Ask the Experts: Data Privacy & Breaches
By: Mark Burzych
Q: What major industry trends should concern members of the restaurant and lodging business?
A: During the last twelve months, a significant amount of legislative activity in the area of data privacy and data breaches has taken place.
In California, the legislature enacted and the governor signed the new California Consumer Privacy Act (“CCPA”). The CCPA is designed to regulate data collection, and provide consumers with information (and the ability to opt out), related to the sale of their private information. Although probably originally intended to apply to the data giants, like Facebook, Google, or Amazon, the statutory definition may have unwittingly included businesses that are not in the business of selling customer data, but nevertheless have a presence in California. Businesses that collect personal information of 50,000 or more California consumers, households, or devices must comply with the CCPA. If your business has a website that uses cookies visited by 50,000 or more California “devices” (computers, phones, tablets, etc.), you must comply with the CCPA. Compliance includes the requirement that your website must disclose the personal information you collect and provide each California device the option to opt out of the sale of their personal information. The CCPA went into effect on January 1, 2020.
Other states have proposed new privacy laws, including: Connecticut, Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, New Jersey, New Mexico, New York, North Dakota, Pennsylvania, Rhode Island, Texas, and Washington. More states are certain to join the group.
In Michigan, the House just passed HB 4186 and 4187, which may put additional responsibilities on you in the event of a data breach. If you or a third-party agent (your credit card processor) collect sensitive personally-identifying information (name, and a financial account number such as a credit card, for example), you must adopt reasonable security measures to protect the sensitive personally-identifying information. In addition, in the event of a breach, you will have new and significant notice obligations, including notice to any Michigan resident affected by the breach, and possibly the Michigan Department of Technology, Management, and Budget. There are also significant fines related to the failure to follow the notification obligations.
Although the Michigan Data Breach Notification Act has not yet become law, the national legislative activity in the area of cybersecurity and data breaches is cause for you to review your credit card vendor contracts to determine the data security and data breach coverage the vendors will supply. It is also an excellent time to discuss cybersecurity insurance coverage with your insurance agent. Please be careful out there!