Is the New California Privacy Act the Next GDPR, and Why Should I Care?

June 13, 2019

John: And there we go. So welcome, everyone, and thanks for attending. Today's session is Coffee with Carol: Is the CCPA, which is the California Consumer Privacy Act of 2018, the new GDPR? With me today I have Donnie McCall, who's our director of EMEA technical services at HelpSystems, and Carol Woodbury, who is the vice president of global security services and the team lead for all of the people that work for me. I'm your host; good day, my name is John Vander Waal. I am the vice president and business unit manager for global security services, and what I'm going to do now is pass it over to Carol and let her begin this webinar. Last thing: if you do have a question during the course of this webinar, use the question drop-down. I'll be monitoring that during the course of the webinar and try to feed any questions to the presenters, and if that doesn't work we'll try to catch them at the end, and if that doesn't work somebody will follow up with an email and an answer to your question. So Carol, take it away. Donnie and Carol.

Carol: Thanks, John. I just wanted to thank Donnie McCall for joining me this morning. Donnie and I go way back, and John and I go way back, and so we always have a good time, so if we seem a little irreverent at times it's just because we've shared a lot of good times in the past. But I asked Donnie to join me today because the California Consumer Protection Act has been rumored to look an awful lot like GDPR, so since Donnie is our resident GDPR expert here at HelpSystems, I thought it would be appropriate that he explain the GDPR side of things, and with it we can kind of compare and contrast, and you can see where the California act falls relative to GDPR. So with that, the very first slide I thought might be appropriate would be to explain what GDPR is. So Donnie, could you do that?

Donnie: Yeah, absolutely. Thank you, John and Carol. It's great working with everybody. Carol, so we go back a long way,
genuine friends, so it's a pleasure to be here today, and thank you very much, everybody, for taking the time out of your busy day to join us. Now let me start with what the GDPR is. There's an important aspect of this slide. You can see the very first sentence: it says it replaces the Data Protection Directive 95/46, the European data protection law. The important part is the 95, as in 1995. So the Data Protection Act in the UK and in Europe to protect personal data came into effect 24 years ago, and imagine how data has changed since then. It was about time there was a new regulation that came out, and the GDPR is here to protect personal data, and it means it's good for people like you and I. It just means that our personal data is our data; it should be looked after properly, and anybody who uses it, organizations or otherwise, is now duty bound by law. And that's the difference with an act or directive: we now have the GDPR, a regulation, the law. You can actually break the law if you don't look after data properly. All it means is you have to make sure that any personal data that you're the custodian of, that you process, that you look after it, you keep it secure. If you transfer it outside, in my case, the European Union, as I do on a daily basis (I work for an American employer; my data gets transferred outside the European Union and back again on a daily basis), we need to make sure that's secure as well. It defines, because it's the law, what happens if a personal data breach occurs or a suspected data breach occurs. It also says we must have a legal basis to contact prospects ourselves, and marketing was massively impacted. And if you break the law, because it is a law, there's a consequence, which is a massive fine, and it's something that I think we're going to see coming in. From what Carol has told me about the CCPA, I don't see that coming in yet. So we will talk in more detail about each of these aspects, and again compare and contrast them to the California law in a few slides.

Carol: Okay, so what's CCPA then? So it's
better known, well, the formal law number is AB 375, and it's the California Consumer Privacy Act of 2018. And just like anything that I talk about from a law or regulation or standard, I encourage you to read it yourself. You know, just because it's a law and we may not be lawyers doesn't mean that you shouldn't actually read the law. So I've put the link to the actual law in so that you can see what it actually says. And the reason it's important from more of a global perspective is because as California goes, so goes the rest of the United States, typically. So if you think about the first state that did anything with breach notification laws, that was California. California was also the first one to do more with protecting private data, so it's not surprising that they have come up with yet another law, and it's expected that other states across the United States will follow this. So it was passed last year; it is to go into effect January 1st of 2020, and it's similar but not exactly the same as GDPR, which went into effect last year, as Donnie said. So let's look at a few more details. So who does CCPA apply to? It applies to organizations that do business in California and meet at least one of the following criteria. Now let me stop there before I go into this. To do business, that doesn't mean that your business is headquartered in California; that means you do business with a California resident. So even though you might not have an outlet in California, if you have their data, you're doing business in California. Okay, so you do business in California and meet at least one of the following criteria: gross annual revenue greater than twenty-five million dollars; you collect or buy personal information of at least fifty thousand consumers, because a lot of what the CCPA is about is, like Donnie said for GDPR, protecting personal information. So this really came about after the selling of all of the private information that Facebook did, and so the California
Legislature got together and developed this act. So it's all about protecting personal information. So that's why there's emphasis on collecting or buying personal information, and then the other emphasis is on whether you derive 50% or more of your annual revenue from selling consumer information. Okay, so that's who CCPA applies to. Now let's look at GDPR, Donnie.

