Sign Minnesota Banking Permission Slip Later

Industry sign banking minnesota permission slip later

welcome everyone to today's compliance webinar these are alta's presentations we offer um issues imported to title assignment professionals i'm jared mcneilly alta's vice president of communications and today we've got a great webinar lined up to help you understand the latest laws regarding consumer privacy rights as well as reaction trends before starting i do need to touch on a few housekeeping items first if your audio is choppy you may have a weak internet connection so you may want to try and select the telephone option a uh copy of today's presentation can be can be downloaded from the handout section there in the webinar window on your computer screen you'll also get an email put a link to the access presentation afterwards all participant lines are needed for today's discussion at any time you have a question go ahead and submit them through the questions box will hold a little bit of time for a q a also as a reminder the presentation is being recorded a link to the recording will be sent to everyone and you can always find the archive all of our recorded webinars on baltimore's website at alta.org webinars again that's alta.org i do need to extend a thank you to old republic national title insurance company for sponsoring our compliance webinars this year so thank you all republic now let me introduce today's speakers and then we'll get to the presentation joining us today is elizabeth riley liz is senior privacy council as well as regulatory and compliance council for fidelity national finance financial and we also have steve jayden steve is senior vice president and chief privacy officer for older public title uh liz co-chairs alca data privacy work group and uh steve is also a member of the work group and uh also joining us today is alca's elizabeth flosser elizabeth is also vice president of government affairs she leads alca's data privacy efforts and coordinates with many other groups on this issue and uh i definitely want to take a moment here just to recognize a little elizabeth recently promoted for her dedication to industry on many fronts so uh congratulations elizabeth and uh with that i'll turn the presentation over you guys thanks jeremy so we've got a lot of information to go through today um as we go along feel free to submit your questions in the chat box and we'll hopefully have some time to answer those towards the end of the presentation also want to give a shout out to liz and steve for taking the time to join us they do so much work on behalf of the industry on this issue and it's fantastic to have such really knowledgeable subject matter experts to work with so one of the first things that people ask when you start talking about the issue of data privacy is how did all of this sort of come about what is driving this push to data privacy legislation both on the state and the federal level and i think one of the answers is we've sort of clicked our privacy away over the last handful of years and now it doesn't really matter if you're a republican or a democrat people tend to agree that they want their their data privacy back and so that's kind of how we start the conversation but liz i'm hoping you can kick us off by talking a little bit about some of the data on the slide because there's some really fascinating numbers sure i can um and and thanks everyone for joining us today um to start off yeah you look at the numbers they're you know they're staggering 2.7 billion facebook users and 500 million tweets per day i should mention these are 2019 numbers so with the days of remote work and and i guess remote life essentially amid the pandemic we probably could imagine that these numbers have increased in 2020 but i think the theme is that the internet has brought convenience to our day-to-day life i mean it's brought a lot of connection but privacy advocates are asking and asking you know with more frequency and more attention today you know if if this convenience and efficiency is coming at a price that's too high and and the question is you know is the information that we share knowingly or unknowingly when we avail ourselves of these internet resources that's a commodity and it's got significant value to others including data brokers and retailers and and you know is this really a fair exchange so thinking about the history of data privacy we're going to talk about california a lot today california passed the first in the country data privacy law and that really all started at a cocktail party um these days we have virtual cocktail parties um but it was about data similar to what is on the slide and it came up in a cocktail party conversation and it it led to this huge push in california to get something done on data privacy so steve your home state tell us about the cocktail party and what ensued after that well and thank you for everybody joining this fun call and yeah it did start with a lovely cocktail party and this was um pre-coded it wasn't a virtual it was an in-person cocktail party and there were many news sources that kind of wrote about it at the time but the story goes this way so it all revolved around a wealthy real estate developer from san francisco silicon valley named aleister mctaggart um so he allegedly expressed concerns on the future of consumer privacy at this cocktail party while discussing consumer consumer data practices with an engineer from google and this basically led to the first round of a ballot initiative um and we'll get more into some of this but california lawmakers and privacy advocates got wind of this and met with mctaggart so there was this alleged ballot initiative and it was moving forward it looked like things were going to actually happen and mctaggart met with the lawmakers um convincing lawmakers in california that they if they embrace a true writing of a privacy law he'll remove the ballot initiative which he did at the time um but know that that lovely effort of ballot initiative being removed and ccpa the california consumer privacy act and what is now the law that was written in approximately seven days so when you think about all of the effort all of the angst all of the things that are within the california consumer privacy act this thing was built in a very very short period of time and we'll get back to mctaggart a little bit later in the presentation he's an interesting character and definitely at the center of all of this so steve if you think about data privacy data security as we look to the future you know in the past there was a smaller group of industries that were really regulated and now it's really everybody is in this bucket and every you know these data privacy laws apply to everyone what does that mean for real estate well certainly real estate has expanded in the technology space from social media as our initial slide and you look at all the different social media aspects regarding the engagement in the real estate industry and digital advertising become a big part of the real estate market and operating in these areas requires a really deeper understanding of the privacy laws and regulations associated with space you'll notice on this slide you know there's