Is California ready for CCPA 2.0?

The organization known as Californians for Consumer Privacy announced yesterday that it has secured enough signatures to qualify the California Privacy Rights Act (“CPRA”) for the state’s November 2020 ballot. The CPRA seeks to do the following:

  1. Sensitive Personal Information.  The law will add a new category of information known as “sensitive personal information” and provide new rights for California consumers, allowing them to stop businesses from using their sensitive personal information.
  2. Definitions.  The CPRA may further aim to clarify that sensitive personal information includes a person’s health information, financial information, and geolocation data collected without consent.
  3. Right of Correction.  The law will give Californians the right to ask businesses to make corrections of any personal information that is inaccurate.
  4. Data Breach Liability.  The law seeks to revise and clarify the CCPA as it relates to data breach liability.  Specifically, it states that any breach in which a consumer’s email address is compromised together with (1) their password or (2) a security question and answer (a combination that would essentially give attackers unfettered access to the consumer’s account) can result in liability for the company.
  5. Children’s Privacy.  The law seeks to enhance children’s privacy rights and to triple the CCPA’s fines for collecting and selling the private information of minors under 16 years of age.
  6. New Enforcement Arm.  The CPRA seeks to establish a new enforcement authority to help protect consumers’ rights, called “the California Privacy Protection Agency.”
  7. Increased Transparency.  With the help of this new agency and redefined legal requirements, the goal is to increase transparency and to give consumers greater control over their data.
The Swedish Data Protection Authority issues fine against the National Government Service Centre

The Swedish Data Protection Authority has imposed an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify the affected parties, as well as the Data Protection Authority itself, of a personal data breach in due time.

It is not very common for a public organization to have to pay a fine. The fine is more symbolic than anything else: the amount is small and simply moves from one pocket of the Swedish administration to another.

ICO intends to fine British Airways for a Data Breach

The British authority, the ICO, intends to fine British Airways £183 million in relation to a cyber incident that British Airways reported to the ICO in September 2018. The incident involved user traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested customer details. Personal data of approximately 500,000 customers were compromised in the incident, which is believed to have begun in June 2018. According to the investigators, poor security arrangements caused the breach.

Managed Security Service Provider’s GDPR Liabilities

The growth of the MSSP sector has resulted in efficiencies from outsourcing data processing.

The recent GDPR legislation has created further compliance demands, leading to potential confusion over the division of responsibilities between the outsourced IT provider (the data processor) and the client (the data controller), who decides what is to be done and the associated budget.

MSSPs now need to adapt their model to accommodate the significant changes introduced by the GDPR, thereby avoiding the legal consequences of non-compliance for their business.

These changes encompass:

  1. Accountability and transparency
  2. Data protection principles
  3. Certainty about security and confidentiality
  4. Governance support and advice on duties

The legislation requires the data processing community to be fully conversant with GDPR governance. For example, MSSPs will need to ensure that the data collection process undergoes a ‘privacy impact assessment’ before a ‘data leak prevention’ solution or, similarly, an advanced web filtering solution is deployed.

The remit of MSSPs implementing managed advanced threat protection solutions includes the processing of personal data and of the more sensitive categories of data defined in Article 9 of the GDPR. Providers are directly liable under European regulation for infringements involving such sensitive information, namely political and religious opinions or sexual orientation.

Data Processing/MSSP – Risks of Non-Compliance

  · Damaging loss of reputation for the company.
  · Sanctions from the supervisory authority. MSSPs, data collectors and end customers are all exposed to the risk of penalties from the ICO in the UK or the CNIL in France (public warnings up to and including a 10 million euro fine or a penalty of 10% of worldwide turnover).
  · The courts may impose prison sentences or significant fines on the data collector or sub-collector.
  · Under civil law, contracts may be cancelled and customers refunded.

The change in legislation is a major wake-up call for the entire managed security service provider sector. GDPR compliance is now a reality, and the priorities need to start with designating a DPO and training teams. The consequences of contravening the GDPR are financially damaging, let alone the damage to reputation and to trust in the company’s brand.

Being compliant is a reality, and it strengthens the overall value proposition, enhances reputation and promotes security best practice.

PS: I tried to summarize this complex subject in one page, so if you have any comments or questions, don’t hesitate to contact me directly.