Beyond Security Blog

beSECURE Provides a Quick and Easy Way to Assess Your Risk of a CCPA Violation

beSECURE now includes a CCPA vulnerability report to address CCPA security procedures and practices.

The California Consumer Privacy Act (CCPA) is as much about process administration as it is about data security. Systems must be compliant, for both data security and administration, and offer a reasonable verification method such as audit trails.

Often described as a mini-GDPR, CCPA is the State of California’s effort to tighten laws around information sharing and the privacy of personal data. And just like GDPR, violating CCPA can cost you in fines and legal fees. Now, there’s an easy way to avoid that.

Our vulnerability assessment and management platform, beSECURE, now includes a report specific to CCPA standards. If you are a CIO, CISO or compliance auditor, you can use this detailed vulnerability report to identify risks and quickly understand which specific remediation steps you need to take to address them.


But what is CCPA?

CCPA was signed into law on June 28, 2018, and came into effect at the start of 2020. Last month, the Office of the California Attorney submitted the final text for the proposed CCPA regulations.

It broadly applies to companies with revenue of over USD 25m and to some smaller businesses too.

Similar to GDPR, any company affected by the law must declare what information it collects, what it does with it and whether it is sent to third parties. Furthermore, companies must comply if a customer officially requests that their data be deleted, and must allow customers to opt out of the resale of their data.

While it is a law of California, CCPA affects companies across the U.S. and the globe because CCPA covers all California residents. In other words, if your business deals with the personal details of anyone who lives in California, you’re affected by CCPA – no matter where your business is registered or located.

California authorities have the power to fine companies that violate CCPA. These fines are nothing to sniff at: GDPR has proven to have teeth, with British Airways subject to a massive USD 240m fine in 2018, while Marriott was fined USD 130m under GDPR. Simply put, companies can't afford to ignore CCPA.

CCPA impacts your cybersecurity responsibilities

The main tenets of CCPA appear to center around data collection and data sharing, but the practical implications are more complex. In fact, it is an extensive law, and the one clause companies should be most concerned about is this one:

"Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:"

Unfortunately for businesses, the phrase “reasonable security practices” is very open-ended.

One point that is not up for debate is that a security-related data breach may fall under the CCPA remit. With 48% of data breaches the result of a malicious or criminal attack, there is without doubt a link between potentially expensive CCPA fines and an unaddressed security vulnerability.

Maintaining detailed situational awareness of system vulnerabilities, such as that provided by the beSECURE report, and acting on that information to mitigate the risks would certainly be considered a reasonable security practice.

From a security practice perspective, what exactly does the CCPA mandate?

A mandate for security best practice is arguably the only clear conclusion one can draw from the CCPA law. By consequence, it can be argued that any company that does not follow cybersecurity best practices risks falling foul of CCPA.

CCPA does not explicitly require companies to use security techniques and assessments such as fuzzing, website vulnerability scanning and network vulnerability assessment. By implication, however, companies that ignore essential techniques and assessments such as these will be at greater risk of a data breach and, as a result, a heavy fine, never mind the cost of cleaning up after the breach.

Outlining a comprehensive approach to cybersecurity is beyond the scope of this article, but we can propose that, in order to minimise exposure to CCPA-related fines, companies should consider these five steps:

  • Catalogue data held and processed. Companies can only effectively secure customer data if they know what data is held, what risk it carries and how it is processed. The nature of the data matters too: a database of pet names is a far lower risk than intimate healthcare records.
  • Get certified or employ a partner. Whether it is an ISO standard or PCI DSS, make sure your company complies with a widely recognised security standard, or engage a security partner to get you up to speed.
  • Put in place good practice. From vulnerability assessment and penetration testing through to multi-factor authentication and comprehensive encryption, ensure your company applies cybersecurity good practice.
  • Monitor and react. The severity of fines is often related to the severity of the breach and to the response to it. Companies that catch intrusions quickly, mitigate the damage and notify immediately are less likely to be fined heavily. A basic incident response process helps too.
  • Map out third-party sharing. You are only as safe as your most vulnerable technology partner, so make sure you know who you are sharing customer data with. This aspect alone warrants a regular, thorough audit.

Conclusion

If you want to avoid the wrath of CCPA violations, at the very least you must be able to demonstrate that you have done due diligence to understand your organization's security posture, your vulnerabilities and what you have done to address them.

Reach out to Beyond Security to learn more about how beSECURE can help you reduce your risk of a CCPA violation.