data brokers and you know there wasn't a lot of conversation regarding data brokers years ago and there certainly is now and that brings on a whole host of things to consider under privacy laws and depending on what a business is doing with their consumer data a business could easily fall into many of these new buckets uh as stated on the slide and really it all boils down to knowing what where and how you were dealing with consumer data and that's that's been a big change in what we have to face today so one of the things that's really interesting to me about data privacy laws is there's been this fundamental shift about who owns data so you talk about data brokers and data aggregators in the past you thought if somebody collects data and houses it maybe adds additional information to it they own that data and they can do with it what they like under comprehensive data privacy laws that all changes um comprehensive data privacy says i own any data that relates to me regardless of where it exists and i have certain rights as it relates to that data whether it's the right to get information on what data is being kept and stored how it's being used a right to have it changed deleted provided to me in a portable format all of these rights related to data and it is a shift in how how we think about the information that we all hold and retain and and who has rights to that um so here on this slide there's some information about some of the core concepts and things to think about as you start to approach data privacy i'll start with you liz could you talk about you know one of these core concepts that you think it's important for our audience to be focused on absolutely and you know elizabeth you're exactly right it's this fundamental shift in the view of who owns the data that's driving you know current privacy regulation and the increasing interest in in privacy regulation and and sort of view it as they're looking at two things you know from the data owner's perspective not necessarily who's custodian of the data who owns the data the data owner and and these core concepts the privacy policies the disclosures um you know they the expectation is transparency on the part of the data custodian the person or entity that possesses the data so that the person who owns the data knows you know whether or not the data exchange is going to be fair or unfair or can make that determination what are the terms of me giving you my data um what are you going to do with that data and i've got to know that up front before that i give you my information so i think that's one big thing it's these these concepts that are sort of rooted in transparency you know and the other um you know i think trend core concept that we're seeing in the privacy regulation is this concept that there are certain terms that are just fundamentally unfair that there are certain uses of the data um that are either unnecessary or where sort of the terms of the bargain is so unfair that the law is going to prohibit those uses and so you're seeing limitations on the use of personal information i know you know steve mentioned ccpa i think that's something that's a big part of cpra is drilling down on sort of limitations on on use of that information um but those are concepts that it's worth mentioning transparency and limited use have been around our industry for almost two decades and you know it's the financial services space has been regulated by glba you know in as insurance entities were regulated by the states and subject to the glba requirements but we have to already adhere to a glba privacy rule which requires the disclosures and limits our use of the information so while these aren't new concepts to our industry necessarily um you know they are new to say the data brokers in other industries out there but i also think as we within the industry sort of look towards steve mentioned digital advertising you know sort of that digital presence um and you know partnerships within the digital realm we will encounter i think more frequently sort of these these expectations um you know in other ways what about you steve anything jump out to you on this slide to highlight well certainly you know the the shift from you know i remember when glba came out and that was such a huge huge shift at the time and that you know oh my gosh we're not going to care about privacy and it was a huge push in industry you know industries beyond even the title industry had to you know in the financial services sector had to apply in and get all compliant with glba um and it was all about not wanting to share personal data and now you look at where we're at now with people sharing the most intimate details on facebook as an example um and here we are in in a very very different shift one of the things in elizabeth touched a little bit on it is the digital advertising um and when you think about website disclosures and how you're operating you know your business it's possible you may be using some digital tools on your website your company's website that may capture some of your visitors data and when you get into the nuance of some of the the laws associated with this you might want to think about what you're doing from a disclosure perspective so tracking some visitors activity as it relates to visiting your website is probably okay as long as you have it appropriate disclosed and what are you doing with that what types of things are you capturing um and it's it's big in the news there's certainly some some large industries out there that have gotten in some trouble in the privacy world in just failure to disclose not actually what they were doing so that's one of the things i'd i'd certainly lift off that slide yeah that's a really important point i think it's easy for us all to think about the data that we collect to do a transaction that sort of active data collection and then there's sort of some this passive data collection that happens in the background and really understanding what uh what what all that entails in your operations so uh we've had data security laws for a long time now we have these comprehensive data privacy laws and a lot of times they're together in legislation but i think it's really important to understand the distinction between the two because they are well well they're often tied together they are two different things so my little trick that i use to remember is data security is all about what happens when you lose data and data privacy is all about happens when you use data so privacy using data security is about losing data um i ask both of you you know do you continue to see this trend moving forward where we'll see both data privacy and security being addressed together in the same pieces of legislation elizabeth my thought is i mean ccpa is an example you know which is clearly focused more towards privacy there's still an expectation of that reasonable security we're not necessarily seeing in the privacy laws sort of the specifics of cyber security regulation we may see elsewhere say in you know new york's red 500 um and you know and i think that's appropriate i mean the concepts can be addressed concurrently but you know we've seen it's certainly a challenge because there's not you know in sort