How Can Organizations Plan for the CCPA?
With the California Consumer Privacy Act (CCPA) set to take effect January 1, 2020, organizations are making plans to ensure they can meet the CCPA requirements. However, ongoing legal challenges and changes continue to be introduced, which makes implementation planning challenging. We have compiled some information and recommendations on what your company can do to get ready for the CCPA requirements.
What is the CCPA?
The CCPA was passed in June of 2018 with the intention of enhancing privacy protections for California residents. The act intends to give people the right to know what personal information is collected about them, and whether it is shared, sold, or otherwise disclosed. It also intends to provide individuals with more control over their personal information, including the right to tell businesses not to share or sell their information. Finally, the CCPA requires organizations to “implement and maintain reasonable security procedures and practices… to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and imposes fines and penalties for violations.
What steps can you take now to get ready?
Despite ongoing legal challenges and changes to the legislation, there are plenty of steps that organizations can take now to work towards CCPA compliance and to help ensure they will be ready when the CCPA becomes effective on January 1, 2020. Here’s an overview of where to start:
- Are you subject to the CCPA? First, consider the CCPA’s applicability to your organization. As written now, the act applies to businesses that collect information on California residents and meet one or more of these three provisions:
- Earns revenue of more than $50 million per year
- Sells the personal information of 100,000 or more consumers annually
- Earns half or more of its annual revenue from selling consumers’ personal information
However, organizations should keep an eye out for any changes to these applicability provisions and also consider their future plans for revenue growth or the introduction or expansion of any activities involving the collection or sale of personal information covered under the CCPA.
- What personal information do you have? Second, identify what personal information your company collects, stores, and shares. Be sure to include representatives from all departments in this exercise. It is natural to focus first on your company’s primary products and services, and then on the obvious users of personal information, such as human resources. But what about your marketing department, sales, or research and development? It is important to cast a wide net internally when identifying the personal information your company collects.
- Where is it? Once you’ve compiled your list of personal information, the next step is to verify where it is stored and transferred. Creating a data flow map can be a valuable exercise in identifying how personal data enters your organization, where it is stored, how it flows within your environment, and how it is shared with external parties. As with the data identification exercise, include all departments that play a role in collecting, processing, storing, sharing, or selling personal information.
How will you support consumers’ rights?
The CCPA gives consumers the right to know what data is collected about them, what information is being sold, and to whom. How will your organization field these inquiries and requests? How will they be processed internally to ensure consumers’ rights are being honored? When making these decisions, consider the role of existing customer service departments and how such requests will be conveyed to responsible business units for processing.
How is the data protected?
The CCPA requires organizations to “implement and maintain reasonable security procedures and practices” for consumer personal information. While this requirement is vague, LMG Security recommends a standard combination of periodic technical testing, a security controls assessment, and regular training to evaluate the organization’s security measures and to serve as evidence of implementation and maintenance.
- Technical testing: External and internal penetration tests are the best way to test your network to identify vulnerabilities and determine how they may be exploited by a malicious actor. Combine penetration tests with other technical testing such as web application security assessments, wireless security testing, network segmentation testing, and attack detection tests to make sure your technical security program is complete and effective.
- Security controls assessment: Align your organization’s security program with a widely accepted security controls framework, such as the NIST Cybersecurity Framework. A comprehensive framework can serve as a checklist of activities you need to have in place to form an effective security program. Conduct regular controls assessments to evaluate your implementation and effectiveness, and to track your organization’s progress over time.
- Training: Implement regular security awareness training to ensure all staff understand threats to personal information, reporting requirements, and their roles and responsibilities for the protection of personal information. Supplement regular training with periodic security reminder emails and a “security second” at staff meetings. Also consider social engineering testing (e.g., simulated phishing) and targeted follow-up training if needed. Be sure employees are encouraged to ask questions and report any suspicious activity or security concerns.
Even though the CCPA requirements are not fully finalized, there are many steps that companies can take now to plan for effective compliance. Contact LMG Security to help with your CCPA planning and implementation.