Donnie: Okay, so it's really interesting. When Carol first showed me the information on the CCPA, the way that I would kindly describe it is that when Carol explained who the CCPA applies to, it's almost like somebody had said, we're going to give you a nudge, we're going to push you in the right direction. The GDPR, on the other hand, was somebody hitting you with a hammer [inaudible]. It's quite different. So when you talk about the CCPA and the turnover of companies and the amount of people involved, the GDPR is much stricter. Now the reason I've got to mention this and really labor the point is, from what I've seen, from what happened in Europe, we've had non-European countries, Argentina, that have had to start adopting the rules and regulations of the GDPR. We've seen companies in countries such as Canada and California and various other places that are bringing in rules very similar to GDPR. I think this year it's going to start, and I think it's going to get worse. So the GDPR, the hit with a hammer: it affects any controller or processor established in the European Union that processes personal data. Now what that means, similar to what Carol mentioned, is if you interact with any European citizen or do business with them, and doing business could be anywhere in the world. You might just have a website based in the US on a US server, but you target somebody in England or in Poland or something like that; even if there's not a service they have to pay for, that data falls under the rules of the GDPR. So anybody who's controlling data or just processing, in other words using, data of any European citizen just
based in the European Union falls under the rules of the GDPR. And you can see the second line: any non-EU controller or processor offering goods and services to EU data subjects. So basically the rule of thumb is, if you do anything with any European-based residents, then you have to fall under the full rules of the GDPR, even if it's only one person. So it's really strict.

Carol: Okay, and Donnie, if I'm not wrong, that applies to people in the United States, organizations in the United States, right? You said that briefly upfront, but I want to emphasize: if people are retaining EU citizens' personal data, they fall under this, right?

Donnie: Absolutely right. If you don't mind, Carol, I'll just give one example of something that actually happened. We had, actually, a friend of mine here in England who worked for a US bank, lived out in the US, worked for the US bank for a number of years, retained his European citizenship. He worked for the bank, he had a bank account with them, he then returned to the UK, and by him returning to the UK and still having a US-based bank account, that meant that bank would have to fall under the rules of the GDPR. The easier one was to close the bank account. But that's how easy, and far easier, it is to be caught, if you like, by the rules of the GDPR, but also how far-reaching it is. It really is something that everybody has to be aware of.

Carol: Oh, go ahead, John.

John: It's timely, Donnie. With Brexit, do you foresee England changing its law from GDPR?

Donnie: Yeah, it's a really very, very topical question. With Brexit, as we leave Europe, there's a good chance we will, but I think it will make no difference whatsoever, because we'll still be dealing with European citizens, so we'll have no choice but to continue with the full force of the GDPR.

John: Another question here: so if I have a dot-com site not targeted to any particular country, and you go to my site and ask me to send you a newsletter, am I subject to GDPR?

Donnie: If you're a European citizen resident in the EU, yes, you are,
yeah, and that's how easy it is to get caught. We've got some examples later on in the presentation of companies and individuals, and that's important, individuals, who've been caught under the rules of the GDPR. But yes, you would be. The best way there is, is to block access to any European residents if you don't want them to be able to come in and do that.

John: Thank you. Carry on.

Carol: Thank you. All right, so let's get into more of the details of both CCPA and GDPR. So Donnie, why don't you go ahead and explain the eight rights of the GDPR.

Donnie: Yeah, so thanks very much. I'm very much aware that I'm talking quite a lot here; there's a lot for me to try and get across in a short space of time.

John: I think it's important, before you get started here, we have another question: has there ever been enforcement of GDPR against a company in the US?

Donnie: Yes, it has. Yes. So, I mean, Facebook, for example, Google, and those US companies have fallen foul of the GDPR erroneously. And the whole idea of the GDPR is not to force companies, and it's not just to fine people and punish them; it's to make sure they take it seriously. So a question we quite often get followed up with is, well, okay, it only came in in May last year; is there a grace period? No. And the reason they say no, a bit like with the CCPA as Carol says, it comes in in 2020, so we all know it's coming in, we've got time to prepare for it; if we choose not to prepare for it and be ready, that's on us, so there'd be no grace period. So companies have been fined. The one thing I'll say about the GDPR there is the scale of the fines hasn't been as huge as I expected, but there have been some pretty large fines, and we'll cover some of them, and we'll also provide you a link later on where you can go to have a look to see every person and every company that has been fined since the GDPR became effective last year.

John: Thank you, Donnie. Sorry for interrupting. Carry on.

Donnie: This is great. I know from working with Carol
myself, the questions will keep it fantastic; keep it interactive. It means people are interested, right? So that's great.

Carol: Absolutely, yeah.