of a full overlap um you've got you know data security also speaks to protecting business assets you know not just necessarily personal information and i think the focus of a lot of these privacy regulations you know to protect personal data there there have to be security controls in place to mitigate against that data loss you know which is you said how you lose data it's falling into the wrong hands but sort of the bigger focus and factor in privacy regulation has been um intentional sharing in compliance with your intentional sharing practices are those disclosed to the consumer um is the consumer on board with that sharing and as steve mentioned you know with regard to digital advertising there may be instances where you know even you know the company may not be aware of some of the behind-the-scenes sharing but now the compliance you know burden is on the company to make sure that sort of every link in the chain is properly addressed from a privacy compliance standpoint in in addition i think it's good to remember technology is generally ahead of laws and regulations and so there's always a little ketchup going on trying to you know plug holes when we've got all this you know cool ideas and technology moves so fast um and and i think these you know as liz even mentioned you can't have good privacy protection without good security controls in place so they really that they're very much more hand in hand and will continue to do so i think lawmakers are going to begin to connect the dots a little bit more as we move down the future of this and certainly the definition of protected data is more broadly defined in what we see in the privacy sector and the security sector is probably going to catch up lots to think about and lots sort of headed everybody's way so let's talk a little bit about the timeline for how things have happened really his whole push started in the european union with their data privacy regulation gdpr it was quickly followed up um with action in california that came out of the infamous cocktail party you saw that the cocktail party got you legislation created in a week so it wasn't surprising that in 2019 and 2020 there were some tweaks and changes made to ccpa uh i had anticipated that 2020 was going to be the year of data privacy law and that we would see a lot of bills passing in states all over the country we had sort of all of these different models people were looking at we were worried about a patchwork of state laws that would be you know coming into effect around this time the beginning of next year but uh covet hit and date of privacy for the time being got pushed to the back burner there's been some conversations about data privacy and how it relates to to covet and um that sort of thing but really comprehensive data privacy has been a little bit of a back burner issue but um you know in 2020 i really wish i had a crystal uh ball we all could have used crystal ball going into this year and so um i'm going to ask you guys what what what you see if you had your little crystal balls going what you see um coming down the road uh liz will start with you and have you focus on what do you think is going to happen in the states with uh david privacy legislation in 2021 i wish i had a crystal ball too you know i mean 20 20 20 took a hard right and you know elizabeth you're right there were so much we were following so much uh the first quarter of 2020 so many different states had introduced privacy legislation and we were watching it all and then you know it there were there was a huge shift in legislative priorities obviously with um with the pandemic and and i think given where we still are sort of within you know the pandemic or it's it's not behind us yet it's likely that we're going to continue to see legislative focus on the more immediate um pandemic related concerns you know budget response um and otherwise you know i think the messaging for a number of states has generally been that there's there's little room on the legislative agenda for anything that is not necessarily a consensus issue or a consensus bill and so for data privacy we we may see a number of states you know introduce legislation especially states that had introduced it in 2019 or 2020 and didn't get it across the finish line but you know the big question will be whether it will actually move because you know there is certainly i think bipartisan interest and support for the concept of data privacy but some of the nuances of data privacy legislation can be quite partisan you know private cause of action um you know other issues that tend to kind of create that divide and not get us consensus so um yeah i don't know if it'll be like 2020 where you have some states a number of states new york or washington texas introduce privacy related legislation but we we may or may not see much much movement there um depending upon you know the legislative interest yeah it's been interesting you know my home state of washington i think we all figured would pass legislation last year it's going to be introduced again next next year i guess that was technically this year that we thought it would pass but um you know there are those issues where people get hung up on and you know we've seen it too with what's happening at the uniform law commission but they're trying to draft model legislation and certainly so many questions around private right of action and preemption um steve i'm gonna ask you probably the harder question because there's a lot of factors that go into it like what do you think is going to happen at the federal level on this issue yeah well i don't know about my ability to predict is is really very solid or not because this is a very very odd environment um it's it's very possible that federal legislation could take the same path as it in 2021 as it did in 2020 what choice it didn't really go very far because uh you know we're still faced with a pandemic um and there's a lot of focus on that i also you know though we um you know we still have a pretty serious runoff election that could shape the senate and um we don't know exactly where that's going to be so i think there's some that believe with the democratic leadership change this could take on a greater level of focus as far as you know some some federal privacy legislation um but it's going to be very interesting uh to see what this thing looks like after the runoff in georgia and it's likely depending on how that goes california good bad or indifferent may be the status quo that might be the baseline that as liz mentioned and and elizabeth mentioned where states may be going um there is some you know federal legislation that um clta has been active and contributing along with u.s chamber um you know most notables the safe act which is setting an american framework to ensure data access transparency and accountability act if anybody didn't know that little mouthful um and there's also the information transparency and personal data control act that or clta and our working group is very active associated with nobody wants a patchwork of different privacy laws across the u.s so certainly nobody in industry the compliance components to have all of these variances is a real challenge um so it's good that we do