Julia Huddleston, CIPP/US, CIPM, CCSFP

What will the CPRA passing mean to anyone doing business with Californians?

With the California Privacy Rights Act (CPRA) passage (aka Prop 24), the CCPA, already strict in its interpretation of PII, expands consumer rights and places new requirements on businesses. A few loopholes close, definitions gain clarity – and it becomes even more imperative to educate and notify consumers on data use, personalization, and so forth. Social media and other tech-related businesses will need to double down on how they collect and use information, particularly when you consider ad personalization.

The somewhat good news? You have a couple of years to get your ducks in a row for the CPRA. January 1, 2023, is the current effective date. In the meantime, you still need to comply with CCPA as it stands, while preparing for the California Privacy Rights Act.

Are you a CPRA Covered Business?

Here’s how to know if it applies to you and your business. The first one is the biggest change.

  1. Does your business buy, sell, or share personal information (PI) of more than 100,000 California consumers or households? Note – raising the threshold from 50,000 to 100,000 means more small businesses are exempt from compliance – after January 1, 2023.
  2. Do you have gross revenue of more than $25 million?
  3. Does your business get at least 50% of its yearly revenue from the sharing or selling of California consumer PI?

If you answer “Yes” to any of the above, you’ll qualify as a Covered Business and will need to comply with the Act by January 1st of 2023.

Going away: the “Share” vs “Sell” Loophole.

Yep. That squirmy definition is going, going, gone. The Act goes beyond the CCPA to include “sharing” PI. You will need to understand the full context of how “sharing” is defined, however. Here’s the legalese of that excruciatingly qualified term:

“cross-context behavioral advertising . . . whether or not for monetary or other valuable consideration, including transactions between a business and third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

Because this loophole closes, California consumers must be able to opt out of both the sharing and the selling of PI. As I mentioned above, companies and websites – like Google, Facebook, etc. – do a lot of ad personalization. As “free” platforms, that’s how they make money: through advertisers, third-party data collection, and so forth. Prop 24’s passage potentially impacts their bottom line negatively.

There’s more that we can dig into in later articles, such as how digital marketing will need to change, what happens should federal privacy laws change that would pre-empt CPRA, even how AI or automated procedures could be affected.

In the interim, begin looking at what affects your business. It’s never too early to begin preparing.

Apgar & Associates’ Julia Huddleston, CIPP/US, CIPM, CCSFP works with clients on certification prep, such as for SOC 2 and HITRUST, as well as compliance assessments, security risk analyses, policy and procedure review, and implementation. Contact her at 503-384-2538 with questions about your company’s certification and compliance situations.


What does the California Assembly’s Course Correction mean to CCPA?

Well, remember the issues around what the “HIPAA exemption” in the California Consumer Privacy Act (CCPA) really applied to? We wrote about it here all the way back in May 2019.

Turns out our impression was correct – so correct that California just passed a law to correct it! Here’s the skinny:

On September 5, 2020, the California Legislature passed Assembly Bill 713, which amends the CCPA. AB 713 creates a new exemption for business associates, parallel to the 2018 CCPA health care provider exemption. It covers not only PHI but also the processing of a wide range of “patient information,” as long as that information is protected in the same manner as medical information or PHI.

AB713 could be effective as early as September 30th

Because AB713 has an emergency clause, if Governor Newsom signs the bill by September 30 it will go into immediate effect.

However, if you’re a business that’s proactively planning for the California Privacy Rights Act (CPRA) ballot initiative, be aware that AB713 does not directly conflict with CPRA’s provisions. That means that the business associate CCPA exemption is likely to remain in effect regardless of whether or not California voters approve the CPRA this November.

Worried about how to deal with your business’s data privacy policies & procedures in the wake of CCPA? Talk to Julia Huddleston, CIPP, CIPM about your concerns. You can reach her at 503-384-2538.

How the SHIELD Act Expands Legal Reach on Breaches

Interested in some (thankfully) non-pandemic related news? New York State’s SHIELD Act is in effect as of March 21, 2020. The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) takes several actions, including:

  • broadening the definition of “Private Information”,
  • expanding the definition of breach, and
  • expanding the reach of the law to include “any person or business that owns or licenses private information of a New York resident.”

In our view, the most important thing that the SHIELD Act does is require companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. Companies must implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal. The New York state attorney general can bring action to compel compliance and seek damages.

