Now that the California Consumer Privacy Act has officially taken effect, follow these 5 steps to ensure compliance, even if your organization is outside the Golden State.

According to the Identity Theft Resource Center, more than 164 million consumer records containing personally identifiable information (PII) were exposed in data breaches in 2019. Seemingly every week there is another massive consumer data breach reported and people the world over are increasingly concerned about how businesses are handling their PII. On the flip side, organizations are biting their nails, knowing that if they do not have the right data privacy and security policies and procedures in place, they too can become subject to brand-crippling breaches and resulting fines.

Constant headline-making events have prompted a domino effect that has made governments, citizens and businesses much more privacy-aware, resulting in increased attention to how personal information is collected, stored, managed and protected. The introduction of the European Union’s General Data Protection Regulation (GDPR) was a start, enabling EU citizens to take control of their data. Now we are seeing the United States closely follow suit with the new California Consumer Privacy Act (CCPA), which officially went into effect on January 1 of 2020.

The CCPA is designed to give California residents more rights over how their personal information — such as social security numbers, bank account numbers, home addresses and birthdates — is gathered, shared, sold and protected by the organizations they do business with. Failure to comply with the CCPA could cost an organization civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Although the Attorney General cannot officially bring an enforcement action under the CCPA until July 1, 2020, organizations — even potentially outside of California — need to implement preventative security and data privacy strategies now. To that end, following are 5 steps towards ensuring CCPA compliance.

5 Steps to Ensure CCPA Compliance

  1. Determine if the CCPA applies to your organization – Even if your organization does not physically sit in the state of California, keep reading. The CCPA actually applies to any for-profit entities that both collect and process the personal information of California residents. Therefore, if your organization meets any one of the following criteria, it must comply with the regulation:
     • The business generates annual gross revenue in excess of $25 million
     • The business receives or shares personal information of more than 50,000 California residents annually
     • The business derives at least 50 percent of its annual revenue by selling the personal information of California residents
  2. Review existing data privacy policies and contracts – If your organization meets one of the CCPA’s criteria for compliance, you will need to ensure you have a complete inventory of all of your policies and contracts and ensure any desired CCPA language is included. These documents include privacy policies, policy training, acceptable use policies, and even employee handbooks. Services or web applications provided over the Internet will likely include privacy statements in your user privacy policy, acceptable use policy, and online services agreements. You’ll also need to make sure the language covers all other applicable regulations as well, such as the GDPR.
  3. Assess current technical security controls – Like the GDPR, the CCPA does not identify specific security controls; however, to meet their processing obligations, entities covered by the CCPA must implement adequate data security to protect covered information that can be linked to a particular California consumer. With that in mind, you should closely examine all security controls and identify any gaps in the data lifecycle. On the technical side, this means making sure the controls can identify covered data once it is created or stored, and properly protect and track how the data is transmitted and processed all the way until that data is deleted.
  4. Ensure non-technical security controls are being adhered to – There is also a need for non-technical controls and procedures, such as implementing least privilege user access and recertifying access rights periodically. You may also want to incorporate yearly data security awareness training to ensure employees retain the most recent information and protocols for compliance. The CCPA requires you to make sure that users are who they say they are. You’ll want to have strong procedural mechanisms in place to ensure you verify user identities and have a strong authentication process.
  5. Leverage current investments – If you have already invested in building out a relatively mature security program that includes data protection and identity management, you can extend that coverage to the newly-classified California consumer data. You will need to update the various policies and procedures to make sure they adequately cover the CCPA’s specific requirements; however, this effort should not require extensive rework. If you have not yet made investments in data protection and implementing privacy-by-design concepts, you should consider undertaking a comprehensive review of your security and data protection programs so you can develop a prioritized roadmap towards compliance.

Becoming CCPA compliant will require some work in order to close the data protection gaps within your organization. However, through this process, you will strengthen your data security procedures, which will ultimately better protect your valued customers and mitigate your organization’s risk of a future data breach.

Darren Van Booven, Lead Principal Consultant, Trustwave