have a baseline if possible as as elizabeth mentioned the uniform law commission they've been working on their collection and use of personally identifiable data act um where the traction is on that there's been some back and forth between even the glba carve out as most recently which is something we really as an industry need and in addition the naic continues to work on a model they were working on a privacy model and it was moving along and then they decided to kick all of that to the curb and start over um and you never know where that could be so that might not be much of a prediction but that's certainly my observations on the federal firm i think it's safe to say there's lots happening on the field right so you know legislation is coming your way in one shape form or another um one thing quick thing before we move off this slide um a big winner on election night was data privacy and um aleister mctaggart again when california did pass cpra which was sort of another ballot initiative on data privacy and we'll talk a little bit more about that i do want to talk a little bit about ccpa because it is the foundation as steve mentioned of most legislation out there it does give us a sense of what might be coming so steve i'm hoping you can walk us through a little bit of the high level of ccpa and specifically touch base on how it impacts businesses outside of california i think a lot of people hear oh california's law i don't need to worry about that but there are some things to maybe be aware of well as you look at the the details laid out in the slide um and and you need to make a determination whether or not your your business is actually subject to ccpa um and make sure to have processes in place i know uh having worked you know i'm very active with the california land title association um and the way we address this on our faqs because it's a it's a little it's a little daunting to give a whole lot of direction as far as this but this is how clta answers that question so a business based outside of california that is a for-profit entity that collects california consumers personal information as defined by the ccpa or determines the purpose and means of processing personal information does business in the state of california meets any one of those three uh thresholds described which are those three bullets right there um maybe subject to cpa ccpa so it's it's a maybe and you really need to look at this but i think that there's something that is changing and we'll get a little bit more of that into the the conversation on the cpra so today the california consumer privacy acts enforcement is done by the department of justice so it's under the ag and with the with the the election results of cpra there's a new enforcement agency that now comes into play so the california department of justice and how they may look in reaching across state lines that's that's kind of one thing that you can look at and consider um when you're talking about being in a business outside of california still subject to ccpa with this new enforcement agency um i think the jury's out on that and you know could that um have more impact uh to businesses operating that are subject to ccpa outside of the state of california so it's there's there's more to come on that um but it's one to be thoughtful about um if you if you're subject to ccpa and certainly um even if you're outside of the state of california there's a lot of good things that you should have in place and be thoughtful for um because i do think and we probably all agree this is likely coming to a theater near you whatever however that form is i think one of the interesting things on this slide is you know you have these thresholds that you have to hit and you know what i've heard from um businesses in california especially small businesses is that it's easier to hit these thresholds than one might imagine and just to kind of give people an idea estimates are companies that have one to 20 employees are paying about fifty thousand dollars to become compliant with ccpa companies of 20 to 100 employees or about a hundred thousand dollars in compliance costs and beyond that for large companies it's just yeah astronomical the investment um so something to just have on on your radar um we already talked a little bit about some of the rights um that people have under ccpa so we won't get a lot into this slide but i would just throw out there that you know people have the rights to exercise their rights and you cannot um discriminate based on that so that's another important thing to keep in mind and i think probably a key concept you'll continue to see in data privacy legislation um liz one of the big things about ccpa we probably have a whole conversation on it was the definitions and figuring out sort of what every thing meant and it's been a large focus of some of the tweaks made to ccpa the last two years can you talk a little bit about uh personal information and that definition and kind of what all it entails yes i mean for many so for many of us i think in the united states ccpa presents the most expansive definition of personal information that that we've seen um you know gdpr the european um law which has some similarities has an equally expansive definition of personally and from personal information but for those of us you know without a multinational or presence within the eu um this definition sort of brought to us the most comprehensive that were we've seen yet and so how to apply this information and whether or not data that you collect falls within this information and what type point categorization is is a significant exercise but generally ccpa personal information includes any information that identifies relates to describes is capable of being associated with or could be reasonably linked directly or indirectly with a particular consumer or household okay so that that is a lot and that includes you know online information um internet activity internet browsing history you know if you were viewing a website and your um ip address leaves that website and goes to another then that is potentially ccpa personal information so it's it's significant i think in the in the volume of information that is captured and types of information that we didn't necessarily previously assign a sensitivity you know it's it's not information that would necessarily be subject to data breach notification statutes um it's far more expansive than that but but something else that's important to point out you know elizabeth that you mentioned there are a lot of ex or there are some important exclusions to ccpa personal information as well and and some of those you know are very helpful for our industry um you know ccpa definition of personal information does exclude publicly available information so that's information that is lawfully made available from federal state or local government records so your land records your public record information relating to taxes or property appraisers information that would all be considered um public information excluded from ccpa personal information i mean two other exclusions that are important are the employee data and and the business to business um information so even if you're capturing name