Here Comes the California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is new privacy and cybersecurity regulation that went into effect in the United States on January 1st, 2020. this is a development that all business leaders should pay attention to. The CCPA contains several requirements that require significant attention. Organizations subject to the CCPA should start their compliance efforts immediately.
For years, security professionals have been jumping up and down at our law makers to create accountability for the protection of consumer data. Irrespective of your political views or dealings, there is a clear need for cybersecurity legislation. The problems with the creation of such legislation are largely complex. Marred with technical jargon and problems, it isn’t exactly as simple as writing a law making it illegal to have a data breach. Further underscoring the challenge, security isn’t a straightforward science. Security often requires subjective decision making based on a litany of factors. First, let’s explore context around this subject.
The Fundamentals of Security
Cybersecurity legislation has historically been controversial and by extension political in nature because of the constant tension between privacy and security. Ultimately, until quantum computing becomes a mainstream reality, computing is linear in nature. The screen you’re reading these words through is powered by limitless layers of abstraction which boil down through bits traveling through a processing unit. These bits, the ones and zeros of this world, underscore the difficulty of cybersecurity. Securing computing requires the application of subjectivity to objectivity. Computers will process the instructions being sent to them, objectively speaking. If you tell the computer to add 2 + 2, the computer has no choice in the matter. The process is black and white.
What if, however, during that same instruction to the computer to add 2 + 2, the computer was asked by another party to add an additional 2. You’re not aware of this party and the additional command. The computer’s output is 6, and you expected 4. The computer did what it was asked, but it did not behave how you expected it to. This is an illustration of the fundamental problems that underscore the security of modern computing. Like cancer in the body, cybercriminals use our own mechanisms against us. On the technical level, security tooling must be able to discern against real traffic and potentially malicious which introduces subjectivity. If the security tooling “guesses” wrong, or the security analyst misses the signs, then cybercriminals are in. Worse even, in most situations, even large organizations with a large amount of resources do not have “eyes” on everything, nor the resources to watch each system.
The Cybersecurity Legislation Challenge
It is in this context that legislators must write. The rule of law in the United States is written by the letter, opposed to the spirit of the law. This is a double-edged sword, in that if you are in compliance with the exact letter of the law you must do no more or no less. That fact is handy for organizations that are attempting to maintain compliance. This is also a nightmare for legislative bodies. If you write legislation that is too specific or too broad, you create loopholes or laws that are ineffective in regulation. With the simultaneous subjectivity and objectivity of security, you can imagine why progress has been slow. Further underscoring the challenges, most of our representatives in these bodies do not understand the specifics of security at a level to write effective legislation. This is not a knock on them or our government in general. Security is a very complex, nuanced topic.
Existing Cybersecurity Legislation
Although it is very difficult to write legislation, several legislative bodies have successfully written legislation over the past few years. In The Penn Group’s home state of Ohio, the state legislative body wrote Senate Bill 220. This law allows organizations who adopt specific security frameworks to a reasonable degree to have a legal safe harbor. This is a brilliant approach to security legislation in that, organizations are incentivized to adopt security frameworks and introduce policy and procedures that increase the security posture of the organization. Throughout conversations with leaders of organizations as The President & CEO of The Penn Group, I’ve referenced this legislation as a key motivator for organizational leaders to take action and secure their organizations and their customer’s data. The California Consumer Privacy Act (CCPA) also contains a similar provision.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a new cybersecurity law that goes into effect on January 1st, 2020. As security professionals, one of our many duties is to remain in compliance with local, state, and federal regulations. Any new security legislation that goes into effect must be carefully studied and understood to maintain compliance.
At a high level, the CCPA enforces privacy protections for consumers.
Privacy is a rather broad term that refers to the assurance that some secret will not be exposed without the explicit permission of the originator. From a cybersecurity standpoint, privacy means the assurance that a person’s private data will not be disclosed without authorization by a first or third party. The assurance of privacy is accomplished through a complex web of security techniques. Woven into the foundation of cybersecurity, the three goals of cybersecurity are to enforce the confidently, integrity, and availability of data. These goals are affectionately dubbed the security triad. These goals are core to the assurance of the privacy of your data. How does this relate to the CCPA?
CCPA Requirements
Notice Requirement:
At or before the time of collecting personal information, the organization must provide notice of the categories of personal information to be collected, and the purposes for which they will be used.
Disclosure Requirements:
Upon request of a consumer, the business must disclose the following:
· categories and specific pieces of the consumer’s personal information the business has collected;
· categories of sources from which personal information is collected;
· business or commercial purpose for collecting or selling personal information; and
· categories of third parties with whom the business shares personal information.
Delivery of Personal Information: Upon request of a consumer, up to twice in a 12-month period, the organization must deliver to the consumer all of the consumer’s personal information collected.
Right to be Forgotten: Each organization must notify consumers of their right to request the organization to delete all of the consumer’s personal information. Certain exceptions permit the business to retain personal information for specific purposes.
Non-Discrimination: With limited exceptions, organizations are prohibited from discriminating against a consumer because the consumer exercised any of the consumer’s rights under the Act, including denying goods or services, charging different prices, providing a different level of quality of goods or services, or suggesting that the consumer will receive a different price or level of quality of goods or services.
This is not an all-encompassing list of the provisions, but a core representation of the privacy protections the act attempts to enforce. What is of particular note is the penalties for non-compliance:
· Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents (Cal. Civ. Code § 1798.135(c).
· Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
· A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).
· Privacy notices must be accessible and have alternative format access clearly called out.
What Does This Mean?
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data. Failure to do so will result in a framework of penalties that could result in large class action lawsuits, or extremely large fines for any organization that isn’t in compliance. Further, the law now provides a foundation for enforcing strong cybersecurity practices within organization that do business with and inside the State of California.
What Should You Do?
If you are a leader within your company, or a business owner, immediate steps should be taken to understand which aspects of your business apply to the CCPA. Consider hiring a security company to perform a risk assessment on your organization. Understanding your risk and having a plan to remediate the risk is an essential factor in the defense of your organization in a breach scenario. If you’re able to prove that you’re making progress towards securing your organization and have a documented plan on improving your security posture, you may receive a lessor fine/penalty.
Ultimately, no system is 100% secure. It is not a factor of if; but when will a breach occur. Even if you do business in California or not, future regulations like the CCPA and Ohio’s Cybersecurity Safe Harbor law will continue to fuel the fire on the importance of adopting an industry recognized cybersecurity framework and moving towards the implementation of that framework. Data breaches will continue to happen. It is up to us to do everything we can to limit their impact and keep our customers and organizations safe.
Receive Security Insights Right In Your Inbox:
