In June 2018 California state government passed legislation to protect the data privacy of California’s estimated 40 million residents. The only state boasting a population that rivals California’s is the Lone Star State, Texas, with a total of 28.7 million, but I’ll save privacy issues south of the Red River for another installment. Dubbed the California Consumer Privacy Act (CCPA), the bill we’re tackling this week goes into effect on January 1st, 2020, and while security and privacy are different, they do intersect in this bill. In fact, few US companies can accurately claim to have an information security program ready to adhere to and operate within the confines of these new regulations.
What Is the CCPA?
CCPA operates similarly to the protections guaranteed to EU citizens by the European Union’s General Data Protection Regulation (GDPR). The intention of the California regulation is to provide California residents with defined privacy rights, including, but not limited to, the right to know when personal information is being collected. The consumer privacy law followed in the wake of the Cambridge Analytica-Facebook incident that played out on a national stage last year and forces companies who deal in personal data to implement significant changes. According to the Harvard Business Review, CCPA endows California state residents with “an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected…[and] the law stipulates that consumers have the right to request the deletion of personal information, opt out of the sale of personal information, and access the personal information in a ‘readily useable format’ that enables its transfer to third parties”.[1] California’s new law will absolutely impact the means and methods of generating profit employed by many organizations operating in the tech sector.
Corporations who, prior to the GDPR and CCPA, have enjoyed unfettered and nearly unregulated access to harvest, use, and sell personal data from consumers, are being put on a proverbial, necessitous leash. The business model that traditionally allowed companies to exploit personal data to generate revenue from targeted consumer advertising is finally being called into question en masse. Organizations like Google, Amazon, Netflix, and Facebook, as well as internet service providers AT&T and Verizon, will have to reckon with, and resign themselves to, the fact that consumers do not like feeling watched, scammed, violated, or profited from. The cherry on top of the delicious regulatory sundae is that firms like Epsilon, Experian, and Oracle, who generate profits by collecting hoards of personal data to sell to ad networks, retailers or anyone else who’ll buy it, may suddenly find their bottom lines bleed into the red. These organizations have been lobbying federal and state lawmakers for years, trying to protect their ill-gotten revenue streams, but after the GDPR passed, security and privacy experts saw this legislative storm brewing a mile away–an Atlantic Pond-sized mile. Mark Zuckerberg’s pretentious and mendacious attitude and actions during his Congressional hearing, and statements made regarding the recent revelation that Facebook profited from selling private health data, did not win him any new friend requests.
CCPA Compliance Requirements
Knowing the CCPA will go into effect January 1, 2020, organizations now have to quickly put new technical and procedural security measures in place to meet compliance requirements – unless they relish facing massive fines and multiple civil action suits. In a report released by TrustArc, a privacy compliance firm out of San Francisco, only about 14% of affected companies are fully compliant and 16% of responding organizations have not even started preparing.[2] These numbers are highly reminiscent of the industry-wide panic in June 2018 when the PCI-DSS due date to upgrade to TLS 1.2 came around. Compliance efforts can require several months to even a few years to complete, especially when most security teams are under-funded, under-staffed, and overworked. The CCPA is the most stringent data privacy law to pass in the United States, and businesses cannot–and definitely should not–ignore its wide-reaching implications. As reported by Cheddar, the California Senate has now passed an amendment to strengthen the CCPA and “gives consumers the right to personally sue companies that misuse their data and removes the statute that originally gave noncompliant companies 30 days to remedy their violation prior to punishment.” If this is an indication of the future of privacy in the U.S., security departments should start prepping now like they are on Season 5 of Doomsday Preppers.
Impact on Future Legislation
It is a fair assumption that other states will pass similar legislation in the months and years to come. Historically, once enough states start passing the same laws to protect or guarantee the rights of their residents, the federal government will inevitably succumb to the demands of the people. Women’s Suffrage, Civil Rights, and Gun Control regulations are just a few examples – and legislation regulating tech and data privacy is not likely to be the exception. So, even if your organization does not cater to California residents, it is probable that similar consumer privacy laws will be passing in other states. Organizations that are fully compliant with the GDPR will have much less up-front work to do. Most major organizations in the United States are likely to have Californian customers and, like the GDPR all over again, these companies will face a similar choice. They will have to strengthen their data protection infrastructure and change their global data protection policies, procedures, and controls to adhere to CCPA–or treat Californian customers one way and everyone else another, by implementing a veritable patchwork of data protection procedures and controls that are simply dropped in as an afterthought in an attempt to meet compliance. The latter option will be more expensive, resource-intensive, and time-consuming. It is also very possible that any business that elects a divided infrastructure will ultimately lose customers, and while we all like to point to enterprise organizations, those are actually the organizations that may be able to drop massive, lump sums into their security programs all at once. What about smaller enterprises, who are struggling to fill security positions and may have thinner budgets? The fact is that it’s time for mid-size to small businesses to start investing in their security and compliance programs now, rather than procrastinating. It will save time and money in the end. 
Privacy law is not going anywhere, so we all might as well get started.
California State Attorney General Xavier Becerra said it best, “California, the nation’s hub for innovation, has long led the way to protect consumers in the digital age” and they are already leading the charge. Security experts, analysts, and leaders should slip into our war kilts, smear on some blue face paint, and advocate for change now. Security professionals have the privilege and duty to leverage privacy’s overdue moment in the spotlight – from the congressional antechamber to the corporate boardroom.
How To Prepare For Potential Changes
There are a few ways organizations can be prepared.
- The first step is to identify the types of personal data your organization collects and the purpose each serves. If personal data serves little to no operational purpose, the organization should absolutely develop a strategy to eliminate that data stream. All data, but particularly sensitive, regulated, or PII data, should be classified, labeled, and inventoried throughout the organization.
- Second, identify third-parties that interact with any personal data being collected, and understand how the responsibilities for protecting it are divided between your organization and a third-party entity. It is vital that a business recognizes their contractual obligations to protect personal data in conjunction with third-parties.
- Thirdly (a suggestion TRUE has shouted from the top of our lungs since our inception), invest in security as a rule and not as a reaction. Strategically developing and maturing a strong security program, scoped specifically for your business needs and budget, is the only way to generate absolute assurance that future data privacy laws will not affect operations and long-term growth.
What if you are just a concerned citizen who was led to this article from the wormhole that is a Google search? We have an article for you as well. Locking Down Your Accounts was written by one of our top security consultants - penetration tester and pizza lover, Steven Anderson. This will give anyone plenty of reasons why everyone should make the effort to secure their own private data until every state in the union upgrades its privacy laws.
As for me personally, I know I will definitely be changing my VPN connection to Cali.
[2] TrustArc Privacy Compliance, “TrustArc CCPA Readiness Benchmark Report”. March 18, 2019.