The California Consumer Privacy Act (CCPA) is one of the most sweeping acts of legislation in the U.S. relating to the protection of personal consumer information collected by businesses. But what does CCPA mean for cybersecurity and risk leaders? In this post, we explore the key compliance requirements of the CCPA and what actions businesses need to take from both a data privacy and cybersecurity standpoint.
What is the CCPA?
Officially called AB-375, the CCPA is designed to afford residents of California more power over the collection and use of their private data, such as financial information, social security and passport numbers, household information, online identifiers and email addresses, and more.
A key premise of the law is that, as of January 1, 2020, Californians will have the right to know what personal data is being collected about them and why, the methods used to collect that data, and whether that information is sold or disclosed to a third party.
Once their personal data is stored by a business, consumers must also be able to access it and request that the business delete any personal information collected.
Which businesses must comply with the CCPA?
Organizations are required to comply if they meet any of the following criteria:
1) They are a for-profit entity that does business in California (even if they don’t have a physical presence) and collects the personal information of 50,000 or more consumers, households, or devices
2) They have gross revenues over $25 million
3) They derive 50% of their annual revenue from selling the personal information of consumers
Non-compliant companies can be fined $7,500 per data record that violates the data privacy requirements of the law.
How is CCPA different to GDPR?
Europe’s General Data Protection Regulation (GDPR) blazed a trail for consumer data privacy protections when it became law in 2018, and many view the CCPA as the U.S. equivalent of it. However, there are several key differences.
Chief among these is that the CCPA excludes data acquired through third parties, as opposed to directly from consumers. Furthermore, in addition to lending itself to the expectation of increased consumer data privacy, GDPR contains very specific requirements as to how organizations protect that data, monitor for cyber incidents, and report any breaches – the CCPA does not. Which leads to our next point.
What does the CCPA mean for cybersecurity?
The CCPA puts consumer data privacy front and center – giving consent to data collection, allowing consumers to know where their data is stored, when it’s accessed by third parties, and more. The flipside of that coin – data protection and security – is where the California law falls short on specifics.
Indeed, the language of the law only specifies that businesses must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” – yet what those “reasonable” procedures are is left undefined.
When it comes to penalties for cybersecurity violations, however, the CCPA includes greater clarity. If a company becomes the victim of data theft or other breach as a result of non-compliance with the law, they could face civil class action lawsuits and pay up to $750 in fines per California resident and incident, or actual damages, whichever is greater.
The challenge for cybersecurity leaders under the CCPA
No company wants to face the financial and reputational damage associated with regulatory non-compliance. But how can businesses comply with such a vague security standard as defined by the CCPA?
We’d posit that achieving a “reasonable” measure of security starts with understanding how your current security program is performing against industry standards.
Unfortunately, security performance management is often something that organizations only address when they’re asked to facilitate a cybersecurity audit by the Board of Directors or a business partner. Typically conducted by third parties, these audits can be costly, time-consuming, and only provide a snapshot of your cybersecurity posture – not a view into ongoing cyber health.
Audits also don’t necessarily mean that a security control is effective. For example, an audit may confirm that you have a firewall or intrusion detection system in place, but it won’t tell you if that control is properly configured and therefore effective.
Audits have their place, but for a broader and more continuous view of cyber risk, only security ratings can help reveal the true effectiveness of your security controls – and how they compare to your peers.
For example, Bitsight Security Ratings provide real-time access to broad and objective data and metrics on industry-wide security and peer-level performance across multiple categories of vulnerabilities and incidents. This allows you to compare your security posture to configurable groups of your peers so that you can discover the cybersecurity performance standards that typify what’s “reasonable” in your industry.
From here you can mitigate performance gaps and identify a security performance target that makes sense for your organization in relation to those groups. This will help you create effective improvement plans and make better decisions about where and how to prioritize your cybersecurity resources.
Broaden your cybersecurity efforts to encompass your supply chain
But don’t limit your efforts to internal security controls. Third, fourth, and even nth parties such as partners, vendors, and service providers can also have a direct impact on your security posture. Because IT ecosystems are increasingly interconnected, vulnerabilities or malware on another party’s network can put your security at risk. In fact, studies show that 59% of breaches originate with a third party.
For this reason, CCPA compliance should also encompass a robust third-party risk management (TPRM) program. While you can never fully prevent a third- or nth-party data breach, it’s important that you work collaboratively, not combatively, with your vendors to reduce risk and fix security issues quickly. There are several features in Bitsight that support this process so that you can gain visibility into cyber risk within your supply chain and quickly mitigate your exposure.
Furthermore, with a comprehensive TPRM program in place, businesses can create the framework to demonstrate to future regulators and lawmakers that they have visibility into what kind of data is stored where – and show a standard of care in safeguarding it.
The regulatory wave has broken
With the CCPA, the wave of increased regulation around consumer data privacy and security has broken. There’s little doubt that other states and even federal regulators will follow suit. In light of this, it’s imperative that all organizations take steps now to adopt a “reasonable” security posture. One that establishes a baseline of security performance management and continuously monitors for risk internally and across the supply chain.