The connection between CCPA and GDPR
With the rate of data creation and consumption growing faster than toilet paper demand in a pandemic (too soon…?), government intervention was as inevitable as tax season. We watched the General Data Protection Regulation (GDPR) sweep over every organization handling the personal data of individuals in the EU, imposing wide-ranging privacy requirements widely described as the most significant change to data privacy law in 20 years. It was only a matter of time before the United States flexed its regulatory muscles to match the EU’s efforts. And it didn’t take long.
Enter the California Consumer Privacy Act (CCPA).
Suppose you’re a for-profit organization doing business in California (which describes just about every for-profit organization). In that case, you’re required to comply with this legislation if you meet any one of three thresholds: more than $25 million in annual gross revenue; buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices per year; or deriving 50% or more of your annual revenue from selling consumers’ personal information. The civil penalties for non-compliance can be costly: up to $2,500 per violation, or $7,500 per violation when a court deems the violation intentional. But arguably the most significant potential cost, and the real “hold my beer” moment for CCPA compared to its GDPR model, is its private right of action: consumers can sue a covered business directly when their nonencrypted and nonredacted personal information is breached because the business failed to implement and maintain reasonable security procedures, recovering statutory damages of $100 to $750 per consumer per incident, or actual damages if greater (not to mention the associated reputational damage). Whether a breach qualifies turns on the reasonableness of your security efforts, so security posture translates directly into legal exposure. Since many observers expect CCPA to become the template for a looming federal law, everyone should take note of where compliance is headed.
We aren’t just trying to employ scare tactics — CCPA is the real deal. So, what are the internal ramifications of this new legislation, and how do you address it?
Consequences of CCPA
One unanticipated consequence of CCPA, given the current environment, is how much more a costly privacy penalty hurts during the economic instability of the COVID pandemic. Breach attempts have spiked consistently, yet the funds needed to keep businesses afloat (particularly in struggling industries) are scarce. A penalty or settlement on top of the breach itself could do lasting damage to an organization’s long-term health.
So, fear of fines, lawsuits, and sustained brand damage incentivizes company boards. But where does the responsibility fall internally?
Well, that’s where the water gets murky. The short answer, as always: IT teams, and primarily the infosec team.
Already overworked and likely understaffed, IT teams are now responsible for a potentially massive data protection undertaking. While CCPA has helped justify treating cybersecurity as a business-level initiative, the scale of the project is hard to predict. With an estimated 80% of organizational data considered unstructured, and that unstructured data growing at an unprecedented rate, this regulation lands squarely on the area of IT security where visibility and control are hardest to maintain. But it isn’t just the unidentified risk of data breaches and misconduct that puts pressure on organizations. Other departments, such as marketing and product teams that rely on data that may qualify as personal information to make business decisions, may no longer be able to draw as much insight from it (customer identity and access management, or CIAM, teams beware).
What Organizations Must Do Now
Organizations must refine their processes for data classification and governance to support the rights CCPA grants consumers: to know what personal information is collected about them and how it is used or sold, to have it deleted, and to opt out of its sale. Since CCPA’s definition of personal information is broad, covering identifiers such as IP addresses, browsing history, and inferences drawn to build a consumer profile, well beyond what’s traditionally classified as “sensitive,” the intake and classification of data need to change. Furthermore, once data is ingested, classified, and stored, reasonable security controls must be maintained and monitored, because a breach traceable to inadequate security is exactly what triggers the private right of action.
Undertaking a project of this magnitude pulls valuable resources away from other priority projects. Depending on a single vendor solution to solve the problem can leave you with a big bill, little integration with your existing IT environment, and gaps that expose you to attack in entirely new ways. By trusting a partner with extensive experience navigating the complexities of CCPA, organizations can accurately determine their compliance obligations and build a scalable security program around them, avoiding common pitfalls and costly remediation.
IDMWORKS understands the importance of optimizing your CCPA compliance posture to avoid violations and protect brand integrity and consumer confidence. We believe that security initiatives should empower an organization. We optimize your investment by building a foundation that your entire IT environment can benefit from, capable of scaling to the governance needs of current and future regulations. We help ensure that technology integrates effectively to take the burden off your IT team rather than creating more work. And we develop efficiencies that benefit other departments and business processes.
CCPA can be a daunting call for compliance, or it can be a catalyst for new efficiency and scalability. Let us help empower the latter.