GRC & Me Ep 9: Donata Kalnenaite Talks CCPA

In today's episode, Donata Kalnenaite joins GRC & Me to share her expertise concerning the California Consumer Privacy Act, or CCPA. She sheds some light on what the Act means for companies and how they protect their data, as well as how to establish data privacy policies that protect companies and customers alike. Donata rounds out her advice with three tactical tips to ensure compliance.

Show Transcript

[Host Megan Phee] Hi, I'm Megan Phee. And this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends and more. Learn about their methods, solutions, and outlook in the space.

On today's episode of GRC & Me, I have a very special guest. She's the president of Termageddon. More than that though, she's an experienced corporate and data privacy attorney. Donata is a Certified Information Privacy Professional, and she has a background working with the Illinois State Bar Association and customers to help them create policies to keep their business protected.

So Donata has a really interesting background of why she became a lawyer. She came from an immigrant family. Her father came to the United States from Lithuania when he was in his late 20s, and she came to the US when she was 12. Her father did not speak English and he was getting married. So he asked Donata to come to a meeting with his lawyer to translate. She'd never met a lawyer before, so she asked a lot of questions about how he got into law, more about his profession, his education.

She says that she wishes she could remember the name of that attorney who inspired her, but his openness to answer questions and to speak with someone so young about his profession. And it really inspired her to go to college to study law and now become a practicing attorney.

So Donata, thank you so much for joining us today.

[Donata Kalnenaite]: Hi Megan. Thank you so much for having me. I'm very excited to talk about this stuff today.

[MP]: All right, so let's get into this. So based on your experience, we're excited to hear from you what's been going on with the regulations, whether it's GDPR to CCPA. So I'd love to begin today on a high level, what is the purpose of CCPA?

[DK]: Yeah, so it kind of at least in my opinion, it has a couple of different purposes. So the main purpose would be to further Californian's right to privacy by giving them a way to control their personal information and by giving them certain rights. So the legislature found that Californians were very interested in protecting and safeguarding their privacy. That kind of goes through the rest of the country as well. But since it's Californian legislature, that's what they're focusing on.

So they were interested in keeping pace with technology developments and the privacy implications of those developments and to protect Californian consumers from unauthorized disclosure of personal information and the loss of privacy. So one of the things that I thought was very interesting with the CCPA is that the legislators and the people who actually wrote it, named the Cambridge Analytica scandal. And that's kind of really what I think spurred all of these legislative changes right now, not just in California, but in other states as well, is the whole Cambridge Analytica thing.

[MP]: And regards to CCPA, do you know how long the bill had been in the works and who or what was behind its support?

[DK]: Yeah, so it really wasn't in the works for very long, right? When you think about GDPR and some of the other laws, they were in the works for years to come to an agreement, but California kind of did it a little bit differently. So in 2018, there was a real estate developer who spearheaded an effort to include a new privacy law, the Consumer Right to Privacy Act of 2018, and it was added on the November 2018 ballot because there were so many people that were interested in it.

So the Californian legislature, they didn't really like the Consumer Right to Privacy Act of 2018; there's a lot of rights that consumers got with that Act. It was very ... Some people would say that it was very unfriendly to businesses. So basically what they did is they negotiated and passed the CCPA instead, in exchange for an agreement to drop the Consumer Right to Privacy Act from the ballot.

So it really wasn't on the ballot for long, it passed on June 28th so it was in the works for approximately three weeks.

[MP]: Wow.

[DK]: Yeah. Now those three weeks there's a lot going on, and they had to draft the whole thing and everything like that. And some people are arguing that because it was such a short amount of time, the law itself is a little bit confusing. So there's drafting errors, there's spelling errors, those things that are not clarified is very broad. And it's unclear whether or not the legislature actually intended it to be that way, or whether or not those were drafting errors that were caused by the short timeline of this bill.

So a lot of the people who support this bill are obviously privacy activists, consumers, there are some legislators. So Ed Chau, who's a member of the California State Assembly, and Robert Hertzberg, who's a state senator, were the main legislators behind the law.

[MP]: That is really interesting, and you mentioned it because it was drafted in a broad context. So I think some folks, whether it's businesses or consumers, their question is, who does this apply to? So could you just share, to whom do you think the CCPA regulations apply to?

[DK]: Yeah, so it applies for any for-profit legal entities, so like LLC, corporation, partnership that collects consumers' personal information, that does business in California and then meets one of three different kind of factors. So if they have annual gross revenue above $25 million, if they annually buy, receive, or share the personal information of 50,000 or more consumers, households or devices, or if they derive 50% or more of their annual revenues from selling the personal information of consumers and consumers are defined as California residents.

So it seems like it would apply mostly to really large businesses or businesses that deal in a lot of data on a frequent basis or businesses that sell personal information.

[MP]: And so you mentioned the consumers are defined as California residents. So how does the CCPA affect those consumers today?

[DK]: Yeah, so the CCPA provides certain rights to consumers or California residents. The rights are knowing what personal information is being collected about them. To having proper and clear disclosures in like privacy policies and things like that, know whether that personal information is sold or disclosed, and to who California consumers have the right to say no to the sale of their personal information. They have the right to access their personal information and then they also have the right to equal service and price, even if they exercise their privacy rights. So you can't discriminate against somebody because they asked you not to sell their information.

[MP]: Okay. Yeah. So it sounds really similar to GDPR legislation and the requirements there. So what would you say are the fundamental differences between CCPA from GDPR?

[DK]: So the laws are ... They're pretty similar. GDPR was created to protect the fundamental rights and freedoms of people and the right to the protection of personal data, which is very similar to CCPA, but the GDPR was also created to provide a single set of rules that apply to every country in the EU to reduce confusion over different regulations. And that's obviously not the case in the United States or what the CCPA kind of follows just Californians and it doesn't prescribe a larger set of rules for the whole country. But there's a couple other larger differences in that.

So the CCPA has a limitation on how it applies to you in terms of revenue or sale of personal data or collection of personal data. GDPR is a lot broader in application than the CCPA. GDPR also does not include a specific right to opt out of the sale of personal data and CCPA does. But under GDPR you could probably get a similar effect by exercising other rights such as the right to restrict processing.

GDPR also includes the right to have your data transferred to another data processor, whereas CCPA only requires businesses to provide access to their data. I think that's actually a very interesting concept because I've been reading a lot about people saying if you have the right to data portability, that would mean that you could actually leave services that abuse your rights.

So you could take all the data that Facebook has on you and you could have them transferred onto another social networking platform and then you could have Facebook delete that data that they had on you and you could effectively easily move to another service which I think is interesting.

[MP]: Yeah, that really is.

[DK]: Yeah. And the CCPA does not include a right to correct data that is incorrect and GDPR does have that. CCPA does not include the right to restrict processing except for the sale of data, and GDPR does include such a right. So I think with the CCPA, it's kind of a lot more narrow in terms of what you can prohibit a business from doing with your data. CCPA does not have the right to object to automated decision making and GDPR does have that. And then the approach to calculating fines and penalties is different between the two laws.

So the CCPA is a lot more clear cut about exactly what penalty applies in what context. And GDPR is a lot more broad, there's a lot more room for decision making in terms of what kind of a fine should apply to this business.

[MP]: And now when it comes to penalty provisions, what types of penalty provisions would you say the CCPA holds today?

[DK]: Penalties under CCPA are $2,500 per violation and 7,500 per intentional violation. So it's kind of interesting that there is a set number that's applied to the loss of your data or to the misuse of your data. Now the CCPA also provides a private right of action for anyone whose data has been breached as a result of poor security practices. But it does not have a private right of action for just data abuses, which is also a very hot topic right now to talk about private right of action. And some states have proposed laws that have a private right of action, but a lot of business interests are fighting against that. So it'd be interesting to see if a law does pass with a private right of action and then what enforcement of that looks like and how quickly data privacy lawyers or corporate lawyers kind of start suing under that.

