In what many have deemed the year of data privacy, 2018 featured incidents which raised the data consciousness of businesses and consumers around the world. There were headline-grabbing breaches impacting hundreds of millions of individuals, Facebook’s Cambridge Analytica scandal which elevated the data privacy discussion, and the introduction of the European Union’s General Data Protection Regulation (GDPR), which empowers EU citizens to take control of their data.
Events like this prompted a domino effect that has made governments, citizens, and businesses much more privacy-aware, resulting in increased attention into how personal information is stored, managed, and protected. Once the GDPR came into effect, many knew it was only the beginning, and soon other countries would follow suit. It didn’t take long before the United States had its version.
Although not a comprehensive federal privacy law, the California Consumer Privacy Act (CCPA), AB 375, was passed on June 2018. Considered one of the most significant privacy developments in the U.S. to date, the CCPA goes into effect on January 1, 2020, and is expected to impact organizations far beyond the state of California. With the fifth-largest global economy, California’s new consumer privacy act is similar to the GDPR in many ways, but some of the significant differences include:
- A broader view of what constitutes private information.
- Granting individuals the right to opt-out of the sale of their personal information, requiring businesses to feature a “Do Not Sell My Personal Information,” link on websites.
- Fines are applied per violation, featuring a fine of up to USD$7,500 per violation.
To accurately highlight what security professionals need prepare for, we caught up with Thad Mann, managing partner, infrastructure and endpoint security (IES), at Trustwave. Mann works closely with organizations to implement preventative security strategies that appropriately protect data centers and cloud operating environments. Naturally, data privacy plays a significant role in the guidance he provides security leaders.
Q: Many say that the CCPA is the beginning of America’s GDPR. Would you say that’s the case?
Thad Mann: The reality is that there have already been several privacy-related regulations that American companies have had to comply with, such as Children’s Online Privacy Protection Act (COPPA), Massachusetts Reg 17.03, and the New York State Tech Law. With that in mind, CCPA is simply an extension of previous privacy regulations that includes stiffer penalties and expand on the concept that a person’s identity is theirs to control and any company that collects or processes their personal information is responsible for maintaining adequate protection.
Of course, one of the significant changes with GDPR is the level of fines and the reporting requirements for data breaches of personal information to 72 hours. Fortunately, CCPA does include the extra-territoriality clause that is included in GDPR, therefore, limiting the number of companies that must comply with CCPA to entities that conduct business in California versus anyone that processes California consumer information.
Q: How does this regulation impact the security organization?
TM: Like GDPR, CCPA does not identify specific security controls; however, to meet their processing obligations, entities covered by CCPA must implement adequate data security to protect covered information that can be linked to a particular California consumer. With that in mind, organizations need to assess their current security controls, especially controls that deal with personal data, and determine if they are adequate to identify covered data once it is created or stored and protect and track how the data is transmitted and processed until it is deleted. The security controls will most likely include new technical controls, such as database activity monitoring, data loss prevention (DLP), and data encryption. There’s also a need for non-technical controls such as assigning access on a least privilege basis to resources that have a right to know and recertifying access periodically. For example, new technical controls may be needed to handle pseudonymous and aggregated data to ensure that these data have been properly de-identified from the consumer.
Q: What about the new regulation sticks out to you the most?
TM: I was surprised that although CCPA does give consumers the right to have their data deleted, there are no provisions that require a company to correct data that is either inaccurate or incomplete.
Q: What primary areas of this regulation overlap with GDPR requirements?
TM: There are a number of areas in CCPA that are similar to GDPR, such as including a consumer’s ability to:
- Have businesses inform them on how their personal data is used (Privacy Notice Right);
- Request a copy of the personal information that is stored by the company (Data Portability Right);
- Request disclosure on what personal information is stored and shared with third parties (Disclosure Right);
- Not be discriminated against for exercising their rights (Non-Discrimination Right);
- And how a business responds to their requests (Responding to Requests Right).
Q: How can security leaders leverage their current investments to align with the new requirements?
TM: Organization’s that have taken a risk-based approach to protect their IT environment and have already invested in building out a relatively mature security program that includes data protection and identity management can extend the coverage to the newly classified CA consumer data.
These organizations will most likely need to update the various policies and procedures to make sure they adequately cover the CCPA’s specific requirements. However, this effort should not require extensive rework.
However, organizations that have taken a compliance-focused approach to security or have not made investments in data protection and implementing privacy-by-design concepts should consider undertaking a comprehensive review of their security and data protection programs that focus on identifying the risks associated with CCPA that yields a prioritized roadmap.
Before the regulation goes into effect, Mann advises security leaders to prepare by making sure they check off the following items:
- Work with a legal counsel that has the necessary data privacy experience and expertise.
- Determine if you’re regulated by CCPA by finding out if your for-profit organization is based in or does business in California and falls into one of the following:
- Has annual gross revenues above24 USD$25 million.
- Purchases, sells or shares for commercial purposes the information of more than 50,000 consumers.
- Fifty percent or more of the organization’s revenue comes from selling personal information.
- If you are regulated by the CCPA, identify if you currently store or process California consumer information.
- If you process consumer information, understand its data lifecycle, such as how you receive it, where it is stored, how it is processed, if it is shared with third parties, when is it deleted, and how you manage consent.
Being CCPA compliant will require you to close the data protection gaps within your organization. Here’s how Trustwave can help get you there.