In 2018, the California Consumer Privacy Act (CCPA) was signed into law and went into effect last January. The final draft of the regulation was submitted to the California Attorney General in June 2020. Originally, the CCPA would be enforceable starting July 1, 2020, but due to the COVID-19 pandemic, the California Office of Administrative Law has 30 working days, plus an additional 60 calendar days, to approve the current draft.
Many organizations are late to the game in compliance with the CCPA while others have been trying to keep up with the draft and all of the comments from supporting organizations. Regardless of where your organization is in the process of compliance with the CCPA, there are a few critical items that everyone must keep in mind.
First, and this is a potentially unpopular opinion, security does not equal privacy.
Security systems, processes and technologies can support a privacy program, but security (the conventional Confidentiality, Integrity, Availability triad) may not directly impact the privacy requirements of your organizations Personally Identifiable Information (PII). The other objectives and capabilities to support your privacy program are predictability, manageability and disassociability. It’s the combination of these six factors that protect PII data and reduce risk to your organization.
Privacy risks are not only risks to the organization—the risk to the consumer is paramount. While the CCPA provides, and protects, certain rights to the consumer it does not directly impact the risks to the consumer. Every organization needs to assess both the risk to the consumer as well as to the organization. The impact to the consumer can vary greatly, from embarrassment or loss of dignity all the way to identify theft or put them physically in danger (example, EXIF data in photographs that share GPS information). Risks to the organization, in regards to CCPA, start with noncompliance costs such as fines or litigation, but extend into direct monetary costs, loss of revenue, loss of reputation and can also impact the internal culture of the organization and cause a loss of productivity.
The most critical item that organizations must address is that a compliance gap assessment cannot be performed if the organization has not fully identified and addressed their data ecosystem.
Over the past several months many clients have requested gap assessments to establish their compliance status to their internal stakeholders or board of directors. Unfortunately, these clients have not identified the context of the PII in their organization, how that data is used, and where it’s located. When asked “what controls apply” the short answer is that ALL of the controls (requirements for adherence) must be in-place, but that you must know what data is in the environment so you can appropriately comply with the regulation.
Compliance with the CCPA is achievable for many organizations.
Prioritizing a data privacy mapping to identify the data ecosystem is paramount to achieving compliance. Once the data mapping is performed, either an internal auditor or consultant can perform a gap assessment to determine the likelihood of compliance with the regulation. From a strategic standpoint, the organization must identify and implement additional controls to reduce privacy risk to the consumer and the organization but also look beyond the CIA-triad and address the predictability, manageability and disassociability objectives of the organization.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT and large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.