[MP]: So what do you think in practicality, what would be the top three to five things a company might want to do today to ensure compliance?

[DK]: One of the most important things, and maybe we won't count this as one of the three, is to actually start thinking about this stuff. So the law goes into effect January 1st, but enforcement starts on July 1st, 2020. And that seems like very far away, kind of, but it really isn't. Preparation should be started now because it does take a long time to do all of this. But I think the first thing people should do is make sure they're providing clear and adequate disclosures as to what information they collect, who they share that information with, and what they do with that information.

So transparency is very important to consumers right now and you want to make sure that you're clear about what's happening to personal information because if you're not clear, then there's room for interpretation and people can misunderstand, and then get upset about things that are happening that you might have disclosed but not disclosed as clearly. Or if you don't have any kind of privacy policy or any kind of communication about what you do with private information, that can actually lead to sales slowdowns and things like that and people not actually purchasing products or services from you because they see that you don't really care about that.

And there's something that they do actually really care about now, which is a huge shift. And I think you should make sure that you have a full and complete understanding of who you share information with. So you have to disclose who you share information with. So you do have to make sure that you're not sharing information with somebody who is using that information questionably or has had a track record of privacy violations.

So understanding the practices of each vendor that you use, compiling risk assessments and making sure that your contracts adequately cover those risks is something that I would say would be extremely important because you don't want to be held liable for a vendor who misuses data because if you didn't vet them properly, if you didn't do the right risk assessments, or continuously to them that's something that can fall back on you.

And then also preparing for data subject requests. So make sure that your IT infrastructure is set up correctly so that you're able to access the full amount of data provided to you by a person and then you can easily provide that person with access to their data. That's something that GDPR covers as well, and I know that some companies did dry runs before the effective date of GDPR, so basically someone in your team at a random date, random time sends you like a fake data subject request and your team has to respond to that subject request promptly and accurately, and kind of doing a dry run exercise like that, I think would be really helpful for businesses because they can see where they're failing, they can see which staff need more training, they can see if they need additional software that they can use and things like that. So that's something that I would definitely recommend as well.

[MP]: That's great, Donata, and those are really good tactical tips, I think, that people could start doing now to be prepared for that. So that's great. Thanks for sharing that with our listeners. And now when it came to the EU regulators to really impose GDPR, we'll say punishment, it took a while. So do you think it'll take the same amount of time for US regulators and the CCPA for action to be applied? Do you think action will be swifter for their punishment or their fines to be affecting the companies that are outside of compliance?

[DK]: So it really kind of depends, right, on what the public opinion is at the time. I know with GDPR it took a while to actually fine companies and then do all of that. But on day one of GDPR there's actually a lot of complaints filed, and you can tell that was public opinion things change, right? So if the public opinion on data abuses is what it is now, I would say that the attorney general is going to have to act swiftly in terms of bringing enforcement. So there's a lot more interest of consumers in terms of protecting their data right now. So it is possible that people would be submitting requests early on, which means that infringements are going to happen early on and then the attorney general is going to have to enforce the law early on as well. So that kind of goes back to your previous question as well.

I think companies should be ready to receive and answer data subject requests on July 1st or actually January 1st because that's when it goes into effect. So I really would say that public opinion is what it is right now, it's very against data abuses, it's very against the collection and sale of private information. So I really hope that this is not a law that's going to be sitting on a shelf and collecting dust. But considering the current data and privacy climate, I would say that, that would be unlikely that it's just going to sit there and nobody's going to enforce it for a while. I would say that enforcement is likely early on.

[MP]: Yeah, that's really interesting. I would hope so too. Now do you think that the CCPA is a bellwether for broader federal regulations to come? This is just the beginning of a wave of future regulations, I know there's been talks of SB 220 and NYPA, what do you think? Is this a trend that'll be happening?