Donnie: Absolutely. Thank you. Now, to labor the point on some of these rights for the GDPR, the first page is the most important page that you need to look at. There are eight; there are two pages, because some of them are really similar under the CCPA, and I think the direction the GDPR is going in is the direction the CCPA is going in, so I think these will affect people more as it goes along. The first one, the right to be informed. Now Carol is going to explain how similar the CCPA is. This is really strict; as I mentioned, we've been hit with a hammer. The right to be informed: this is at the first point of contact. The first point of contact for the company could be a telephone call or a visit to a website. You have the right to be informed of what we're going to do with your data. Now, what that really means in real life is that's a privacy policy, and the privacy policy has had to be updated on the website, for example, or it can be during a telephone conversation, to say: thanks for contacting HelpSystems; did you know we will be gathering your personal information to store it? Here's a link to our privacy policy. You don't have to read it out. The privacy policy has had to be updated for every single European company. In it you have to say, amongst other things, the data that we are going to use, data that could identify you as a person, why we use it, what we're going to use it for, how long we're going to keep it for, who we're going to share it with, amongst other things. And we have to tell you that by law, and if we don't, we can be fined. And it's really, really important that we tell you that at the first point of contact and you can find that easily. The GDPR even goes on to say it needs to be in plain language, so it needs to be understandable by a person who doesn't have a law degree, for
example. That's another really good thing. The two most onerous parts of the GDPR are right number two and right number four, which are fairly similar. The right to access, and you have a similar thing in the CCPA. The right to access is: anybody at any time can ask, and this has happened a number of times already for us at HelpSystems, to access their data, and what that really means is, in other words, can I please have a copy of it? Can I please have a copy of all the personal data you store on me? It's really far-reaching. Now we have a process that took us about nine months in the making, with two years to get ready, a really very good process that works really well. And the right to access: somebody can ask in that way. We have a link on the website. They could just ask an employee, so that means all your employees need to know about the rules and regulations as well. If they ask for a copy of all their data, we then have 30 days to comply by law to provide a copy of their data. We cannot charge for that. They can ask us for a copy of their data. Now the data, we can shoot it from a screen, we can provide it in an Excel spreadsheet, we can provide it however we like, but we have to give them all their data, listen to this, including every single email that they may be mentioned in. It's a hugely onerous task. Now to do that, you don't know where that data is in the first place; we'll come to that in a later point. It's massive. I can't overstate what a huge task this has been for companies over here. The right to rectification is, if you believe that any personal data that we store on you is incorrect or incomplete, you can ask us to put it right. This is slightly different. Some of these rules were around in the previous Data Protection Act, and to enforce it was difficult because it wasn't a law. We could say, can you put it right, I believe the data you store on me is incorrect, can you please put it right? We could go, yeah, we'll put it right for you in a reasonable amount of time, and two years later you could ask again, was it a
reasonable amount of time? Yeah, we've been busy. There's nothing to say otherwise. Not now. You now have a maximum of 30 days from request to put it right, and the onus is on the company to prove it's wrong if you don't want to put it right. The easiest way is just to change it [inaudible]. So number two, as I said, is the hard one; number four is the other really hard one, the right to erasure. I can ask you, or I can ask any company, to remove all my personal data where there's no compelling or legal reason to store it. Now that could be an employee leaving the company, and because they'd like to remove their data; it could be a company you just don't want to work with. The most common thing we found is, well, we've been marketing to people, and they're like, I don't remember [inaudible], can you remove all the information you have on me? We have to, by law, within 30 days, and we have to confirm it to them in writing that we've removed every single piece of data that refers to them. So there are some, I wouldn't say gray areas, but some things that become technically impossible to do. So for example, if I had to remove an email that somebody is in, can I remove it from all the backups? Now I can't; I'd be going through months' worth of work, a long time, to remove them from the system, and those will be grandfathered off. That's okay, as long as I tell them. They are really, really difficult procedures to implement. So with the CCPA, what I can see, I'm like, well, you've got it easy to start off with, but be prepared.

Carol: Yeah, it's not as onerous, for sure.

Donnie: Yeah. Next slide, please. Okay, these are not too bad. So two and four, they're kind of, can I have a copy of my data, can you delete me: very hard. The common theme is you need to know all that data in the first place, okay? So that's a really big task. Let's look at option five, the right to restriction of processing. Now this page, this is a page where the first page is used a lot; the second page isn't used very often, but they're there for a good
reason. So the right to restriction of processing: typically, if you think that the data that somebody holds on you is incorrect, you can ask them to put it right; they've got 30 days to do that. The alternative is, or as well as, you say, can you just stop processing it? Don't do anything with it, don't delete it, just stop processing it. It does mean that you're not allowed to use any data you have stored on a particular EU citizen, but it also means you need to notify any third parties who you may have shared that with that they can't use it either; they've just got to restrict using it. Quite a neat little one is the right to data portability. So we know we can have a copy of our data; we can ask them for a copy of the data in a portable format. Now, really strangely, the rules of the GDPR are that they recommend that a suitable portable format is a CSV file or Excel, so you can download your data to that. Why would you like to port your data somewhere else? Typically this is used for the financial or the insurance industry. If I've applied to borrow some money to buy a house or to buy a car, or I've taken out some insurance, life insurance or car insurance or home insurance or whatever, I might want to compare prices with six different companies. Rather than fill it in six times, I can do it once, then I can ask the unfortunate company that I went to first to give me a copy of it, and then in their format I can share it with all the other companies. The GDPR actually says, preferably, the company you asked should share it with the other companies with your permission, preferably electronically. So that's why that's going in; seven is a neat one, really neat. Here, honestly, I don't know if it's such a big problem in the US, I don't know, so Carol may correct me, but the right to object to processing: this is really from a marketing perspective. So I get telephone calls to my home phone saying, oh, you were in a car accident. No, I wasn't. Well, then, how do you know? So, would you like to put in the claim? No, please stop ringing me. And they don't.
It can be marketing material. I can object: I want you to stop processing my data. You have to do that within 48 hours, so you have to stop marketing to people immediately; if you don't, you can even get fined. The very last one, very rarely used, and I struggled even two and a half years ago when I started looking at this to find an example: the right to not be subject to automated decision-making. Again, it's to look after people; it's a good law to look after individuals. This is the way, and then the phrase it uses is, I want to be able to put my opinion across to a human being. And the two examples we came across were: one I mentioned, if I applied to borrow some money, or if I went onto LinkedIn, for example, and applied for a new job, a new role, and it's a computer program that decides whether I go through to the next round of being interviewed for a job role, or a computer program that decides whether I could be accepted or denied a loan, I can say I don't want that, I want it to be a person [inaudible], and the company has to provide that as well. It's never happened in the almost a year that the GDPR has been in effect. The only things we've had here is the right to a copy of the data, to delete the data, and to stop marketing. So there are three main ones we've had. Thanks.

