Costa Mesa cybersecurity consultant Vishal Oza said businesses need to be ready for California’s new data privacy law.
The California Consumer Privacy Act takes effect Jan. 1. It lets consumers here know what personal data certain-sized businesses collect, and whether it’s being sold or disclosed. California consumers can also now deny the sharing of their information, and request deletion of their data.
Those under age 16 get special protections.
Oza said “clients are asking about this” and his firm is using webinars and working with law firms to get clients thinking about this now.
Health Information
Oza, senior director in the disputes and investigations practice at consultancy Alvarez & Marsal, said classification of data is vital under the new law as the amount of stored information grows and more data moves into the Cloud.
Classification “helps you evaluate the risk of what type of data you have,” such as health information or personally identifiable information, he told the Business Journal.
“If and when there is a breach, what type of reporting do you need to do?” he said, “and what level and type of fine” might be levied.
States Follow
The law follows the European Union’s sweeping General Data Protection Regulation: governments are requiring greater privacy protection as the internet and AI make ever-greater inroads into daily life, such as in the smart home product expansion.
Oza sees other states following California’s lead.
“The tone of the legislation is quite aggressive,” according to a summary of the California law posted on the American Bar Association’s website in July.
There’s also uncertainty: while the law takes effect in three weeks, California Attorney General Xavier Becerra is still drawing up regulations to enforce it. These are due by July 1.
“It’s still very new. It will take some time to get there,” Oza said. “Any significant regulation like this will take time to implement and also to comply.”
Crime Uptick
The new regs’ timing makes sense, based on the growing number of privacy breaches across all industries.
Oza has definitely seen an “uptick” in cybersecurity breaches, which he investigates; A&M also has offices in L.A.
He said his role includes “incident response” after a breach, working with various internal teams, attorneys, and the insurance company.
“After there’s an incident, after there’s a breach, I go in and help the client determine what happened, how it happened, when it happened,” he said.
Questions include, “Is that something we can take into court if there’s a legal action to be done.”
A&M often works with insurance carriers when dealing with breaches, Oza said.
“Many times, we are brought in by the insurance carrier,” he said. Most enterprises now buy “some sort of cyber insurance” compared with just five years ago.
He said risk-level depends on how cautious or careless individuals are.
“The biggest cybersecurity risk still comes down to people,” he said. “People are your biggest asset. People are your biggest weakness.”
