On Jan. 1, 2020, California consumers will wake up to a new era of expansive data privacy rights. Businesses that serve them will more likely greet the new year with compliance headaches induced by the California Consumer Privacy Act of 2018, or CCPA.
The CCPA, which goes into effect Jan. 1, requires companies that serve California residents to have “reasonable security” in place to protect sensitive consumer information. Trouble is, the term reasonable security is amorphous. But the potential consequences are not: The CCPA provides a very structured “private right of action” that allows consumers to sue businesses that mishandle their private data.
While California has not issued prescriptive safeguards for reasonable security, it earlier pointed to a set of guidelines that frames its thinking on the matter. In a 2016 report, the state attorney general endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. The 20 CIS Controls identify a minimum level of security that all data-driven organizations should meet. It’s a great initial check against the measures that matter, including authentication, administrative privilege, mobile device security, incident-response plans, and data-protection policies, among 15 others.
If you haven’t addressed CCPA yet, now’s the time to act. Using the 20 CIS Controls as a guide, your first step should be a risk-based assessment of your cybersecurity and privacy threats and safeguards. This evaluation will help you define your organization’s specific risk sensitivity, and then tailor security and privacy controls to meet (or exceed) that level. In particular, you’ll need to take a hard look at the lifecycle of data covered by the CCPA, including customer, corporate, regulatory, and third-party partner information. It will also be crucial to document how these different types of data are collected, stored, accessed, processed, transmitted, and protected.
Next, compare how your assessment stacks up against the CIS guidelines. This exercise will help you understand your current and future-state security maturity, as well as chart an implementation roadmap that can be used to demonstrate that your security is, in fact, reasonable.
You’ll need more than 20
While the 20 CIS Controls is a solid start, particularly given its endorsement by the California attorney general, the framework doesn’t address all CCPA provisions. Among the thorniest is the ability to access and delete consumer information on demand, known as a consumer fulfillment request. When a business receives a verified consumer fulfillment request, it will be required to provide access to and/or delete the requester’s personal information. Satisfying these consumer requests is all but certain to require new or updated processes, workflows, and technologies. Failure to do so can result in costly financial penalties, lawsuits, and, of course, negative headlines.
Another major risk category missing from the 20 CIS Controls is due diligence of third-party partners. Your organization’s security, after all, is only as strong as your weakest vendor’s. That’s why it’s essential to conduct a comprehensive risk assessment of business partners that the company shares information with. This evaluation should identify in detail specific vendor security controls in place to protect personal information.
Also note that you’ll need to review all contracts with third parties with whom you share, sell, or otherwise process consumer data. Most organizations will need to renegotiate contracts to cover data safeguards and controls mandated by the CCPA. Large organizations with hundreds, or even thousands, of vendors will be hardest hit.
It’s not set in stone: Pending amendments
The CCPA goes into effect in a matter of weeks, but it remains a work in progress. Over the past year, a flurry of amendments has been introduced; some have been signed into law and others have languished in the legislature. Some of the most significant potential changes are likely to include:
- Personal data of employees, contractors, and applicants will be exempted by most provisions of the CCPA. But organizations will be required to educate employees on data-privacy procedures, including written policies published in employee handbooks. Significantly, this exemption is due to expire Jan. 1, 2021, which means that employee data could later be brought into scope. Keep an eye on this one over the next 15 months.
- Similarly, most personal information generated by B2B transactions will be exempt. But like the employee provision, this exemption is due to sunset Jan. 1, 2021.
- Online-only businesses that have direct relationships with consumers can simply provide an email address for contact with data requestors. Other companies will be required to offer two or more methods for submitting requests for information.
You have to prepare for reasonable
As amendments are added and provisions are sunsetted, the concept of reasonable security is likely to evolve. There’s no way to predict how it will morph over time, but we do know that security and business leaders will need to proactively build a CCPA-compliant cybersecurity and privacy program to prepare for changes and deflect risks.
Another unknown among many businesses is that they don’t fully grasp the liability implications of the CCPA. That’s understandable, given that the CCPA is the first law of its kind in the U.S., and that California will not begin enforcement until July 1, 2020.
But here’s one thing you can bet on: If you continue to back-burner the CCPA, you may be putting yourself, your board, and your CEO at risk.
Webinar: California Consumer Privacy Act (CCPA) – Let's break it down!
For an update on the CCPA and reasonable security, register here for a CohnReznick CCPA webinar on Oct. 15 at 1 p.m. ET.Register here
On-Demand Webinar: California Consumer Privacy Act (CCPA) Update
InsightREAL ESTATE: How coronavirus will shape the smart workplaces of the futureVincent DermodyIn a post-pandemic world, office building design priorities will need to shift from function to the purpose of the space and the behavior of the people occupying it.
InsightRISK MANAGEMENT: As coronavirus spreads, factor cybersecurity into remote-work policiesShahryar ShaghaghiEfforts to limit coronavirus contagion have upended global commerce and shifted operating models in ways that are intensifying IT risks.
InsightRISK MANAGEMENT: Companies need proactive, continuous contingency planningThe COVID-19 outbreak should serve as a driver to increase organizational efforts related to contingency planning for all organizations and their vendors.
InsightA place for humans in real estate data architectureThe people living and working within a building’s four walls not only generate data, but they also bring it to life. Without people occupying and using its spaces, a physical building provides significantly less usable information on its own. No people equates to no leasing information, no occupancy data, no utility usage, no foot traffic reads, no sales generated, no amenities needed, no services provided, no maintenance requests, no qualitative feedback given.