address phone number email address of somebody who would otherwise who is otherwise a california resident and in in certain contexts that would be considered personal information if you're engaging with them on it from a business standpoint um or you're engaging with them as an employee or prospective employee then that is exempt from the general definition of personal information though there are requirements elsewhere in ccpa regarding how you would treat employee information and there are certain disclosures that are required to be made to employees with regard to how the employer would handle their information but but those are you know helpful exemptions um it rules out some significant challenges that ccpa compliance would otherwise pose but those are exemptions that aren't necessarily fixed in the law um there's a sunset of the exemption i believe in january 1 2023 right when the cpra goes into effect so that's something that i know the california land title association um you know and other associations have been very focused on you know seeking to retain those exemptions on a permanent basis yeah we have to give uh steve and clta lots of props and kudos for their work in this area when you think about having you know privacy relate privacy rights related to things like employee data that raises a whole bunch of questions and steve maybe you can speak to the great work you guys have been doing in the in the state because i know you've been an integral part of those efforts well i can tell you you know the cota efforts first were trying to address the possibility that the california consumer privacy act may not have been voted in um because this uh b2b employment um carveout was due to expire in a few weeks so one of the things we worked very very heavily on um was assembly bill 1281 it's moot now because the proposition did pass but there was an incredible amount of effort and i and and hats off to the the members that i work with at clta um and working with cal chamber uh we really did a lot of the heavy lifting to make that happen and this was for industry um and you can you know the there's a lot of folks that are impacted by this and the title industries wasn't the target um we're just kind of caught up in it but we really did a lot of the heavy lifting on that um so now we have you know uh what was prop 24 the california consumer privacy act where that carve out is extended for two years until january 1 2023 so we're working very very closely again clta with cal chamber we're hearing some positive uh news um even though we have you know obviously a very unusual uh set of circumstances again in sacramento but we do think you know the main obstacle has been labor um and some concerns that they've raised on the in employee carve out and we think we've we've got enough attention to move that forward um i am a glass half full person usually very optimistic anyway for those of you that know me um but this is where we're encouraged uh and while there's a two year span for us to fix this and make it permanent we're addressing this very aggressively right now heading right into 2021 because we don't want to we don't want to be in year two feeling uncomfortable associated with it because this is very very important not only for our industry but others but clta has been very extremely involved in making this effort move forward in sacramento absolutely great a great model for leadership on this topic uh this slide talks a little bit about uh contracts we've left it in here so that it's just in your presentation materials but we're gonna touch on it a little bit later uh this sl de kind of outlines the whole ccpa process but the little box in red is the piece that's really super important um for our industry and so um i'm hoping that uh steve you can maybe talk a little bit about these exemptions in red specifically the glba uh exemption so i i can talk about this a little from you know we're we're a company that's subject to ccpa and so the exemption response is one we face um regularly and you need to have a deep understanding of your operation to determine what may apply when we talk about these exemptions and you know some of the examples in order to complete the transaction for which we collected the personal information that may be an exemption as you look into these things in order to detect security incidences protect against malicious deceptive fraudulent or illegal activity other examples of what could be an exemption as far as the requests that may came come in from a consumer um in order to comply with a legal obligation you know there could be a subpoena there could be all sorts of different legal obligations where when we have this data to handle a transaction how do you how do you manage your requests coming from the consumer and then some of the biggies you know it's a type of personal information that falls outside the scope of ccpa um so we have the gram leech blighly carve out in essence um and we have the hipaa and the copa exemptions as well those are just a few of of how you would look at handling these types of exemptions and i know that we're going to get into this in a little bit but it's really important to know the data that you're bringing in where it's stored um and how you're categorizing it how you're dealing with it because until you have that you really can't understand what exemption something might fall under one thing i'll add to on the glba carve out so you know this is something that we as an industry are pursuing at the state and federal level you should know on the alta website on the data privacy tab there is language to be included in state legislation that provides the glba exemption you should feel free to go download that use that there's talking points all kinds of information there that you can use in your state advocacy but the really key thing for our industry to get included in any state legislation is going to be um the glba language so really encourage people to be taking a look at that um so liz everybody's favorite topic is litigation of course and there have been some concerns about litigation around uh data privacy uh private right of action can you talk a little bit about what that looks like under ccpa since that's kind of a model for other places as well yes and i um you know yeah we all love to talk about litigation but sort of this private right of action within the ccpa um seems you know it sort of was the gift that plaintiff's attorneys and data breach litigation had been hoping for and and looking for and just you know something that has been difficult to prove in in prior data breach litigation has been standing on on the part of the plaintiffs you know the plaintiff has to have suffered an injury in fact that injury has to be traceable to challenged conduct of the the breached entity or the allegedly breached entity and then it has to be um you know that conduct has to be redressed by a favorable judicial decision so sort of the inability to show that a plaintiff had suffered an injury in fact that they were harmed that there was a financial harm some sort of identity theft or something that occurred as a result of the breach has been a challenge to prove and therefore it's been a challenge for a