The California Consumer Privacy Act (or “the CCPA” for short) is California’s new data privacy law that came into effect on January 1, 2020.
This is the first of its kind in the US, and it’s going to impact your InfoSec program.
The purpose of this new law from a privacy perspective is to give consumers greater control over their personal information (PI). How? By giving consumers key privacy rights. You may be familiar with some of these rights, including:
But, some rights are new, including:
While it’s essential consumers know their rights, security and compliance leaders need to pay attention, too. After all, failure to comply will result in fines up to $7,500 per violation.
So, if you’re a CISO, here’s everything you need to know about CCPA.
Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR.
The CPRA creates a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected and for purposes of which the consumer has been informed. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options.
What does this mean for you? Organizations must ensure compliance with the CPPA – integrating the demands of the CPRA – before it takes effect on January 1, 2023.
Unlike Europe, the US doesn’t have a federal consumer privacy law. Instead, the US privacy landscape is made up of a smattering of both state and sectoral laws.
As the CCPA ties enforcement to “California residents”, it may apply to services provided outside of California to Californians. Because it’s virtually impossible to know with absolute certainty who or where your customers are, it can become tricky to determine who you offer CCPA rights to and who you don’t.
The result? Many companies have given CCPA rights to everyone.
Indeed, when it comes to security, the CCPA only specifies that a business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” it processes.
Importantly, though, what those “reasonable” security procedures are and how they differ based on the information involved remains undefined.
But, what we do know is that if your business experiences a data breach and a Californian consumer’s PI is taken by an unauthorized person, your business could be on the hook for failing to implement reasonable security procedures. In addition to fines, the CCPA grants Californian consumers the right to sue you. This is called a private right of action.
While there is still much to be determined as to what “reasonable” means, the onus rests on you, as CISO, to review your infosec program and make sure you’re comfortable you’re doing your best to reach this “reasonable” standard. Looking at the NIST (800-53 or CSF), ISO 27001, and CIS controls are a great place to start.
The bottom line: businesses need to protect their data. Implementing a DLP solution is a necessary step all businesses need to take.
Statutory damages are new for Californian data privacy law.
Now, consumers can sue you for a data breach and they don’t have to show harm, meaning we could see a rise in data privacy class actions.
This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. Because, demonstrating and quantifying damages caused by a data breach can be difficult to show.
With the CCPA, companies are vulnerable to potentially staggering damages in relation to a breach. Of course, this is in addition to revenue loss, damaged reputation, and lost customer trust.
The CCPA allows consumers to seek statutory damages of between $100 and $750 (or actual damages if greater) against a company in the event of a data breach of PI that results from the company’s failure to implement reasonable security procedures. Putting this into context, a data breach affecting the PI of 100 California consumers may result in statutory damages ranging from $10,000 to $75,000, and a data breach affecting the PI of one million California consumers may result in statutory damages ranging from $100 million to $750 million.
These potential statutory damages dwarf almost every previous large data breach settlement in the US, and have the potential to see higher awards than we’ve seen with GDPR.
It’s worth noting, though, that there is a 30-day cure period in which businesses can in some way remedy a data breach after receiving written notice from the consumer. But, because the CCPA doesn’t define “cure,” it’s unclear how a business can successfully “cure” data security violations.
Prevention is better than cure. Your best chance of avoiding a breach and/or hefty fines afterward is to ensure your business has ‘reasonable’ security procedures implemented, including policies and other DLP solutions. While cybersecurity ROI is notoriously hard to measure, it’ll no doubt pale in comparison to the cost of a breach.
A couple of things need to happen before a Californian consumer can pursue this private right of action, including:
The GDPR, somewhat similar to the CCPA, is vague when it comes to cybersecurity.
It makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.
This means that companies controlling or processing EU personal data should have implemented comprehensive internal policies and procedures to be in compliance with the GDPR. This likely makes them CCPA-ready, but IT leaders should still review their security programs.
The most important thing to know is that businesses affected by the CCPA will now be responsible for not only knowing what data they hold, but also how it’s controlled. In order to ensure compliance, the first step should be revisiting your cybersecurity program.
And, while it may be surprising to some, cybercriminals actually aren’t your biggest threat when it comes to data loss. It’s actually your own employees. After all, it’s your people who control all of the data within your organization.
But, you can empower them to work securely and prevent data loss with Tessian.
To err is human which means your employees may make mistakes that could lead to a potential breach under CCPA.
Traditionally legacy technology has leveraged hardware and software focused on the machine layer to fight cybersecurity risks. This, of course, doesn’t address the biggest problem, though: The Human Element.
Tessian leverages intelligent machine learning to secure the Human Layer in order to understand human relationships and communication patterns. Once Tessian knows what “normal” looks like, Tessian can automatically predict and prevent dangerous activity, including accidental data loss and data exfiltration.
People shouldn’t have to be security experts to do their job. Taking advantage of Tessian solutions can help your organization mitigate your employee’s mistakes and keep them productive which is a key component of a robust security program.