California will be ringing in the new year of 2020 with a brand new bit of legislation. When the California Consumer Privacy Act (CCPA) takes effect on January 1, the US will see the strictest guidelines to date on the collection and processing of personal information. Dubbed “California’s Mini-GDPR,” CCPA began as a 2018 ballot initiative that went from draft to law in less than a week, looking to address the ongoing issue of inadequate cybersecurity among companies, including the absence of a rigorous vulnerability management program addressing software risk. CCPA legislation also seeks to enhance privacy rights and consumer protection of all California residents.
Since 2015, more than three in five Californians have been victimized by some type of data breach, making the demand for “reasonable security” a critical measure. And it’s not just retail businesses being affected by CCPA—no industry is risk free when it comes to the reality of malware, hacking (especially with regard to card data) and general digital malfeasance. Because California has close to 40 million residents and is considerably larger than most states, it’s time for regional businesses to get serious about CCPA compliance. This new standard applies to any company with annual gross revenues in excess of $25 million and in possession of the personal information of 50,000 or more consumers, households or devices.
Compliance in California
As the most comprehensive privacy law in the country, CCPA will now require companies who collect and/or sell personal information to comply with a number of legal obligations. By definition, “personal information” relates to anything that “identifies, describes, or is capable of being associated with” a particular consumer, household or individual.
For businesses already walking the road of GDPR compliance, this road will be smoother, but not simple. First and foremost is general compliance, which will require a blend of new approaches to achieve more robust data security. For starters, companies must consider an upcoming shift in consumer requests. When CCPA kicks in, all businesses must have mechanisms in place to successfully respond to any customer demands for access to or deletion of their personal data. Because consumers also have the right to request their information from the 12 months leading up to the new legislation, companies must be prepared to provide data dating back one full year.
CCPA compliance also requires companies to make it easier for consumers to control their own data, such as opting out of the selling process to third parties. This means businesses will need to revise all related policies and platforms to reflect these new options, if they do not already exist.
This is great news for California consumers, who now have the right to know what personal data is being collected about them—and equally as important, to whom it is being sold or disclosed. Companies can no longer maintain opaque data-related practices, as transparency becomes the new normal.
One of the most important controls affected by CCPA is the need for continuous vulnerability management. According to recent studies, almost 60% of recent data breaches were the result of unpatched vulnerabilities. While CCPA cites vulnerability patching as “critical,” the truth is that many companies do not meet their obligations in this area. The reasons are multi-faceted. On the technology side, organic tool growth has led to more complex and diverse scanning, classification and remediation workflows.
On the personnel side, time-crunched security experts spend more time wrestling with findings from these disparate tools than on facilitating the remediation activities necessary to reduce risk. Nonetheless, vulnerability management remains essential to the quick identification and remediation of software bugs and flaws, because attackers work to exploit newly patched vulnerabilities with the same momentum that developers bring to implementing the patches.
For organizations looking to comply with CCPA, attention to vulnerability management will be paramount. Although scheduled patch rollouts seem simple enough, the challenge lies in the scale of the company, how each patch affects its systems and how quickly an attacker can weaponize a disclosed vulnerability. To bring true vulnerability management to life, businesses will need to identify, prioritize and manage these vulnerabilities across applications and infrastructure, both to reduce risk and to meet compliance demands.
Non-compliant companies that suffer data breaches or theft may face monetary penalties of up to $750 per affected Californian—or the actual damages, whichever is greater. Further, CCPA requires organizations to pay any other relief a court deems appropriate. Whether non-compliance is prosecuted as negligence is at the discretion of the Attorney General’s office; however, a fine of up to $7,500 for each intentional violation—and $2,500 for each unintentional violation—can (and likely will) be imposed.
Whether this demand for more reasonable security will become an explicit standard remains to be seen; however, companies should already be focusing on how to comply with the new CCPA requirements—otherwise, they face significant liability. On the positive side, CCPA also offers ethical, ambitious companies the opportunity to distinguish themselves in their industry as proponents of strong data governance and ethics programs. CCPA compliance will help companies bolster their commitment to honoring consumer choices and to demonstrating transparency and trust, which is fast becoming the new normal.