[BreachExchange] The Next Wave of Data Regulations: How Businesses Can Navigate the California Consumer Privacy Act of 2018

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 1 20:20:12 EDT 2018


The California Consumer Privacy Act of 2018 (CCPA) will take effect on
January 1, 2020, and much like the European Union’s (EU’s) General Data
Protection Regulation (GDPR) scramble earlier this year, organizations have
a lot to do in preparation – or risk paying the price.

For each data breach under the CCPA, an eligible customer can demand up to
$750. For each violation of a CCPA provision, an eligible customer in a
class action can obtain up to $7,500 if the CA Attorney General declines to
prosecute and the business does not address its violations within 30 days.
Imagine you’re a company with 1,000 customers and your customers sue you
for data security breaches totaling $750,000. The following week, your
organization would face a class action lawsuit for privacy violations
totaling $7,500,000.

For some companies that are small enough or do not deal with CA residents,
the CCPA may not apply. But for more than half a million companies that
will be affected, it’s time to get serious about compliance. But that’s
easier said than done. If Capgemini’s recent GDPR Readiness Report is any
indication, most companies will fall into the 85 percent that did not fully
meet the GDPR’s compliance requirements on time.

Customers care about data protection too. According to a recent RSA survey,
69 percent of respondents said they would boycott a company with poor data
protection. In fact, research from Harvard found that after a data breach,
companies with poor data protection practices suffered a 1.5x larger drop
in stock price than firms with better practices. Safeguarding your
consumer’s trust through responsible data practices should be a business

While organizations can build on their GDPR efforts to be in accordance
with new CCPA rules, meeting GDPR laws alone does not mean an organization
is CCPA compliant. For organizations just getting started, this article
will explore the key aspects of the CCPA laws and the tools companies can
use to prepare.

Broader Definition of Personal Information

One of the key differences between GDPR and CCPA is that CCPA has a broader
definition of personal data, linking the definition to data that could
identify not only consumers, but also households. As a result, IP addresses
and cookies could be personal data, as well as profiles of people built from
combinations of personal and non-personal data.

When new regulations like CCPA come into existence, ensuring compliance
across various datasets becomes a multi-year effort across legal and IT
departments. Think: endless meetings between governance and technical
personnel and thousands or millions of dollars of IT spend. Existing
database policies are written in complex code and require a slew of data
technicians to implement. For each database, technicians have to tag data
as personal data, for instance. Imagine having to propagate these changes
across every dataset and database in your entire company.

Rather than having to write code to filter or mask data to protect personal
information (PI), plain-English options such as a policy engine can help
non-technical employees, such as lawyers or compliance officers, govern data
easily. So, instead of writing Python code, your data governors, for
instance, can tag data – like IP addresses – as personal data. For example,
they can choose easy-to-understand drop-down options that mask data columns
involving personal details that are not relevant to them. Tools like this
increase your company’s ability to navigate data regulations quickly, saving
time and money.

Furthermore, global policies on unified data layers can help companies
enforce policies across all their data easily. Data unification creates a
virtual data layer for all data, so data users or governors only have to
log onto and create policies on the data layer. No longer do they have to
waste time going into each database manually. These tools propagate
policies across all your databases that match certain rules. As a result,
your technicians no longer have to waste time programming each dataset.

CCPA Consumer Rights

Much like GDPR, the CCPA provides key rights to CA consumers to access,
erase and opt-out of data collection and processing. Below are some of the
specifics under the new regulations:

The Right to Information and Access: Companies must proactively disclose
access rights and the categories of PI, their purposes (and be notified if
companies diverge from that purpose), and categories of third-party buyers
for the prior 12 months. Consumers can also request this data for the
preceding 12 months. This must include communication channels for these
requests, including a toll-free number and online form.

The Right to Portability: This enables businesses to receive PI that is
structured and machine-readable to transmit to other companies.

The Right to Erasure: Businesses must delete PI once they receive the
request to do so, unless the data falls under an assortment of conditions,
such as data security, repairing errors and compliance.

The Right to Opt-Out of Processing: Consumers can opt out from the sale or
processing of PI. In their privacy policies and homepages, businesses must
disclose the right to opt out and provide communication channels such as an
online form and toll-free number, specifically stating “Do not sell my
personal information.”

The Right to Equal Service: Consumers who exercise their privacy rights
will get the same level of service and prices as those that do not, unless
the difference is reasonably related to the value provided by the PI.
Companies can also offer financial incentives to consumers for the sale and
collection of their PI.

Minors: Businesses that sell the data of CA residents under 16 years of age
must get affirmative consent.

Unfortunately, it’s often challenging for businesses to meet these customer
requests for data. Due to hundreds and sometimes thousands of different
databases, organizations often don’t have a single view of their customers,
especially because different departments are collecting customer data
separately. Further compounding delays in meeting data subject requests is
the manual process it takes to access each database. As it relates to CCPA,
if you can’t easily access all customer data, you may not even be sure
you’re giving customers all of their relevant data or know which customers
are CA residents or minors – let alone meet the 45-day deadline to return
data requests.

Data unification is vital to helping companies obtain all existing customer
data easily. By using queries of names and emails, for instance, companies
can find and join all relevant datasets for governors to review before
giving customers access to the data or deleting it. They no longer have to
recreate the wheel to discover which databases have relevant customer

Controlling Access to Third-Parties and Other Users

Businesses that sell PI to third-parties must enter into written agreements
with that party, promising to only use the data for the purpose of the
contract. A third-party that seeks to resell PI must give the original
consumer explicit notice and an opportunity to opt-out of that resale.

Since different databases have varying policies around who can access this
data, it’s highly possible that users and third-parties – like Cambridge
Analytica did – are violating the resale or purpose restrictions of those
databases. Manual systems based on Excel or paper policies make it
difficult to document and audit data user behavior, exposing your business
to additional risk.

To help mitigate these risks, the aforementioned policy engine can help
ensure that only authorized users access the correct data. Based on a
user’s attributes, such as their department or office location, data
personalization capabilities ensure only the right users get access to the
right data. With regards to the CCPA, policy rules can ensure that third
parties only access data that consumers have consented to share.
Additionally, purpose-based restrictions, as the name implies, restrict
data access based on purpose, which can further assist with transparency
and accountability, especially when dealing with highly sensitive data.

Another solution is to look at data on a single layer – with insight into
all queries and data – enabling companies to document and monitor high-risk
activity. This eliminates the need for data governors to pore through
uncustomized database logs created for debugging across multiple databases,
allowing them to stay on top of high-risk data processing activities. By
accessing and processing data on the data layer, local copies can become a
thing of the past. Self-service tools — like Tableau or Looker — allow data
users to immediately query data and analyze it directly on the virtual data
layer, posing fewer security and legal risks. With tight control over data
access, data has clear provenance, and governors won’t worry whether local
datasets adhere to their original security, purge and audit requirements.
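The three mechanisms the article describes (tagging columns as personal or household data and masking them, attribute- and purpose-based access rules, and an audit trail of every query on the data layer) fit together in a small policy engine. The following Python is an added example written for this page, not code from the article or from any vendor's product; the tag names, purposes, departments, consent fields and sample rows are all constructed assumptions. It also applies the row-level opt-out and under-16 consent rules from the consumer-rights section, so a single query path covers both the column-masking and the third-party-sharing passages.

```python
"""Illustrative attribute- and purpose-based policy engine for PI governance.
Added example, not code from the article or any vendor product; every policy,
attribute and sample row below is constructed for the demonstration."""
from dataclasses import dataclass

# Column tags a governor picks from a drop-down instead of writing filter
# code. "personal" marks consumer PI; "household" marks household-level data,
# which CCPA's broader definition also treats as personal information.
COLUMN_TAGS = {
    "customer_id": "identifier", "name": "personal", "email": "personal",
    "ip_address": "personal", "postal_address": "household", "order_total": "none",
}
# Purpose-based restriction: tag categories each purpose may see unmasked.
PURPOSE_ALLOWS = {
    "fraud_prevention": {"identifier", "personal", "household", "none"},
    "analytics": {"identifier", "none"},
    "third_party_sale": {"identifier", "personal", "household", "none"},
}
# Attribute-based restriction: departments permitted to query for each purpose.
PURPOSE_DEPARTMENTS = {
    "fraud_prevention": {"security"},
    "analytics": {"security", "marketing", "partnerships"},
    "third_party_sale": {"partnerships"},
}
MASK = "[masked]"


@dataclass(frozen=True)
class User:
    name: str
    department: str


@dataclass(frozen=True)
class AuditEntry:
    user: str
    purpose: str
    decision: str          # "allowed" or "denied"
    rows_returned: int
    rows_withheld: int     # rows dropped by opt-out / consent rules
    masked_columns: tuple  # columns redacted for this purpose


def shareable_for_sale(row: dict) -> bool:
    """Row-level consent rules for a sale: honour opt-out, and require
    affirmative consent before selling data about anyone under 16."""
    if row["opted_out_of_sale"]:
        return False
    return row["age"] >= 16 or row["affirmative_consent"]


def query(user: User, purpose: str, rows: list, audit_log: list) -> list:
    """Apply attribute, purpose and consent rules, record an audit entry,
    and return the governed result set (masked and filtered copies)."""
    if purpose not in PURPOSE_ALLOWS:
        raise ValueError(f"unknown purpose: {purpose}")
    if user.department not in PURPOSE_DEPARTMENTS[purpose]:
        audit_log.append(AuditEntry(user.name, purpose, "denied", 0, len(rows), ()))
        raise PermissionError(f"{user.department} may not query for {purpose}")
    allowed = PURPOSE_ALLOWS[purpose]
    masked = tuple(c for c, tag in COLUMN_TAGS.items() if tag not in allowed)
    # Row filtering applies only when data leaves the company as a sale.
    kept = [r for r in rows if purpose != "third_party_sale" or shareable_for_sale(r)]
    result = [{c: (MASK if c in masked else r[c]) for c in COLUMN_TAGS} for r in kept]
    audit_log.append(AuditEntry(user.name, purpose, "allowed", len(result),
                                len(rows) - len(result), masked))
    return result


# Constructed sample rows (not real customers); the trailing consent fields
# drive the row-level rules and are never part of a query result.
SAMPLE_ROWS = [
    {"customer_id": 1, "name": "A. Example", "email": "a@example.com",
     "ip_address": "192.0.2.10", "postal_address": "1 Main St, Sacramento CA",
     "order_total": 120.0, "age": 34, "opted_out_of_sale": False, "affirmative_consent": False},
    {"customer_id": 2, "name": "B. Example", "email": "b@example.com",
     "ip_address": "192.0.2.11", "postal_address": "2 Main St, Fresno CA",
     "order_total": 45.5, "age": 41, "opted_out_of_sale": True, "affirmative_consent": False},
    {"customer_id": 3, "name": "C. Example", "email": "c@example.com",
     "ip_address": "192.0.2.12", "postal_address": "3 Main St, San Jose CA",
     "order_total": 9.99, "age": 15, "opted_out_of_sale": False, "affirmative_consent": False},
]


def demo() -> dict:
    """Run three representative queries and return what each one yielded."""
    audit = []
    analyst, partner = User("dana", "marketing"), User("lee", "partnerships")
    analytics_rows = query(analyst, "analytics", SAMPLE_ROWS, audit)
    sale_rows = query(partner, "third_party_sale", SAMPLE_ROWS, audit)
    try:
        query(analyst, "fraud_prevention", SAMPLE_ROWS, audit)
        denied = False
    except PermissionError:
        denied = True
    return {"analytics": analytics_rows, "sale": sale_rows, "denied": denied, "audit": audit}
```

Running `demo()` shows the three behaviours side by side: the marketing analyst gets all three rows with name, email, IP address and postal address masked; the partnerships user querying for a sale sees unmasked PI but only the one customer who neither opted out nor is an unconsented minor; and the analyst's fraud-prevention query is refused on department alone. Every outcome, including the refusal, lands in the audit list, which is the single place a governor would review instead of per-database debug logs.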

While the prospect of lawsuits related to new data policies and laws can be
daunting for enterprises, the silver lining of data regulations like the
CCPA is that it forces enterprises to take responsibility for how they
access and use data – ensuring data is used ethically and with consumer
consent. Although complying with new regulations is no easy feat, data
governance tools and policies can help usher in a new wave of accurate,
accessible and more secure data processing. Use these laws and tools as an
opportunity to solidify your consumer’s trust and ensure your big data
programs become assets, not liabilities.