Carol: All right, so GDPR, as you can tell, is pretty far-reaching. I think Donnie might have kind of characterized the California law as being a nudge, so the California law is going in the right direction, but it's not as far-reaching. So again, the five rights of CCPA for California residents: the first one is to know what information is being collected at the time it's being collected. That's the exact same thing as the first right of GDPR. So again, I don't know if you've paid attention, but any time you go to a website there's a little pop-up that says we use cookies, okay? It's GDPR and the California law that's caused that to happen. So right at the front, right at the point of collection, you have to tell people you're collecting data,
not just that you're collecting data, but exactly what you're collecting, what personal information you're collecting, and how it is to be used. Okay, so number two just kind of follows on with that: you have the right to know whether your personal information is being sold or disclosed, and to whom. So again, the California law really originated out of the Cambridge Analytica fiasco of Facebook information; that's kind of the impetus behind it, so you can kind of see the flavors of that impetus in the actual law, and number two is kind of that one thing. So the other thing that you can do as a California resident is say no to having your personal data sold, so you can prevent it from being sold. So again, if you're a Facebook user, Facebook is going to have to provide the capability for you to say, do not sell my data. All right, the next one is to access their personal information. So again, just like GDPR, you have the right to know what is being collected about you, and the company must be able to present that back to you, again just like GDPR, in several different formats, electronic or visual on the screen, so they don't say exactly how it has to be presented back to you. California law says that you can't charge for that, as an organization, when people ask for it, as long as they are not, well, I'll put words in the mouth of the law, being obnoxious about it. So they gave the example that if somebody asked twice a year, twice annually, for their information, that would not be considered obnoxious or an imposition, but if they start to ask more frequently then the organization can start charging individuals for that. But you get, at least as the example in the law, you get up to two to three times a year to ask organizations, hey, what information about me are you storing and how are you using it? So that's what the report is for you. And then number five says if you opt out of any of these things, so if you opt out of your data being sold or being used by the
organization in some way, shape or form, then you must still continue to have equal treatment by that organization. So they can't discriminate against you and say, well, we're not going to let you do this, that or the other thing, or have this, that or the other option. Everybody has to be treated equally whether or not their personal data is stored or allowed to be sold. So again, I like the way Donnie described it: it's kind of a nudge, where GDPR is definitely a hammer when it comes to what you can do with personal data.

John: Question.

Carol: Mm-hmm.

John: With number five, equal service, price, even if they exercise their privacy rights: what if we cannot provide that service unless they authorize us? I easily find on the use of cookies on a website, but we have features which require a login. It then becomes, let me slide down a little further here, see it all, it then becomes impossible to provide equal service.

Carol: Yeah, I'm not sure that a technology reason would stand under the law. You know, obviously this hasn't gone into law; it goes in January 1, so I don't know the case law for this one, but I'm guessing that the law would say, well, find a different technology reason to do this. This is more like, go ahead, Donnie, if you have any examples of that.

Donnie: Something similar has been happening over here, in that one of the things I mentioned is that you have to have a legitimate reason, so you have to have a legal basis to use their data. Now if they want to exercise their rights, but they hadn't given you, they still wanted the service, but they'd requested, they tell you, we can't use certain information about me, then we would use a basis called legitimate interest, in that they say they want to use a service, but they said we can't give you enough information to use it; we can still provide it. The GDPR will allow you to do that, because there's a legitimate interest between us as a company and the person that requested it in the first place. Does that kind of make
sense?

Carol: Yeah. I think a lot of it is like, you know, you have to provide your information to get health care or something like that. So I mean, certainly a health provider could say, well, I can't provide you care if you're not going to give me your personal information. I just don't know, if you're saying it's not possible from a technology perspective, that it would stand up.

John: So one other question here, and I think we're starting to get into sort of a bit of special cases here, but I'll go with this question and then we'll just kind of keep rolling here. So does right five in CCPA say that a company that takes my DNA for genealogy reporting, can this prevent them from selling my DNA to a life insurance company, like, you know, for instance, the way things work with...

