CCPA, the recent legal privacy innovation in the US, has introduced a lot of requirements for online businesses. We have previously covered the principle of accountability in both CCPA and GDPR, and how an audit log of all data-related activities, as well as of the handling of user-rights requests, is important for CCPA compliance.
But we sometimes get the question “Is your SIEM going to help us with CCPA compliance?” or even “Is a SIEM required for CCPA compliance?”. Yes, the honest answer to any question pairing a particular technology with a legal requirement is “laws are technologically neutral, so as long as you cover the principal requirements, you should be fine”, but in practice it often comes down to ticking boxes, how easy it is to get compliant, and what auditors and regulators assume to be true.
How Is SIEM Good For CCPA Compliance?
While GDPR has a broader scope, CCPA covers both users’ rights and some basic security requirements. While no regulation will spell out a product category, there are three important points that make a SIEM a good fit for CCPA compliance.
The first one is accountability: you should be able to prove that you handled personal data and users’ requests properly. For that, audit logs (collected by a SIEM or a similar solution) are called for.
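To make the accountability point concrete, here is an added example (not code from the original post or from any SIEM product) of the kind of record a SIEM or audit-log collector is expected to hold: an append-only, hash-chained log of personal-data operations and user-rights requests. Every record carries the SHA-256 hash of the previous one, so a later deletion or modification is detectable on verification, and the log can answer the two questions an auditor asks: what happened to consumer X, and which rights requests are still open. The event names, actor names, consumer identifiers and timestamps are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of "nothing" that the first record chains to (constructed convention).
GENESIS = "0" * 64


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each record commits to the hash of its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, actor, action, subject, details=None, timestamp=None):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {
            "seq": len(self.records),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,        # system or team that performed the action
            "action": action,      # e.g. data.read, request.received
            "subject": subject,    # the consumer the record concerns
            "details": details or {},
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, count) if the chain is intact, else (False, first bad seq)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, len(self.records)

    def history_for(self, subject):
        """Everything that was done with one consumer's data, in order."""
        return [r for r in self.records if r["subject"] == subject]

    def unresolved_requests(self):
        """Rights requests that were received but never marked completed."""
        received, completed = [], set()
        for r in self.records:
            rid = r["details"].get("request_id")
            if r["action"] == "request.received":
                received.append(rid)
            elif r["action"] == "request.completed":
                completed.add(rid)
        return [rid for rid in received if rid not in completed]


def build_sample_log():
    # Constructed sample events; fixed timestamps keep the output reproducible.
    log = AuditLog()
    log.append("app-backend", "data.read", "consumer:1001",
               {"fields": ["email", "address"], "purpose": "order-fulfilment"},
               timestamp="2020-03-01T10:00:00+00:00")
    log.append("privacy-portal", "request.received", "consumer:1001",
               {"request_id": "req-42", "type": "delete"},
               timestamp="2020-03-02T09:30:00+00:00")
    log.append("privacy-team", "request.completed", "consumer:1001",
               {"request_id": "req-42", "outcome": "data-erased"},
               timestamp="2020-03-10T16:45:00+00:00")
    log.append("privacy-portal", "request.received", "consumer:1002",
               {"request_id": "req-43", "type": "access"},
               timestamp="2020-03-11T08:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("open requests:", log.unresolved_requests())
    for r in log.history_for("consumer:1001"):
        print(r["timestamp"], r["actor"], r["action"], r["details"])
    # Editing a stored record breaks the chain at that position.
    log.records[1]["details"]["type"] = "access"
    print("after tampering:", log.verify())
```

The chain only proves that the log was not altered after the fact by someone who did not also rewrite every later hash; in a deployment the records are shipped to the SIEM as they are written and the latest hash is periodically checkpointed somewhere the application cannot overwrite, so that the collector, not the producing system, is the anchor of trust.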
The second one is the requirement to “maintain reasonable security procedures and practices”, as otherwise the business faces lawsuits and significant losses if a data breach occurs ($750 per consumer per incident can be costly even before you count the reputational damage of a breach):
1798.100. (e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action [..]
Is having a SIEM a “reasonable security procedure and practice”? We’d say yes, at least for mid-sized organizations or those that process large amounts of personal data. Log collection and threat detection are considered security best practices and are included in many security standards. A SIEM may not be required for small businesses (as it might be unreasonable to expect a small business to make such a security investment), but at least centralized security log collection should be in place (which is available through open-source tools as well).
The third point is about breach notification. While CCPA itself doesn’t mandate breach notification, that’s because there’s another California law that does and there’s no point in copy-pasting legal text. But if an organization has to comply with CCPA, it should also comply with the breach notification law.
How is SIEM relevant to breach notification?
Well, it does help discover breaches, but more importantly, thanks to the alerting and case management functionality typically found in SIEM products, organizations will have a well-organized audit log of when and how the breach was discovered and which assets and data it affects.
With those three reasons, it’s no wonder that auditors and consultants may be recommending a SIEM for CCPA compliance, much as they do for GDPR. Compliance reporting and regulation-specific functionality in a SIEM may further justify the adoption. And while the compliance aspect may be what drives the adoption, the underlying reason is keeping personal data secure.
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.