Organizations regulated under HIPAA, and in compliance with the Rule, are exempt from this requirement. 

The establishment of a data security program resembles the Massachusetts state law that requires employers to develop and document a written information security program – a WISP. Massachusetts added teeth to the law last year when it required that an organization’s WISP be submitted to the state whenever the organization reports a breach.

In the end, whether you call it a data security program or a WISP, these requirements amount to having current, thorough policies, procedures, and plans – that your organization actually lives up to. If you want to rely on your HIPAA policies and procedures, make sure that they comply with the HIPAA Security Rule.

For example, 45 CFR §164.316 requires organizations to review their security policies “periodically.” Your policies themselves may define “periodically” as annually, or as “at material changes but no less frequently than once every 24 months,” let’s say. In either case, if you last reviewed your policies at their adoption in 2013, you’re not in compliance with the Rule.

Written security programs aren’t complicated. You get to define how you will meet information security requirements – go ahead, write it down, and then walk your talk!

Did this article remind you to update your policies and procedures? We can help you get those essentials current. Contact Apgar and Associates at 503-384-2538 today to talk about your privacy and information security project. 

HIPAA in the Time of Pandemic

First and foremost, a sincere thank you to healthcare providers out there stepping up for all of us in this pandemic. We’re doing what we can here at Apgar and Associates – working remotely and following state directives. We’re also doing what we can to support other small businesses.

For all of us business associates – nothing about HIPAA changes except that a large part of your workforce, if not all, are working remotely. (If you thought the HIPAA Limited Waiver applied to us BAs, it didn’t. More on that here.)

Even though employees are working remotely, it’s still your responsibility to help them follow basic, common-sense rules around information security. Now is the time to review your policies around:

  • Remote work
  • Acceptable Use
  • Personal Device Use
  • Workstation Security

When we say review, we mean really read them to be sure they make sense. For instance, if your personal device use policy still talks about pagers, it’s a pretty good sign that you haven’t really reviewed it since 2010 or 2011. The same goes for any policy that contains the term “floppy disks.” Ensure that your policies describe how to work in your information technology structure as it exists today – not as it existed way back when, or as you hope it looks in the future.

Share your policies with your workforce!

Write your policies clearly enough that your team knows what they mean. Given the levels of boredom and stir-craziness we’re all experiencing, the policies may actually get read (gasp!). And please, remind your people that phishing scams and other cyber craziness don’t stop just because everything else does.

This wave will crest! Let’s all hang in there till it does.

Not sure where to start with updates? We can help, whether you’re updating current policies and procedures or you’ve never finished the ones you have. Give us a call at 503-384-2538 to get things moving. While so many of us are working remotely may be the best time to work through your action-items checklist.

What does the CCPA have to do with Policies & Procedures?

Compliance with CCPA is entwined with how you do business. Your business operations (the “how and what”) directly link to company policy, controls, processes: policies and procedures. You could say that the CCPA has everything to do with policies and procedures. Which is why you need to update yours – yesterday. Not convinced?

Let’s go back to a post I wrote last year on Who Needs to Comply with CCPA. There were three questions to consider:

  1. Does your business’s worldwide annual gross revenues meet or exceed $25 million?
  2. Do you annually touch the personal information of 50,000 or more California residents? Their households? Or their devices?
  3. Does half or more of your annual revenue come from selling the personal information of California residents?

Be mindful that your answers to these questions could be “No” and you could still remain subject to the CCPA, because it all has to do with understanding exactly what the law means by “personal information” and “touching” personal information. It also means you need to know how many of your website’s visitors are California residents. Those little things like an IP address? Collecting one may well be considered “touching” personal information. The law is that picky.

Once you understand the definitions of all those things, you’ll want to revisit your company’s policies and procedures. See if they take into account all the permutations and interpretations that they should. You’ll likely have legal counsel involved. The penalties of non-compliance are big.

Remember, your policies and procedures need to say what you will do, not just what you can do. It’s like the video short on our P&P page says: “If you say it, do it. If you do it, write it down.” Policies and procedures underpin how your business operates. They describe how you mean to go forward once the technology is aligned with all of the regulatory intricacies, and they show how and what you’ll train your workforce to do.

Not sure where to start? We can help, whether you’re updating current policies and procedures or you’ve never finished the ones you have. Give us a call at 503-384-2538 to get things moving.

