Companies have only 3 months to adapt to the new data protection rules brought by the CCPA (the California Consumer Privacy Act). Almost all companies process information about their customers, suppliers and employees, and state-wide administrations handle extremely large databases of personal data, for example in health reports or in registers of citizens.
If such organizations don’t adjust their methods of processing this data to the new rules, they are liable to face massive fines. Organizations that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages of up to $750 per resident and incident (Cal. Civ. Code § 1798.150). Should your database contain all 39 million Californian citizens, that works out to just under $30 billion in damages! Yes, this is an existential warning.
"The regulation about personal data protection will touch an overwhelming majority of companies," says Matej Zachar, CSO Safetica Technologies. "The changes will affect the entire process from data collection, through their processing, to shredding or deleting them from the system."
The regulation adjusts, among many others, individuals’ rights to:
- know what data are processed and for what purpose
- know whether the data are sold and to whom
- say no to selling the data
- access the data
There are also adjustments that affect a company’s customers. For example, when you run an e-shop, it is important to revise how you inform customers about their rights and what legal options you give them. One of your customers’ rights is, for instance, the right to require irreversible deletion of their personal data from your systems.
In practice this means that companies will have to, among other things, revise contracts, policies and internal documents so that they comply with the new legislation. Many organizations have no clearly defined roles for working with data, and this will have to change.
Analysis of internal security
From the security point of view, it is important for companies to think thoroughly about how personal data is handled within their organizations. The next step is to minimise the risk of intentional or unintentional data leakage. In practice, this means starting with an analysis of how personal data moves. Mapping out where the data is located, who can access it, and how it is manipulated is the basis for identifying security weak spots.
"This kind of audit often reveals that there already are incidents going on. When employees share data via public cloud services, or through an unencrypted flash disk, the attacker can very easily access them," explains Matej Zachar, Chief Security Officer at Safetica Technologies. "Results of such an analysis serve as a base for implementation of further measures. From the CCPA point of view it’s necessary to set rules that will enable prevention of any such incidents."
The main steps to comply with CCPA
- Find out where your personal information resides by auditing its data flow
- Classify the data
- Secure the personal information:
  - Encrypt the data and/or the media where it is stored
  - Train employees to ensure that they stay aware of security risks
  - Limit the ways data can be handled and/or shared
  - Implement a DLP solution to protect the data against human error
  - Ensure its availability by backing it up on a regular basis
  - Be sure to secure the environment against external threats (using antivirus, network security appliances and others)
- Prepare an alternative way for consumers to learn about the privacy implications of the processing, such as a toll-free number
- Prepare for users exercising their rights, such as the right to access, to have the personal information deleted or to say no to selling their data