5 Things Every CISO Should Know About CCPA’s Impact on Their InfoSec Programs

  • 24 April 2020

The California Consumer Privacy Act (or “the CCPA” for short) is California’s new data privacy law that came into effect on January 1, 2020.  

This is the first of its kind in the US, and it’s going to impact your InfoSec program.

 The purpose of this new law from a privacy perspective is to give consumers greater control over their personal information (PI). How? By giving consumers key privacy rights. You may be familiar with some of these rights, including:

  1. The right to know what PI a business is collecting about you 
  2. The right to know what these businesses do with that PI (via a privacy notice)
  3. The right to request access to that data 
  4. The right to have PI deleted 

But, some rights are new, including:

  1. The right to request a business stops “selling” your PI
  2. The right to not be treated differently when making such a request

While it’s essential consumers know their rights, security and compliance leaders need to pay attention, too. After all, failure to comply will result in fines up to $7,500 per violation. 

So, if you’re a CISO, here’s everything you need to know about CCPA.

Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR.

The CPRA creates a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected and for purposes of which the consumer has been informed. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options.

What does this mean for you? Organizations must ensure compliance with the CPPA – integrating the demands of the CPRA – before it takes effect on January 1, 2023.

The CCPA is one of the strictest consumer privacy laws in the US and it’s become the new standard

Unlike Europe, the US doesn’t have a federal consumer privacy law. Instead, the US privacy landscape is made up of a smattering of both state and sectoral laws.

As the CCPA ties enforcement to “California residents”, it may apply to services provided outside of California to Californians. Because it’s virtually impossible to know with absolute certainty who or where your customers are, it can become tricky to determine who you offer CCPA rights to and who you don’t.

The result? Many companies have given CCPA rights to everyone.

“If your business experiences a data breach and a Californian consumer's PI is taken by an unauthorized person, your business could be on the hook for failing to implement reasonable security procedures.”

The CCPA includes an obligation for your infosec program

Indeed, when it comes to security, the CCPA only specifies that a business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” it processes.  

Importantly, though, what those “reasonable” security procedures are and how they differ based on the information involved remains undefined.  

But, what we do know is that if your business experiences a data breach and a Californian consumer’s PI is taken by an unauthorized person, your business could be on the hook for failing to implement reasonable security procedures. In addition to fines, the CCPA grants Californian consumers the right to sue you. This is called a private right of action. 

While there is still much to be determined as to what “reasonable” means, the onus rests on you, as CISO, to review your infosec program and make sure you’re comfortable you’re doing your best to reach this “reasonable” standard. Looking at the NIST (800-53 or CSF), ISO 27001, and CIS controls are a great place to start. 

The bottom line: businesses need to protect their data. Implementing a DLP solution is a necessary step all businesses need to take.

“Prevention is better than cure. Your best chance of avoiding a breach and/or hefty fines afterward is to ensure your business has ‘reasonable’ security procedures implemented, including policies and other DLP solutions.”

If a data breach happens on your watch, you may be held responsible for damages

Statutory damages are new for Californian data privacy law. 

Now, consumers can sue you for a data breach and they don’t have to show harm, meaning we could see a rise in data privacy class actions.  

This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. Because, demonstrating and quantifying damages caused by a data breach can be difficult to show.

With the CCPA, companies are vulnerable to potentially staggering damages in relation to a breach. Of course, this is in addition to revenue loss, damaged reputation, and lost customer trust.

The CCPA allows consumers to seek statutory damages of between $100 and $750 (or actual damages if greater) against a company in the event of a data breach of PI that results from the company’s failure to implement reasonable security procedures. Putting this into context, a data breach affecting the PI of 100 California consumers may result in statutory damages ranging from $10,000 to $75,000, and a data breach affecting the PI of one million California consumers may result in statutory damages ranging from $100 million to $750 million. 

These potential statutory damages dwarf almost every previous large data breach settlement in the US, and have the potential to see higher awards than we’ve seen with GDPR.

It’s worth noting, though, that there is a 30-day cure period in which businesses can in some way remedy a data breach after receiving written notice from the consumer.  But, because the CCPA doesn’t define “cure,” it’s unclear how a business can successfully “cure” data security violations. 

Prevention is better than cure. Your best chance of avoiding a breach and/or hefty fines afterward is to ensure your business has ‘reasonable’ security procedures implemented, including policies and other DLP solutions. While cybersecurity ROI is notoriously hard to measure, it’ll no doubt pale in comparison to the cost of a breach. 

Learn how to communicate cybersecurity ROI to your CEO here.

A successful private right of action by a consumer only applies to certain PI

A couple of things need to happen before a Californian consumer can pursue this private right of action, including:

  1. The right only applies to data that is not encrypted or redacted. In other words, de-identified data or encrypted data is not subject to the private right of action or class action lawsuit.  
  2. The right only applies to limited types of PI – not the expansive definition found in the CCPA. This is a much more limited definition of PI than contemplated by the CCPA and, in practice, the majority of businesses’ data stores will not include this level of sensitive data. 
  3. The right does not apply if there has only been unauthorized access to data. There must also be exfiltration. This means that unsecured access to a cloud storage system on its own will not give rise to the right. There must also have been theft and unauthorized disclosures. For example, by an insider threat or nefarious third-party.  
  4. The harm to the consumer must flow from a violation of the business’s duty to implement reasonable security procedures. It will, therefore, be key for businesses to show a documented assessment of their security procedures in light of CCPA and to ensure a robust security program is in place to protect against data loss.

If you are GDPR compliant, your infosec program is likely compliant

The GDPR, somewhat similar to the CCPA, is vague when it comes to cybersecurity. 

It makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. 

This means that companies controlling or processing EU personal data should have implemented comprehensive internal policies and procedures to be in compliance with the GDPR. This likely makes them CCPA-ready, but IT leaders should still review their security programs.

The most important thing to know is that businesses affected by the CCPA will now be responsible for not only knowing what data they hold, but also how it’s controlled. In order to ensure compliance, the first step should be revisiting your cybersecurity program.

And, while it may be surprising to some, cybercriminals actually aren’t your biggest threat when it comes to data loss. It’s actually your own employees. After all, it’s your people who control all of the data within your organization.

But, you can empower them to work securely and prevent data loss with Tessian.

“While it may be surprising to some, cybercriminals actually aren’t your biggest threat when it comes to data loss. It’s actually your own employees. After all, it’s your people who control all of the data within your organization.”

Prevent data loss with Tessian

To err is human which means your employees may make mistakes that could lead to a potential breach under CCPA. 

Traditionally legacy technology has leveraged hardware and software focused on the machine layer to fight cybersecurity risks. This, of course, doesn’t address the biggest problem, though: The Human Element. 

Tessian leverages intelligent machine learning to secure the Human Layer in order to understand human relationships and communication patterns. Once Tessian knows what “normal” looks like, Tessian can automatically predict and prevent dangerous activity, including accidental data loss and data exfiltration

People shouldn’t have to be security experts to do their job. Taking advantage of Tessian solutions can help your organization mitigate your employee’s mistakes and keep them productive which is a key component of a robust security program.