The CCPA and the Iffy Territory of the “HIPAA exemption”

A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to be affected.

The CCPA was amended in September 2018 to include an exemption for protected health information (“PHI”) collected by a covered entity or business associate subject to HIPAA (aka the “HIPAA exemption”). At the same time, the Act was amended to also exempt “Medical Information” already covered by the state’s Confidentiality of Medical Information Act (CMIA). Medical information as defined in the CMIA is identifiable information about a patient’s medical history or condition that is held by a healthcare provider, healthcare service plan, pharmaceutical company, or contractor. This is not your garden variety “contractor” that’s also a business associate under HIPAA. It’s a much narrower definition, and essentially equals a health-related organization that is not a service plan or provider.

Before you celebrate being “HIPAA exempt…”

Where’s the problem? Well – the CCPA regulates the types of personal information that are to be protected, and not the types of businesses to be regulated. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Examples of personal information provided in the text of the law include:

  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.

On the other hand, to the extent that PHI is actually defined in HIPAA, it’s defined as “individually identifiable health information” that’s maintained or transmitted electronically or in any other form or medium. Individually identifiable health information (IIHI) is information that a covered entity creates or receives. IIHI relates to the past, present, or future physical or mental health or condition of an individual; treatment of the individual; or the past, present, or future payment for health care to an individual. IIHI also can be used to identify the individual.

Still wondering “what’s the issue?” Let’s say that you’re a large health system that collects information from people who access your websites in order to gauge what those visitors use your website(s) to do. Or let’s say that you’re a business associate that provides services to a health plan – and its members – through a mobile app. In both of those cases, you’re collecting personal information as the CCPA defines it. And in both cases, you may be hard pressed to make the argument that the information you are collecting is PHI.

What can you do? What should you do?

  1. Pay attention to California’s General Assembly and Attorney General. The California General Assembly is considering a number of bills that make clarifying changes to CCPA text. To date, none of them address the issue identified above. The California Office of the Attorney General is engaged in a rule-making process, with an initial notice of proposed rule-making anticipated in Fall 2019.
  2. Start developing an inventory of personal information that you collect that isn’t protected health information.

Check in here for the next CCPA-related post, a more in-depth discussion of personal data and other unexpected challenges the regulation brings.

Talk to Julia Huddleston, CIPP, CIPM about your data privacy concerns, including regulations like the CCPA. You can reach Julia at 503-384-2538.

Who needs to comply with the CCPA? Hint: Not only California.

The first thing to realize about California Consumer Privacy Act (CCPA) compliance is that you don’t have to be a California-based business to be affected. As of 2018, California was the world’s 5th largest economy. You’re better off asking yourself what the chances are that you’re not subject to the CCPA. US-based or global, you have to consider the factors involved, all of which are more likely to make you subject to, rather than exempt from, the CCPA.

If you answer yes to any of these 3 questions, you’re probably subject to the CCPA – and its requirements for personal information protection.

  1. Does your business’s worldwide annual gross revenues meet or exceed $25 million?
  2. Do you annually touch the personal information of 50,000 or more California residents? Their households? Or their devices?
  3. Does half or more of your annual revenue come from selling the personal information of California residents?

Before you gleefully answer “No” to all three, here’s the catch. You need to understand the definitions applied to the qualifiers in the questions.

Start with the definition of personal information – guaranteed to blow your mind. If we include the full definition here, you’ll throw your hands up in disgust and not read any further. Essentially, it’s “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household or device.” That’s extremely broad.

Let’s move on to “touching” personal information. An Internet Protocol (IP) address can be considered personally identifiable information – yes, you read that correctly. That means that on a visit to your company website where IP information is automatically collected (think about your handy dandy Google Analytics always running in the background), you’ve just touched personally identifiable information.

To get even more granular: Do you know which of your website visitors are considered California residents?

I know 50,000 annually sounds like a lot of website visitors. Especially if you don’t consider yourself to be enterprise-level. But it breaks down to only 137 visitors from California per day. Now wrap in the personal information definition. It includes households and devices. It’s pretty hard to have a website as a company of any size and not have that number of touches per year.