Carol: I would think, if you're saying no to having your personal data sold, I would think that that would be the case. Wouldn't you, Donnie?

Donnie: Yeah, absolutely. And when you get to something like that, that example, they come under special categories of information, and there are additional, much stricter rules for anything that might identify, it's genealogy or gender even, or various areas; that becomes a special category of information that has stricter rules applied to it. So I would imagine that the inference or the implication would be the same under the CCPA.

Carol: I would think so. Thanks. All right, let me get this to move. There we go. Okay, so again, you know, let's take some lessons from GDPR. And so if you're looking at this going, oh, we've got to figure out what we're going to do about this; where do we start? So to me, we have to figure out what actually defines personal data, and the obvious ones to me are bank accounts, credit card numbers, Social Security, Social Insurance numbers if you're outside of the US. But Donnie, maybe you can speak to some of the not-so-obvious things that fall under the definition of personal data.

Donnie: Yeah, definitely. I've got a
good experience of this now, unfortunately, or fortunately. So yeah, the not-so-obvious: IP addresses, or even location services, or even video surveillance or CCTV cameras. Now here in the UK, and I'm not sure we should be proud of this, apparently we have more CCTV cameras per person: one video surveillance camera for every 14 people in the UK. So literally everywhere I go is pretty much on camera: camera images, CCTV images, registration plates, so that they can identify my car, and my phone. So let me give you a very brief idea of where my personal data is used on my 2.1-mile drive to work. I drive into the parking lot at work; there's a CCTV camera that registers me driving into the parking lot; it stores images of me. That's personal information, and the reason it's personal information is because the registration plate of my car they know belongs to me, because there's a database saying if I drive into the parking lot, that's one of the cars I've registered. It could be my wife driving; doesn't matter. So it's classed as my personal information. When I walk to the building, I take a key fob out of my pocket and I put that key fob against the door. That key fob knows it's me; that key fob is registered to Donnie McCall at HelpSystems, so it knows it's me walking in. As I come up the stairs, and you can probably visualize this, Carol, you've been in the building, I come to a different key pad into my office, and I use a different key fob that identifies me as I walk in. When I walk into the building, my cell phone connects to the Wi-Fi, and because I come in so regularly I get the same IP address, and location services identifies me. That's all personal information. So even photographs, IP addresses, email addresses, they all together become personal information, and it means that things like video surveillance: if there's a company across the road from where I work that has a CCTV camera, they have to display who's storing that data, and I can ask that company for a copy of that data that refers to me. So yeah,
the not-so-obvious are things like IP addresses, visual images, camera images, car registration numbers, key fobs. So there's a lot going on, right?

Carol: Totally, yeah. And that's why I wanted you to speak to that. So you know, you kind of have to think outside the box when it comes to personal information. Okay, so where do we start, Donnie? I mean, to me, the biggest challenge, I would think, would be finding all of the personal information throughout your organization. Would that be true?

Donnie: Yeah, definitely. It's the biggest task that you have to undertake, and I've got to say it's the most satisfying task, and it seems overwhelming, and it can be, but it really means you're going back to day one and working out all the information that you've got, all the locations you store it in, all the companies you share it with, and it makes you also say, why are we storing it in the first place? But that's something that you have to do, and that is absolutely step one of anything at all that you do. You can't do, it's like any good project, you need to start with all the information at hand.

Carol: Yeah, totally right. And get rid of it if it's collected and not used or no longer in use.

Donnie: Really important in the GDPR, and certainly already under the CCPA it's going that way, if you have no legal basis to use that data. One of the things that has happened is, for those marketing with the data and personal information, you have to have one of five different legal bases to use it. Consent is one of them, as I said. But with the GDPR, it became a retrospective law: it said you can use all the personal data you've already got, as long as, when you gathered it, it would comply with the rules of the GDPR now. So it was a great data cleansing exercise, and from a marketing perspective it was like, well, we can't send emails out to 500,000 people anymore; we said you can't, you can now send out to maybe 120,000 people, but the quality of it is far better. So yeah, you've got to work out where it is and why you've got it.
Yeah. So if you actually have it and you use it, it has to be protected, right? So, Donnie, have you seen an increase in the use of encryption, or how are people protecting that data?

There's two ways. We say that the GDPR only specifies that you have to use technological processes and procedures, and organizational: organizational is people knowing about it; technological is software and hardware. Encryption is the only method that we actually specify. We've seen an uptake in encryption and, unexpectedly, an uptake in virus checking software for non-Windows servers, so AIX, Linux, IBM i. We've seen that for virus checking and encryption for sure. Really, the thing we've seen a big uptake in since 2018, and as we've already talked about, once again: if it's not being used, purge it.

And that's kind of my pet peeve as well, people leaving data on the system that just doesn't need to be there anymore, and I'm guessing that as you went through the exercise of finding all the information there were probably reports that either included it and didn't need to include it anymore, or they didn't even need the report.

