The California Consumer Privacy Act (CCPA) is Now: Are you Prepared?
The California Consumer Privacy Act (CCPA) became effective on January 1, 2020. For the few of you who have not been bombarded with CCPA compliance checklists and solicitations over the last year, here’s what you need to know: the CCPA is a new privacy and data governance regulation created to protect California residents’ privacy and give them control over their personal information. The CCPA is similar to the EU’s General Data Protection Regulation (GDPR), in force since 2018, but with a couple of major differences. Because of those differences, compliance with the GDPR does not automatically mean CCPA compliance.
In this article we’ll be addressing the following question: how can CISOs, CSOs and CPOs meet the tough new privacy and data governance requirements imposed by the CCPA as soon as possible?
Several months ago, at the International Association of Privacy Professionals (IAPP) conference in Northern California, an industry analyst stated that less than 50% of companies were “fully prepared” for the GDPR. At that same conference, it was estimated that only 2% of respondents to a recent IAPP study considered their organization fully compliant with the CCPA. CISOs now have both the opportunity and the need to raise their overall CCPA compliance before the State of California starts to make examples of non-compliant companies.
GDPR compliance does not equal CCPA compliance
Hopefully, your in-house counsel has already drafted your company’s GDPR privacy policies for use on your website and other collateral. But your CISO should also be pushing for additional investment and assistance from the IT and legal departments. Implementing the additional procedures and technology the CCPA needs, so that user data is handled and stored compliantly and the company can respond to user requests, takes time.
CCPA readiness creates a real challenge from a technology and process perspective. How do you make sure that you can not only comply with the complex privacy requirements but also do so at the needed scale and cost-effectively? Meeting that challenge is where CISOs have the strongest chance of success.
Who and what does the CCPA affect?
The CCPA applies to for-profit entities that do business in the State of California (wherever in the world they are based), collect personal information (PI) on California residents, and meet at least one of three thresholds: more than $25 million in annual gross revenue; annually buying, selling, receiving or sharing the PI of 50,000 or more consumers, households or devices; or deriving 50% or more of annual revenue from selling consumers’ PI. The CCPA protects all California residents, based on their residency.
At this late date, the lack of preemptive planning by many organizations has already put them at risk. The current version of the CCPA includes two specific areas CISOs should take note of: the security of the consumer’s PI, and breach notification. First, the security of the consumer’s PI is a major requirement, with significant liability if PI leakage or a breach occurs. Security and privacy are closely related, and while the CCPA does not expressly require the implementation of specific security measures, it does impose a duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” - without describing what those reasonable practices are.
To prepare, CISOs should conduct an inventory and risk assessment that reviews the types and sensitivity of customer PI – across all data repositories - as well as potential risks to the security and privacy of this sensitive information.
If organizations have questions about which specific safeguards count as reasonable, they can refer to the California Attorney General’s February 2016 Data Breach Report, which discusses best practices for safeguarding data and identifies the 20 CIS Critical Security Controls as a minimum level of information security that all organizations should meet.
CCPA’s “Reasonable” security requirement
The CCPA allows California consumers to sue businesses when their nonencrypted or nonredacted PI is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Statutory damages run from $100 to $750 per consumer per incident, or actual damages if greater, and no proof of actual harm is required for the statutory amount. In other words, companies carry a major liability if a breach does occur.
CISOs will need to educate themselves and rely on their experience, their department’s expertise, and their internal/external legal representatives to ensure CCPA compliance.
In reality, most companies have already adopted appropriate enterprise security capabilities. However, the CCPA sits alongside California’s existing breach notification law (Civil Code section 1798.82), and the combination will cause heartburn for most CISOs.
In the event of a breach (including unauthorized access to the data), individual notifications must be made in the “most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Obviously, this notification requirement raises the question of when a breach is recognized and how quickly notice must follow - both of which will be open to interpretation by the California Attorney General’s (AG) office as well as by opposing counsel if litigation occurs. A CISO may think they’re compliant while the California AG does not. Because of this grey area, CISOs should be diligent about detecting data breaches quickly, and should be in a position to alert affected California residents in a “timely manner.”
How does this affect CISOs?
Because the CCPA is primarily a security and privacy regulation, CISOs should take the lead in driving corporate CCPA planning and preparedness. In most cases, the burden to react to CCPA requests will fall on the IT department, which, if the company is not prepared, will cause additional costs (including large fines) for the company.
CISOs should address the following topics/actions as soon as possible:
- The CISO should create a CCPA team of stakeholders that includes not only IT but also Legal, Records Management, and Compliance, to ensure full regulatory compliance. The same team should stay involved through implementation.
- IT should create a data map, so they know where all PI-related data resides, including PI held on systems under individual employees’ control.
- The CISO should determine whether the company is actively managing all data that contains California residents’ PI. A best practice is to consolidate all PI (not just Californians’) into a single repository to ensure proper security, faster and more consistent search results, and ideally single-instancing, so that no additional copies are floating around that would violate a deletion request (the CCPA’s “right to delete,” often called the right to be forgotten). IT should also ensure the repository is set up to fully index and search data by state of residency.
- The CISO and GC should know what types of personal information are stored. This matters when responding to a requesting individual about every form of their PI held in the organization’s repositories; the data map mentioned above will help here.
- Know whether your company has purchased PI from another company, and which company. A process that lets the supplying company contact you when it receives a PI request will speed up response times and reduce overall risk.
- Know whether PI your company collected has been given or sold to another company, and have a process in place to quickly alert the purchasing company so it can act on the request as well.
- Know how PI is deleted from your systems when a deletion (“right to be forgotten”) request is received. Simply hitting the delete button, or any other soft delete, is not secure deletion: the data remains recoverable. Companies should deploy deletion technology and procedures that make PI completely unrecoverable across primary storage, replicas and backups. Without tested processes and technology, a data handling mistake could be treated by the AG as a violation of the CCPA’s deletion requirement.
- Be able to connect a California resident’s PI to the notice under which it was collected and to any opt-out of sale the resident has exercised. Those choices change over time, so the link must be maintained rather than captured once; for example, a resident who opts out of sale must not be asked to opt back in for at least 12 months.
- The timeframe to respond to a PI request is limited (45 days, extendable once by a further 45 days when reasonably necessary), so a tested, comprehensive response process will greatly reduce non-compliance liability and ease the demands on IT resources.
- Ensure your company documents security practices/technology and that they are tested regularly by a third-party.
- Put in place the ability to search, tag, export, and where required delete requested PI based on the requestor’s name or other identifying PI, e.g., email address.
- Be able to quickly recognize and document when a breach has occurred, and which California citizens could be/are affected.
- You should be able to generate a report on the breach incident and describe your security processes/procedures/technology in use – for the California AG and opposing counsel.
- Ensure you can quickly respond to a breach by sending out notifications to all affected California citizens.
- And I can’t stress this enough: preemptively encrypt, or at least pseudonymize or otherwise obfuscate, all PI both in transit and at rest.
- The best insurance policy against CCPA breach liability is to encrypt or anonymize all stored PI. The CCPA’s private right of action reaches only nonencrypted or nonredacted PI, and California’s breach notification law (like the GDPR’s rules on notifying data subjects) treats encrypted data as not breached so long as the encryption key was not also acquired. In other words, if the data was accessed but the keys were not, the data was not usable and the exposure is treated very differently. That safe harbor depends entirely on the keys staying out of the attacker’s hands.
- Keep encryption keys separate from the PI data repository: a different service, account and network from the data store, with their own access controls and audit logs, so that one compromise does not yield both.
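As an added example (it is not Archive360’s code and not part of the CCPA text), the following Go program shows what the last three items look like when wired together with the deletion item above. PI is stored only as AES-256-GCM ciphertext; each data subject’s record is found through an HMAC pseudonym of their e-mail address rather than the address itself, so the store is searchable by requestor without holding the identifier in the clear; and the keys live in a separate vault. The in-memory KeyVault and Repository types are assumptions that stand in for a real KMS/HSM and data store. The deletion step uses crypto-shredding (destroying the subject’s key so every surviving copy of the ciphertext becomes unreadable), which is one way to reach the “completely unrecoverable” bar rather than a method the page itself specifies. The sample name and address are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var ErrNotFound = errors.New("no record for this data subject")
var ErrKeyDestroyed = errors.New("DEK destroyed: ciphertext is unrecoverable")

// KeyVault stands in for a key store kept apart from the PI repository (an HSM or cloud key vault in practice).
type KeyVault struct {
	pseudoKey []byte            // HMAC key used to derive pseudonyms
	dataKeys  map[string][]byte // pseudonym -> AES-256 data-encryption key (DEK)
}

type Repository map[string][]byte // stands in for the PI store: pseudonym -> nonce||AES-GCM ciphertext; no keys

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // fail closed rather than fall back to a weak key or nonce
	}
	return b
}

func NewKeyVault() *KeyVault { return &KeyVault{pseudoKey: randomBytes(32), dataKeys: map[string][]byte{}} }

// Pseudonym is a keyed (HMAC-SHA256) identifier for an e-mail address: the repository stays
// searchable by subject, but without the vault key nobody can confirm who is in it.
func (v *KeyVault) Pseudonym(email string) string {
	mac := hmac.New(sha256.New, v.pseudoKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// aead returns the subject's AES-256-GCM cipher; ok is false once the DEK is gone.
func (v *KeyVault) aead(p string) (cipher.AEAD, bool) {
	dek, ok := v.dataKeys[p]
	if !ok {
		return nil, false
	}
	block, _ := aes.NewCipher(dek) // cannot fail: the DEK is always 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm, true
}

// Store encrypts PI under the subject's DEK (created on first use) and writes only ciphertext.
// The pseudonym is bound in as associated data so a record cannot be re-attached to another subject.
func Store(v *KeyVault, r Repository, email, pi string) {
	p := v.Pseudonym(email)
	if _, ok := v.dataKeys[p]; !ok {
		v.dataKeys[p] = randomBytes(32)
	}
	gcm, _ := v.aead(p) // the DEK was just ensured to exist
	nonce := randomBytes(gcm.NonceSize())
	r[p] = gcm.Seal(nonce, nonce, []byte(pi), []byte(p))
}

// Access serves a right-to-know request: find the record by pseudonym and decrypt it.
func Access(v *KeyVault, r Repository, email string) (string, error) {
	p := v.Pseudonym(email)
	ct, ok := r[p]
	if !ok {
		return "", ErrNotFound
	}
	gcm, ok := v.aead(p)
	if !ok {
		return "", ErrKeyDestroyed
	}
	if ns := gcm.NonceSize(); len(ct) >= ns {
		pt, err := gcm.Open(nil, ct[:ns], ct[ns:], []byte(p))
		return string(pt), err
	}
	return "", errors.New("ciphertext too short")
}

// Erase serves a deletion request by crypto-shredding: dropping the DEK makes every copy of the
// ciphertext (backups, replicas, exports) unrecoverable; the repository row is then removed too.
func Erase(v *KeyVault, r Repository, email string) {
	p := v.Pseudonym(email)
	delete(v.dataKeys, p) // a real vault would destroy, not merely disable, this key version
	delete(r, p)
}

func main() {
	v, r := NewKeyVault(), Repository{}
	Store(v, r, "Alice@Example.com", "name=Alice Rivera;zip=94105") // constructed sample, not real data
	fmt.Println(Access(v, r, "alice@example.com"))
	Erase(v, r, "alice@example.com")
	fmt.Println(Access(v, r, "alice@example.com"))
}
```

A breach of the repository alone yields pseudonyms and ciphertext, which is the situation the encryption safe harbor is written for; the argument collapses if the vault is taken in the same incident, which is why the two belong in separate trust domains (different service accounts, networks and audit logs) in a real deployment. Crypto-shredding also answers the backup problem in the deletion item: a copy the deletion job never reaches still decrypts to nothing once the key is gone.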
Many of the CCPA’s requirements are processes and procedures rather than technology, and in many cases they sit outside the CISO’s direct control. CISOs should nonetheless take control of CCPA compliance by signing up as the main executive sponsor for the company’s CCPA program.
The bottom line
According to industry analysts, approximately 2% of companies are fully prepared for the CCPA, which is now in effect. Depending on how aggressive the California AG will be in pursuing non-compliant companies, your company’s lack of compliance could cost your organization big time in both fines and negative PR.
To ease and speed the path to CCPA compliance, the CISO, CIO, CTO, GC, and IT Department should be working toward CCPA compliance now.
How Archive360 can help
One of the biggest challenges of meeting the CCPA is that of unmanaged data – including dark data. Archive360’s Archive2Azure intelligent information management and archiving platform allows you to:
- Find all of your unmanaged dark data within your enterprise
- Consolidate that data in a single cloud repository
- Secure that data with industry-leading cloud security capabilities including encryption/anonymization of data before it moves to your Azure cloud – while you keep the encryption keys
- Geographically replicate the data for safety
- Manage the data with retention disposition policies
- Search, view, tag, and delete PI based on individual data-subject requests
- Create and export audit and processing reports for action certification
All from the security and cost-effectiveness of your organization’s Azure tenancy.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.