The California Consumer Privacy Act is now in effect and one of its more complex issues pertains to the extent to which financial institutions must adhere to the mandates of the act.
The law provides a partial carve-out for financial institutions, but it does not provide a complete “get out of jail free” card for the financial services industry. By following the best practices described below, financial institutions can bring themselves into compliance with the CCPA and minimize their liability risk for noncompliance.
Data Mapping and Inventory
To comply with the CCPA, the first preliminary step financial institutions must take is to conduct a data mapping and inventory exercise to determine what personal information is not exempted by the financial institution carve-out and, in turn, is “in scope” for purposes of the CCPA.
To accomplish this task, institutions must map and inventory every piece of personal information that is collected, used, and sold by the institution, as well as all of the institution’s data processing practices. From there, institutions should determine—dataset by dataset—whether the personal information in that dataset is covered by the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (CFIPA), which would remove it from the scope of the CCPA.
Compliance With Consumer Rights Requests
Second, financial institutions must maintain systems and procedures to ensure adherence to the many broad consumer rights that have been afforded to consumers under California’s new privacy law, including the following:
- right to know;
- right to access;
- right to opt-out;
- right to deletion; and
- right to equal service and pricing.
In particular, institutions must maintain the operational capability to respond when a consumer requests information regarding the data the institution collects and sells, including the specific pieces of personal information the institution has collected concerning the requesting consumer.
Privacy Disclosures and Notices
Third, institutions must also provide the mandated privacy disclosures and notices that are required by the CCPA. Here, institutions must include in their privacy policies the information that is required to be affirmatively disclosed to consumers pertaining to the institution’s data practices and consumers’ rights under the CCPA.
This includes a toll-free number and a website for consumers to submit requests, as well as a link on the institution’s web page titled “Do Not Sell My Personal Information” to facilitate the opt-out process.
‘Reasonable’ Security Measures
Fourth, as the financial institution carve-out does not apply to the CCPA’s “reasonable” security requirement and private right of action provision, financial institutions must have in place the necessary data security measures and controls that are required to comply with the CCPA.
Specifically, the CCPA requires that institutions put in place “reasonable security procedures and practices” to safeguard personal information. However, the law does not offer any description of this duty nor any insight as to what satisfies the threshold for maintaining “reasonable” security measures.
In the absence of any formal CCPA guidance, financial institutions can consider implementing the data security measures previously endorsed by the California attorney general in its 2016 Data Breach Report. In the report, the California AG endorsed the Center for Internet Security’s Critical Security Controls (CIS Controls), which sets forth a set of 20 different data security safeguards that were viewed by the then-AG as constituting reasonable security measures.
In addition, financial institutions should also consider supplementing the CIS Controls by incorporating other well-accepted information security frameworks into their security programs—such as the International Organization for Standardization’s ISO/IEC 27001 series and the National Institute of Standards and Technology’s Cybersecurity Framework—which can aid in further demonstrating an institution’s satisfaction of the “reasonable” security requirement so as to avoid class action litigation under the CCPA’s private right of action provision.
Cyber Insurance Coverage
Finally, financial institutions should ensure that their cyber coverage policies extend to cover the full range of CCPA-related liabilities. While privacy liability is ordinarily a staple in most cyber insurance policies, this coverage is oftentimes triggered only in the event of a data breach.
Importantly, however, under the CCPA a wide range of privacy violations can still take place outside of the data breach context. As such, many financial institutions may find that their current cyber coverage does not adequately shield them against the CCPA’s broad statutory liabilities.
To avoid any gaps in coverage, financial institutions must ensure that their policies provide coverage for acts or omissions stemming from the collection, use, disclosure, and storage of “personal information,” as that term is used in the CCPA. In addition, cyber policies should also afford coverage for legal fees associated with regulatory investigations, regulatory fines, data breach response costs, and liabilities stemming from class action litigation.
Watch for Final Regs
Although the CCPA affords some level of relief to financial institutions from the onerous obligations placed on covered businesses under California’s new privacy law, financial institutions are not completely exempted from the scope of the law. As such, financial institutions that fall under the scope of the CCPA should be in full compliance with the law at this juncture.
At the same time, financial institutions should also remain on the lookout for the finalized version of the CCPA regulations. The final regulations may impose additional compliance burdens, requiring covered institutions to further adjust their privacy compliance programs to align with any new requirements that arise with their promulgation.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
David J. Oberly is an associate at Blank Rome LLP and is a member of the firm’s Cybersecurity & Data Privacy group. Oberly focuses his practice on counseling and representing sophisticated clients in a wide assortment of complex cybersecurity, data privacy, and biometric privacy matters.
Tanweer Ansari is head of compliance, Bank Secrecy Act, and Community Reinvestment Act operation at First National Bank of Long Island, a leading local community/commercial bank in the New York metropolitan area. Ansari is a leader in banking legal and compliance issues and presents nationwide and locally on a host of topics through various forums, including the New York State Bar Association and the American Bankers Association.