How will CCPA change the business landscape?

What is California Consumer Privacy Act (CCPA)

California Consumer Privacy Act (CCPA) is a privacy act which becomes effective at the beginning of 2020.

The act aims to help California residents regain control over their personal data, giving them the following rights:

  1. Right to know what data a business has collected on them
  2. Right to object to the sale of their personal data
  3. Right to sue companies that collected their data without their consent, or companies that allowed their personal data to be stolen
  4. Right to delete the data shared with the company
  5. Right not to be discriminated against for requesting that their personal information not be sold
  6. Right to be informed of the categories of data collected
  7. Mandatory opt-in before the sale of children’s information
  8. Right to know the categories of third parties with whom their data is shared
  9. Right to know the categories of sources from which their information was acquired
  10. Right to know the business or commercial purpose of collecting their information

The three major goals that the California Consumer Privacy Act will strive to accomplish are:

  • Ensuring that California residents have the right to know what information large corporations are collecting about them
  • Ensuring that businesses conform to consumers’ preferences not to have their personal information shared or sold
  • Ensuring that California residents have the right to protection against businesses that do not uphold the value of their privacy

Who is bound to comply with CCPA

Unlike GDPR, not every company that processes the personal data of California residents is bound to comply with the act. The scope of the act covers organisations that meet one or more of the following thresholds:

  • Have annual gross revenue in excess of US$25 million
  • Possess the personal information of 50,000 or more consumers, households, or devices
  • Earn more than half of their annual revenue from selling consumers’ personal information

This limited scope, however, does not diminish the act’s effect of significantly improving control over personal data leaks and raising the overall quality of information security.

Some of the top companies based in Silicon Valley have been quietly buying and selling personal data for decades. The Cambridge Analytica scandal is just the tip of the iceberg, and it is only a matter of time before another analytics company appears on the front pages of the daily newspapers.

The CCPA Penalties

The CCPA penalties announced are insignificant compared to the actual brand damage every such scandal is capable of. A fine of up to US$7,500 for each intentional violation and US$2,500 for each unintentional violation does not sound threatening to the big fish. The reputational loss, however, might cost billions to companies that allow such black hat practices. And having CCPA in place means that the state will have a budget planned for the investigation of personal data breaches, so the likelihood of a data breach being discovered keeps rising.

Technical Safeguards for CCPA

Having a cyber security plan for improving data breach prevention can be a lifesaver for a company. But even if the organisation has taken the best anti-malware and anti-data-leakage measures, the scenario of an employee stealing and selling arrays of personal data still remains on the agenda.

Therefore, every organisation needs to revise the technical measures taken to prevent internal and external data breaches, and to make sure that there are processes and procedures in place covering the action plan in case of such data breach related events.

The following table is a summary of the effective personal data breach safeguards covering the most common personal data attacks:

Personal Data Breach Safeguards (against internal and external attacks)

  • Unmodifiable audit trail: make sure that every action log is securely kept and can be traced back
  • Encrypt data: support multilevel database encryption for personal data storage
  • Fraud and anomaly detection: data leaks would not normally happen during an employee’s everyday work routine; an insider will wait until co-workers are not around. Looking for anomalous activity outside working hours, or during the lunch break, can be the key to a higher level of cyber security
  • Keep it on the cloud: cloud-based solutions allow up-to-date, future-proof safeguards that help organisations outsource the IT security risks of a data breach, and make account settings such as tailored access to certain data types more manageable
  • Limited access per account: account access should be limited to the directories relevant to the user
  • Confidentiality: make data available only to those who need access to it
  • Multi-level data storage encryption: encrypt HDDs and databases to make sure the data cannot be read if it is breached
  • Ensure data integrity: data integrity ensures the information is accurate, valid, and reliable
  • Availability: information, resources, and services are available when needed
  • Accountability: each (trans)action can be attributed to an accountable individual
  • Provenance: the origin and history of each piece of information (or each data item) are known and well defined

When it comes to internal data breach events, we should admit that it’s not that simple to cover all security gaps – many company policies allow access to sensitive data from home, and others do not limit Internet access at the office. Such strategic decisions, however, are very often an opportunity for a data breach.

To specify the most common data breach events caused by insiders, we have separated them into different groups according to the channel of transfer affected:

10 most common ways a data breach is committed, and the most common preventive measures

1. Bulk data export

  • Setting up anomaly detection alerts
  • Data access limitations
  • Setting up access logs

2. Sending attached files via e-mail

  • File / size attachment limitations
  • Setting up alerts for anomaly detection of file transfers via email
  • Keeping event logs on email deletion/sending

3. Sharing files containing personal data (.xls, .csv, rar) on the cloud

  • Limited access to cloud storages and websites
  • Limited installation rights

4. USB data transfers

  • Limited / forbidden usage of USB slots
  • Keeping track with event logs

5. Bluetooth data transfers

  • Limited / forbidden usage of Bluetooth
  • Keeping track with event logs

6. LAN / Wireless transfers

  • Forbidden LAN / Wireless transmissions
  • Keeping logs of file transfers

7. Sharing directories with home PCs

  • Limited access to external facilities
  • Setting up anomalous activity alerts

8. Access to mobile devices

  • Limited access to external facilities
  • Setting up anomalous activity alerts

9. Office facilities left unlocked

  • Revising internal procedures related to locking facilities
  • Encrypting all HDDs
  • PII containing database encryption

10. Sharing passwords with other team members, using shared accounts, etc.

  • Revising internal procedures related to locking facilities
  • Encrypting all HDDs
  • PII containing database encryption
  • Ending the practice of sharing one account between multiple users

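The anomaly-detection measures listed for bulk data export (item 1) and the table’s point about insiders acting outside working hours or during the lunch break can be turned into a simple detector over an access log. The script below is an added illustration, not LogSentinel’s product code: the log lines, working-hours window, lunch break and bulk-export factor are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log (not from the original article):
# "<ISO timestamp> <user> <action> <number of records>"
AUDIT_LOG = [
    "2019-11-04T10:15:00 alice export_records 120",
    "2019-11-04T11:40:00 alice export_records 95",
    "2019-11-05T10:05:00 alice export_records 110",
    "2019-11-05T12:20:00 bob export_records 30",    # during lunch break
    "2019-11-06T21:45:00 alice export_records 4800", # evening bulk export
    "2019-11-09T09:30:00 bob export_records 25",    # Saturday
]

# Assumed policy: office hours 09:00-18:00 on weekdays, lunch 12:00-13:00.
WORK_START, WORK_END = 9, 18
LUNCH_START, LUNCH_END = 12, 13
# An export larger than BULK_FACTOR x the user's median export is "bulk".
BULK_FACTOR = 10


def parse(line):
    """Split one log line into a dict with a datetime and an int count."""
    ts, user, action, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "count": int(count)}


def off_hours(ts):
    """True on weekends, outside office hours, or during the lunch break."""
    weekend = ts.weekday() >= 5
    outside = not (WORK_START <= ts.hour < WORK_END)
    lunch = LUNCH_START <= ts.hour < LUNCH_END
    return weekend or outside or lunch


def detect(lines):
    """Return (timestamp, user, count, reasons) for every suspicious event."""
    events = [parse(line) for line in lines]
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["count"])
    alerts = []
    for e in events:
        reasons = []
        if off_hours(e["ts"]):
            reasons.append("off-hours")
        # Median baseline is robust to the outlier being part of the sample.
        if e["count"] > BULK_FACTOR * median(per_user[e["user"]]):
            reasons.append("bulk-export")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["count"], reasons))
    return alerts
```

Run on the sample log it flags three events: both of bob’s (lunch break and Saturday) and alice’s evening export, which also trips the bulk-export threshold.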
Conclusion

CCPA is an important privacy act, and it is just the beginning of the privacy related reforms impacting the United States. Even if the Act does not concern every single organisation that keeps PII, it is raising awareness among citizens of how valuable their personal data is, and how important it is to keep it safe. The penalties are not considerable compared to the gross profit of the companies impacted; however, company reputation is a far more valuable asset nowadays. These factors put together lead to the conclusion that simple measures like the ones covered in this article may have positive effects in the long run. The dynamic market allows organisations to take strategic cyber security decisions in a timely manner, cutting the costs of in-house IT development. There is no need to reinvent the wheel, since the cyber security market is saturated with easy-to-integrate and at the same time cost-effective solutions.

This is the use case of LogSentinel – we provide a cost-effective cyber security solution which is easy to integrate and can provide scalable results from day one, covering the most vulnerable areas of every organisation.

To find out more about how LogSentinel can secure your business, contact us today.