U.S. consumers are no longer surprised by the now-familiar news that their personally identifiable information (PII) has been disclosed, sold, or released by acts of negligence, carelessness, indifference, or malicious activity.
In the wake of data breaches such as those announced by Capital One, Equifax, Wells Fargo, Quest, LabCorp, and the Employees Retirement System of Texas, consumers and organizations are forced to spend multiple hours and dollars recovering from such breaches.
Colorado and California have enacted new privacy laws, through which they join at least 20 other states with similar data privacy acts, all of which are meant to protect privacy. The two acts differ in their scope, application, and requirements, but offer lessons for employers, boards of directors, corporate officers, and executive management on how to best maintain compliance with these types of laws and avoid costly litigation in the event of a breach.
Both state acts are similar in principle and scope to the European Union's General Data Protection Regulation (GDPR). Those entities whose business interests, customers, or data collection practices bring them within the ambit of the GDPR may already be familiar with the concepts, requirements, and duties imposed on an organization under the GDPR. However, non-EU-based companies that have not, until now, been affected by the GDPR will find, especially with the passage of California's act, that such data retention and protection requirements are hitting much closer to home.
We will contrast and compare these two acts and explain how they may affect your business, even if your corporation or entity is not located in either of these two states.
Colorado Consumer Data Privacy Act (CCDPA)
The Colorado Consumer Data Privacy Act (CCDPA) became effective on September 1, 2018. The CCDPA has broad application, but has some limitations in regard to reporting requirements.
The CCDPA applies to any person or commercial or government entity that maintains, owns, or licenses personal identifying information (PII) in the course of the person's or entity's business, vocation, or occupation.
Those under the ambit of the CCDPA have a statutory duty to protect the PII of any Colorado resident from unauthorized disclosure. They also have a duty to report certain unauthorized disclosures of PII. The Act applies not only to electronic or digital records, but also has provisions regarding hard copy or paper records. It is important to note that, unlike other acts, including California's, there is no minimum number of Colorado residents whose information is held, and no revenue threshold for the commercial entity, that must be met before the CCDPA applies. In short, if your organization, no matter its size, maintains the PII of even one Colorado resident, the CCDPA applies.
PII is defined under the CCDPA as a Social Security number or other personal identification number issued by a government, military, educational, or medical entity, and also includes passwords, biometric data, or any financial transaction data, such as a credit card number, security code, or PIN.
Any entity in possession of the PII of a Colorado resident must have a written policy documenting its data retention and destruction policies; have reasonable security practices and procedures in place; and require any third-party service providers to comply with the organization's written data privacy policies.
The CCDPA not only governs the collection and protection of PII, but also mandates disclosure and notification to affected parties in the event of a breach, under certain circumstances.
Under the CCDPA, however, a distinction is made between a breach resulting in the disclosure of digital records and one involving paper records. Disclosure is only required if digital records containing Personal Information (PI) have been taken without authorization. The Act defines PI as any digitized information, which is neither encrypted nor redacted, that includes the first name or first initial and last name of a Colorado resident, plus one of the following: a Social Security number; employer, student, or military ID number; a passport, driver's license, or government/state-issued ID number; medical information; biometric information; or a health insurance number. Alternatively, PI includes a username or email address together with the password or security question (with its answer), or an account number or credit/debit card number together with a security code, access code, or password.
If your organization becomes aware of the unauthorized acquisition or disclosure of such unencrypted, computerized PI, an investigation must commence promptly and be conducted in good faith. Unless that investigation determines that no misuse has occurred and none is reasonably likely to occur (in which case no notifications are required), those residents whose PI has been disclosed must be informed within 30 days of the organization learning of the breach. If the investigation finds that more than 500 Colorado residents are affected, the Colorado Attorney General must be notified. If more than 1,000 residents are involved, the consumer reporting agencies, such as Equifax or TransUnion, must also be notified.
The CCDPA provides specific guidance on the nature of the notifications, as well as certain notification exceptions. In general, however, the notice must be reasonably likely to fully inform the affected Colorado resident. Note that the 30-day time limit applies even if the records are HIPAA-covered documents, for which HIPAA itself provides a 60-day notice period.
It is of interest to note that the unauthorized taking of paper records does not trigger the disclosure requirements. Although the CCDPA imposes security protocols regarding paper record retention and destruction, the disclosure provisions of the Act are not triggered, for instance, by the accidental dumping of un-shredded, un-redacted paper records into a trash receptacle. However, such actions may nevertheless subject an organization to penalties under other provisions of the Colorado Act, as well as other state or federal privacy laws.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) will become effective on January 1, 2020.
This law takes a different approach. Although in some ways it is narrower in application than Colorado's, in other ways it has more potential to affect your organization: it gives any affected California resident the right to file a private action, and it imposes more extensive data retention requirements.
As in Colorado, if your organization collects and retains the personal information of a California resident, the CCPA may apply. Unlike Colorado, however, a second qualifier is in place. Your organization must not only retain a California resident's information, but must also have annual revenues of at least $25 million; retain the personal information of at least 50,000 California residents, households, or devices; or receive more than 50 percent of its revenue from selling personal information about California residents.
