On January 1, 2020, California will step on the world stage of privacy when the California Consumer Privacy Act (CCPA) takes effect. It follows the European Union's General Data Protection Regulation (GDPR) and other regional legislative controls that are designed to protect the personal data of consumers.
The CCPA legislation may apply to your business if it's a for-profit entity and collects or processes the personal information of Californian residents. And one of the following needs to apply: the business has an annual gross revenue in excess of $25 million; the business annually trades the personal information of 50,000 or more consumers, households, or devices; or the business derives 50% or more of its revenue from selling consumers' personal information.
There may be requirements to update privacy policies, third-party, and service provider contracts and any other terms that cover the collection, retention, and protection of personal data held by the company. It's important that all businesses review their status and establish if they need to comply with the legislation.
As with other privacy legislation, the fines for noncompliance could be significant. Under GDPR, we have recently witnessed British Airways being fined $230 million and Marriott Hotel Group $123 million for data breaches. The CCPA legislation allows for fines by the attorney general of up to $7,500 per incident and gives individual consumers the right to file a lawsuit for up to $700 each. I expect once the legislation takes effect that we will see some considerable legal action with class action lawsuits filed against companies that suffer data breaches
Complying with the legislation requires companies to adopt policies for the collection and retention of the data. It also requires companies to provide "reasonable security" to protect the personal data. The word "reasonable" can be interpreted in many different ways and the extent of what is deemed reasonable will not be clear until we see the legal cases being brought once the legislation takes effect.
To assist companies in taking proactive steps to address the requirement for reasonable security, companies could leverage the requirements of other legislation such as GDPR. The following are starting points for companies that need to comply; note, however, that these are just starting points, and I recommend seeking professional and legal advice to ensure compliance.
Privacy Basics: Single Point of Responsibility
Appoint a data protection officer (DPO). This is a requirement under GDPR and is an essential position for any company holding personal data. A DPO's main tasks should include understanding where the data is, the business purpose of why it was collected and is being retained, controlling access to the data, and deleting data no longer required. Consumers may request a copy of their data or require it to be deleted, and a dedicated DPO facilitates a single point of contact to deal with such requests.
Having this single point of responsibility is essential so that businesses can operate in a professional and compliant environment. The DPO can organize regular risk assessments, penetration tests, and security policies. While these do not provide a 100% guarantee that no breach will happen, they are steps that provide evidence that the issues have been taken seriously in the organization, providing a defensible defense should the need occur.
Limiting access to the data will reduce the risk of an inadvertent breach and reduce the number of employees that will need specialized training in the management and handling of personal data. It does not, however, reduce the need for all employees to be subjected to cybersecurity awareness training.
The data should be considered the crown jewels of the organization. Without customer data, or with a lost reputation due to a data breach, the company is likely to suffer financially. Treating the personal data of consumers like the crown jewels and placing it in its own protected segment of the network will create barriers and layers that can thwart the attempts of cybercriminals to gain access. We deal with layers in everyday life: The important possessions we own personally may be in a home safe or a safety deposit box. We then secure our homes with alarms and several locks on doors. With every layer, we add more complexity for the burglar.
Securing personal information should include, at a minimum, encryption and multifactor authentication. When asked, "What should I encrypt?" the answer is everything. Encryption is no longer the resource overhead it once was and by having whole-device encryption on devices, the risk of data being breached due to a stolen or lost device is reduced. Encryption of the personal data being held, including the hashing of customer passwords, will also demonstrate that significant steps have been taken to secure the data.
It would seem unprofessional not to include the following recommendations:
- Make sure all devices connected have been patched and updated.
- All devices should be protected with an up-to-date endpoint anti-malware product.
- All devices and data should have a backup and recovery policy that is tested from time to time.
The need to have privacy legislation is just another step in the evolution of the digital and connected revolution that is transforming humanity. As consumers, we need to engage in understanding the value of our data, who we allow to collect it, and what we allow them to do with it. Without this engagement or legislation to protect us, we allow companies wishing to monetize by using our personal information to have free rein.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Gamification Is Adding a Spoonful of Sugar to Security Training."