lot of these data breach cases to move forward in litigation because there hasn't been standing you know effectively proven in a number of them so that's so ccpa comes in and it creates a duty to implement maintain reasonable security procedures and practices and those have to be commensurate with the nature of the personal information collected to remedy a violation of that duty ccpa created this private right of action and it is a limited private right of action um for consumers who's non-encrypted or non-redacted personal information is subject to to breach and we're talking about as the slide shows that narrower definition of personal information so it's what we're typically used to seeing in california's data breach law and other states data breach laws social security number driver's license number california id card etcetera you know bank account um but there is no need to show that financial harm that the breach in and of itself is enough to establish standing and the consumer can recover statutory damages between 100 and 750 per violation a big change um is that right now within the ccpa there's a 30-day cure period so the consumer must first notify the allegedly breached entity that you know they've of the the breach and the business has 30 days to cure um i we're not i don't know what cure means um others may have thoughts but the law doesn't really go into what it means to cure a breach but but if the grievance is not cured that's when the ability to to file a lawsuit and seek those statutory damages kicks in under cpra that 30-day cure period is gone so there's no need to notify a business before filing a lawsuit and seeking damages under ccpa in response to a data breach so you know you read the statistics and hear the statistics of how costly data breaches in and of themselves can be um you know of course it's anticipated that having this private cause of action could greatly increase those costs for businesses who fall victim and and and you will talk about preparations for ccpa and ccpr cpra in a minute but you know we can't overlook or underestimate the importance of having an effective security program you know to mitigate against the potential breach given the potential implications under ccpa of of you know private cause of action and statutory um penalties yeah this is really one of those areas where the privacy and the security come come together um so just to touch briefly on cpra the ballot initiative that uh passed last month steve if there's a company that's already complying with ccpa and now they're thinking about cc or cpra um do they need to be worried what do they need to be thinking about this is this is new this is different well i think well one that you know liz pointed out the the 30-day right to cure is removed so there's one change but fundamentally if if a business is subject to cpa today and they're in compliance and they're they've done everything accordingly there's there's really not a lot of change um there's been a in addition to the disclosure requirements um talking about the retention period you may retain a certain category of data so um if things remain the way they are that's probably a real minor change that would need to be made to a company that's subject to ccpa and their disclosure requirement in their ccpa notice but basically it it it pretty much remains the same for our industry so the message is don't freak out yeah exactly it's just you know and there's two years so i you know though this is all kind of put in bed and and it sounds kind of solid um it's california you never you know i mean mctaggart started with this ballot initiative removed it became law we have another one who you know you never know what might happen in the next 24 months you still need that crystal ball apparently yeah in the interest of time because we've still got some other information to cover uh liz can you talk a little bit about preparing as steve said you know this is coming to a theater near you sooner rather than than later so what can you do now to get started yeah and i think we've touched on a number of these things already so just you know reiterating them briefly steve mentioned know what types of information you're collecting know what data you're collecting where it goes how you use it whether you share it i mean that's going to be critical for ccpa compliance cpra compliance and likely any any privacy regulation down the way you know additionally you know i skip ahead to the next slide um you know updating those disclosures and this is something we're used to in the financial services industry we may have our glba disclosure but if you're subject to ccpa you consider whether you need a ccpa disclosure too and if so make sure you're meeting the requirements of the ccpa and in in a couple years the cpra um and then something we've talked a good bit about you know with regard to the operational compliance you know those websites and application notices are important and was also really under you know important to understand is sort of the mechanics of your information sharing what you know and what you don't know especially with regard to your digital presence and if you do have you know digital service providers or partners making sure that any of those contracts one that you have contracts in place and two that all of those contracts adhere to the the ccpa requirements yeah i think contracts are just it's an important part of any of the discussion when it comes to to data sharing steve i don't know if there's other things you would add on that on the contract um piece or obligations that we already have under glba um i can just reiterate how important it is to do this um and know that at some point you know when we look at the cpra and the the fact that enforcement has moved from the department of justice to a new agency that's being formed um it's it's the the new agency's got about a 10 million dollar cost associated with it and they're going to be funded for enforcement actions that's how they're that's how they're going to be paid so we talk about the importance of having these structures in place making sure you've got notices make sure your contracts are in place all of those things we have a new enforcement agency that we don't know we don't know how they're going to operate and i think it would be better to think from a super risky perspective and that they're going to be really difficult and they're going to bear down on these types of you know show me your contract show me the fact that you have a ccpa disclosure and an information security addendum with all of your third-party vendors i i think we should anticipate that that's coming and if you're prepared and you're thinking about these you're going to be in better shape if it comes so one thing i want to throw out just as we wrap up this section is you know clta has done a great job and if you're in california so many resources on figuring out how to navigate this because as you've heard there's so much to think about um and as we see laws enacted in in other states and potentially at the federal level know that there's a work group led by uh liz and samantha budson and steve is such an active part of that's where to pull together resources for