CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
The CCPA requires ‘reasonable security.’ What exactly does that mean?
On Jan. 1, 2020, California consumers will wake up to a new era of expansive data privacy rights. Businesses that serve them will more likely greet the new year with compliance headaches induced by the California Consumer Privacy Act of 2018, or CCPA.
The CCPA, which goes into effect Jan. 1, requires companies that serve California residents to have “reasonable security” in place to protect sensitive consumer information. Trouble is, the term reasonable security is amorphous. But the potential consequences are not: The CCPA provides a very structured “private right of action” that allows consumers to sue businesses that mishandle their private data.
While California has not issued prescriptive safeguards for reasonable security, it earlier pointed to a set of guidelines that frames its thinking on the matter. In a 2016 report, the state attorney general endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. The 20 CIS Controls identify a minimum level of security that all data-driven organizations should meet. It’s a great initial check against the measures that matter, including authentication, administrative privilege, mobile device security, incident-response plans, and data-protection policies, among 15 others.
If you haven’t addressed CCPA yet, now’s the time to act. Using the 20 CIS Controls as a guide, your first step should be a risk-based assessment of your cybersecurity and privacy threats and safeguards. This evaluation will help you define your organization’s specific risk sensitivity, and then tailor security and privacy controls to meet (or exceed) that level. In particular, you’ll need to take a hard look at the lifecycle of data covered by the CCPA, including customer, corporate, regulatory, and third-party partner information. It will also be crucial to document how these different types of data are collected, stored, accessed, processed, transmitted, and protected.
Next, compare how your assessment stacks up against the CIS guidelines. This exercise will help you understand your current and future-state security maturity, as well as chart an implementation roadmap that can be used to demonstrate that your security is, in fact, reasonable.
While the 20 CIS Controls is a solid start, particularly given its endorsement by the California attorney general, the framework doesn’t address all CCPA provisions. Among the thorniest is the ability to access and delete consumer information on demand, known as a consumer fulfillment request. When a business receives a verified consumer fulfillment request, it will be required to provide access to and/or delete the requester’s personal information. Satisfying these consumer requests is all but certain to require new or updated processes, workflows, and technologies. Failure to do so can result in costly financial penalties, lawsuits, and, of course, negative headlines.
Another major risk category missing from the 20 CIS Controls is due diligence of third-party partners. Your organization’s security, after all, is only as strong as your weakest vendor’s. That’s why it’s essential to conduct a comprehensive risk assessment of business partners that the company shares information with. This evaluation should identify in detail specific vendor security controls in place to protect personal information.
Also note that you’ll need to review all contracts with third parties with whom you share, sell, or otherwise process consumer data. Most organizations will need to renegotiate contracts to cover data safeguards and controls mandated by the CCPA. Large organizations with hundreds, or even thousands, of vendors will be hardest hit.
The CCPA goes into effect in a matter of weeks, but it remains a work in progress. Over the past year, a flurry of amendments has been introduced; some have been signed into law and others have languished in the legislature. Some of the most significant potential changes are likely to include:
- Personal data of employees, contractors, and applicants will be exempted by most provisions of the CCPA. But organizations will be required to educate employees on data-privacy procedures, including written policies published in employee handbooks. Significantly, this exemption is due to expire Jan. 1, 2021, which means that employee data could later be brought into scope. Keep an eye on this one over the next 15 months.
- Similarly, most personal information generated by B2B transactions will be exempt. But like the employee provision, this exemption is due to sunset Jan. 1, 2021.
- Online-only businesses that have direct relationships with consumers can simply provide an email address for contact with data requestors. Other companies will be required to offer two or more methods for submitting requests for information.
As amendments are added and provisions are sunsetted, the concept of reasonable security is likely to evolve. There’s no way to predict how it will morph over time, but we do know that security and business leaders will need to proactively build a CCPA-compliant cybersecurity and privacy program to prepare for changes and deflect risks.
Another unknown among many businesses is that they don’t fully grasp the liability implications of the CCPA. That’s understandable, given that the CCPA is the first law of its kind in the U.S., and that California will not begin enforcement until July 1, 2020.
But here’s one thing you can bet on: If you continue to back-burner the CCPA, you may be putting yourself, your board, and your CEO at risk.
Related Services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
On-Demand Webinar: California Consumer Privacy Act (CCPA) Update
Watch now
Related Insights
-
Insight6 keys to a future-ready enterprise risk management (ERM) programMaurice L. Crescenzi, Jr., Bhavesh VadhaniAn optimized ERM program is critical to bringing your organization into the future. Ready to move yours forward? Download our infographic.
-
InsightCMMC compliance process: What to expect and five steps to takeBhavesh Vadhani, Daryouche BehboudiCohnReznick is sharing our accreditation journey to offer lessons learned and insights into what DoD contractors can expect on their journey to CMMC compliance. Learn more
-
InsightSEC proposes new rules on public company cybersecurity incident reporting, risk management disclosuresBhavesh VadhaniPublic companies could face a tight new timeline for disclosing material incidents, plus mandates to detail how they manage cyber risk. Read more.
-
InsightNew law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware paymentsBhavesh Vadhani, Daryouche Behboudi, Deborah NitkaThe Cyber Incident Reporting for Critical Infrastructure Act requires certain entities to report attacks within 72 hours, ransomware payments within 24.