In July 2020, The California Attorney General’s Office began enforcing the privacy protections enacted in the California Consumer Privacy Act (CCPA), a first-of-its-kind law for the US,. Businesses — many of which were focusing on the COVID-19 pandemic — had called on California’s attorney general to delay enforcement, citing limited resources because of the pandemic and uncertainty about the law’s final regulations.
However, CCPA enforcement commenced as planned on July 1. Therefore, organizations — including those not based in California but with customers in the state — must prepare for what could be significant financial implications, including potentially severe penalties for noncompliance. Risk professionals and others must quantify their organizations’ exposure to the CCPA and other privacy regulations to articulate potential losses and manage financial risks.
While quantifying all risks in financial terms should be a priority, calculating even approximate financial exposures from the CCPA is bound to be complicated due to lack of historical data. Still, companies can assess their potential exposure by taking the following three actions.
1. Build or Reinforce a “Privacy by Design” Program
Similar to preparing for compliance with any privacy regime, the first step in CCPA preparation requires a company to confer with its legal and privacy counsel to consider a “privacy by design” approach to data collection, management, and retention. Such an approach would incorporate privacy into technology and systems by default. By integrating this approach into broader cybersecurity and information security programs and controls, you can establish a baseline culture of privacy readiness.
There is no one-size-fits-all approach; companies should tailor their privacy programs to their unique data needs and business models. At a minimum, a privacy program should account for information flows, existing data inventory and future data collection, and data retention. It should also incorporate appropriate policies and procedures for purpose-driven data retention. For example, a data inventory can reveal all data assets held by a company that fall within the CCPA’s purview. A comprehensive data inventory is also useful in setting the foundation for compliance with future regulatory regimes in other states.
Data inventories often exclude the information flow and data shared with third parties and vendors. As part of their inventory process, companies should consider re-examining their data sharing practices, contractual relationships, and obligations that either they or their vendors have with regards to data.
By challenging and assessing current data practices, a by-design approach can help companies to shift their privacy culture away from a compliance checklist and instead move toward a holistic understanding of data. This deeper understanding lays the groundwork for a more accurate assessment of regulatory risk, one that takes into consideration not just the CCPA but also other potential future regulations that may address the growing concern over corporate monetization of private information.
2. Calculate Maximum Penalties
The CCPA includes two distinct categories of financial losses that could result from noncompliance: private right of action damages, either individually or as part of a class action, and regulatory fines and penalties. As organizations quantify the potential financial impact of the CCPA, they must consider both possibilities.
For comparison, the EU’s General Data Protection Regulation (GDPR) — a landmark privacy regulation enacted in 2018 — also has a private right of action provision. However, some suspect that the risk may be greater under the CCPA because of the litigation environment in California. While consumer class actions resulting in large settlements or judgments are commonplace in the US, European jurisdictions do not generally provide US-style class-action rights. Companies should confer with their legal counsel in assessing the likelihood and severity of this risk.
Organizations can start to calculate potential damages from a private right of action by measuring CCPA exposures based on the letter of the law. For example, since a private right of action can lead to statutory damages of up to $750 per incident, per consumer, an organization handling data of 200,000 California consumers could see damages of $150 million for a single privacy violation incident.
Other consumer protection laws in California also provide useful insight. By analyzing litigation arising from other statutes that allow for a private right of action in California and their frequency and severity, businesses can better estimate their potential exposure under the CCPA.
3. Examine Exposure to Cybersecurity Events
The likelihood of an enforcement action or lawsuit under the CCPA closely aligns with the likelihood of a data or technology breach. Thus, in order to calculate the financial exposure arising from the CCPA, you should consider quantifying your overall cyber risk.
Cyber risk quantification starts with basic math: What assets or records do you have, and what would be the first- and third-party costs you would incur if these were lost, stolen, or jeopardized? What types of events are you most susceptible to given your specific threat environment and internal practices? And what areas of your business and data are vulnerable to disruption or damage?
Quantification can also include an honest assessment of an organization’s cybersecurity posture: What controls and security measures do you have in place, and how effective would they be in preventing a breach or cyber-attack? Additionally, it is a good practice to analyze your cyber event history.
Breach modeling can also include a range of potential cyber event scenarios tailored to your specific organization, rather than industry generalizations. It should consider the potential financial impact of events of different severities and frequencies — for example, what would be the cost of a one-in-two-years event? What about the cost of a one-in-100-years event?
Once you have a clear view of the potential cost of your cyber exposures in general, you can layer on the further risk exposures presented by the CCPA, GDPR, or potential future regulations. The specific metrics and components of risk quantification will be different for every organization, but all companies should consider engaging in it — especially those subject to the CCPA or other privacy regulations.
Determining your exposures to cyber risk in general and privacy regulations specifically can help you make appropriate, data-driven investments and to prioritize technology, risk transfer, and other cyber risk management practices. However, given the fast-evolving cyber threat and privacy regulation landscapes, that measurement should not be a one-time exercise. Instead, cyber risk assessment should be a continuous and frequent practice that incorporates changes in your own cybersecurity efforts as well as the external environment.
Finally, it’s imperative to remain aware of changes in privacy regulation that could affect your organization, and be proactive in learning what consumer data protections are required by law. Focus on the reason behind the regulations and factors driving their implementation, including consumers’ growing desire for privacy protections, and increasing expectations by consumers, regulators, and others for increased corporate accountability and responsible privacy stewardship. Organizations that understand the principles behind privacy regulations, conduct a thorough assessment of their exposures, and adapt their data practices and culture will position themselves ahead of the curve of new privacy regulations rather than constantly playing catchup to comply with new regulations.