Dark Reading is part of the Informa Tech Division of Informa PLC

Anurag Kahol

Considerations for Seamless CCPA Compliance

Three steps to better serve consumers, ensure maximum security, and achieve compliance with the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA) went into effect at the beginning of the year, and the enforcement date of July 1 is just around the corner — with no signs of an extension. Organizations are beginning to feel the pressure to comply with the strict requirements that are designed to ensure that the collection, storage, and processing of personal data is consistent, secure, and noninvasive. Unfortunately, many are not ready to take on this new level of consumer privacy regulation, with 63% of respondents from a recent survey stating that working remotely has complicated maintaining compliance with the mandates that are applicable to their organization.

Similarly, many companies delayed reaching General Data Protection Regulation (GDPR) compliance, which resulted in multimillion-dollar fines for companies including Marriott and British Airways. Enterprises that are not CCPA compliant ahead of the enforcement date may face even heftier penalties, as the law calls for fines "...not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." This means that if CCPA had been in effect at the time of Marriott's breach of 383 million guest records, the company could have been subjected to fines totaling nearly $280 billion. The regulation affects more than just organizations headquartered in California; it extends to all that collect or sell consumer information relating to California residents. The following are considerations all companies should keep in mind to reach and maintain CCPA compliance.

CCPA Is More than Just California's Version of GDPR
Organizations may assume that they are compliant with CCPA by virtue of their being compliant with GDPR. The two regulations are designed to offer strong protections for data subjects, and they do have some overlap in terms of overarching goals and specific requirements. However, the two also have significant differences. For example, CCPA's compliance requirements are applicable to information at the household and device level — it is not just about individuals directly.

To stay secure and compliant, enterprises should have a thorough understanding of all applicable regulations and make them an organizational priority. Note that this emphasis will not be without its benefits. Security and compliance can lead to a competitive edge as 87% of consumers are willing to take their business elsewhere if they don't trust how a company is handling their data.

How Companies Can Prepare to Comply and Secure Consumer Data
To better serve consumers, ensure maximum security, and achieve compliance, businesses should follow these steps:

  • Have an accurate inventory of data. According to CCPA, if you don't know what data you have, then you can't ensure you're protecting it. Comprehensive activity logs should track all file, user, and app activity, revealing everything that is happening with individuals' data. Furthermore, companies going through M&A deals should conduct a thorough IT audit so they know what data they're inheriting. It's also critical to have security solutions, such as data loss prevention, that will prevent data leakage.

  • Protect information and access. Beyond keeping track of data, businesses should know how the data is stored and destroyed, how it moves throughout the company, and who has access to it. Organizations that migrate to the cloud allow data to be accessed on numerous applications from various devices, such as employees' personal phones. Employees that access data should authenticate through single sign-on and multifactor authentication to ensure that only authorized employees handle data.

  • Know data jurisdictions. Under CCPA, data may only be stored or transferred where the state has jurisdiction — or where an agreement is in place. If data is stored or transferred without an agreement, organizations should turn to solutions that can encrypt cloud data and give organizations direct control over their own encryption keys. This will ensure compliance under data residency rules, as the data only exists outside of acceptable regions in indecipherable ciphertext format. Tools like selective wipe also allow administrators to remove sensitive information from any device in any location, protecting data from unauthorized users.

If a company were to suffer a data breach, CCPA mandates that it provide detailed documentation on the causes and effects of the breach, as well as the security measures taken to address it. As data privacy has increasingly become top of mind for consumers, enterprises must protect data with the proper tools and comply with relevant regulations if they are to avoid security incidents. Moving forward, it would also be wise for companies to stay ahead of regulation enforcement dates, as the unexpected can occur at any moment and delay their compliance plans.


As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks' Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer ...

Comment by an Author-ranked user, 7/8/2020, 12:21:48 PM: Changing risk landscape
Great, actionable tips here for businesses that haven't yet taken the necessary steps to comply with CCPA. Thanks for sharing.

You mention in your piece that organizations should stay ahead of regulation enforcement dates since the unexpected can occur at any moment. In my opinion, one of the biggest challenges with the ever-changing risk landscape is the immense likelihood a new regulation will pop up at any moment. Take for example the fact that California is already considering passing a second privacy law yet in 2020 - the California Privacy Rights Act.

What's your best advice for organizations to stay ahead of and/or adapt to these changes?