The Legal Brief

Data Privacy/Data Security Laws Are Set to be Enforced - Are You Ready? (First In A Series)

June 4, 2020

By: Jason L. Ott, Derrick L. Maultsby Jr., and Adam Zaccari

Almost all businesses have been impacted in some way by the COVID-19 pandemic. Uncertainty, often coupled with an abrupt business interruption, forced many executives to put their company’s initiatives on temporary hold. The pandemic did not affect the July 1, 2020 enforcement deadline for the California Consumer Privacy Act (“CCPA”) and the Cybersecurity Maturity Model Certification (“CMMC”), two major regulatory provisions affecting hundreds of thousands of businesses.

The CCPA went into effect January 1, 2020, and statutorily defines California residents’ rights on how businesses collect, use, and share their personal information. CCPA applies to any business that operates in California and either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or generates more than 50% of its revenue from selling consumers’ personal data. Failure to comply with CCPA regulations can lead to substantial economic repercussions. Given the present climate concerning data privacy on a global scale, enforcement by the California Attorney General’s Office has indicated that it is fully staffed and committed to enforcing the CCPA beginning on July 1, 2020. The statutory fines are hefty - for each intentional violation, a company may be fined up to $7,500.00 and for each unintentional violation, a company may be fined up to $2,500.00. The “per violation” language creates the possibility for substantial unfavorable fines. Even with the COVID-19 interruptions in business operations, businesses operating in California that fall under the CCPA’s purview should make sure that their practices regarding the collection, use, and sharing of personal information conform to the CCPA’s requirements.

The U.S. Department of Defense (“DoD”) released version 1.0 of its CMMC on January 31, 2020. The CMMC is a unified standard based on several different cybersecurity standards including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, CIS CSC 7.1 and others. Estimates have the CMMC eventually impacting over 300,000 companies in the DoD supply chain. Previously, contractors were responsible for implementing, monitoring and self-certifying the security of their information technology systems and any Confidential Unclassified Information stored on or transmitted by those systems. The CMMC requires third-party certification of contractors' compliance with mandatory practices, procedures and capabilities – a major change. In late March 2020, the DoD announced that COVID-19 will not delay the implementation of the CMMC on contracts beginning July 1, 2020. The consequences of non-compliance include being ineligible to work with the DoD.

In terms of both regulatory measures, there are a plethora of unanswered questions, which we will delve into in future postings. 

Considering the significant impact these provisions may have on your business, Jackson Kelly is committed to providing knowledgeable counsel to help our clients navigate these pending requirements. We have partnered with SecureSky, a leading cybersecurity firm specializing in helping companies meet compliance demands while improving their security posture. Jackson Kelly and SecureSky actively engage with industry leaders that provide technology, tools, and resources enabling companies around the globe to ensure compliance in all facets of business, specifically including the ever-growing world of data privacy and security regulation. We all look forward to exploring the CCPA and the CMMC in more detail in the coming weeks to help your business understand what it might be required to do to comply. Please feel free to contact us any time to discuss your needs in more detail.