The California Consumer Privacy Act, or CCPA, goes into effect on Jan. 1, 2020. Most mid-sized companies still have no clue about this data privacy legislation or how it will impact their business operations.
We’ll dig into this topic a bit, but recognize that we are not lawyers, and we don’t provide legal advice. Consider this a heads-up that requires further investigation on your part. Talk to your legal, compliance, and governance teams to understand the best path forward.
Compliance is a top-three driver for budgeting and funding cybersecurity-related operations
As we know, compliance is a top-three driver for budgeting and funding cybersecurity-related operations. Despite that fact, when I bring up the subject of compliance, most cybersecurity subject matter experts (SMEs) glaze over like a donut. To them, it seems a boring topic – all they want to know is how it will impact the required baseline operations, service level, and protection that must be delivered by the security operations center (SOC) and related information technology functions.
Well, team, we need to wake up. California has long led the U.S. in data privacy legislation, and the CCPA is another big step in that direction. The CCPA has wide-ranging implications, not just for California, but for the entire U.S., because it reaches any business that handles California residents' data. In many ways, the CCPA is in close alignment with the EU General Data Protection Regulation (GDPR).
If you took a close look at the CCPA already, you understand that you need to make substantial changes to your business processes and the underlying technology infrastructure that supports them. You will need to take decisive steps to increase your data protection capabilities to help ensure that data regulated under CCPA is not breached on your watch. If you do any business in the United States, you do business in California, and will likely need to be compliant.
The CCPA applies to businesses that collect information which is defined as personal information (PI) under the law. You know this movie. This is the same definition, with slightly different edges, that you have heard before with respect to GDPR, HIPAA, and more. PI, PII, etc., – we all know it when we see it. The CCPA is more detailed in spelling out the data, and you will find it includes biometrics, DNA (yes, data in a DNA testing service), olfactory, and other nuances of covered personal information you might not have seen spelled out before.
Three triggers for CCPA compliance
In terms of applicability, the CCPA covers a for-profit business that collects California residents' personal information and meets any one of the following three thresholds:
- Your annual gross revenue exceeds $25 million; or
- You annually buy, receive, sell, or share the PI of 50,000 or more California consumers, households, or devices; or
- You derive 50 percent or more of your annual revenue from selling consumers' PI.
So if, for example, your sales team subscribes to an online prospect database, those services typically hold records on well over 50,000 California residents, and that is before your team copies some of that data into a CRM for prospecting and forecast management. Even if your own database holds only 5,000 records, the fact that you receive and use that online data means you likely must be CCPA compliant. There are many such nuances to work through and understand.
Alternately, let us say you have only 500 California customers, but your business is producing $35 million in annual revenue. Does CCPA apply? In my humble opinion, probably, yes, it does.
Failure to comply brings astronomic penalties
Statutory damages that impacted consumers can seek range from $100 to $750 per consumer per incident, or actual damages if those are greater. On top of that come civil penalties levied by the California Attorney General (up to $2,500 per violation, or $7,500 per intentional violation), class action suits, and more. So if you suffer a breach affecting hundreds of thousands to millions of California consumers, the economic threat to your business is existential: many millions of dollars in penalties and no mercy. The California Attorney General has historically been very tough on compliance failures.
Note that the consumer right of action applies to the breach of “nonencrypted and nonredacted” personal information that results from a failure to maintain reasonable security. In other words, if data is stolen but was encrypted, it may still be a security incident with respect to your internal operating procedures, but it is not a breach a consumer can sue over under CCPA. Encryption becomes your “get out of jail free card,” with two caveats. First, the card only works if the attacker did not also get the key: a database dump where the key sits in the same table, in application configuration on the same compromised host, or in a backup next to the ciphertext is not meaningfully encrypted, and data that a compromised application decrypts on demand is exposed in the clear regardless of how it is stored. Second, the safe harbor covers only the private right of action for breaches; the Attorney General can still enforce the disclosure, opt-out, and deletion obligations no matter how well your data is encrypted.
Finally, outside of the purview of the cybersecurity team, there are all sorts of processes that the business must establish and follow to let consumers opt-out, provide them with copies of personal information, and much more. Administratively, it is a daunting task that will keep your compliance and governance teams busier than ever.
The moral of the story?
Encrypting and protecting your data, together with your internal networks, servers, and endpoints, is the prime directive for reducing your risk, maintaining CCPA compliance, and staying out of trouble. We’ll talk more about the many new and emerging regulations that affect data privacy compliance and, thus, cybersecurity and information technology operations.
Find out more about Acalvio and how deception technology can help you reduce risk and maintain compliance. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect the most sensitive enterprise and government networks.