
Endpoint // Privacy

7/2/2020 02:00 PM
Anurag Kahol
Commentary

Considerations for Seamless CCPA Compliance

Three steps to better serve consumers, ensure maximum security, and achieve compliance with the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA) went into effect at the beginning of the year, and the enforcement date of July 1 is just around the corner — with no signs of an extension. Organizations are beginning to feel the pressure to comply with the strict requirements that are designed to ensure that the collection, storage, and processing of personal data is consistent, secure, and noninvasive. Unfortunately, many are not ready to take on this new level of consumer privacy regulation, with 63% of respondents from a recent survey stating that working remotely has complicated maintaining compliance with the mandates that are applicable to their organization.

Similarly, many companies delayed reaching General Data Protection Regulation (GDPR) compliance, which resulted in multimillion-dollar fines for companies including Marriott and British Airways. Enterprises that are not CCPA compliant ahead of the enforcement date may face even heftier penalties, as the law calls for fines "...not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." This means that if CCPA had been in effect at the time of Marriott's breach of 383 million guest records, the company could have been subjected to fines totaling nearly $280 billion. The regulation affects more than just organizations that have headquarters in California; it extends to all that collect or sell consumer information relating to California residents. The following are considerations all companies should keep in mind to reach and maintain CCPA compliance.

CCPA Is More than Just California's Version of GDPR
Organizations may assume that they are compliant with CCPA by virtue of their being compliant with GDPR. The two regulations are designed to offer strong protections for data subjects, and they do have some overlap in terms of overarching goals and specific requirements. However, the two also have significant differences. For example, CCPA's compliance requirements are applicable to information at the household and device level — it is not just about individuals directly.

To stay secure and compliant, enterprises should have a thorough understanding of all applicable regulations and make them an organizational priority. Note that this emphasis will not be without its benefits. Security and compliance can lead to a competitive edge as 87% of consumers are willing to take their business elsewhere if they don't trust how a company is handling their data.

How Companies Can Prepare to Comply and Secure Consumer Data
To better serve consumers, ensure maximum security, and achieve compliance, businesses should follow these steps:

  • Have an accurate inventory of data. According to CCPA, if you don't know what data you have, then you can't ensure you're protecting it. Comprehensive activity logs should track all file, user, and app activity, revealing everything that is happening with individuals' data. Furthermore, companies going through M&A deals should conduct a thorough IT audit so they know what data they're inheriting. It's also critical to have security solutions, such as data loss prevention, that will prevent data leakage.

  • Protect information and access. Beyond keeping track of data, businesses should know how the data is stored and destroyed, how it moves throughout the company, and who has access to it. Organizations that migrate to the cloud allow data to be accessed on numerous applications from various devices, such as employees' personal phones. Employees that access data should authenticate through single sign-on and multifactor authentication to ensure that only authorized employees handle data.

  • Know data jurisdictions. Under CCPA, data may only be stored or transferred where the state has jurisdiction — or where an agreement is in place. If data is stored or transferred without an agreement, organizations should turn to solutions that can encrypt cloud data and give organizations direct control over their own encryption keys. This will ensure compliance under data residency rules, as the data only exists outside of acceptable regions in indecipherable ciphertext format. Tools like selective wipe also allow administrators to remove sensitive information from any device in any location, protecting data from unauthorized users.

If a company were to suffer a data breach, CCPA mandates that it provide detailed documentation on the causes and effects of the breach, as well as the security measures taken to address it. As data privacy has increasingly become top of mind for consumers, enterprises must protect data with the proper tools and comply with relevant regulations if they are to avoid security incidents. Moving forward, it would also be wise for companies to stay ahead of regulation enforcement dates, as the unexpected can occur at any moment and cause delays in their compliance plans.


As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks' Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer ...
Comments

MK_LogicGate, User Rank: Author
7/8/2020 | 12:21:48 PM
Changing risk landscape
Great, actionable tips here for businesses that haven't yet taken the necessary steps to comply with CCPA. Thanks for sharing.

You mention in your piece that organizations should stay ahead of regulation enforcement dates since the unexpected can occur at any moment. In my opinion, one of the biggest challenges with the ever-changing risk landscape is the immense likelihood a new regulation will pop up at any moment. Take for example the fact that California is already considering passing a second privacy law yet in 2020 - the California Privacy Rights Act.

What's your best advice for organizations to stay ahead of and/or adapt to these changes?