What is the California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA) is a privacy act that becomes effective at the beginning of 2020.
The act aims to help California residents to regain control over their personal data, giving them the rights to:
- Know what data a business collected on them
- Right to object to the sale of their personal data
- Right to sue companies who collected their data without their consent, or companies who allowed their personal data to be stolen
- Right to delete the data shared with the company
- Right not to be discriminated against if they requested not to sell their personal information.
- Right to be informed on the categories of data collected
- Mandatory opt-in before sale of children’s information
- Right to know the categories of third parties with whom their data is shared
- Right to know the categories of sources of information from whom their data was acquired.
- Right to know the business or commercial purpose of collecting their information.
The three major goals that the California Consumer Privacy Act will strive to accomplish are:
- Ensuring that the California residents have the right to know what information large corporations are collecting about them
- Ensuring the businesses will conform to the consumer preferences not to share or sell their personal information
- Ensuring California residents will have the right to protections against businesses which do not uphold the value of their privacy
Who is bounded to comply with CCPA
Unlike GDPR, not every company that processes personal data of California-based residents is bounded to comply with the act. The scope of this act covers organizations that meet one or more of the following thresholds:
- Have annual gross revenue in excess of US$25 million
- Possess the personal information of 50,000 or more consumers, households, or devices
- Earn more than half of their annual revenue from selling consumers’ personal information
This scope, however, does not underestimate the efforts of the act to significantly improve the control over personal data leaks and increase the information security quality.
Some of the top companies based in the Silicon Valley buy and sell personal data quietly for decades. The Cambridge Analytica scandal is just the tip of the iceberg. It is about time a new analytics company to pop up on the daily newspapers covers.
The CCPA Penalties
The CCPA penalties announced are insignificant compared to the actual brand damage every such scandal is capable of. A fine up to US$7,500 for each intentional violation and US$2,500 for unintentional violations doesn’t sound threateningly to the big fish. The reputational loss, however, might cost billions to companies that allow such black hat practices. And having CCPA in place means that the state will have their budget planned for investigation of personal data breaches, therefore the risk of data breach event being discovered is constantly arising.
Technical Safeguards for CCPA
Having a cybersecurity plan for improving data breach prevention can be a life savior for a company. But even if the organization has taken the best anti-malware and anti-data leakage measures the situation of an employee stealing and selling arrays of personal data still remains on the agenda.
Therefore, every organization needs to revise the technical measures taken to prevent an internal and external data breach, as well as to make sure that there are certain processes and procedures in place covering the action plan in case of such data breach-related events.
The following table is a summary of the effective personal data breach safeguards covering the most common personal data attacks:
Personal Data Breach Safeguards
| Internal attacks | External attacks | ||
| Unmodifiable audit trail | Make sure that every action log is securely kept and can be tracked back | Encrypt Data | Supporting multilevel database encryption in terms of personal data storing |
| Fraud and anomaly detection | Data leaks wouldn’t normally happen in your employees’ everyday work routine. They will wait when their co-workers are not around. Looking for an anomal activity outside the work hours, or within the lunch break might be the key to achieving a better cybersecurity level of quality. | Keep it on the cloud | Cloud-based solutions allow updated, future-proof safeguards which help organizations outsource IT security risks from data breach and makes account preferences such as granted tailored account access to certain data types more manageable |
| Limited access per account | Account access should be limited only to the directories relevant to the user | Confidentiality | Make data available only to those who need access to it |
| Multi-level data storage encryption | Encrypt HDDs and databases in order to make sure data cannot be breached | Ensure data integrity | Data integrity ensures the information is accurate, valid, and reliable |
| Availability | Information, resources, and services are available when needed | ||
| Accountability | Each (trans)action can be attributed to an accountable individual | ||
| Provenance | The origin and history of each piece of information (or each data item) are known and well defined | ||
When it comes to internal data breach events, we should admit that it’s not that simple to cover all security gaps – many company policies allow access to sensitive data from home, others do not limit Internet access at the office. Such strategic decisions, however, are very often an opportunity for a data breach.
To specify the most common data breach events caused by insiders, we have separated them into different groups according to the channel of transfer affected:
10 most common ways to commit data breach and the most common preventive measures | |
| 1. Bulk data export |
|
| |
| |
| 2. Sending attached files via e-mail |
|
| |
| |
| 3. Sharing files containing personal data (.xls, .csv, .rar) on the cloud |
|
| |
| 4. USB data transfers |
|
| |
| 5. Bluetooth data transfers |
|
| |
| 6. LAN / Wireless transfers |
|
| |
| 7. Sharing directories with home PCs |
|
| |
| 8. Access to mobile devices |
|
| |
| 9. Office facilities left unlocked |
|
| |
| |
| 10. Sharing passwords with other team members, using a shared account, etc |
|
| |
| |
| |
Conclusion
CCPA is an important privacy act which is just the beginning of the privacy-related reforms impacting the United States. Even if the Act does not concern every single organization that keeps PII, it is raising awareness across the citizens about how valuable their personal data is, and how important it is to keep it safe. The penalties are not considerable compared to the gross profit of the companies impacted, however, the company reputation is a far more valuable asset nowadays. These factors put together lead to the conclusion that simple measures like the ones covered in this article may lead to positive effects in the long run. The dynamic market allows organizations to take strategic cyber-security decisions in a timely manner, cutting costs from in-house IT development. There is no need to reinvent the wheel since the cybersecurity market is saturated with easy to integrate and at the same time cost-effective solutions.
This is the use case of LogSentinel – we provide a cost-effective cybersecurity solution that is easy to integrate and can provide scalable results from day one, covering the most vulnerable areas of every organization.
To find out more about how LogSentinel can secure your business, request a free demo today:
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills into her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.
