The California Consumer Privacy Act (CCPA) is as much about process administration as it is about data security. Systems must be compliant on both fronts, data security and administration, and must offer a reasonable way to verify that compliance, such as audit trails.
Often described as a mini-GDPR, CCPA is the State of California’s effort to tighten laws around information sharing and the privacy of personal data. And just like GDPR, violating CCPA can cost you in fines and legal fees. Now, there’s an easy way to avoid that.
Our vulnerability assessment and management platform, beSECURE, now includes a CCPA report specific to CCPA standards. If you’re a CIO, CISO or compliance auditor, you can use this detailed vulnerability report to identify risks and quickly understand which specific remediation steps you need to take to address them.
But what is CCPA?
CCPA was signed into law on June 28, 2018 and came into effect on January 1, 2020. Last month, the Office of the California Attorney General submitted the final text of the proposed CCPA regulations.
It broadly applies to for-profit businesses with annual gross revenue above USD 25m, and also to smaller businesses that buy, sell or share the personal information of 50,000 or more consumers, households or devices, or that derive 50% or more of their annual revenue from selling personal information.
Similar to GDPR, any company covered by the law must disclose what personal information it collects, what it does with it and whether it is shared with or sold to third parties. Companies must also honor a consumer's request to delete their data, and must let consumers opt out of the sale of their personal information.
While it is a law of California, CCPA affects companies across the U.S. and the globe because CCPA covers all California residents. In other words, if your business deals with the personal details of anyone who lives in California, you’re affected by CCPA – no matter where your business is registered or located.
California authorities have the power to fine companies that violate CCPA. Privacy fines are nothing to sniff at: GDPR has proven to have teeth, with the UK regulator announcing in 2019 an intended fine of roughly USD 240m for British Airways and roughly USD 130m for Marriott. Simply put, companies can't afford to ignore CCPA.
CCPA impacts your cybersecurity responsibilities
The main tenets of CCPA center on data collection and data sharing, but the practical implications are broader. It is an extensive law, and the one clause security teams should be most concerned about is this one (Section 1798.150):
Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
The civil action this clause allows includes statutory damages of USD 100 to USD 750 per consumer per incident, or actual damages if greater, which scales quickly across a large breach. Unfortunately for businesses, the phrase "reasonable security procedures and practices" is left undefined and open-ended.
One point that is not up for debate is that a security-related data breach can fall squarely under this clause. Industry breach studies have attributed roughly half of data breaches to malicious or criminal attack, so there is a direct link between an unaddressed security vulnerability and potentially expensive CCPA liability, both regulator penalties and consumer lawsuits.
Providing a detailed situational awareness of system vulnerabilities like that available from the beSECURE report, and acting on that information to mitigate the risks, would certainly be considered a reasonable security practice.
From a security practice perspective, what exactly does the CCPA mandate?
A mandate for security best practice is arguably the only clear conclusion one can draw from the CCPA text. Consequently, any company that does not follow cybersecurity best practice risks falling foul of CCPA.
CCPA does not explicitly require companies to use specific security techniques and assessments such as fuzzing, website vulnerability scanning or network vulnerability assessment. But by implication, companies that ignore essential techniques like these are at greater risk of a data breach, and therefore of heavy penalties and damages, never mind the cost of cleaning up after the breach. Note too that the clause above applies only to nonencrypted or nonredacted personal information: encrypting stored personal data and redacting what you do not need is the most direct way to narrow your exposure.
Outlining a comprehensive approach to cybersecurity is beyond the scope of this article, but we can propose that, in order to minimise exposure to CCPA-related fines, companies should consider these five steps:
- Catalogue data held and processed. Companies can only effectively secure customer data if they know what data is held, at what risk it is and how it is processed. The nature of data matters too – a database of pet names is a far lower risk than intimate healthcare records.
- Get certified or employ a partner. Whether it is an ISO standard or PCI DSS, make sure your company complies with a security standard that is widely recognised, or get a security partner to get you up to speed.
- Put in place good practice. From vulnerability assessment and penetration testing through to multi-factor authentication and comprehensive encryption, ensure your company applies cybersecurity good practice.
- Monitor and react. The severity of penalties is often related to the severity of the breach and to the quality of the response. Companies that catch intrusions quickly, mitigate the damage and notify promptly are less likely to be penalized heavily. CCPA also gives a business 30 days after written notice from a consumer to cure the alleged violation before that consumer can seek statutory damages, so a documented, rehearsed incident-response process is worth real money.
- Map out third-party sharing. You're only as safe as your most vulnerable technology partner, so make sure you know who you are sharing personal information with, and under what contract. CCPA expects a written contract with each service provider that restricts its use of the data to the agreed business purpose. This aspect alone warrants a regular, thorough audit.
If you want to avoid CCPA liability, at the very least you must be able to demonstrate due diligence: that you understand your organization's security posture and its vulnerabilities, and that you have acted to address them.
Reach out to Beyond Security to learn more about how beSECURE can help you reduce your risk of a CCPA violation.