DOES IT APPLY TO YOU? Do you do business in California, or otherwise collect personal information from California residents? (Hint, if you operate a website, this likely applies to you). Note that the CCPA does not apply to non-profits.

It has been a year since California passed the most comprehensive data privacy laws in the U.S., and those laws go into effect in January of 2020. Is your business ready for this??? Many have been waiting for amendments to pass, but as this hasn’t happened yet (and may not for many months) the time has come to make sure your business is in compliance.

Even if it applies to you, the CCPA has some important exceptions, designed to keep small businesses exempt from what can be pretty significant compliance requirements. CCPA only applies to businesses that fall into one of these three categories:

1. Buys, sells or shares personal information of 50,000 consumers [or devices]; or
2. Has gross revenue in excess of $25 million; or
3. Derives 50% of its annual revenue from sharing personal information

Under the law a California “consumer” has the right to: (1) request access and details about the personal information that has been collected about him or her over the last year; (2) request that this data…
“No”, you say, “they are great business people, and we have an IT department!” That answer could cause you trouble. With all due deference to your IT department, it is quite possible that its expertise does not include the legal aspects of cybersecurity. It will no doubt ensure appropriate encryption and firewalls, but does it have the authority (or expertise) to advise you on data privacy laws and breach notification requirements? Can it develop compliant notices and work with your insurance company on any claims? It will know how to stop the breach (assuming it is an electronic one) but what then? Do not rely on your IT department to provide legal advice on cybersecurity. This is one of the many tasks that should be handled by your company management, including your board (if you have one). And what if the board fails to do this? Before answering that, consider the obligations of those who operate the company. Your company officers and board have the ultimate responsibility for running the company. Decisions are made based on the best available information at the time, and as long as this is true the individuals who run the company will generally be protected from claims by the company and its owners. This rule (called the “business…
On October 11th, BGS attorney Carole Clark Isakson presented a seminar on data privacy issues to a large audience of Anoka County Bar Association attorneys. The seminar, entitled “Basic Electronic Data Security Issues”, addressed the professional and ethical obligations of attorneys in dealing with client (and employee) data in addition to covering privacy laws and how to implement them at law firms and businesses in general. Associate Attorney Nicole Wiebold spoke on the GDPR (General Data Protection Regulation), which became effective in May of this year.

Data breaches strike almost a third of US businesses each year, according to one source, and the costs of remediation (coupled with the loss of business and reputation) can result in the failing of many businesses. Protecting client and customer data requires focus on three areas, and Ms. Isakson discussed all three, taking questions from the audience throughout the presentation. Protecting data requires three things:

1. Technical controls (such as up-to-date computers and software);
2. Physical controls (like locked offices and elevators); and
3. Administrative controls (teaching all technology users to use cell phones and other devices in a safe way, and implementing firm-wide data security assessments and policies).

Ms. Isakson also offered practical advice on public wi-fi use (don’t!) and…