The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. Any merchant or company doing business in California – the world’s fifth-largest economy – should be CCPA compliant.
However, many businesses are finding it difficult to navigate through the requirements necessary to be compliant.
To help clear up the confusion companies are feeling about another set of privacy regulations, experts from RSI Security, Darktrace, and Procopio Legal hosted an informational webinar on June 25th, 2020.
For an hour, the panel of experts covered some of the CCPA compliance regulations businesses have been struggling to meet.
Any business with gross annual revenue of at least $25 million that buys, receives, or sells any personal information of 50,000 or more consumers, devices, or households in California must meet CCPA regulations by July 1st, 2020. Starting from this date, the state attorney general can charge businesses for being out of compliance. Consumers are also permitted to file civil lawsuits if they believe their privacy was breached.
Businesses are expected to have reasonable security protocols in place to protect consumers’ data. The definition is broad, though the frameworks already used to build cybersecurity protocols for, for example, patient health information or cardholder data can serve as a baseline for meeting CCPA regulations.
California’s consumer privacy law differs from other cybersecurity acts in one important way: it gives consumers more rights over who sees their information and how it is used. CCPA gives consumers five specific rights:
- Consumers must be informed if a business is collecting information on them.
- If asked by the consumer, businesses must let them know what personal information has been collected, where it was gathered, how the data will be used, and who sees it.
- Businesses cannot sell a consumer’s data to a third party if the consumer opts out of the sale.
- Consumers can require businesses to delete their personal information.
- If a consumer exercised their privacy rights, a business cannot refuse them service or charge a higher fee for goods and/or services.
If a consumer feels the business is guilty of violating any of these five rights, the company could face a civil lawsuit and penalties issued by the state A.G.
Protecting Consumer Information
The Center for Internet Security (CIS) is working on the framework for the laws that will apply in both state and consumer suits against businesses that are not compliant with CCPA regulations. Some lawsuits have already wound their way through the courts, but these concerned data breaches involving other types of protected personal information.
CIS can also supply businesses with cybersecurity best practices. In total, there are twenty controls that range from basic and foundational to organizational. While it’s impossible to cover all twenty CIS controls in a short timeframe, technical security is one area that every company affected by CCPA should pay immediate attention to.
Technical security covers a broad range of controls. Starting by protecting systems and networks will help keep consumer information safe from hackers. From there, companies can start working on the other cybersecurity practices that apply to their business.
Data Mapping Requirements Under CCPA
While data mapping itself is not required under CCPA regulations, businesses must provide consumers with their requested information within a set timeframe of 45 days. Most businesses have a lot of data moving around and stored, and they don’t know where it is.
Data mapping is simply being able to find the data when it’s needed. It can be done manually, but this will often be labor-intensive, even for the best IT department. A machine learning approach will simplify data mapping and dramatically shorten the timeframe to complete it, even for international companies.
Using machine learning to map data involves tracking the flow of information between systems. The model recognizes patterns and classifies new data according to what it has previously ‘learned’. The data is tagged and can then be found easily when access is needed. This helps ensure the business is meeting at least one CCPA standard.
Potential Problems with CCPA
CCPA affects businesses around the globe. This has led to some problems in the early weeks of the act being enforceable.
One issue concerns employees. It often comes down to the employees’ maturity and commitment to their job. All information a company holds on a California resident must be available at that resident’s request. If it is lost or missing, that is not an excuse that will keep the company from potential fines and litigation.
Employees can lose their daily digital logs and other online documents. Another issue deals with over-reporting from third-party vendors to the main business. While early warnings of potential problems can prevent cybersecurity breaches, some businesses are finding it difficult to keep up with the responses, whether this is due to immature employees having fun or to the uncertainty that still exists over what should and shouldn’t be reported.
Even though there are issues with CCPA and with businesses becoming acclimated to the new regulations, in the end it provides consumers with rights over their personal data.
Risk Assessments and Due Diligence
Because the legal standards for CCPA cybersecurity are still in their early stages, and because ‘reasonable security’ is not tied to specific controls, businesses must perform due diligence on their cybersecurity. The best way to do this is with regular risk assessments.
This is especially important if third parties have access to the network.
CIS lacks a cybersecurity control that covers third-party suppliers. If a data breach happens on the vendor’s end, the company is still held responsible. A risk assessment is a tool that helps businesses identify any potential cybersecurity vulnerabilities in their systems and/or network.
A third-party risk assessment must take several aspects into account. Does the vendor share the data with fourth or even fifth parties? If so, what cybersecurity protocols are in place? If these questions can’t be answered, the business should decide whether that third party is vital to the company.
Sharing data outside of the company network can expose it to hackers, as well as to viruses and malicious code that can eventually affect every connected network.
When it comes to due diligence and CCPA requirements, third-party risk assessments are crucial.
Key CCPA Compliance Takeaways
The key points that were made during the CCPA compliance webinar are as follows:
- The legal standards are still evolving regarding cybersecurity controls.
- Most regulations will require you to know where your sensitive data is and to have protocols in place to prevent malicious use.
- Consider risk and industry when creating privacy and cybersecurity programs.
- While it lacks specific controls, ‘reasonable security’ is considered a good framework on which to build cybersecurity protocols.
- Due diligence includes third-party risk assessments.