Much is made in cybersecurity circles about the United States not having a coherent, universal cybersecurity and privacy law. To this day, the US employs a patchwork of industry-specific regulations that were all created reactively, more or less willy-nilly, at different points over the last few decades. It’s all rather chaotic and confusing. Adding to the mess are the several state laws that have been enacted to fill the gaps, making compliance even more complicated.
Well, in 2017 a bill was introduced in the House of Representatives called the “Consumer Privacy Protection Act of 2017” (CCPA; not to be confused with the California Consumer Privacy Act of 2018, which shares the abbreviation). To be clear, this CCPA has only a passing similarity to the well-known GDPR of the EU. It has no significant bundle of personal rights like the “right to be forgotten” or the right to access your own personally identifiable information (PII). Instead, it is focused on protecting PII from unauthorized access, and provides a fairly straightforward and robust set of mandates to effect that protection.
TO BE CLEAR – The CCPA is not a law yet, and may never be a law (it has been stuck in the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations since 2017). However, now that the composition of the Executive and Legislative branches is more regulation-friendly, this bill might yet see the light of day sometime soon.
So, what exactly would the CCPA require?
1. Security breach notifications (including possible criminal penalties for willfully or intentionally concealed breaches).
2. Certain commercial entities must implement a comprehensive consumer privacy and data security program.
a. This means ALL commercial entities that engage in interstate commerce and collect, use, access, transmit, store, or dispose of SENSITIVE PII of at least 10,000 US “persons” during any 12-month period.
b. Exceptions are:
i. Certain network service providers;
ii. Financial institutions that come under the purview of the Gramm-Leach-Bliley Act;
iii. HIPAA and HITECH regulated entities.
What constitutes a comprehensive consumer privacy and data security program?
1. Appropriate technical, physical and administrative safeguards given the size, complexity, nature and scope of the entity’s activities;
2. Ensure privacy and security of Sensitive PII;
3. Protect against anticipated vulnerabilities;
4. Protect against unauthorized access;
5. Risk assessments;
6. Access controls;
7. Incident management;
8. PII destruction;
10. Third-party due diligence;
10. Data retention and minimization;
11. Awareness training;
12. Vulnerability testing; and
13. Periodic assessments.
All in all, it really would be a significant improvement were it to be signed into law, and it strikes a certain balance between personal privacy and business interests. What is not entirely clear is whether the law as currently written would preempt the entire field of state-made cybersecurity laws, rendering them void in part or in whole. That’s a complicated question. But the answer should be that any comprehensive cybersecurity law should preempt all the state laws. The federal government draws its power to make the law in the first place from the Commerce Clause of the US Constitution, which gives it the right to regulate interstate commerce. Cybersecurity is at the core of such a right, and it is very much in the interests of all businesses that cyber policy be the same throughout the country, with a uniform set of requirements. Otherwise, the CCPA would just be another regulation to plop on top of the other regulations, leaving the real, de facto regulation as the sum of the most onerous parts of every applicable regulation added together.