CCPA California Consumer Privacy Act and HIPAAIf you haven’t heard of it before there is a thing called the California Consumer Privacy Act (CCPA).  It is considered the first version of a GDPR-type legislation on this side of the pond.   It becomes effective Jan 1, 2020.  There are many folks that think the CCPA isn’t something for them to worry about.  Well…  Maybe you should take a second to reconsider that position.

Shout out to George Fenton, our diligent listener out on the west coast.  He sent us a note about ransomware issues that we should have included in some of our discussions.  We mentioned before that often hackers have been in there a while and ransomware is launched on their way out.  By the time you start getting the ransom messages, they have already done everything they wanted in previous weeks or months.

The more specific thing we should be discussing is what we call “dwell time”.  That refers to how long you could be infected or infiltrated or both prior to your ransom messages displayed.  A recent Dark Reading article that George passed along specifically referenced the UK’s National Cyber Security Centre (NCSC) warning the recent Ryuk strand being known for its long dwell time.  Ryuk is getting nastier in each iteration.  It hangs around and figures out what version works best on your systems.  It can determine what value your data has and sets ransom accordingly, even.

Due to the length of time the ransomware is present prior to the encryption taking place, dwell time, you can’t just nuke and pave to your latest backup.  It will likely also be infected.  In fact, you would need to go back 100 or more days to be certain you aren’t infected.  The most recent dwell time published was 86 days.

Thanks for pointing this out, George.  Well, maybe thanks for pointing out we missed something.  At least, thanks on behalf of our listeners!  

Like us and leave a review on our Facebook page:

CCPA and HIPAA require consideration not assumptions

You may have never heard about CCPA but it is time that everyone gets educated on it even if just a little bit.  If you are a consumer, you should understand the rights that are included in this law.  If you are a business you need to understand the obligations to protect those rights.  While California may seem like something very distant from you, the problems it is trying to address are everywhere we look.

What is CCPA?

This law is considered the first US version of GDPR for a reason.  There are very specific disclosure requirements and rights for consumers to control how their information is used and shared.  Sound familiar?  We told you that HIPAA-type legislation was going to impact everyone.  All the folks that have complained about HIPAA being so hard would be way ahead of the pack if they had done the basic requirements from the beginning.  Now, they are behind just like everyone else.

The law includes statutory fines which is to be expected.  But, the big news is that it allows for individuals to sue businesses directly for certain violations.  The only thing that has allowed companies to continue to violate HIPAA requirements at the level they do today is the lack of a right to sue.

It is unfortunate that the litigious society we live in reflects so many of the bad parts of our system.  But, when you see what happens when the option doesn’t exist it is equally sad.  Without the lawsuits the businesses usually want to do the bare minimum, if anything, to protect the consumer.  Does that apply to all businesses?  No.  But, the litigious society doesn’t apply to all consumers either.  Many people just want to be treated fairly and many businesses just want to do the right thing.

Who does CCPA apply to?

Everyone in California but not everyone in California is the answer (you should really expect that answer from us at this point).  There are several steps you must go through to determine if CCPA applies to your business in the first place.

Do you collect information on any residents of California as part of your “for profit” business?  

There is more to this than you originally think, though.  When they say “collect” the information, there are several things that apply to that “collect” definition.  The term under this law means that you receive, buy, rent or access information even if it is just through cookies.  Plus, the information could be associated (just like HIPAA reasonably associated applies) directly or indirectly to a particular consumer, or household.

Then, you ask if that person or household is in California for other than temporarily OR they live in California and they are outside the state for a temporary purpose.

If you make it past that part, you keep going through the following questions next.  Do ANY of these apply to you?

  1. Annual gross revenue in excess of $25 million in your “for-profit” business
  2. Derive 50% or more of your annual revenues from selling consumers’ personal information
  3. Buy, receive for a commercial purpose, sell or share the personal information of 50,000 or more of these California consumers, households or devices on an annual basis
  4. Are a non-profit but you control or are controlled by a for-profit business then some other things apply.

