The forced changes in office culture and environment induced by the COVID-19 pandemic are likely to stay. This has led many industries to create virtual collaboration platforms to ensure remote connectivity. Companies like Facebook have also recently introduced a mixed virtual reality concept, allowing users to fully immerse themselves in a digital 3-D workplace through the use of an Oculus VR system. However, with increasing remote connectivity comes the question of securing collected personal data and conforming with existing data privacy and protection laws like the California Consumer Protection Act (CCPA).
In an alert issued by California General Attorney Xavier Becerra, he stressed that our increased “dependency on online connectivity [has made it] more important than ever for Californians to know their privacy rights.”
The CCPA, which went into effect on January 1, aims to provide transparency through disclosure requirements for personal data collected. It also targets opt-out/delete options that allow consumers to withdraw their consent to the processing and sale of personal data. The CCPA is applicable to businesses that satisfy a threshold of annual gross revenue in excess of $25 million; annually buy, sell, receive for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or derive 50 percent or more of its annual revenues from selling consumers’ personal information. Despite the focus of the CCPA being more driven to the consumer interaction during the point of sale, guidance for civil action is provided under 1798.150 when personal information of consumers is subject to unauthorized access and exfiltration, theft or disclosure as a result of a violation of the duty to maintain reasonable security procedures and practice appropriate to the nature of the information.
In a breach, the resulting damages can range in between $100 and $750 per consumer per incident or actual damage. Thus, the burning question arises of how businesses can fulfill their duty to maintain reasonable security procedures and practices in a remote working environment. The CCPA remains silent in this regard following an ex post evaluation approach.
For guidance, the Office of the California Attorney General released its California Data Breach Report, which offers insight into the most common types of data breaches between 2012 to 2015 and security recommendations. Further, the attorney general’s office supports a set of 20 cybersecurity defensive measures that all organizations that collect or maintain personal information should meet at the bare minimum. These measures were outlined by the Center for Internet Security. However, despite stipulating a minimum level of protection, it remains questionable what concrete steps individuals, working remotely in a home office environment, can take to provide an additional layer of security.
The General Data Protection Regulation (GDPR) of the European Union may provide some clarity to this matter. Despite the CCPA and the GDPR being separate legal frameworks with different scopes, definitions, and requirements, Art. 32 of the GDPR also addresses the security of processing personal data. Unlike the CCPA, the GDPR follows a risk analysis approach to implement appropriate technical and organizational measures to ensure security by evaluating the likelihood and severity of violation of the rights and freedoms of natural persons. Inter alia, as appropriate, this may include the pseudonymization and encryption of personal data; providing ongoing confidentiality, integrity, availability, and resilience of processing systems and services; timely restoring of personal data; and regular testing of the technical and organizational measures for ensuring security of the processing. As an interpretation, the following guidelines were released by the German federal data protection officer exclusively for companies to follow in a remote work setting:
- Access to personal information shall be safeguarded by Multi-Factor Authentication
- Connectivity shall be exclusively channeled through a Virtual Private Network (VPN)
- End-to-end Encryption (E2EE) of personal data including filing encryption
- Blocking of USB and other access to mobile work devices
- No device connectivity to external printers
- No private use of mobile work devices
- Regular workshops and certifications to cybersecurity and data privacy and protection law with mobile devices
Further suggested security measures that companies shall consider under the GDPR in remote workspaces are:
- Appointment of designated contact for data protection
- Required validation by employer when using private mobile devices
- Adequate workspace with an enclosure that can be locked by door and key
- Hardware files should be kept in a sealed enclosure
- Data shall be saved on provided cloud servers, no physical copies shall be kept by employees
- Immediate destruction of hard copies containing personal information using a shredder
- Activation of automatic screen saver upon leaving the workspace
- Banning the forwarding of work emails to private mail accounts
Some of these measures may seem extreme and costly to implement, but with the enforcement of CCPA beginning it is crucial for companies to evaluate their need for compliance with the CCPA and maintenance of reasonable security practices and procedures.