With less than one month to go before the California Consumer Privacy Act of 2018’s (“CCPA”) effective date of January 1, 2020, businesses should be aware of the potential litigation that awaits them.

The CCPA is a California privacy law that gives California consumers the rights to know about and control the personal information that businesses collect about them. In turn, the CCPA requires businesses to give consumers the ability to effectuate these rights. For a more in-depth review of the CCPA, please view our previous posts on our Privacy Law Blog.

What would companies need to do to comply with the law?

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes requirements in two areas: cybersecurity and data breach notification. The cybersecurity provisions of the proposed SHIELD Act would require companies to adopt “reasonable safeguards to protect the security, confidentiality and integrity” of private information. The Act provides examples of appropriate administrative, technical, and physical safeguards, such as designating an employee to oversee the company’s data security program; identifying “reasonably foreseeable” risks to data security; selecting vendors that can maintain appropriate safeguards; detecting, preventing and responding to attacks and system failures; and preventing unauthorized access to private information.

In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that do not meet the Act’s requirements. This blog post provides a breakdown of the essential components of the SHIELD Act and information on how to comply with this potential new law.