If it’s not already, security should be a top priority for all companies that collect and hold personal data. Companies subject to the California Consumer Privacy Act (CCPA), effective since January 1, should be even more concerned given the new consumer right of action in the event of certain security incidents, and the increase in class actions to which this will inevitably lead (more on that below).
And yet…
During a recent discussion with friends in the hospitality/travel industry, I was surprised to hear of shockingly poor security practices when they described how travelers’ information was shared and transmitted on a daily basis. I learned, for instance, that travelers’ information – especially when it comes to groups – is often sent in unprotected, unencrypted documents, such as excel spreadsheets or pdfs, to equally insecure email addresses, with multiple recipients copied. These documents, which circulate freely among various players in the ecosystem, contain hyper-sensitive information, such as passport numbers, credit card information, location, and travel dates and addresses. We are not talking about a name and a device ID, here, but troves of data that hackers would love to get their hands on.
To be fair, not all companies have such cringe-worthy practices. The industry is comprised of big players, who themselves are not immune to breaches (Marriott, for one), but have (sometimes forcibly) invested in privacy and security, and smaller players that do not always have the resources – or in some cases prefer to look the other way – to beef up their privacy and security. What’s more, this is a VAST industry: it also encapsulates “ancillary” companies, such as those that plan events, group tours, conferences, not to mention the myriad marketing and advertising providers who have maximized their reach online. Yet, as automation increases daily, travel still requires sensitive data such as government-issued IDs, payment information, location information, and other data that most travelers would hope is securely held and transmitted by those to whom they entrust it. Nonetheless, many companies are still operating the “old-fashioned” way without any proper security practices, policies or checks, and potentially exposing sensitive client data.
Coming back to CCPA, the private right of action is not an unlimited right (nor is it automatic). It requires:
the unauthorized access and exfiltration, theft, or disclosure …
(+)
of a California resident’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) social security number; (ii) driver’s license number or California ID card number; (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (iv) medical information; or (v) health insurance information …
(+)
as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
In other words, it stems from breaches of more sensitive types of personal information that is not encrypted or redacted, and it takes more than just unauthorized access to a device ID and email to trigger the right. But some industries such as the hospitality and travel industries – by the very nature of the services they provide – have to collect the type of sensitive data that triggers this section of CCPA if other conditions are also met. Many of these companies are also probably themselves subject to CCPA (based on one of the three thresholds) or may be servicing companies that are. As such, they should be even more “incentivized” to take all necessary precautionary measures when collecting, processing, transferring and sharing personal information that can trigger a private right of action under CCPA. If not, with statutory damages up to $750 per individual per incident, it is time to really invest in getting security right, beginning with STRONG internal practices, including encryption, and, most importantly, educating employees such that the mere thought of transmitting or receiving passport numbers, names, addresses and payment information in an unencrypted, unredacted spreadsheet immediately raises a BIG red flag.
CCPA is the first in the United States to introduce this private right, but all 50 states have data breach notification requirements, and some states, like New York, have recently strengthened laws relating to data security. Meanwhile, consumers are becoming savvier about data privacy in general and wearier of data breaches, meaning that increasingly, the opportunity to file a class action will not fall on deaf ears. Having solid security-driven policies, systems and software is one piece of the puzzle: also implementing best security practices within an organization and ensuring through diligent oversight that those practices are followed by employees and contractors is crucial, now more than ever.
And leaving the potential fines and damages aside, one would be hard-pressed to find anyone, anywhere, who is comfortable with having their name, passport information, location information and financial information floating around unprotected in a world where hacking is a sport. This is where privacy truly meets ethics.