The California State Legislature recently completed a data privacy/data security two-step by passing two new laws with significant third-party risk management implications for a broad range of companies.
In late September, California enacted what some are referring to as the country’s first “Internet of Things (IoT) security law.” The new law requires manufacturers of connected devices (those capable of being assigned an Internet Protocol address or Bluetooth address) to equip them with “reasonable” security features. This vague qualifier is (somewhat) fleshed out in the law’s description of security features that are:
- Appropriate to the nature and function of the device;
- Appropriate to the information it may collect, contain, or transmit; and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
The law states that it does not provide a basis for a private right of action, so the statute itself cannot be used to bring class action lawsuits following a major data breach of a connected device (claims under other laws are unaffected). The law is, however, enforceable by the California Attorney General as well as city attorneys, county counsel and district attorneys. “As a result, a manufacturer of a device that turns out to have an exploitable security issue may face legal jeopardy on many fronts….” according to a Davis Wright Tremaine LLP bulletin on the new law.
These requirements are currently scheduled to take effect Jan. 1, 2020, the same day the sweeping California Consumer Privacy Act of 2018 (CCPA) is scheduled to take effect. Approved swiftly in June, the CCPA is notable for a number of reasons, including:
- The law’s definition of “personal information” is broad: Personal information includes a consumer’s personal identifiers, Internet browsing history, geolocation data, psychometric data, biometric data and “inferences drawn” from any of that consumer data, according to the bill.
- The CCPA reaches a wide range of companies: While the law applies to the world’s largest technology companies, any for-profit business that does business in California, collects personal information of California residents and meets any of the following thresholds will have to comply, including Internet service providers, data brokers and retailers: 1) gross annual revenue above $25 million; 2) buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or 3) deriving 50 percent or more of annual revenue from selling consumers’ personal information.
- The law affects third-party risk management: The CCPA’s “service provider” status depends on a written contract that restricts the provider to using personal information only to perform the contracted services, so companies will need to revisit their contracts (including service level agreements) with third-party data processors, among other crucial vendor risk management considerations.
- The CCPA’s quick passage is noteworthy: The law materialized rapidly in June after the sponsors of a ballot initiative containing similar requirements agreed to withdraw their initiative on the condition that the California state legislature approve a replacement law (one that can be amended to address compliance problems before it takes effect). California legislators did just that, introducing a comprehensive bill that Governor Jerry Brown signed into law within a week. Although the conditions that drove the law’s prompt passage are unique, the public’s desire for data privacy regulations and the speed with which these laws can be introduced show that the early warning systems companies use to detect, shape and prepare for legal and regulatory changes may need updating.
It’s also notable that, unlike the ballot initiative it replaced, the CCPA can be amended by the legislature. Any changes that do occur appear likely to clarify compliance requirements rather than relax them. Given that a PwC survey finds that only 52 percent of U.S. companies that will need to comply with the CCPA expect to be compliant by Jan. 2020, organizations should immediately begin assessing and addressing their compliance needs.