International law firm Dorsey & Whitney LLP announced today that it is offering three levels of assessment and compliance packages to help businesses comply with the enacted California Consumer Privacy Act (CCPA). The packages, called BASIC, BASIC+ and READY, provide options for legal services based on clients’ particular needs in preparing for the CCPA, which goes into effect on January 1, 2020. 

This new law marks a dramatic sea change in American privacy law as it imposes significant new burdens on organizations that collect data on California residents. In addition to requiring businesses to update privacy policies and processes for dealing with personal information, the CCPA also, for the first time in US history, imposes class action statutory liability against organizations that suffer a data breach after failing to implement reasonable security practices and procedures.

In response to the requirement that organizations develop “reasonable security practices and procedures” to help prevent data breaches and defend themselves from forthcoming class actions in California, Dorsey has developed a suite of packages to help businesses move toward this standard. Dorsey will work side by side with leading technical security industry organizations to offer comprehensive assessment and remediation advice and services for businesses. Included in those cutting-edge offerings are the services of edgescan, which provides vulnerability assessments with each package level. Dorsey also offers custom packages that align with an organization’s budget and goals.

Chair of Dorsey’s Cybersecurity, Privacy and Social Media Practice Group, Jamie Nafziger, said, “Given the large financial risk CCPA poses for companies interacting with California residents, we designed these packages with a risk-based approach. Security practices and procedures will be of the utmost importance under the CCPA due to the risk of class actions with per-record statutory damages. After helping numerous clients comply with GDPR, we were inspired to offer some fixed-fee options for CCPA-related compliance projects. We look forward to working with our clients to reduce their risk under this new law.”

Dorsey’s entry-level package is designed to provide clients with an initial assessment as to their existing information security and privacy gaps for not only CCPA compliance, but also for their overall posture. This fixed-fee package includes the essential components of what an organization would need to determine its next steps toward building an information security program that will meet emerging legal requirements.

Dorsey’s primary assessment package will provide clients with a more complete understanding of their existing compliance gaps while also providing clients with several key deliverables to put them on the path toward full CCPA compliance.

Dorsey’s full CCPA compliance package is designed to fully operationalize compliance with CCPA imperatives, remedying issues identified as part of the CCPA Basic and Basic+ assessments. This package includes all items contained in the Basic+ package and is custom-tailored to equip individual businesses to meet the demands of CCPA compliance.

Eoin Keary, CEO of edgescan, stated, “We are excited to be working with Dorsey & Whitney in bringing such innovative and comprehensive CCPA offerings to their clients. At edgescan, we provide fullstack vulnerability management to protect the clients' assets with expert validation, providing both peace of mind and tools that promote compliance with CCPA.”

For businesses that need to determine the extent to which the law applies to them and assess their current CCPA compliance posture, Dorsey will be launching an on-line assessment tool on its website in June 2019.

Dorsey also continues to publish timely CCPA updates on its website. Updates can be accessed here.

Dorsey’s Cybersecurity, Privacy & Social Media practice group advises clients on a wide range of issues including compliance with state and federal laws, data breach responses, and litigated matters. The firm continues to advise numerous clients on the European Union’s General Data Protection Regulation (GDPR), another sweeping change in the privacy landscape that went into effect in 2018.