Yeah, absolutely right. What seemed like just a lot of hard work, to work over all the personal data, became a thoroughly enjoyable company-wide project that meant we ended up with our backups taking longer, sorry, taking much less time; our email databases shrunk massively, which again meant that, you know, I can only imagine that performance on the servers was quicker. It was great. It was very much a cleansing exercise.

So, yeah, absolutely: if you're not using it, purge it, and if you purge it you don't have to protect it because it's not there, right? So, yeah. Now, the California law doesn't have this, but does GDPR demand, like, a retention schedule?

Yeah. So it says that you have to tell people how long you're going to retain it for. As a very beginning part of the right to be informed, it's in the privacy policy: you have to tell people how long you can keep it for.
However, so typically we'll say we'll keep the data for two years after the end of any contract that we have with you. We can tell people that, but we can't enforce it, so we can only keep it if there's a legal basis to do so. So financing information, that's seven years; well, then we can keep it. So even if people ask to get rid of it, if there's a legal basis to keep it, we have to keep it. If it's a retention period that we've told them, we're going to keep it for two years, and they're no longer a customer or an employee and there's no legal basis to keep it, we have to get rid of it before the two years is up. So, yeah, we have to specify a retention period.

Okay, all right. So again, learning from GDPR, we have to make sure, and this is from the California law, we have to be prepared, upon request: the organization has to be able to explain, and we kind of talked about this earlier, the categories of the personal information that's been collected; the categories of the sources from which the personal information is collected, so how is it collected; the business reason for collecting the data or selling the data; the categories of the third parties with whom that data is going to be shared; and then the very specific pieces of that information that have been collected. So again, this is similar to GDPR, but as Donnie said, I believe you said, Donnie, that it took about nine months to develop the process. So if you deal with California residents, I think one of the things you'd like to tell them is: make sure you develop this process to give this information over to the residents. Is that true?

Definitely, absolutely right. As long as you make a start, you know, as long as the intent is there and you've made as much of a start as you possibly can, you're way ahead of the game before it actually becomes law. Definitely.

All right. So here, Carol...

Go ahead.

You know, I'm trying to figure out where to inject this one, but I'll throw it in here now and
you can have a discussion. I have it; this is from one of our attendees: "I have attended a few CCPA discussions, and after each one I walk out still confused about if my company is required to follow it. We do business with residents of California and make more than the dollar limit; however, we do not sell customer info to anyone. Can you clarify where the ANDs and ORs are on the CCPA requirements?" It seems like you just covered a bit of that slide.

Okay, well, you don't have to; all of those are ORs. So the requirements at the beginning of the slide, they were all ORs. So if you make over a certain amount, you have to comply. You don't have to make that amount, but if you sell 50,000 pieces of personal information, then you're required. So all of those are ORs; none of those are ANDed together. So if you retain California residents' personal information and your company, your organization, makes more than the amount stated, you must comply. All of those are ORs, and again, read the law yourself. You know, I put the link in at the beginning for a reason, and you can see that all of those are ORs. Yep, good question though.

All right. So again, the GDPR allows for the right to be forgotten, so the CCPA also requires organizations to be able to delete residents' personal information. There are exceptions, and I know that Donny and I have had conversations in the past about this. There are exceptions: you know, you do not have to delete that information if it's required to complete a transaction. So say that somebody has signed up for automatic monthly credit card payments, right? So in some way, shape or form you have to have that credit card information to be able to submit that payment. Well, if they want to sign up for that service, you can't delete that information. Okay, so that's one way, so needed to complete a transaction. CCPA also has an interesting one that I don't know if GDPR does, but you don't have to delete the information if it can be
used to track malicious activity. So they very specifically state that in CCPA, which is kind of interesting. And then of course, if it's required for legal purposes, so like if you're a financial organization or do any kind of financial transactions, typically those stick around for somewhere around twelve, seven years. So I thought that the track malicious activity one was kind of an interesting one.

All right, and again, you have the ability to opt out, so you have to provide a way for users to specify that their data is not to be sold. And again, as Donny said, it has to be in plain English. So CCPA, the law, literally says that it requires, in the privacy... well, one of the places is in the privacy statement, a box that says "do not sell my personal information." Doesn't really get much more clear than that. So it's not just in the privacy statement, but also when you first sign up for the information; you have to make it very easy for people to not allow their data to be sold. And again, we've talked about this already: if the resident opts out, they can't be discriminated against by the business.

So CCPA's definition of a breach is slightly different than GDPR's, so we'll show that one in a minute. But if any consumer's non-encrypted or non-redacted personal information, as defined earlier (CCPA has a whole laundry list of what they consider to be personal information, so you'll want to read that), is subject to unauthorized access or exfiltration, theft, disclosure, it's the business's duty to protect that information with reasonable security procedures, and if not, then they can be subject to a lawsuit or to a fine. So the penalties, and again you'll see a difference here between CCPA and GDPR: if the violator is notified that they have been out of compliance, they basically have 30 days from being notified to correct the issue, and then if they don't, you can have a civil action brought by the state of California Attorney General, so basically a class action lawsuit, represented by
all of the citizens of the state of California, can be brought against that organization. All right. So then, if it's not a class action sort of thing, then any person, business, and again, just like GDPR, look at that, it can be any person, not just businesses, any person, business or certified service provider that intentionally violates CCPA can be fined seventy-five hundred US dollars per violation. Okay, so the one that has the teeth there is that class-action lawsuit. So let's contrast that with GDPR. Donny, if you want to cover that?