[DK]: Yeah, so a lot of states are copying CCPA in their proposed laws. So there's actually, I believe it's 10 states right now that have their own proposed bills on the books that are being considered. I do think that a lot of states will go that way. I think in terms of the federal government, federal regulators, they're taking notice as well. So some of the proposed federal laws cited the need for a blanket regulation concerning privacy. They cited California passing CCPA, they've cited other states proposing their own bills or passing their own privacy laws, and they're kind of moving towards the idea that we need a general federal law that applies to all states and possibly preempts the laws of the other states as well. And there's also the industry interests that are kind of rebelling against the CCPA because they believe it's really harsh towards the industry and really restrictive and will stifle innovation, which I'm not sure how much I'd buy that argument.

So they're pressuring the legislature to pass a more industry friendly bill, whether that be on a state level or a federal level, which I think would be interesting. I just read an article the other day saying how federal regulators are working through recess to try to come up with some kind of federal privacy law, which I think is really interesting. I mean, you'd never see them working through a recess for anything, so kind of really shows just how much the public cares about this and how much the public is pressuring them and how much industry interests are pressuring them as well.

[MP]: Yeah, that's really interesting. Are there any other trends that you predict that we will see at either at the consumer level or at the organization level?

[DK]: Yeah, so I think there's the overall trend is state laws versus federal laws, what is going to be the law of the land? Is each business going to have to somehow cobble up compliance considering 50 states privacy laws or is there going to be a federal law that kind of blankets all of that? There's a very clear trend towards a disclosure and notice requirements. There's a trend away from the sale of data, I think that's something that people are especially upset about is the sale of their data for profit, not for actual need and a lot of the laws and the bills that are being proposed named the sale of data very specifically as something that a consumer should have the right to opt out of.

And the trend towards accountability and responsibility and towards giving personal data some value, there used to be ... There's still kind of is that way, the saying that your personal data has no value to you unless it was breached. You can't collect damages on a privacy breach unless it was used to steal your identity, unless there was actual damages. And there's a lot of cases that cite that with actual damages in terms of identity theft and things like that, we're saying that people can't get compensation if their data is just breached and not used by anyone for something bad.

So I think we're moving away from that, we're moving more towards your data has value regardless if it's stolen, regardless if something bad is done with it. So I think that's interesting. And I think very interesting thing that I've been seeing is the provision of rights that would normally apply to the consumers above all states and applying those rights to all consumers.

So when you run a website, it's kind of difficult to parse out who's from California, who's moved there, who's moved away from there, and then some residents of, let's say, Illinois might not be very happy about residents from California getting all these privacy rights from a business, but then the residents from Illinois don't get it.

So there are some websites that I've seen that parse out the rights by Californian consumers, or they have a separate policy for Californian consumers. But I've also seen policies that kind of group all consumers together and just give them all the rights regardless of where they're located. And I think that's very interesting as well. And I think that'll increase if there are more states that pass privacy laws, because it'll be really hard to parse out who's from where. And then also it would be very long privacy policy if you're kind of giving different rights to people who live in different states.

[MP]: Right.

[DK]: So I think that's something that'll be very interesting to watch.

[MP]: Yeah, I agree. And how folks stay proactive in the face of some of these changing legislations. So Donata, would you share with us, how do you work with organizations today with Termageddon?

[DK]: Yeah, so I'm the president of Termageddon and we generate privacy policies, terms of service and user license agreements and disclaimers. So our policies actually update automatically when the laws change. So when the CCPA comes out, we'll be pushing an update to all policies and basically people don't have to do anything else, maybe answer a question or two, and their stand in terms of compliance for their privacy policy.

And the way we work is basically you just sign up for an account, you answer a few questions. So for example, what information do you collect on your website? Who do you share it with? And then our system populates an embed code, which is then put on your website. And that basically shows your policies and allows us to automatically update them whenever the laws change.

