Fri, Jun 14, 2019

CCPA Cyber Security - Building the Foundation to Compliance

In 2018, the State of California passed one of the most sweeping privacy and data laws to date called the California Consumer Privacy Act (CCPA). Once this law takes effect on January 1 2020, all-for-profit businesses that fit the following criteria will have to comply with CCPA:

  • Have over $25 million in revenue annually; or
  • Purchase, sell or share over 50,000 records as part of their business (defined as information linked to “consumers, households or devices”); or
  • Have as their primary business the sale of personally identifiable information (PII); and
  • Do business in California, even if they are not based in California and have no physical presence there.

While there are certain exclusions for businesses that already hold regulated data (such as healthcare providers), an enormous number of enterprises who do business in California will be impacted. Complying with CCPA requires an organization to think carefully about how it handles consumer data. Most of the nearly 10,000 words of this law are dedicated to the rights of California citizens, how enterprises should interact with them regarding their data, and how this data will be used.  

Exponential Fines Ahead 

Failure to follow this statute is subject to a fine of up to $7,500 per violation. Furthermore, the act requires organizations to protect the data they have been entrusted with. Specifically, it states that:

"Any consumer whose non-encrypted or non-redacted personal information […] is subject to an unauthorized access and exfiltration, theft or disclosure, as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information, may institute a civil action" 

This civil action could result in damages ranging from $100 to $750 per consumer record, per incident – a number that can add up very quickly. While the law does not specifically define “reasonable security,” the California Attorney General did release a report in 2016 entitled California Data Breach Report that provides some guidance on the subject. This report recommended that organizations consider the NIST (800-53 or CSF) or ISO 27001 standards and use the CIS Controls as prioritized guidance. Specifically, as it relates to the CIS Controls, it states that:

"The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet."

While the report from the Office of the Attorney General is not a legal opinion, it does provide some good guidance and resources for organizations to consider.

Responding to the CCPA  

First, you will need to understand your level of exposure to the new law before it takes effect on January 1. This is best done with the aid of outside counsel specializing in data security and privacy, who may work with technical experts to present a complete picture. Your review should cover not only the specific qualification criteria for being covered by the CCPA, but also a thorough review of your consumer data and privacy practices. This review should include determining what types of data you collect, how much data you have and where it resides within your enterprise, whether you track the origin of collected data, how long you retain consumer data, and your ability to comply with retention or deletion requests.

Furthermore, you will need to look at your cyber security posture through the lens of this legislation and recommendations provided by the California Attorney General. While there is still much to be discussed with regards to what is reasonable security, looking at the NIST CSF, ISO 27001, and CIS controls are a great place to start.  

CCPA Exemptions 

In the video below you can hear Jonathan Fairtlough, Managing Director of the Cyber Risk practice at Kroll, along with his colleagues discuss the potential pitfalls of the CCPA. They cover how the financial services entities regulated under the Gramm-Leach-Bliley Act (GLBA) and healthcare entities regulated under the Health Insurance Portability and Accountability Act (HIPAA) may be exempt from the provisions and requirements of the CCPA, but for most organizations the coverage provided by the CCPA exemptions is not complete, and concrete steps will be required to ensure compliance. 

As your organization grows, the challenges of maintaining a good cyber security posture grows as well. Just as you turn to outside counsel regarding your legal exposure, the same needs to be considered for your cyber security posture. Additionally, the California Data Breach Report points to the challenges of securing vendors who may have access to protected data as well.  This challenge, which increases exponentially for each vendor you work with, requires a certain level of expertise beyond what many internal IT departments can handle. Knowing your partners’ cyber security posture is no longer a luxury, but a necessity. As other states consider passing laws like California’s and/or adopt similar language, the likelihood that your organization needs to act increases.

If understanding your legal exposure, your cyber security posture, or the posture of your vendors is something that you want to act on today, please let us know. Data Protection Officer consultancy services offered by Kroll combine elite data privacy law firms, cyber security experts, and the CyberClarity360 platform to help you understand your risks as well as those posed by your third parties. Turn to the experts to accelerate your organization on the path to best practice.


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.

Optimized Third-Party Cyber Risk Management Programs

Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.