you so that you're not facing this alone right there's a there's a lot to think about and um we're certainly going to be with you every step of the way um i do want to take a few minutes and talk about redaction because this has become a hot topic on the federal and the state level uh i think it's really important when you talk about any policy to understand the landscape around it we talked about kind of everybody wanted to get their privacy rights back and that's why data privacy is so important right now redaction or as we like to call it record shielding it has a really sad story to it right now there's a judge in new jersey whose son was was horrifically and tragically shot um in their home because somebody gained the personal address information of a judge and went to her home to cause harm and so this has brought really this issue into national focus the today show has run a few pieces on this and i would encourage everybody in the industry to go look at those those pieces it is a heart-wrenching story but what it really tells me is that we as an industry have an obligation to come up with a thoughtful approach about how to ensure that people's personal information um is is protected in things like the land records so that it can't be used to do harm to at-risk groups but at the same time how do we approach this in a way that that still allows for people to easily you know transfer real estate um buy sell or or refinance and so um we've got a group together which again steve and liz are super active in and showing a lot of leadership on how to approach this and steve i just like you to kick us off and talk a little bit about how do we as an industry need to to look at this whole issue moving forward well i think one and you mentioned you know judge salah and um and that terrible you know it was you know daniel's law that passed in new jersey um we cannot ignore the current climate and in in the pressure for shielding these records that some states have have addressed this um over time but it is a different climate that we have today and um you know when you when you look at the news and and you you think about um anger and things like that just generally in our population um and then you look at something like that what happened in in new jersey and i i think one of the big concerns and we're working on this at alta liz and elizabeth and trying to put together some tenants to think about but there's unintended consequences that can happen from this and um liz shared with me a really good article late last night um regarding what's going down in new jersey and the fact is everybody understands the passion and the need to be able to protect these types of of records and protect our judges and possibly you know keep people in law enforcement etc and nobody's arguing that but what has to be thought through and where we need to be really good stewards of our industry is how we message that and the fact that you know this was this all happened in new jersey but we've you know the county clerks the county recorders themselves don't have good guidance and understanding of the best way to manage this process so when we can step in when we think this may be coming to a you know state near us or whatever those are the things that we need to think about um and there was there was one piece from this article last night um and bear with me for a minute because it it came from one of the county clerks in the state of new jersey and they had a possible solution to complying compiling a whole list of judges and law enforcement officials have each impacted individual make the request much like the new jersey address confidentiality program allows domestic violence victims to use a post office as a substitute um we need to be as thoughtful and engaged when we when we see these potential laws coming into our in into our states um so we're not having a you know the county clerks having to come up with some novel creative way this actually makes some sense but this is the unintended consequences of a very topical meaningful thing that we need to address um but it has to be thought through if at all possible and we need to be as influential as we can within our jurisdictions yeah um also just in the last few days has reached out to the uniform law commission and asked that they take a look at maybe drafting some model legislation around this i think that would that would be good hopefully they'll make the decision in january to move forward with that uh one thing we can say with certainty is that there has not been a uniform approach to laws um in the states dealing with this and this is a place where we as an industry can really show leadership uh one of the things that our letter to the ulc outlined was that while there hasn't been a uniform approach there's a couple of states that have laws that we like arizona and minnesota liz can you speak a little bit to why this the solutions in these states work well yeah you know when you look at both states and the summaries that the laws are beyond the slide and sort of the summaries look different i mean they're very different concepts but what overlaps both concepts is that there's a means for the title industry and in other industries or industry partners that need legitimate access to the records um to gain access to those records and so so that's critically important you know in ter s of um you know ensuring that information that's essential to our business you know we continue to have access to it and but that means of access is balanced against the need to protect the safety of the protected parties and so in arizona it's it's a redaction process that happens after the record is recorded um and you know so it's a post-transaction event but there's a a process you know by application where certain industries are avail are able to gain access to the unredacted records for those purposes in minnesota the process is sort of the process of redacting or shielding um land record information is actually sort of starts even before somebody's somebody who's in the safe at home program um starts to look at potentially buying a home i mean the whole process is sort of cloaked in secrecy to protect that individual but when when the you know the deed and other documents are made of record a minnesota secretary of state identifier is associated with those records so that access can be gained by tracking through the secretary of state that number and getting the approvals through that pre-ordained process so two very different looking processes but but ones that don't impact you know issues like constructive notice or access to records that can be incredibly problematic for our industry so once again also is trying to pull together information for you to use at the state level we do have a new document out it's faqs it talks about the minnesota arizona approaches and then it has this sort of list of best practices here that are things that should be consideration in your state legislation so this is part of that thoughtful approach of how do we do this you know really the number one thing to think about is that permission to access that liz was talking about in minnesota and arizona where the industry still has access to information it needs