Oh yeah, sure. Thank you, Carol. Yeah, so the definition of a personal data breach. I know Carol mentioned previously, read the CCPA; for people affected by the GDPR, read it as well, 261 pages of lots of words, but there's some really interesting stuff in there. This is taken straight from that. So it's a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted or otherwise processed. So people tend to think that a data breach is data that has been exposed, and in this case it's not; it's if you lose it, or it's altered, or an unauthorized disclosure. Now, to give an example: a company has been fined because somebody left their laptop on the train, lovely British railway train, or they lost a USB key, and they got fined because that was subsequently found and reported, "we found some data." So that's the definition, and live examples of what are data breaches. If we look at the next slide you'll see the lovely consequences and the fines. Ah, sorry, this is what we need to do now. The definition of the personal data breach has changed under the GDPR, and also the reasonable amount of time has changed as well. So it is a suspected data breach. So even if you don't know that a breach has happened, the processor, the person who has been using the personal data, has to, without undue delay, make the controller aware. Undue delay means you have to do it pretty much immediately; you can't go,
"Oh, I didn't know it was there." If you just suspect a breach, you have to let the data controller know. The data controller then has two things they have to, or may have to, do. One of them is compulsory, and that's the one on the right: within 72 hours of becoming aware, they need to report it to the DPA, that's the Data Protection Authority; basically, that's the regulatory authority in your European country; there's a list available. So within 72 hours of becoming aware of a suspected data breach, even if you only know a bit about what the data is, which maybe you have, let a data protection authority know. They will help you; they'll tell you what to do. Now, what's a good thing about the GDPR is you then have to tell affected individuals, but only if there's a high risk to their rights. So if the data that's been exposed has been encrypted and the encryption keys aren't with it, in all likelihood you don't have to tell affected individuals. Now, this is a great thing, because previously you'd see on the news data breaches occurring; they'd take a long time. So Yahoo's a good one: it took over two years to report the data breach, and it affected the share price and those other things. Now you have to report it within 72 hours, but you don't have to tell the individuals, so it probably won't be on the national news, if the individuals haven't been told, if the data's encrypted. So having encryption, virus checking, various things, are really good things.

The next slide is the shocking fines that you can get. Wow. There's two different categories of fines. These aren't all the reasons, but there are some of the reasons you may get fined. The first carries up to 10 million euros or 2% of your total worldwide turnover for the previous year. Now, to give you an example of how serious it is: as a company, HelpSystems has 775 employees; in Paris, France, I have a single employee, and if that lady in Paris, France accidentally caused a data breach, and it could have been only minor, she might have lost a USB key, if the
data on it was personal and it was, you know, exposed, we as a company could be fined two percent of our global money that we had coming in in the previous year. Huge. The second one: up to 20 million or 4 percent. The first one there is failure to obtain consent to process the subject's data. So here, Carol mentioned you can opt out; you don't opt out here, you have to opt in. Since this law came in, the ability to opt out has become illegal. Not, literally, opting out, but to pre-check a box to say "we're gonna do this with your data, we're gonna send you this information unless you uncheck the box": you can't do that. You have to take a positive action to opt in, as opposed to opt out. If you don't have consent to somebody's data, or it could even be a point of marketing data to them one day, you haven't got consent, you can get fined up to 4%. It's quite scary, isn't it?

Yeah, it's this one, as you say. CCPA, that is a nudge; this is a definite... I won't just call it a hammer, it's like a sledgehammer.

Oh yeah, that's just not what you want to be doing.

Okay, so Donnie, why don't you... We've alluded to a few of these along the way, but if you have some others on this slide that you want to talk about, where the fines have come in?

Yeah, well, so these: the Information Commissioner's Office, that is the regulatory authority, the main regulatory authority in the UK, that covers a number of European countries as well, fined Facebook half a million pounds for serious breaches of the data protection law, and that's the one that you did come to see hit the news, because obviously that's quite a globally known one. But Heathrow Airport, there, five hundred and twenty-five thousand, one hundred and twenty-two thousand pounds, for failing to ensure that personal data held on their networks was properly secured. That was a USB key; that was purely a training course that took part at Heathrow Airport, and the trainer had videoed the people being trained and lost the USB key, the key with the data on it, when
somebody viewed that. For eight seconds there was information on a written pad, a notepad, that listed all the people involved. That took five hundred and twenty thousand pounds. It just makes you... you've got to be incredibly careful. Now, if that USB key was encrypted, Carol, it wouldn't matter.

It would not, exactly, yeah.

