Security vendor ESET interviewed 625 business owners and executives to understand their readiness for California’s new privacy law, which goes into effect on January 1, 2020. What most businesses are missing is that Nevada’s version of the law goes into effect on October 1, 2019. Most of the respondents were from small businesses, some of which are exempt from the requirements of the law. Here are the results:
- 44% had never heard of the law
- 11% know whether the law applies to them or not
- 34% say that they don’t know if the law will require them to change the way they collect and store data (it likely does)
- 22% say they don’t care if they break the law (great if you can get away with that)
- 35% say they don’t need to change anything to be in compliance (very unlikely)
- 37% say that they are very confident that they will have the required security in place by January 1. Another third say that they do not know if they will have security in place
- Half said that they did not modify their behavior or processes to bring their businesses into compliance with GDPR (most likely because they don’t know what GDPR requires)
40% of the businesses said that they did not have anyone responsible for security or privacy in their company and another 18% said they didn’t know if they had someone.
9% said they are moving to avoid having to comply with CCPA, the new California law. Those people need to understand that they will also need to block Californians from going to their web site and refuse to ship products or deliver services in California. None of that is realistic for most businesses.
Given that the law goes into effect in less than 6 months and Nevada’s version goes into effect in two months, this lack of knowledge is concerning. However, attorneys, especially those who specialize in class action lawsuits, are thrilled.
There is one aspect of the law that should be a cause for concern for those businesses that think they understand the law – and likely do not.
Any California resident can sue any California business that has a breach that compromises their personal information.
They do not have to show that they have been damaged to sue.
The maximum you can sue for is $750 per person. A breach of, say, 10,000 records – a tiny breach by today’s standards (the Capital One breach last week compromised 106 million people) – would generate a potential lawsuit asking for $7,500,000.
Are you prepared for that?
A one million record breach – still small by today’s standards – translates to a $750 million lawsuit.
My suggestion to small businesses – think again about whether you are prepared. If you need help, contact us. Source: Help Net Security.