On Jan. 1, 2020, California consumers will wake up to a new era of expansive data privacy rights. Businesses that serve them will more likely greet the new year with compliance headaches induced by the California Consumer Privacy Act of 2018, or CCPA.
The CCPA, which goes into effect Jan. 1, requires companies that serve California residents to have “reasonable security” in place to protect sensitive consumer information. Trouble is, the term reasonable security is amorphous. But the potential consequences are not: The CCPA provides a very structured “private right of action” that allows consumers to sue businesses that mishandle their private data.
While California has not issued prescriptive safeguards for reasonable security, it earlier pointed to a set of guidelines that frames its thinking on the matter. In a 2016 report, the state attorney general endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. The 20 CIS Controls identify a minimum level of security that all data-driven organizations should meet. It’s a great initial check against the measures that matter, including authentication, administrative privilege, mobile device security, incident-response plans, and data-protection policies, among 15 others.
If you haven’t addressed CCPA yet, now’s the time to act. Using the 20 CIS Controls as a guide, your first step should be a risk-based assessment of your cybersecurity and privacy threats and safeguards. This evaluation will help you define your organization’s specific risk sensitivity, and then tailor security and privacy controls to meet (or exceed) that level. In particular, you’ll need to take a hard look at the lifecycle of data covered by the CCPA, including customer, corporate, regulatory, and third-party partner information. It will also be crucial to document how these different types of data are collected, stored, accessed, processed, transmitted, and protected.
Next, compare how your assessment stacks up against the CIS guidelines. This exercise will help you understand your current and future-state security maturity, as well as chart an implementation roadmap that can be used to demonstrate that your security is, in fact, reasonable.
You’ll need more than 20
While the 20 CIS Controls are a solid start, particularly given their endorsement by the California attorney general, the framework doesn’t address all CCPA provisions. Among the thorniest is the obligation to provide access to and delete consumer information on demand, known as a consumer fulfillment request. When a business receives a verified consumer fulfillment request, it will be required to provide access to and/or delete the requester’s personal information. Satisfying these consumer requests is all but certain to require new or updated processes, workflows, and technologies. Failure to do so can result in costly financial penalties, lawsuits, and, of course, negative headlines.
Another major risk category missing from the 20 CIS Controls is due diligence of third-party partners. Your organization’s security, after all, is only as strong as your weakest vendor’s. That’s why it’s essential to conduct a comprehensive risk assessment of business partners that the company shares information with. This evaluation should identify in detail specific vendor security controls in place to protect personal information.
Also note that you’ll need to review all contracts with third parties with whom you share, sell, or otherwise process consumer data. Most organizations will need to renegotiate contracts to cover data safeguards and controls mandated by the CCPA. Large organizations with hundreds, or even thousands, of vendors will be hardest hit.
It’s not set in stone: Pending amendments
The CCPA goes into effect in a matter of weeks, but it remains a work in progress. Over the past year, a flurry of amendments has been introduced; some have been signed into law and others have languished in the legislature. Some of the most significant potential changes are likely to include:
- Personal data of employees, contractors, and applicants will be exempt from most provisions of the CCPA. But organizations will be required to educate employees on data-privacy procedures, including written policies published in employee handbooks. Significantly, this exemption is due to expire Jan. 1, 2021, which means that employee data could later be brought into scope. Keep an eye on this one over the next 15 months.
- Similarly, most personal information generated by B2B transactions will be exempt. But like the employee provision, this exemption is due to sunset Jan. 1, 2021.
- Online-only businesses that have direct relationships with consumers can simply provide an email address for contact with data requestors. Other companies will be required to offer two or more methods for submitting requests for information.
You have to prepare for reasonable
As amendments are added and provisions are sunsetted, the concept of reasonable security is likely to evolve. There’s no way to predict how it will morph over time, but we do know that security and business leaders will need to proactively build a CCPA-compliant cybersecurity and privacy program to prepare for changes and deflect risks.
Another problem is that many businesses don’t fully grasp the liability implications of the CCPA. That’s understandable, given that the CCPA is the first law of its kind in the U.S., and that California will not begin enforcement until July 1, 2020.
But here’s one thing you can bet on: If you continue to back-burner the CCPA, you may be putting yourself, your board, and your CEO at risk.