The Global Data Protection Regulation (GDPR) grabbed headlines in the lead-up to its adoption in May 2018—and for good reason. It changed the compliance landscape significantly with measures designed to put the power back in the hands of individuals over how companies gather, store, and disseminate consumer data.
When the California Consumer Privacy Act (CCPA) rolls out in California on January 1, 2020, we’ll see yet another law designed to empower consumers. For any company storing or transmitting data on California citizens, the law brings additional security and privacy responsibilities.
Determining Reasonableness
GDPR and CCPA approach data security differently, but both raise expectations for companies when it comes to how they handle consumer data. GDPR mandates data security as a general obligation, while also spelling out measures to help organizations reach a certain level of security. CCPA does not tackle data cybersecurity or personal data protection with specifics, but requires the implementation and maintenance of “reasonable security procedures and practices.” CCPA doesn’t define “reasonableness” — at least not yet.
Nonetheless, under CCPA, California consumers may pursue private action if their personal information ends up in the hands of an unauthorized individual. And unlike standard data breach cases these days, under CCPA the person bringing the action may not have to prove that harm resulted from the company’s failure to protect their data.
The law provides for damages in civil actions ranging from $100 to $750 per incident per consumer record.
Build the Right Foundation
So, what can your organization do to prove that it meets the reasonable cybersecurity standard needed to defend against legal action under CCPA?
In a 2016 California Data Breach Report, California’s Attorney General encouraged organizations to adopt the Center for Internet Security’s (CIS) 20 critical security controls. The report notes that failing to implement the CIS controls that apply to an organization’s specific environment would qualify as a lack of reasonable security.
Follow these best practices (among others):
- Implement penetration and vulnerability testing to help uncover security gaps before they become a pathway for an attack.
- Monitor network activity to help discover the exfiltration of large blocks of data, indicative of a breach.
- Complete routine patches and software updates to minimize the potential for an attack.
- Limit employee access to only data needed to perform their role to help limit exposure to California resident data and, therefore, the potential for its compromise.
Reasons to Avoid the Waiting Game
Given the lack of a definition for what constitutes a reasonable approach to the protection of consumer data, some organizations may decide to wait to begin their CCPA compliance efforts. Doing so only delays the inevitable.
With GDPR already in force, CCPA on the verge of going live, and many other states considering their own data privacy rules and regulations, organizations should build up their cybersecurity today to ensure they remain in compliance tomorrow.