Note that a small business with less than $24m in revenue could easily collect data on more than 50,000 consumers, households, or devices annually.  Pay close attention to each of the requirements because all it takes is one.

Do you do business in the state of California?

If you are still with us then the next question is, do you do business in the state of California?  That gets a little tricky because you could do business in the state of California.  If you are not sure, it is important that you have an attorney help you sort this one part out.  If you don’t do any business in the state you may be free and clear, for now.  You still have to worry about your business partners, though.  If they do business in the state that could require you to meet the requirements in a trickle-down effect in the same way that HIPAA BA requirements do the same.

What does CCPA require a business to do?

One thing I think many people miss is that a consumer can ask you for details about their information going back 12 months.  I rarely hear anyone mention it.  But, all those folks who haven’t been doing HIPAA for 6 years should know that it is impossible to create documentation that was supposed to be created months ago.

Without getting too deep into the details here.  There are some basic requirements that get people’s attention when they start to understand the rules.

The data applies to anything that could be tied to a person.  That includes things like IP addresses, yes, but also browsing history, geolocation data, and more.  My favorite one I read included this list:  audio or visual or olfactory data.  Olfactory data?  I am sure people are tracking the smells you like based on several things you buy.  But, never did occur to me that people are tracking the things I like and don’t like to smell.

You have to be able to give a list of all the data you collect on a consumer (or a business) if they request it.  Restrict sharing of that information if they ask you to do so.  Plus, and this gets tricky, delete the information if they ask you to do so.  Granted that last bit has several exclusions for data you must keep on file.  But, it does require you to do things that most computer systems today just do NOT want to do.  You are supposed to remove all traces of the information.

Of course, you also have to prove that you have protections in place to prevent the information from getting into the wrong hands.  That means if people shouldn’t have it, you are working diligently to keep them from having it.  That includes all the stuff we are used to dealing with like training, incident response, etc.  You know, what a real cybersecurity program would include.

What about healthcare and HIPAA requirements?

Now we get to the good part, right?  But, HIPAA means I don’t have to do that stuff because it overrides state laws.  Nope.  Not the case.  HIPAA takes precedence over state law only when the state law provides LESS protections to the patient.  If it provides more protection then it doesn’t automatically make the state law irrelevant.

Thankfully, for those in the state, or subject to the law, they did add an exemption, of sorts, for HIPAA.  The data covered under HIPAA for those entities does not have to meet the CCPA standards.  They did NOT say that you don’t have to meet them at all.  They just said that the data you do consider to be PHI does not apply.  Your business probably collects information on individuals that is not considered PHI.  That information now becomes PI under CCPA.  You are required to protect all of that other data under CCPA.

For years, people have made all kinds of arguments about what is and what isn’t PHI.  Now, that doesn’t matter.  If you have any kind of personal information that isn’t PHI then it falls under CCPA.

So many people think HIPAA gives them a free pass.  Clearly, not true.  Also, all those companies that were thrilled that HIPAA didn’t apply to them now have to deal with this requirement without any exemptions for that healthcare data.  Med spas, cash only providers and more should be getting ready right now.

What should you do now?

Figure out if CCPA applies to you or not.  If it may, then get an opinion from an attorney that understands this stuff.  Not your Cousin Vinny.  I love that movie!!

If it does apply then you have to figure out what data you have to protect under CCPA vs data that falls under HIPAA.  Map out your data and get a plan together to address the requirements.  We have a few resources linked below.  Remember, what you have in place for HIPAA will be helpful but it will not meet all the requirements for CCPA.

How to get your organization ready for the California Consumer Privacy Act

CCPA Is Coming: Things You Can Do Now To Prepare

20 Questions (and Short Answers) On The California Consumer Privacy Act

As states continue down this path of developing their own standards for privacy rules, every business must remain alert to the impact these may have on your own operations.  As I heard over and over at SecureWorld Atlanta, until there is a federal privacy law addressing these issues we are basically screwed.  I would wager a majority of businesses in the US today operate in all 50 states in some manner.  If they make anything to sell they can be shipping them worldwide today.  If a state law says collecting any information about their citizens means the law applies to you then you could be on the hook.