The law calls for companies to “implement and maintain reasonable security procedures”
With the lack of direction in Washington, it’s not surprising that other states have taken a cue from California and drafted their own privacy laws. Before we look at individual CCPA “copycat” laws from New York, Massachusetts, and other states, let’s first review California’s privacy law, which is the envy of the nation and soon to come to your state. Is your practice ready?
In 2018, the California Consumer Privacy Act (CCPA) was signed into law. Its goal is to extend consumer privacy protections to the internet. It’s not an exaggeration to say the CCPA is the most comprehensive internet-focused data privacy legislation in the US, with no equivalent at the federal level. If you use a cloud-based practice management system, it’s looking at you.
It’s no longer just about financial or health-related information
A striking innovation within the CCPA is its very broad definition of personal information:
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
In short, while you may not think that pet parent and pet patient data is valuable enough to protect, the regulatory authorities do. If you don’t take reasonable security measures to protect that data, your practice will be held liable.
Reasonable Security Procedures
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures…..
A few practices worry about the ramifications of ransomware. The combination of the new two-stage ransomware and consumer data protection regulations leaves most veterinary practices exposed.
1) Infiltrate the network and steal any and all business-related data.
2) Request a ransom, or the hacker will sell and release the information onto the dark web.
3) Encrypt the entire network so that you can’t access it.
Most practices have very little, if any, data protection in place. This creates a double threat:
Losing years of practice data, plus fines and legal fees from the state legislators.
The Good News
It doesn’t have to be expensive or complicated to take reasonable measures to protect your data. Here are a couple of reasonable measures you can take to start protecting your data.
1) Realize you have data that is valuable
2) Download and follow the steps in our “5 Simple Steps to Protect Your Practice” eBook.
3) Get Cyber Security training for your staff
If you need any help protecting your practice, contact us to schedule your IT Security Audit.
Peace Love & Plants,
Clint Latham J.D.