
Joe Stanganelli

California's CCPA Law: Why CISOs Need to Take Heed

The recently enacted California Consumer Privacy Act, while hardly a sweeping reform of the state's privacy laws, changes the playing field for IT risk and liability where California residents' personal information is concerned.

California's controversial new privacy law, while not especially burdensome, presents a few need-to-knows for CISOs and other IT executives who help manage enterprise security risk.

On June 28, Gov. Jerry Brown of California signed into state law the California Consumer Privacy Act of 2018 (CCPA). The bulk of the CCPA's requirements have to do with disclosures and forewarnings about the selling and sharing of California residents' personal information (although most of these requirements are focused on "categories" of information instead of the actual information).

Fines under the CCPA are capped at $7,500 per violation -- and even that maximum is reserved for intentional violations. Violations lacking intent remain subject to the preset $2,500 maximum fine under Section 17206 of the California Business and Professions Code. Cumulative fines for large and systemic abuses can of course add up, but they are unlikely to be bank-breaking.

Of greater financial concern to businesses is that the CCPA expressly paves the way for natural persons to sue over a breach of their "nonencrypted or nonredacted personal information" -- even without evidence of actual damage. The CCPA allows individuals to recover between $100 and $750 per such incident, or more where they can show actual damages exceeding $750.

Without such clearly stated rights, individuals have had difficulty suing over even egregious mega-breaches when they could not yet show that their compromised data had actually been used to their detriment or had otherwise caused them actual, quantifiable damage. The question remains unsettled, with US courts still struggling with it and disagreeing with one another. Once this provision takes effect, therefore, businesses have a greater incentive to deploy encryption where they have not already done so -- even for data that organizations have not traditionally encrypted. In practice, the data has to be encrypted in a way that survives the breach: if the keys are stored alongside the data and taken with it, the encryption offers little protection. (See: Seamless Cloud Security Depends on Encryption Done Right.)

At the same time, the CCPA places a number of bureaucratic hurdles in the path of would-be CCPA plaintiffs. It requires that they first "provide a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated," giving the business the opportunity to "cure" the problem if possible. Though hardly best practice, this provision arguably gives CCPA-subject businesses some room to slack off on their reporting requirements and data requests, waiting to see which of the activist consumers in their inboxes are really serious.

This may be a dangerous game, however, when played over the long run because the CCPA dictates that judges are to consider such factors as "the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, [and] the willfulness of the defendant's misconduct" in awarding statutory damages.

Meanwhile, because the CCPA brings data breaches within its own purview, it is difficult to see what a "cure" would look like in that situation. It is unclear, for example, whether something like Uber paying $100,000 for hackers to promise -- on their honor -- to delete stolen data would count as a real cure. (See: Uber Loses Customer Data: Customers Yawn & Keep Riding.)

Additionally, within 30 days of filing a CCPA action, a CCPA plaintiff must notify the California Attorney General -- who, the CCPA makes clear, can delay or block such individual litigation.

Finally, smaller businesses and startups may find further CCPA relief by virtue of being so small. In determining statutory damages, judges are also to consider defendant businesses' "assets, liabilities, and net worth" (note that the word "valuation" does not appear in that laundry list).

Emphasis on "may". Even a relatively small judgment can hurt a startup or small business substantially -- while multi-billion-dollar penalties against Silicon Valley giants like Google are viewed as little more than a hiccup on a quarterly earnings report.

Still, smaller businesses are further protected from CCPA liability in that the CCPA may not consider them "businesses" to begin with. The CCPA indicates that it applies only to for-profit businesses that meet at least one of the following:

  • Have over $25,000,000 in statutorily adjusted gross annual revenues
  • Derive at least half of their annual revenue from selling California residents' personal information, or
  • Buy, sell, receive, or otherwise trade "the personal information of 50,000 or more [California residents], households, or devices"

The CCPA also applies to entities that control or are controlled by such a business (such as, for example, a parent company or a subsidiary).


—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