for real estate transfer but but the general public does not just one final slide quickly so people are aware uh federal legislation has been introduced on redaction by the senators from the state of new jersey also is meeting with senate staff talking about a few little tweaks we want in in the legislation the big one being that permission to access peace the legislation is really positive and that it might provide some funding for states for implementation which would lead to more uniformity and and help the county recorders and clerks uh that steve was talking about so lots more to come on this topic um we are all here and and available um i know all of us are happy to take questions if you if you reach out but um we appreciate having the time to chat with you all about this important topic today all right there pop back in here out thank you all great information on the update of privacy and redaction it's going to be interesting to see how you know regulators legislators continue to look at this hold holistically and kind of connect all the different pieces of this puzzle together uh we are at the top of the hour maybe if you want to hang out for a few minutes we'll try and get to a few of your questions otherwise everyone's contact information is there on the presentation feel free to to reach out to anyone um one question that we did have come in from todd and it's on on the redaction piece and yes you know how important is it to have consensus and support from state landtime associations for mitigating redaction legislation um yeah i think this is such an important issue for our industry because we're sort of primary on um its importance so there are others who who care about this issue those who are maybe part of at-risk groups or representing those groups obviously county recorders and clerks and lenders but for us you know we live and breathe the land records and constructive notice so it is a vital importance to us so it's an area that i really feel we have to lean on and lead in a really sensitive way and i know liz and steve you're both involved with state ltas on on efforts so i'll let you jump in as well yeah elizabeth echo everything you said i mean we we do have to take the lead on this and so it's important that we lead with consensus with a unified voice and with a message that balances you know appreciation for um the safety risks and and sort of the heightened importance of this issue for those who um are our protected parties and at the same time clarify you know what are sort of what our need to access the records is and and how you know essentially our ability to do that is is ultimately helpful to those same groups um you know in in the transfer financing of real estate so it's it is important to to as one group you know show consensus and strength strength and a unified voice i would just echo both of you it is it is extremely important and that's this is what we do is manage you know access to public records and we need to preserve the you know all the all the records to be appropriate so people can sell their homes and do refi and things like that and it's and it's not it's a very very strong message we need to be engaged with thank you how about when you go to talk about disclosures is that the information that you know a title or southern agent would then be sending out to consumers you know say a transaction they get an order that's open then they start collecting data then is that a disclosure they would then send out to the consumer or is it also the information that you need to disclose on your website i'll take a quick stab at that it's both there's disclosures that need to be on your website um when we mentioned you know liz and i both talked a little about digital advertising and how a website might be capturing certain levels of data you know you go to most websites today you'll see a little privacy pop-up uh and it might say something like analytics are being done or there's some things that we're tracking are you okay that kind of stuff so that's like that that's one you know disclosure there's other disclosures that are legally required to be on your website and then there's disclosures that need to be provided on a transaction basis similar to the grammleage wiley notice um you know when you're first engaging with the consumer so it's kind of all of the above um liz did i miss something there you did not that was perfect nothing to um add guys had some great information for companies on how to get started you know any other suggestions for sources what should a you know a small operation a few people you know do to start this process you know is it talking with their their underwriters you know as far as health preventers on this space they can always go to alca's marketplace and search for vendors that offer data privacy in cyber security but and any other suggestions for people to you know help getting their plan together be very active with alta and your state land title association yeah all of the above have been great resources you know and there's also i mean there's some good law firm you know materials out there that are accessible to anyone some of the regulators have put out you know papers helpful information on how what you know sort of shapes their view of compliance with the law what how they interpret compliance with the law so that can be a helpful and free resource as well i think too it's it's a good first step is just starting the mapping process even if you don't get all the way done with it what information do you collect when do you collect it how long do you keep it where is it stored who do you share it with having all that information sort of gathered on the front end is going to help you get the most out of conversations whether it be with you know underwriters council or others yeah yeah i definitely think it understanding how you uh accept use store share data goes a long way to answering a lot a lot of your questions uh well we're almost 10 minutes past the hour so uh thank you uh to nearly a hundred people out there that's still hanging out with us so hopefully you enjoyed the program and the content if you missed parts of today's webinar or if you think others in your office would benefit from listening as i mentioned before reporting in the presentation uh we'll be emailing out to you again you can always find the recordings on alta's website at alca.org forward slash webinars and uh that will bring us to uh the conclusion of today's presentation to wrap up i do need to thank old republic once again for sponsoring our compliance webinars and just peeking ahead a little bit in january we will be offering a webinar on how to increase engagement in the remote working environment and we will also be providing a presentation forecasting the 2021 housing market and also just need to provide a quick mention of the alta registry just as a reminder being an alta member or a policy form courses forward does not mean your company is automatically in the registry so go to alta.org registry for information on how to get the included impact again thank you to liz and steve as well as elizabeth for joining us today sharing information on data privacy and reaction take care thanks thank you thank you