Then there’s “selling” the personal information. Many wouldn’t consider the everyday interactions with client and consumer data as selling. However, the definition of “selling” in the CCPA stretches all understanding. It can mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

How does a business comply with the CCPA? The very thought of what it will take overwhelms. As both a certified information privacy manager and professional who regularly attends regulatory seminars, I can tell you that every CCPA-related event is thick with corporate legal counsel – a fair number from those great big companies that we all know. We’re all impatient to understand how compliance can happen. Stay tuned as I share more insights and commentary on the CCPA in the weeks to come. Topics include: the “HIPAA Exemption”, the various interpretations of “selling” personal information, the “opt out” option, and more.

Julia Huddleston is a Certified Privacy Manager and a Certified Privacy Professional through the IAPP (International Association of Privacy Professionals). She’s deeply involved in privacy compliance activities with clients and how policies and procedures are implemented to protect data privacy. You can reach her at Apgar & Associates: 503-384-2538.

Resource(s): IAPP CCPA Comprehensive Seminar 2019

How can your Third Party Vendor help or hurt your SOC 2 status?

Are you tracking the moving target of your third party vendors’ privacy and security practices? You may want to get on that. If you’re one of the many organizations about to tackle the SOC 2 assessment process, familiarize yourself with the AICPA’s 2017 Trust Service Criteria document (formerly Trust Service Principles). You’ll quickly notice the underlying theme is organizational risk management where vendor risk management figures prominently.

The updated criteria delve into the many joys of maintaining and assuring “commitment” and “competency.” Under the evolving TSPs (yes, still called TSPs), “system and organization controls” expand to include cybersecurity risks, such as those that come with third party vendors.

In fact, nearly every mention of risk profile components includes vendors: their reliability, the need to assess external threats, the ongoing relationship. So how do you begin to manage the risk they bring to your organization?

Vet them at the outset as part of due diligence prior to contract. Well, of course, you say. Wait for it: vet again, and again, at timely intervals.

All too often, we see the opposite. When going through a proposal process, organizations may be all over the potential vendor partner with a microscope. Once the contract is complete, crickets. As long as the service is fairly smooth, vendor privacy and security audits are rare, if they happen at all.

However, an organization that’s considering any certification (HITRUST, ISO) or a successful SOC report won’t have that option. And increasingly, to be competitive, you need to make the extra effort to demonstrate your data privacy and information security competency. So what’s the plan?

Tips for Third Party Vendor Risk Management

  1. Vet vendors early and often. Because it bears repeating, make due diligence a repetitive activity. Regular re-assessment of your vendor’s privacy and security practices could be the action that saves your organization from an embarrassing and costly breach.
  2. Make them prove that they train their workforce on issues you think are important. Isn’t your third party partner part of your operations? Don’t they affect your ability to conduct business successfully? Think about how you can identify your most important training issues and push the vendor to include them in their training. That speaks to assuring competency, by the way – a TSP.
  3. Mitigate risks immediately. You’ll inevitably identify privacy and security risks during everyday business oversight. When they relate to a vendor, take action immediately. The more quickly you address any vulnerability, the less likely it is to grow from a manageable security incident into a major security breach.

For those of you who are happy SOC 2 Report achievers, keep up to par on those TSPs. Remember, the AICPA is only one organization homing in on vendor risk management. Whether you’re going for a certification or simply trying to stay on top of regulatory requirements, the risk is real.

Are you considering a certification or readying for an assessment? Chris Apgar and Julia Huddleston have helped numerous clients prep for a successful assessment to achieve certification or a SOC 2 report. Call Apgar and Associates today to learn more: 503-384-2538.

Informational source includes: American Institute of Certified Public Accountants, Inc. “Trust Service Criteria.” Issued by the AICPA Assurance Services Executive Committee (ASEC). Copyright © 2017. Available at https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

Data Privacy & Security: 2018 Reflections & the Year Ahead

It’s been a tumultuous 2018 for data privacy and information security. New regulations here and abroad show that data privacy will continue to be a hot topic as we move into 2019.

We’re seeing that OCR’s investigations and penalties aren’t limited to large entities or to large breaches. Expect that to continue. Over 60 organizations reported breaches affecting fewer than 1000 individuals, reminding everyone that not all breaches make headlines. Some of them are small organizations in your own backyard.

Buyer Beware re CCPA Cool Tools

The California Consumer Privacy Act (CCPA) has generated much hoopla. And the sales push on the trade show floors shows it. At conferences nationwide, we’ve seen “solutions” for CCPA compliance. Yet the Act isn’t yet in its final codified form.

