What is California Consumer Privacy Act (CCPA)

California Consumer Privacy Act (CCPA) is a privacy act which becomes effective at the beginning of 2020.

The act aims to help California residents to regain control over their personal data, giving them the rights to:

1. Know what data a business collected on them
2. Right to object to the sale of their personal data
3. Right to sue companies who collected their data without their consent, or companies who allowed their personal data to be stolen
4. Right to delete the data shared with the company
5. Right not to be discriminated against if they requested not to sell their personal information.
6. Right to be informed on the categories of data collected
7. Mandatory opt-in before sale of children’s information
8. Right to know the categories of third parties with whom their data is shared
9. Right to know the categories of sources of information from whom their data was acquired.
10. Right to know the business or commercial purpose of collecting their information.

The three major goals that the California Consumer Privacy Act will strive to accomplish are:

• Ensuring that the California residents have the right to know what information large corporations are collecting about them
• Ensuring the businesses will conform to the consumer preferences not to share or sell their personal information
• Ensuring California residents will have the right to protections against businesses which do not uphold the value of their privacy

Who is bounded to comply with CCPA

Unlike GDPR, not every company that processes personal data of California-based residents is bounded to comply with the act. The scope of this act covers organizations that meet one or more of the following thresholds:

• Have annual gross revenue in excess of US$25 million
• Possess the personal information of 50,000 or more consumers, households, or devices
• Earn more than half of their annual revenue from selling consumers’ personal information

This scope, however, does not underestimate the efforts of the act to significantly improve the control over personal data leaks and increase the information security quality.

Some of the top companies based in the Silicon Valley buy and sell personal data quietly for decades. The Cambridge Analytica scandal is just the tip of the iceberg. It is about time a new analytics company to pop up on the daily newspapers covers.

The CCPA Penalties

The CCPA penalties announced are insignificant compared to the actual brand damage every such scandal is capable of. A fine up to US$7,500 for each intentional violation and US$2,500 for unintentional violations doesn’t sound threateningly to the big fish. The reputational loss, however, might cost billions to companies that allow such black hat practices. And having CCPA in place means that the state will have their budget planned for investigation of personal data breaches, therefore the risk of data breach event being discovered is constantly arising.

Technical Safeguards for CCPA

Having a cybersecurity plan for improving data breach prevention can be a life savior for a company. But even if the organization has taken the best anti-malware and anti-data leakage measures the situation of an employee stealing and selling arrays of personal data still remains on the agenda.

Therefore, every organization needs to revise the technical measures taken to prevent an internal and external data breach, as well as to make sure that there are certain processes and procedures in place covering the action plan in case of such data breach-related events.

The following table is a summary of the effective personal data breach safeguards covering the most common personal data attacks:

 

Personal Data Breach Safeguards
Internal attacks		External attacks
Unmodifiable audit trail	Make sure that every action log is securely kept and can be tracked back	Encrypt Data	Supporting multilevel database encryption in terms of personal data storing
Fraud and anomaly detection	Data leaks wouldn’t normally happen in your employees’ everyday work routine. They will wait when their co-workers are not around. Looking for an anomal activity outside the work hours, or within the lunch break might be the key to achieving a better cybersecurity level of quality.	Keep it on the cloud	Cloud-based solutions allow updated, future-proof safeguards which help organizations outsource IT security  risks from data breach and makes account preferences such as granted tailored account access to certain data types more manageable
Limited access per account	Account access should be limited only to the directories relevant to the user	Confidentiality	Make data available only to those who need access to it
Multi-level data storage encryption	Encrypt HDDs and databases in order to make sure data cannot be breached	Ensure data integrity	Data integrity ensures the information is accurate, valid, and reliable
		Availability	Information, resources, and services are available when needed
		Accountability	Each (trans)action can be attributed to an accountable individual
		Provenance	The origin and history of each piece of information (or each data item) are known and well defined

When it comes to internal data breach events, we should admit that it’s not that simple to cover all security gaps – many company policies allow access to sensitive data from home, others do not limit Internet access at the office. Such strategic decisions, however, are very often an opportunity for a data breach.  

To specify the most common data breach events caused by insiders, we have separated them into different groups according to the channel of transfer affected:

10 most common ways to commit data breach and the most common preventive measures
1. Bulk data export	Setting up anomaly detection alerts
	Data access limitations
	Setting up access logs
2. Sending attached files via e-mail	File / size attachment limitations
	Setting up alerts for anomaly detection of file transfers via email
	Keeping event logs on email deletion/sending
3. Sharing files containing personal data (.xls, .csv, rar) on the cloud	Limited access to cloud storages and websites
	Limited installation rights
4. USB data transfers	Limited / forbidden usage of USB slots
	Keeping track with event logs
5. Bluetooth data transfers	Limited / forbidden usage of Bluetooth
	Keeping track with event logs
6. LAN / Wireless transfers	Forbidden LAN / Wireless transmissions
	Keeping logs  of file transfers
7. Sharing directories with home PCs	Limited access to external facilities
	Setting up anomal activity alerts
8. Access to mobile devices	Limited access to external facilities
	Setting up anomal activity alerts
9. Office facilities left unlocked	Revising internal procedures related to locking facilities
	Encrypting all HDDs
	PII containing database encryption
10. Sharing passwords with other team members, using a shared account, etc	Revising internal procedures related to locking facilities
	Encrypting all HDDs
	PII containing database encryption
	Terminating practices concerning the share of one account between more than one users

Conclusion

CCPA is an important privacy act which is just the beginning of the privacy-related reforms impacting the United States. Even if the Act does not concern every single organization that keeps PII, it is raising awareness across the citizens about how valuable their personal data is, and how important it is to keep it safe. The penalties are not considerable compared to the gross profit of the companies impacted, however, the company reputation is a far more valuable asset nowadays. These factors put together lead to the conclusion that simple measures like the ones covered in this article may lead to positive effects in the long run. The dynamic market allows organizations to take strategic cyber-security decisions in a timely manner, cutting costs from in-house IT development. There is no need to reinvent the wheel since the cybersecurity market is saturated with easy to integrate and at the same time cost-effective solutions.

This is the use case of LogSentinel – we provide a cost-effective cybersecurity solution that is easy to integrate and can provide scalable results from day one, covering the most vulnerable areas of every organization.

To find out more about how LogSentinel can secure your business, contact us today.