- June 30, 2020
The California Consumer Privacy Act (CCPA) became effective on January 1, 2020. For the few of you who have not been bombarded with CCPA compliance checklists and solicitations over the last year, here’s what you need to know: the CCPA is a new privacy and data governance regulation created to protect California residents’ privacy and give them control over their personal information. The CCPA is similar to the EU’s 2018 General Data Protection Regulation (GDPR) privacy regulation but with a couple of major differences. Because of those differences, compliance with the GDPR does not automatically mean CCPA compliance.
In this article we’ll be addressing the following question: how can CISOs/CSOs, CPOs meet the tough new privacy and data governance requirements imposed by the CCPA as soon as possible?
Several months ago, at the International Association of Privacy Professionals (IAPP) conference in Northern California, an industry analyst stated that less than 50% of companies were “fully prepared” for GDPR. At that same conference, it was estimated that only 2% of respondents from a recent IAPP study considered their organization fully compliant for CCPA. CISOs now have the opportunity and the need to raise their overall CCPA compliance before the State of California starts to make examples of non-compliant companies.
Hopefully, your in-house counsel has already drafted your company’s GDPR privacy policies for use on your website and other collateral. But, your CISO should also be pushing for additional investments and assistance from your IT and legal departments. Implementing additional procedures and technology needed for the CCPA that compliantly handle and store user data while allowing companies to respond to user requests can take time
CCPA readiness preparation actually creates a big challenge from a technology and process perspective. How do you make sure that you can not only comply with the complex privacy requirements but also ensure that you will have the needed scale and the ability to comply cost-effectively? Meeting challenges are where CISOs will have the strongest possibility of success.
The CCPA applies to all for-profit entities that do business in the State of California, including companies with over $25 million in revenue, outside of California (world-wide) and that collect personal information - PI - on California residents. The CCPA protects all California residents (based on their residency).
At this late date, the lack of preemptive planning by many organizations has already put them at risk. The current version of the CCPA includes two specific areas CISOs should take note of. First, the security of the customer’s personal information is a major requirement, with strict fines if PI leakage/breach occurs. Security and privacy are closely related and while the CCPA does not expressly require the implementation of specific security measures, it does note a company’s duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”- without describing what those reasonable processes are!
To prepare, CISOs should conduct an inventory and risk assessment that reviews the types and sensitivity of customer PI – across all data repositories - as well as potential risks to the security and privacy of this sensitive information.
If organizations have questions about specific safeguards for maintaining security, they can refer to the California Attorney General’s February 2016 Data Breach Report, which discusses best practices for safeguarding data.
The CCPA allows California consumers to sue businesses when their nonencrypted or nonredacted/anonymized PI is subject to unauthorized access and movement, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. In other words, companies will have a major liability if a breach does occur.
CISOs will need to educate themselves and rely on their experience, their department’s expertise, and their internal/external legal representatives to ensure CCPA compliance.
In reality, most companies have already adopted appropriate enterprise security capabilities. However the CCPA introduces an additional requirement that will cause heartburn for most CISOs.
In the advent of a breach (including potential data access), individual notifications need to be made in the “most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Obviously, this notification requirement raises the issue of breach recognition and notification timing - which will be open to interpretation by the California Attorney General’s (AG) office as well as opposing counsel if litigation occurs. In fact, a CISO may think they’re compliant while the California AG does not. Because of this compliance grey area, CISO’s should be diligent about detecting data breaches quickly – and be in a position to alert California residents of the breach in a “timely manner.”
Because the CCPA is primarily a security and privacy regulation, CISOs should take the lead in driving corporate CCPA planning and preparedness. In most cases, the burden to react to CCPA requests will fall on the IT department, which, if the company is not prepared, will cause additional costs (including large fines) for the company.
CISOs should address the following topics/actions as soon as possible:
Much of the CCPA requirements are composed of processes and procedures versus technology, which in many cases, are out of the CISOs control. However, CISOs should take control when it comes to CCPA compliance by signing up to be the main executive sponsor for company CCPA compliance.
According to industry analysts, approximately 2% of companies are fully prepared for the CCPA, which is now in effect. Depending on how aggressive the California AG will be in pursuing non-compliant companies, your company’s lack of compliance could cost your organization big time in both fines and negative PR.
To ease and speed the path to CCPA compliance, the CISO, CIO, CTO, GC, and IT Department should be working toward CCPA compliance now.
One of the biggest challenges of meeting the CCPA is that of unmanaged data – including dark data. Archive360’s Archive2Azure intelligent information management and archiving platform allows you to:
All from the security and cost-effectiveness of your organization’s Azure tenancy.
For more information on how the CCPA could affect your company, please check out these additional blogs:
Your legal, compliance and security teams rely on having an immutable copy of all of your emails. Office 365 archiving does not support journaling. So what should we do?
This eBook provides actionable tips to empower IT to solve the problem.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.