The CCPA requires ‘reasonable security.’ What exactly does that mean?
On Jan. 1, 2020, California consumers will wake up to a new era of expansive data privacy rights. Businesses that serve them will more likely greet the new year with compliance headaches induced by the California Consumer Privacy Act of 2018, or CCPA.
The CCPA, which goes into effect Jan. 1, requires companies that serve California residents to have “reasonable security” in place to protect sensitive consumer information. Trouble is, the term reasonable security is amorphous. But the potential consequences are not: The CCPA provides a very structured “private right of action” that allows consumers to sue businesses that mishandle their private data.
While California has not issued prescriptive safeguards for reasonable security, it earlier pointed to a set of guidelines that frames its thinking on the matter. In a 2016 report, the state attorney general endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. The 20 CIS Controls identify a minimum level of security that all data-driven organizations should meet. It’s a great initial check against the measures that matter, including authentication, administrative privilege, mobile device security, incident-response plans, and data-protection policies, among 15 others.
If you haven’t addressed CCPA yet, now’s the time to act. Using the 20 CIS Controls as a guide, your first step should be a risk-based assessment of your cybersecurity and privacy threats and safeguards. This evaluation will help you define your organization’s specific risk sensitivity, and then tailor security and privacy controls to meet (or exceed) that level. In particular, you’ll need to take a hard look at the lifecycle of data covered by the CCPA, including customer, corporate, regulatory, and third-party partner information. It will also be crucial to document how these different types of data are collected, stored, accessed, processed, transmitted, and protected.
Next, compare how your assessment stacks up against the CIS guidelines. This exercise will help you understand your current and future-state security maturity, as well as chart an implementation roadmap that can be used to demonstrate that your security is, in fact, reasonable.
You’ll need more than 20
While the 20 CIS Controls are a solid start, particularly given their endorsement by the California attorney general, the framework doesn’t address all CCPA provisions. Among the thorniest is the obligation to provide access to, and delete, consumer information on demand, known as a consumer fulfillment request. When a business receives a verified consumer fulfillment request, it will be required to provide access to and/or delete the requester’s personal information. Satisfying these consumer requests is all but certain to require new or updated processes, workflows, and technologies. Failure to do so can result in costly financial penalties, lawsuits, and, of course, negative headlines.
Another major risk category missing from the 20 CIS Controls is due diligence of third-party partners. Your organization’s security, after all, is only as strong as your weakest vendor’s. That’s why it’s essential to conduct a comprehensive risk assessment of business partners that the company shares information with. This evaluation should identify in detail specific vendor security controls in place to protect personal information.
Also note that you’ll need to review all contracts with third parties with whom you share, sell, or otherwise process consumer data. Most organizations will need to renegotiate contracts to cover data safeguards and controls mandated by the CCPA. Large organizations with hundreds, or even thousands, of vendors will be hardest hit.
It’s not set in stone: Pending amendments
The CCPA goes into effect in a matter of weeks, but it remains a work in progress. Over the past year, a flurry of amendments has been introduced; some have been signed into law and others have languished in the legislature. Some of the most significant potential changes are likely to include:
- Personal data of employees, contractors, and applicants will be exempt from most provisions of the CCPA. But organizations will be required to educate employees on data-privacy procedures, including written policies published in employee handbooks. Significantly, this exemption is due to expire Jan. 1, 2021, which means that employee data could later be brought into scope. Keep an eye on this one over the next 15 months.
- Similarly, most personal information generated by B2B transactions will be exempt. But like the employee provision, this exemption is due to sunset Jan. 1, 2021.
- Online-only businesses that have direct relationships with consumers can simply provide an email address for contact with data requestors. Other companies will be required to offer two or more methods for submitting requests for information.
You have to prepare for reasonable
As amendments are added and provisions are sunsetted, the concept of reasonable security is likely to evolve. There’s no way to predict how it will morph over time, but we do know that security and business leaders will need to proactively build a CCPA-compliant cybersecurity and privacy program to prepare for changes and deflect risks.
Another problem is that many businesses don’t fully grasp the liability implications of the CCPA. That’s understandable, given that the CCPA is the first law of its kind in the U.S., and that California will not begin enforcement until July 1, 2020.
But here’s one thing you can bet on: If you continue to back-burner the CCPA, you may be putting yourself, your board, and your CEO at risk.