Data privacy remains one of the most critical, hotly debated topics of our time. Two of the biggest, most damaging data breaches occurred in just the past couple of years: the massive 2017 Equifax breach and the 2016 Uber hack which, to make matters even worse, the company concealed for more than a year. There was also the recent enforcement of the EU’s General Data Protection Regulation (GDPR), which, lest anyone forget, affects any organisation handling the personal data of individuals in the EU no matter where that organisation is located, meaning even U.S. companies that process the personal data of individuals residing in the EU have to comply.
The California Consumer Privacy Act
This past June, another data privacy milestone occurred when California Governor Jerry Brown signed into law AB 375, the California Consumer Privacy Act (CCPA). The statute, seen as one of the toughest privacy laws in the U.S., will require companies to tell California residents what information is being collected and how it’s being used. The California Attorney General’s office will have the authority to enforce the law when it goes into effect in January 2020, with steep fines and/or litigation possible for those who fail to comply.
Much like the GDPR, the CCPA uses a broad definition of personally identifiable information (e.g. IP addresses, geolocation or browsing information such as cookies). It has an exception for personal information that is “de-identified or in the aggregate consumer information”; however, the law doesn’t provide much detail on which identifiers aren’t subject to scrutiny. The CCPA doesn’t force companies to stop collecting information, nor does it provide provisions for consumers to request that companies stop collecting their information; it does, however, allow consumers to tell companies to delete or stop selling their data.
Key data security and compliance best practices
With just over a year until enforcement, companies need to start preparing for the CCPA today. In fact, rather than simply adhering to AB 375, companies should work to go beyond the law and thoroughly revise all data security controls so they’re prepared for the eventuality of future data regulations. In particular, consider implementing the below best practices:
- Formalise incident response plans: There are a variety of ways to design an incident response plan and many tools available to leverage. What’s most important is formalising a plan that meets the specific needs of your organisation, because research shows that having an incident response plan can reduce the cost of a data breach by $14 per record. Consider incorporating an incident response checklist so that no steps are forgotten during stressful events. Run drills of your incident response procedures and analyse performance after the fact to determine what happened and why, what worked well and how you could respond more effectively in future.
- Map out disaster recovery and business continuity processes: The first step in any disaster recovery and business continuity plan should be to take inventory of all assets. To personalise your plan, conduct a full risk assessment and business impact analysis to determine the consequences of disruption, and don’t forget to include any legal and audit ramifications. Also, remember to account for any third-party vendors who handle your data, as more often than not they’ll be unable to protect you from data loss caused by ransomware, sync errors during integrations or human error. To account for this, it’s crucial to have a data backup solution in place so that your organisation’s critical data remains secure in the event of a data loss event.
- Comply with encryption/data anonymisation for sensitive storage: Encryption and data anonymisation are essential for preventing disclosure of sensitive data (either at rest or in motion) to unauthorised users. Keep in mind, however, that if an encryption key is ever lost or damaged, it may not be possible to recover the encrypted data, so be sure to plan rigorous key management processes, procedures and technologies before implementing any encryption or data anonymisation solutions.
- Employ data-mapping exercises: Data mapping, i.e. the process that shows how data from one system maps to data in another system, is particularly valuable during any ongoing data migration or data integration. Start by conducting a detailed data-mapping exercise that identifies all types of data that could be related back to a data subject. On top of that mapping process, work to understand how that data comes into your organisation (encryption, third-party vendors, etc.) and how that data is stored.
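To make the data-mapping step concrete, here is an added illustration (not code from the article or from Spanning) of a minimal personal-data map spanning several systems, used to locate every record tied to one data subject and to service the kind of deletion request the CCPA allows. The systems, field names, identifier categories and records are all constructed for the example; a real inventory would be generated from your schemas and kept under change control.

```python
"""Constructed personal-data map and deletion-request handler (illustrative)."""

# Data map: system -> field -> identifier category (None = not personal data).
# Categories mirror the article's examples of CCPA personal information
# (direct identifiers, IP addresses, geolocation, cookies).
DATA_MAP = {
    "crm":       {"email": "direct", "full_name": "direct", "phone": "direct"},
    "web_logs":  {"client_ip": "network", "cookie_id": "cookie", "path": None},
    "analytics": {"cookie_id": "cookie", "geo": "geolocation", "page_views": None},
}

# Linkage table: identifiers by which a subject is known across systems
# (constructed; in practice this comes from identity resolution).
LINKS = {
    "ann@example.com": {"email": "ann@example.com", "cookie_id": "c-111",
                        "client_ip": "203.0.113.7"},
}

def sample_stores():
    """Fresh copy of constructed sample records per system (not real data)."""
    return {
        "crm": [
            {"email": "ann@example.com", "full_name": "Ann Example", "phone": "555-0100"},
            {"email": "bob@example.com", "full_name": "Bob Sample", "phone": "555-0101"},
        ],
        "web_logs": [
            {"client_ip": "203.0.113.7", "cookie_id": "c-111", "path": "/home"},
            {"client_ip": "198.51.100.9", "cookie_id": "c-222", "path": "/pricing"},
        ],
        "analytics": [
            {"cookie_id": "c-111", "geo": "37.77,-122.41", "page_views": 4},
            {"cookie_id": "c-222", "geo": "34.05,-118.24", "page_views": 1},
        ],
    }

def personal_fields(data_map):
    """Return {system: [fields]} that can be related back to a data subject."""
    return {sys: [f for f, cat in fields.items() if cat] for sys, fields in data_map.items()}

def locate_subject(stores, links, subject):
    """Find every (system, index) record holding one of the subject's identifiers."""
    ids = links.get(subject, {})
    return [(sys, i) for sys, recs in stores.items()
            for i, rec in enumerate(recs)
            if any(rec.get(k) == v for k, v in ids.items())]

def handle_deletion(stores, data_map, links, subject):
    """Blank the subject's personal fields in place; keep non-personal counters.
    Returns the number of records touched (0 if the subject is unknown)."""
    hits = locate_subject(stores, links, subject)
    for sys, i in hits:
        for f in personal_fields(data_map)[sys]:
            stores[sys][i][f] = None
    return len(hits)
```

The point of the map is that a deletion request can be answered for every system holding the subject's data, not just the one that received the request.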
Until the CCPA goes into effect, there will likely be further refinements made to the law that must be taken into consideration. Also, it’s important to note that the California law has set the stage for state legislatures across the country to adopt similar laws in the future, meaning companies could soon have to change their data security practices nationwide. So, start preparing for the looming deadline now. To best ready yourself for the inevitability of additional data privacy laws, prioritise data security and compliance best practices such as maintaining formalised incident response plans, designing disaster recovery processes, encrypting sensitive data and implementing basic data-mapping practices. For those organisations ready to get a head start, following a GDPR compliance checklist is a great place to begin. Some immediate actions organisations can take include:
- Keep an eye on data: Continue mapping incoming and outgoing data flows, and granularly account for specific data types. Determine what data is solely meeting a processing function, and where your organisation is considered a controller of data.
- Share accountability: Coordinate with platform partners, third-party vendors, SaaS providers, etc. to ensure that the thread of compliance remains unbroken.
- Put the customer at the centre: Work with your customers via surveys and/or focus groups to get a better understanding and acceptance of what compliance means to them. Develop an internal process and solution to meet your customers’ needs while complying with the intent of the regulation.
- Back up your data: GDPR mandates “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”, which essentially means having a reliable backup and quick-restore solution. Data loss due to malware, human error or malicious intent is a growing threat, especially in view of compliance laws like GDPR. Save yourself the stress and hassle with a solid backup and restore solution.
Following these guidelines and preparing in advance for the inevitable increase in data privacy and security regulations will not only remove the risk of incurring fines, but also improve your organisation’s overall security posture. There’s nothing to lose, most especially not your critical data.
Brian Rutledge, Principal Security and Compliance Engineer, Spanning
Image Credit: David M G / Shutterstock