualify independently
● More exceptions to right to erasure
● Turnaround times for individual rights
● No breach reporting under CCPA
● Data inventory – must capture source and sales / disclosures of data
● Does not require DPO
● Does not specifically address protections for sensitive data
9. Poll Question #2
● Is CCPA the first privacy law you are subject to?
○ Yes
○ No, I was involved with another major regulation (GDPR, HIPAA)
○ No, I have been involved in many
○ None of the above
11. Private Right of Action
Any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
● To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.
● Injunctive or declaratory relief.
● Any other relief the court deems proper.
12. plus . . .
In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to,
● the nature and seriousness of the misconduct,
● the number of violations,
● the persistence of the misconduct,
● the length of time over which the misconduct occurred,
● the willfulness of the defendant’s misconduct, and
● the defendant’s assets, liabilities, and net worth.
13. Poll Question #3
● Approximately how much has your company spent in CCPA-related privacy compliance expenses?
○ Less than $100,000
○ Between $100,000 and $500,000
○ Between $500,000 and $1,000,000
○ More than $1,000,000
○ I don’t know
14. Personal Information
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information includes ... if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household...
15. Personal Information Includes...
● Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email, account name, SSN, DL #, passport #, or other similar identifiers.
● Characteristics of protected classifications under California or federal law.
● Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
● Biometric information.
● Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
● Geolocation data.
● Audio, electronic, visual, thermal, olfactory, or similar information.
● Professional or employment-related information.
● Education information.
● Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
16. Deidentified & Pseudonymized
Deidentified: information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
○ Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
○ Has implemented business processes that specifically prohibit reidentification of the information.
○ Has implemented business processes to prevent inadvertent release of deidentified information.
○ Makes no attempt to reidentify the information.
Pseudonymized: the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
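The pseudonymization definition above, worked through in Python as an added example (this is not code from the webinar, its speakers, or TrustArc). It assumes a keyed HMAC-SHA256 token scheme and uses constructed sample records; the point it makes is that the secret key and the linkage table are the "additional information" that must live apart from the pseudonymized data set, and that an unkeyed hash does not meet that bar because anyone holding the data can recompute it from a known identifier.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration; not data from the webinar
# or from any real consumer.
CONSUMER_RECORDS = [
    {"email": "alice@example.com", "zip": "94105", "item": "toaster"},
    {"email": "bob@example.com", "zip": "90210", "item": "kettle"},
    {"email": "alice@example.com", "zip": "94105", "item": "blender"},
]

# The field that directly identifies a consumer and is replaced by a token.
DIRECT_IDENTIFIER = "email"


def new_pseudonymization_key() -> bytes:
    """The 'additional information' in the CCPA definition: a secret that is
    stored separately from the pseudonymized data set (different system,
    different custodian, different access controls)."""
    return secrets.token_bytes(32)


def keyed_token(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Deterministic, so one consumer always maps to one token and records stay
    joinable; but without the key nobody can recompute the token from a
    candidate identifier, so the token alone does not attribute the record."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def unkeyed_token(identifier: str) -> str:
    """Contrast case: a plain hash with no secret. Anyone holding the data set
    can hash a known e-mail address and confirm the link, so this does not
    satisfy 'without the use of additional information'."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonymize(records, key=None):
    """Replace the direct identifier in each record with a token.

    Returns (pseudonymized_records, linkage_table). The linkage table (and
    the key) is what must be held apart from the pseudonymized records.
    With key=None the weak, unkeyed scheme is used, for comparison only."""
    pseudonymized, linkage = [], {}
    for rec in records:
        raw = rec[DIRECT_IDENTIFIER]
        token = keyed_token(raw, key) if key is not None else unkeyed_token(raw)
        linkage[token] = raw
        pseudonymized.append({**rec, DIRECT_IDENTIFIER: token})
    return pseudonymized, linkage


def reidentify(pseudonymized, linkage):
    """Reverse the mapping. Only the custodian of the linkage table can do
    this, e.g. to answer a consumer's access or deletion request."""
    return [{**rec, DIRECT_IDENTIFIER: linkage[rec[DIRECT_IDENTIFIER]]}
            for rec in pseudonymized]


def can_attribute(identifier: str, pseudonymized, key=None) -> bool:
    """Can a party holding only the pseudonymized data set plus a known
    identifier tie that identifier to a record? With the keyed scheme the
    answer is 'only with the key'; with an unkeyed hash it is always yes."""
    probe = keyed_token(identifier, key) if key is not None else unkeyed_token(identifier)
    return any(rec[DIRECT_IDENTIFIER] == probe for rec in pseudonymized)


if __name__ == "__main__":
    key = new_pseudonymization_key()
    data, table = pseudonymize(CONSUMER_RECORDS, key)
    print("pseudonymized:", data)
    print("attributable with the key:", can_attribute("alice@example.com", data, key))
    print("attributable with another key:",
          can_attribute("alice@example.com", data, new_pseudonymization_key()))
    weak, _ = pseudonymize(CONSUMER_RECORDS)
    print("unkeyed hash attributable by anyone:", can_attribute("alice@example.com", weak))
```

In practice the key would sit in a KMS or HSM and the linkage table in a separate, access-controlled store, so that the analytics copy of the data can be handed to a team or vendor without also handing over the means to re-attribute it.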
19. Upcoming Webinars
● Third-Party Risk Management: How to Identify, Assess & Act
○ May 20, 2020 @ 12:00 EDT
Past Webinars
● Privacy Frameworks: The Foundation for Every Privacy Program
○ Free Download
● Assessing Risk: How Organizations Can Proactively Manage Privacy Risk
○ Free Download