Because you wouldn't be able to read the information. Bupa, they are the largest health care provider in the UK; they were fined as well for not having effective security measures in place, and that was basically internal information that could be viewed. But this is quite an interesting one: a former admin assistant at a used car dealership was prosecuted for obtaining personal data of customers. This is basically a lady that was working in administration, and she looked up information on customers and other employees. We've had other ones for individuals as well. We've had individuals, for example, a guy who worked at a school, and when he left he took some information on the pupils with him; he found the information interesting from an educational standpoint, took it to his next employer, put the information onto a server there. Careful, you can't do that; he didn't have the consent to do that. And it's even been to the point, there was quite a famous one, because police forces have been fined as well, as well as the Crown Prosecution Service, so actually the Queen's government and her law has been fined. A police force was fined for... yeah, quite scary. And so the ICO has overriding powers, because it's personal data, over literally any law of the land. So a police force was fined because one of the police officers was asked to contact 25 different people who may have been affected by crime; they'd arrested somebody and identified other people. The police officer sent the email out to all 25 people with all their email addresses in there too, rather than blanking them out, which then meant all the other people knew of the other people, and their email
address, who may have been affected by crime. They got fined for that, because that's exposing personal data, and that's classed as a breach, as you very well know.

Yeah, too easily done, right?

Far too easy, yes.

There's a question on these fines here, guys, that I'll just throw in here. It's like, where does all the fine money go?

Where does it go? Okay, that is a really good one. Okay, it goes to the regulatory authority to make sure that they can employ more people to enforce the Data Protection Act. The whole point is it's always a continuing circle, John: that money comes in to make sure the Information Commissioner's Office can enforce, I don't like to use the word police, but can enforce the rules of the regulation to ensure that personal data is properly secured, and it becomes a way of life. It's just that we have to think about it all the time. That's exactly where it goes; even the government... it's, yeah.

They're very similar, and it's similar in the California law; they have a little bit of wiggle room, but they haven't defined exactly where it's going, but the allusion is that it's going back to feed themselves.

Well, there's some skepticism, you know, in the questions as I'm watching them roll by, and they're thinking that the lawyers get most of the money.

I'd probably say, if this is California, I'd probably agree with that. In the UK I'd probably say no.

Yeah, I don't know. I mean, if it's a class-action lawsuit I would say yes, but the state of California takes its chunk, and that's very specific in the law as to what chunk it takes, not what's blank in here. But we've got about three minutes to the top of the hour, right? So the whole point with trying to do this presentation is to try to get you familiar with the law, thinking about the law. If you do business in California and you retain any kind of personal data, you need to start thinking about it, and you need to talk to your management, and hopefully they'll listen to some things so that
you can start to prepare and not just put their fingers in their ears and blah blah blah. All right, so one last plug for the in-depth security training we're holding in Las Vegas on July 23rd and 24th. If you need more information on that or would like to see the agenda for that, you can go to this website or send an e-mail to Sam Vander Waal at HelpSystems. You should also receive a link to this event in the follow-up email. And with that, I will turn it over to John.

One last question for you all, and I thought it was an interesting question; the person just left, but it was an interesting question. "Reasonableness" is a bit of a nebulous term. Who defines that?

Well, there are examples in the law of reasonableness, and if it's not defined, then it's going to be defined in a court of law. And again, from the California perspective, you have to think about how it originated: it was directly derived after the Cambridge Analytica breach that, you know, was using Facebook users' information without their permission, and so that's what sparked this law to come into being. And so I think in that instance you could say that there was not reasonableness on the part of either Cambridge Analytica or Facebook with the use of the personal information. So my guess is that it's going to be defined on a case-by-case basis, but the point here is: protect the data, and then you don't have to worry about it, right? GDPR has a very specific reporting structure, as Donnie showed in his chart; the California law does not have that, except for their previous laws on breach notification. But again, in that case, if the information has been encrypted, then you don't have to notify. So the message here is: find the personal data; if you're not using it, get rid of it; if you do have it, protect it, meaning the best way to do it is encrypt it.

Well, we've wrote... there we go, an advertisement other than the security deep dive. Great. Suffice it to say that HelpSystems gets involved
in professional security services. We do a lot of different services, ranging from risk assessments to penetration testing to architecture to remediation to managed security services, all on the IBM i, and then we have a lot of software tools as well that cover security on the IBM i. So here's just a listing of some of the various software products that we have available; again, these will be part of your handout. If you look at one of those and the brief description catches your eye, give us a call, send us an email, send it up to Sam; we'll be happy to get you more information. So we do everything from compliance reporting to secure managed file transfer and everything in between, as you can see on this particular slide.

So thank you all. We are at the top of the hour, actually past the top of the hour. Thank you, Donny; thank you, Carol, for a great session. Enjoyed a lot of the questions we had, you know, coming through here. One comment I thought was kind of funny: at the end, an attendee said, "Tell Carol not to hold an IBM i security deep dive in Las Vegas in July; nobody wants to go to Vegas in July." And I'm going, well, I think maybe they do, because it's Vegas, but it is air-conditioned; we don't hold it outside. [Laughter] Thank you, everyone. I'm going to go ahead and end the recording now; we don't seem to have any more questions. Appreciate everybody's time and attention, and thank you all for being a very interactive group, and we will see you at the next Coffee with Carol. Thanks, everyone.