Our recommendation on CCPA: don’t put the cart before the horse. Spend the time between now and the CCPA’s 2020 date getting your data privacy and security house in order. Go back to basics and pay attention to how the law evolves before spending money – and implementation time – on a “cool tool” that ultimately may not be what you need.

Not All Certifications are Created Equal

On that note of cool things, are you looking at how your vendors are certified? People will peddle that they’re certified in this or that, like saying “We’re ISO certified.” That’s great. But we can’t stress enough that not all ISO certifications mean the same thing. The ISO 27001 certification is the one that relates to information technology security standards. So if you have a potential vendor touting their certifications, do a quick online search to be sure that it’s the one(s) that matters to your business. Oh, and make sure the certifications are still active. Just because a vendor was certified once doesn’t mean they are still certified.

In fact, just because you’re in the healthcare business doesn’t mean you necessarily need to rush out and buy a regulatory-specific solution or need the certification that your competitor is getting. Examine what type of business you do, where you do it and who your customer is before making a financial and time commitment that may not be needed, or that may not be needed right now.

When it comes to you and your business, be strategic. And keep in mind that not all business strategies call for the same certification. We can help you figure out which certification makes the most sense for your organization (HITRUST, SOC 2 and ISO 27001 are the most commonly pursued).

Now that you have all the information that matters (ho, ho, ho!), kick back and let’s toast 2018 out and 2019 in! We wish you and yours a happy, healthy holiday season and a prosperous new year. Thanks for making 2018 such a great year and for trusting us to help you with your data privacy, security, compliance and certification preparations!

Policy Controls: Why The Whole World Wants You to Write Policies

As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial, and rigorous, and there wasn’t an infomercial to be found!

Policy controls and their importance are the hot topic for anyone doing business – healthcare, financial or retail – on either side of the ocean. Keep in mind that policy controls are the basis on which anyone assessing the company’s system builds. Also remember that GDPR uses the term “privacy” interchangeably for what we in the US differentiate into privacy and security. So when they say “policy controls” they’re saying privacy policies (e.g., controls), and those very likely pertain to both privacy and security.

Note: This information will be explored in greater detail in our upcoming GDPR Guide for Business Associates. Keep an eye on our website and sign up for our newsletter to receive an alert. The guide should be available by early December.

Related to the topic of policy controls in all of its attendant meanings, I attended several GDPR-focused workshop sessions.

One of the speakers at a session I attended focused on policy writing – European style and United States style. The German IT attorney who spoke about European style policy writing made the following statements (and yes, I’m paraphrasing):

  • Data Protection Authorities (DPAs) are likely to read policies
  • DPAs are likely to take policies at their word. If an organization is not following its own policies, the DPAs are likely to view that as a breach.

From a United States perspective, substitute OCR/regulators/auditors for DPAs, and the same advice holds true. For instance, consider the following instances of policies and procedural controls related to HIPAA, ISO 27001 and SOC 2.

The HIPAA Security Rule is not prescriptive. Covered entities and business associates must implement controls that are:

  • reasonable for the organization’s size,
  • the complexity of what it does, and
  • the sensitivity of the information with which it deals.

ISO 27001 is not prescriptive. ISO says that you build an Information Security Management System (ISMS) to ensure information privacy. Organizations develop their Information Security Management Systems based on:

  • risk assessment,
  • risk treatment plans, and
  • the Statement of Applicability.

SOC 2 is not prescriptive. Organizations design their own controls to meet the SOC 2 principles that are relevant to the business.

Privacy & Policy Controls Success Tip: Walk the Talk

With all that said, once an organization designs a policy control, it needs to live up to what it says it will do. Auditors are “show me” people. Say one of the controls you assert is in place for your information system includes a well-defined off-boarding system. You say that every step is tracked by a ticketing system, and that management reviews occur at regular intervals to make sure the system is being followed.

You can bet that the auditors will ask to see the written documentation that defines the system, a sample of the tracking tickets, and dated evidence of management review. There may be a call for an organizational chart that depicts that management really is management, too.

You get to design and implement the policy controls that your organization will follow. Follow regulation, and good practice, yes, but also make sure that your business can and will live by the standards that you’ve committed to – whether you’re in Portland, Oregon or Prague, Czech Republic!

For help with the intricacies of certification readiness, including policy controls, contact Julia Huddleston, a Certified Information Privacy Manager and a Certified Information Privacy Professional.

*More information about the 2018 Privacy & Security Forum can be found here