So we're a technology company, but I'm the one who actually wrote all the policy questions and the text and I'm the one who keeps up to date with all the laws and tracks them and all of that. So that's been a really interesting job lately. A couple of years ago, there really wasn't anything going on. I mean you had GDPR, but that was pretty much it. And now like I have a privacy law tracker on a state and federal level, and that's on our website too, which lists all the laws and everything, and then it's a lot.

[MP]: I can imagine. I can imagine and share with us, what was the origin of creating your company? What led you to say there should be a technology offering for folks to have policies that are updated and what was the impetus behind beginning Termageddon?

[DK]: So before I began Termageddon, I was in private practice and I worked at a software development shop a long time before that. And I kind of fell in love with the tech world and became really interested in it. And then I met my fiance who used to own a web development agency as well and we were just sitting one night over dinner and I used to write privacy policies for clients all the time. And he would have clients ask him what to do for a privacy policy, but they'll say, “I can't afford $1,000 to get this written for me.”

And we were just kind of chatting over dinner and kind of saw the need for that. I saw a lot of generators that would charge you extra if you wanted to put your policy on your mobile website, or charge you extra if you wanted to do limited liability. And I'm like, "Well this isn't fair." And he saw a lot of generators that were kind of getting some free money from web agencies and for referring their clients. It's like, "Well that's not fair either." So we kind of just combined the two and it just happened.

[MP]: Awesome. That's fantastic. And I know you today with the Illinois State Bar Association, you speak and kind of hold courses on this type of topic, whether it's GDPR or educating other attorneys on the importance of privacy and what privacy policies should contain. Tell us a little bit about, why you do that and what you believe the value to be and should other state associations be doing this as well?

[DK]: Yeah, so a lot of attorneys focus on their area, right? So if you're a medical malpractice attorney, you're going to focus on medical malpractice. If you're a corporate attorney, you're going to focus on the law on forming LLCs or corporations. A lot of attorneys that I've spoken to actually don't even think about privacy or data or privacy policies and don't know that they actually need one, which I think is interesting. Right? But at the same turn, like I wouldn't know what a medical malpractice lawsuit looks like. As an attorney you kind of have to know what you're good at and then leave the rest to the rest because that's just the way the law works. There's too much to know and too much to understand.

So I decided to do a course on GDPR for lawyers because that's something that a lot of lawyers had questions about and their clients had questions about them too and a lot of times you'll ask your corporate lawyer about technology questions or privacy policies even though that's not kind of their area of focus. And we held a course with the ISBA and actually the ISBA actually just created a Privacy in Technology Law Group, which I joined, which I think is really interesting.

But I think that other groups like the American Bar Association and places like that should consider holding courses on things like privacy because it's something that's very, very important right now. And not just from a legal perspective, from a personal perspective too. I mean, people are always losing their privacy rights now and getting their information infringed upon and breached and all of that. And that's something that's a very important topic in the legal community. I do hope to see more courses like that and more people get involved and be interested in this kind of stuff.

[MP]: Okay, great. So Donata, I thank you so much for taking some time to explain to us a little bit about CCPA, the origin of it, the direction of where legislations might be going. In summary, I have some takeaways just from our discussion today. You'd mentioned to the listeners, one preparation should be started now, I think that's great tactical advice. You mentioned to prepare for those data privacy subject requests today, it'll allow you to see gaps in your IT infrastructure, your process challenges, to make sure that you're responding to those requests in a timely manner. So I think that was really helpful.

So do you have any other tactical advice that you would recommend or any other takeaways that you'd share with the listeners today?

[DK]: Actually, have a clear understanding about how it impacts you and whether or not it impacts you. I mean, it's very easy to say, “Okay, $25 million, I'm not making that amount of revenue, or I'm not collecting the data of that many people.” But if you really actually look at what you collect, you might be surprised. So really make sure that it doesn't apply to you and make the conscious decision with that. And don't just say, “Oh, well, I'm just small potatoes, and it's not a big deal.”

[MP]: Yeah. I think that's an excellent point. All right, well, wonderful, thank you so much for sharing your expertise and your experience with CCPA. Until next time, this is Megan Phee with GRC & Me.