
Are You CCPA Compliant? Here’s What Security Professionals Need to Know

In what many have deemed the year of data privacy, 2018 featured incidents that raised the data consciousness of businesses and consumers around the world: headline-grabbing breaches impacting hundreds of millions of individuals, Facebook’s Cambridge Analytica scandal, which elevated the data privacy discussion, and the introduction of the European Union’s General Data Protection Regulation (GDPR), which empowers EU citizens to take control of their data.

Events like these prompted a domino effect that has made governments, citizens, and businesses much more privacy-aware, resulting in increased attention to how personal information is stored, managed, and protected. Once the GDPR came into effect, many knew it was only the beginning, and that other jurisdictions would soon follow suit. It didn’t take long before a version appeared in the United States.

Although not a comprehensive federal privacy law, the California Consumer Privacy Act (CCPA), AB 375, was passed in June 2018. Considered one of the most significant privacy developments in the U.S. to date, the CCPA goes into effect on January 1, 2020, and is expected to impact organizations far beyond the state of California. Because California has the fifth-largest economy in the world, the reach of the law is substantial. The CCPA is similar to the GDPR in many ways, but some of the significant differences include:

  • A broader view of what constitutes personal information.

  • Granting individuals the right to opt out of the sale of their personal information, which requires businesses to feature a “Do Not Sell My Personal Information” link on their websites.

  • Civil penalties applied per violation, up to USD$7,500 per intentional violation.

To accurately highlight what security professionals need to prepare for, we caught up with Thad Mann, managing partner, infrastructure and endpoint security (IES), at Trustwave. Mann works closely with organizations to implement preventative security strategies that appropriately protect data centers and cloud operating environments. Naturally, data privacy plays a significant role in the guidance he provides security leaders.

Q: Many say that the CCPA is the beginning of America’s GDPR. Would you say that’s the case? 

Thad Mann: The reality is that there have already been several privacy-related regulations that American companies have had to comply with, such as the Children’s Online Privacy Protection Act (COPPA), Massachusetts Reg 17.03, and the New York State Tech Law. With that in mind, CCPA is simply an extension of previous privacy regulations that includes stiffer penalties and expands on the concept that a person’s identity is theirs to control and that any company that collects or processes their personal information is responsible for maintaining adequate protection.

Of course, one of the significant changes with GDPR is the level of fines and the 72-hour reporting requirement for data breaches of personal information. Fortunately, CCPA does include the extra-territoriality clause that is included in GDPR, therefore limiting the number of companies that must comply with CCPA to entities that conduct business in California, versus anyone that processes California consumer information.

Q: How does this regulation impact the security organization?

TM: Like GDPR, CCPA does not identify specific security controls; however, to meet their processing obligations, entities covered by CCPA must implement adequate data security to protect covered information that can be linked to a particular California consumer. With that in mind, organizations need to assess their current security controls, especially controls that deal with personal data, and determine if they are adequate to identify covered data once it is created or stored, and to protect and track how the data is transmitted and processed until it is deleted. The security controls will most likely include new technical controls, such as database activity monitoring, data loss prevention (DLP), and data encryption. There’s also a need for non-technical controls, such as assigning access on a least-privilege basis to resources that have a need to know and recertifying access periodically. For example, new technical controls may be needed to handle pseudonymous and aggregated data to ensure that these data have been properly de-identified from the consumer.

Q: What about the new regulation sticks out to you the most? 

TM: I was surprised that although CCPA does give consumers the right to have their data deleted, there are no provisions that require a company to correct data that is either inaccurate or incomplete.

Q: What primary areas of this regulation overlap with GDPR requirements? 

TM: There are a number of areas in CCPA that are similar to GDPR, such as a consumer’s ability to:

  1. Have businesses inform them on how their personal data is used (Privacy Notice Right);

  2. Request a copy of the personal information that is stored by the company (Data Portability Right);

  3. Request disclosure on what personal information is stored and shared with third parties (Disclosure Right);

  4. Not be discriminated against for exercising their rights (Non-Discrimination Right);

  5. And how a business responds to their requests (Responding to Requests Right).

Q: How can security leaders leverage their current investments to align with the new requirements? 

TM: Organizations that have taken a risk-based approach to protecting their IT environment and have already invested in building out a relatively mature security program that includes data protection and identity management can extend the coverage to the newly classified CA consumer data.

These organizations will most likely need to update the various policies and procedures to make sure they adequately cover the CCPA’s specific requirements. However, this effort should not require extensive rework. 

By contrast, organizations that have taken a compliance-focused approach to security or have not made investments in data protection and implementing privacy-by-design concepts should consider undertaking a comprehensive review of their security and data protection programs that focuses on identifying the risks associated with CCPA and yields a prioritized roadmap.

Before the regulation goes into effect, Mann advises security leaders to prepare by making sure they check off the following items:

  • Work with a legal counsel that has the necessary data privacy experience and expertise.

  • Determine if you’re regulated by CCPA by finding out if your for-profit organization is based in or does business in California and falls into one of the following:

    • Has annual gross revenues above USD$25 million.

    • Purchases, sells or shares for commercial purposes the information of more than 50,000 consumers.

    • Fifty percent or more of the organization’s revenue comes from selling personal information.

  • If you are regulated by the CCPA, identify if you currently store or process California consumer information.

  • If you process consumer information, understand its data lifecycle, such as how you receive it, where it is stored, how it is processed, if it is shared with third parties, when is it deleted, and how you manage consent.

  • Review existing contracts and policies, such as a web application’s Acceptable Use Policy (AUP) or data privacy policy, to ensure that they are consistent with the CCPA regulations.

Being CCPA compliant will require you to close the data protection gaps within your organization. Here’s how Trustwave can help get you there.

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.