Although an organization may initially think it generates insufficient business revenue to qualify, note that one of the triggering provisions involves the collection of resident data, which includes the collection of IP addresses from websites or cookies used to collect browsing information on 50,000 or more California residents or devices. Even small-to-midsize companies with an internet presence may cross that threshold quickly. An organization's website that collects the IP addresses of only 139 California residents a day will collect 50,000 such data points in a year, thus triggering the application of the Act.
The personal information protected under California's CCPA includes not only the usual items (e.g., Social Security numbers, passwords, ID numbers) but goes further. Protected PII also includes data containing inferences that could be drawn from personal information (such as preferences, behavior, intelligence), and further includes information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
There are additional exceptions with regard to which entities the CCPA covers. One broad exception is that, unlike the Colorado Act, the CCPA does not apply to nonprofit corporations. Further, if your industry is already regulated by HIPAA, the Gramm-Leach-Bliley Act, or, for consumer reporting agencies, the Fair Credit Reporting Act (FCRA), the specific information collected pursuant to those laws is not subject to the CCPA. Medical information collected pursuant to HIPAA is governed only by HIPAA, and not by the CCPA. However, any information collected by that same organization that is not protected by HIPAA will arguably be covered by the CCPA.
One important aspect of California's law is the imposition of "reasonable security" measures to protect data collected on California residents, including employee information. Compliance with this provision is especially important because both the California Attorney General and California residents will have the right to sue and enforce these provisions when an organization fails to employ reasonable security measures to protect the collected personal data. Although the Act has yet to take effect, the California Legislature is already considering broadening the rights of California residents to privately sue, not only under the CCPA, but also under other already existing consumer protection acts. The penalty for a violation of the CCPA includes an injunction, and the penalty is currently capped at $7,500 for each intentional violation and $2,500 for unintentional violations.
One of the expanded rights given under the CCPA is the right of a California resident to request disclosure, deletion, and portability of their personal information from an organization collecting it. Such disclosure requests can go back twelve months, meaning document retention, location, and retrieval protocols must be implemented and kept current.
Finally, it should be noted that, although the CCPA is not yet in effect, several amendments are being considered which might further change the scope of the Act. Careful monitoring of this and other acts must be done by your legal counsel to ensure compliance.
Bottom Line: What These Laws Mean To You
No matter your type or size of organization, data privacy protection laws are coming to your jurisdiction and/or your business operations, if they are not already in effect. It is not hard to imagine that they will become more far-reaching and impose more data retention, security, and disposal requirements, which will affect not only digital, but paper, records as well.
Further, as many such laws will no doubt permit at least government, if not private, causes of actions against an organization found in breach of these laws, organizations would be wise to get ahead of such trends by acting now to be in compliance for the future.
Written policies regarding data collection, retention, storage, retrieval, and destruction must be in place and updated regularly. This includes not only digital data, but also paper or other non-digital materials. All devices capable of retaining customer, client, or employee information, such as PCs, laptops, tablets, phones, storage drives, USB sticks, flash drives, or cloud storage, should be addressed by the policy.
Written policies regarding the training of all employees in best practices for network security should be disseminated and followed by repeated and updated training sessions on how to detect unauthorized access to records.
Written policies should be in place regarding the destruction of data and data storage devices. This should include topics such as the shredding of paper records and the destruction of hard drives, flash drives, or any other storage devices, whether done in-house or by third-party service providers.
Written policies and protocols should be implemented regarding the physical security of all devices capable of retaining PII, whether in the form of paper or digital records. These policies should address the use of locked filing cabinets or rooms; encryption protocols; inventory of keys; the use of two-factor authentication; and the requirement of a VPN for off-site access to your organizational services from locations with unsecured Wi-Fi.
The relatively short time allowed in which to complete the investigation of an unauthorized disclosure of data means having either an in-house IT forensic team ready to perform a forensic investigation or at least a pre-identified third-party team to conduct a timely and thorough investigation.
If you comply with another state or federal data protection requirement, such as the Gramm-Leach-Bliley Act or HIPAA, you will be deemed in compliance with the Colorado Act and, in certain situations, the California Act as well. However, note that if the data retained by your organization does not come within the ambit of those other acts, you must comply with the state act applicable to that data.
Because a privacy act may require an organization to respond to a consumer's request for their PII within 45 days of receiving it, and such a request may reach back twelve months, entities coming under the reach of this Act should already be assessing how they will locate, identify, retrieve, and transmit that data to its owner. A written policy regarding the retention and retrieval of such requested data is necessary.
These Acts, especially that of California, are in a state of flux as the practical impact of them on business interests and privacy advocates is evaluated. Amendments and revisions of these Acts should be expected; therefore, it is imperative that your legal counsel regularly reviews the Acts and any amendments so that your organization's policies and protocols are changed to reflect current compliance requirements.