What does the California Consumer Privacy Act (CCPA) mean for Privacy in the US?
Enterprise companies with customer applications on hybrid infrastructures will need to update their data governance capabilities to comply with increasingly stringent privacy laws.
One example impacting companies is the recent California Consumer Privacy Act (CCPA), which includes a broad and sweeping definition of customer personal information (PI). Enterprises must continue to strengthen their privacy and data protection capabilities in response to the CCPA and other privacy regulations.
The California State Assembly passed the CCPA to protect California residents’ personal information and undoubtedly, other states will follow suit. In addition, support for a national law that addresses privacy issues has grown. The CCPA has been compared to the European Union’s General Data Protection Regulation (GDPR). California’s lead along with the signals from other states and national legislation are paving the way for more US GDPR-type laws.
The California Privacy Act significantly impacts the management of consumer data and the potential penalties for exposure of private information related to the citizens of California.
In a summary of the act, “personal information” is broadly defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (NJ Law Journal) A more detailed definition of personal information according to the CCPA is included at the end of this article.
Companies must provide information to consumers about the personal information that is collected, how that information is used, and how they can opt out. Companies must also delete personal information when requested, including information that may have been shared with third-party contractors. If a company is in violation of the CCPA, consumers can file individual or class action lawsuits, and can recover between $100 and $750 in statutory damages per incident, or actual damages. Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. The fines are based on customer records, which makes for a significantly higher financial impact than previous regulations. The scope of impact and the tight deadlines for the CCPA have security leaders concerned.
HOW WILL CCPA IMPACT YOUR COMPANY?
In a recent survey conducted by PwC, companies across the country say they collect personal information on California’s 39.5 million residents. These companies need to review and update their data governance programs to align with the CCPA. “Multinationals that completed the painful GDPR drill earlier this year are trying to do two things better with CCPA: getting an earlier jump on translating legal requirements into technical specifications and adopting a global approach to privacy capabilities.”
There are a number of questions companies need to address regarding the privacy of their California customers, such as: “Should we focus on protecting CA residents’ information or design a program to cover all of our customer data?” “Can we find and delete the appropriate personal data if a customer makes the request?” “How do we delete personal information but remain in compliance with other regulations that require retention of data such as tax and financial information?” or “Do we have a strategy for uniform pricing and servicing of our company’s products even if we do not have personal information on the customer (e.g., the customer requested their personal data to be deleted)?” In other words, if the customer requests their personal data to be deleted, can you still provide appropriate product pricing information to them?
HYBRID PATHWAYS ADVICE TO PREPARE FOR CCPA AND OTHER PRIVACY LAWS
Hybrid Pathways Advice: Identify where all personal information resides within your company.
This may sound easy, but information systems for the past 20-30 years were not designed to track customers individually. “Companies have experienced decades of “silo-based,” application-centric development, in which each system maintained its own version of data and process rules to suit local performance needs.” (Gartner) As technologies and expectations evolved, customer information sprawled throughout the organization. Customer data is both structured and unstructured, and some components of customer records must be retained according to record retention laws. Many companies also share their customer data with third party vendors. In eighteen short months, when a CA resident requests removal of their personal information, your company will need to be able to locate and expunge all personally identifiable information throughout your organization and extended partners.
Hybrid Pathways Advice: Evaluate tools to help manage data.
Enterprise hybrid-cloud infrastructures frequently offer access to native tools that can help track, classify and manage data. However, since many companies utilize multiple cloud platforms, these native tools are often only valuable as short-term solutions. Microsoft Azure Information Protection can be used to classify and protect documents and emails, and can be used outside of the Microsoft ecosystem. Amazon Macie can discover, classify and, to a limited extent, protect objects within the AWS S3 storage platform. Google offers extensive data tagging capability but currently lacks maturity in centralized detection and classification. See further below for specific recommendations from Hybrid Pathways Security experts.
Going forward, companies will require a solution that can manage customer data across multiple hybrid platforms and very often mainframe systems. Third-party tools like Collibra and Informatica can support data governance programs in getting a handle on the data in your databases. To help get a handle on unstructured data or find sensitive data outside of your databases, tools like Veritas Data Insight or Varonis can help with data sensitivity classification.
According to Gartner, “By 2020, most data and analytics use cases will require connecting to distributed data sources, leading enterprises to double their investments in metadata management.” The following Gartner Magic Quadrant illustrates some metadata management tools in use today. Note that an effort to implement metadata management and data governance is a 3-5-year journey for enterprises.
Hybrid Pathways Advice: Continue to improve overall data management.
There are several data management maturity models from Gartner, IBM, Stanford and others that provide frameworks to help companies assess and progress in maturity. Companies need to consider the impacts of people, process, infrastructure, metrics, and strategy as well as data governance. The journey for improving data management is an ongoing commitment that is continually evolving based on factors such as technology options, customer expectations, and legislation. It will be important to understand where your company falls in data management maturity overall and how to progress.
Hybrid Pathways Advice: Continue to improve overall information security capabilities.
The CCPA penalties for breach of private information are steep. The basics of protecting your data, which includes personally identifiable data, have not changed. Beyond identifying and classifying data as discussed above, do the fundamentals of blocking and tackling well:
Move to stronger access management controls in the form of encryption for personal information data at rest and data in transit.
Ensure logical access controls are in place and re-certify the access to that data on an annual basis.
Maintain regular penetration testing and good preventative controls.
Ensure a good incident response program is in place and plan to conduct exercises to test those capabilities. A great exercise will be testing the response to losing CA resident data. On a side note, another good exercise is to simulate a CA resident’s personal information deletion request.
Hybrid Pathways Specific Recommendations to Improve Data Security
Your company may have tools in place already that can be used to improve data security. If you are using the platforms below, here are a few specific recommendations to enhance your security efforts:
For hybrid Office 365 deployments, utilize Azure Information Protection to classify and protect sensitive data, and leverage tools like Office 365 Data Loss Prevention (DLP) and Microsoft Cloud App Security for visibility and control over that data and its movement within as well as outside of your environment.
Protect Azure blob storage with Azure Storage Service Encryption, which is enabled by default with Microsoft-managed keys. For additional control, leverage customer-managed keys and store them in Azure Key Vault.
Enable default encryption for AWS S3 buckets and leverage either KMS-managed or customer-provided encryption keys.
Leverage Amazon Macie for machine learning to automatically discover, classify and protect sensitive data in AWS S3 buckets.
Google Cloud Platform
Google Cloud Storage is encrypted by default with Google-managed keys. For additional control, leverage customer-supplied keys and store them in Google Cloud Key Management Service.
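To make the AWS S3 recommendation above checkable, here is an added example (not from the original article) that classifies each bucket's default-encryption setting and flags buckets holding personal information that fall short. The bucket names, the key ARN, the list of PI buckets and the rule that PI buckets need KMS are assumptions; the input is constructed data shaped like the S3 GetBucketEncryption response, so it runs offline.

```python
import json

# Constructed sample shaped like S3 GetBucketEncryption responses, keyed by a
# made-up bucket name. null stands for a bucket where the call returned
# ServerSideEncryptionConfigurationNotFoundError. The key ARN is a placeholder.
SAMPLE = json.loads("""
{
  "crm-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
      {"ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"},
       "BucketKeyEnabled": true}]}},
  "marketing-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
      {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
  "analytics-scratch": {"ServerSideEncryptionConfiguration": {"Rules": [
      {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
  "legacy-archive": null
}
""")

def classify(response):
    """Return 'none', 'sse-s3', 'kms-default-key' or 'kms-named-key'."""
    if not response:
        return "none"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algo = default.get("SSEAlgorithm")
        if algo in ("aws:kms", "aws:kms:dsse"):
            # Without a key id, S3 uses the AWS managed key (aws/s3).
            return "kms-named-key" if default.get("KMSMasterKeyID") else "kms-default-key"
        if algo == "AES256":
            return "sse-s3"
    return "none"

def audit(buckets, pi_buckets):
    """Flag PI buckets whose default encryption is not KMS (assumed policy)."""
    findings = {}
    for name in sorted(buckets):
        status = classify(buckets[name])
        if name in pi_buckets and not status.startswith("kms"):
            findings[name] = status
    return findings

if __name__ == "__main__":
    pi = {"crm-exports", "marketing-uploads", "legacy-archive"}  # assumed inventory
    for bucket, status in audit(SAMPLE, pi).items():
        print(f"{bucket}: default encryption = {status}")
```

The list of PI buckets has to come from the data inventory described earlier in the article; a bucket that is not in that inventory is never flagged here.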
HOW ARE YOU PREPARING FOR NEW PRIVACY LAWS?
Many companies manage personal information of California residents. In addition to the CCPA, other US states including Vermont, Ohio, and Colorado have already passed more stringent data privacy and security regulations. Additional national laws pertaining to breach notification and encryption standards were introduced in 2018. Given the effort to update data governance to meet CCPA requirements and the potential for a federal GDPR-type law in the US, it makes sense to extend privacy updates to all customer data. Companies have a limited time to make these updates and should consider planning for more comprehensive controls in order to limit rework and get ahead of consumer expectations.
A Detailed Definition of Personal Information According to CCPA
Personal Information includes:
Identifiers such as a real name, postal address, unique personal identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers
Characteristics protected under CA or federal law (e.g., disability, etc.)
Information included in the CA breach statute: first and last name in combination with any of the following data elements: social security number, driver’s license number, account number, credit or debit card number in combination with any required security code, access code, or password that would permit access into an individual’s financial account, medical information, health insurance information, a user name or email address in combination with a password or security question and answer that would permit access to an online account (here medical information means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional and health insurance information means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history).
Commercial information such as records of personal property, products or services purchased, obtained or considered
Internet or other network activity
Professional/employment related information