What the California Consumer Privacy Act Means For You

Do you know where your data is? Your customers will know in 2020 thanks to the new California Consumer Privacy Act (CCPA).

The collection of personal data and the privacy issues surrounding it have been a hot topic the past several years, especially in the security industry. Governments are taking notice and new regulations are appearing. The GDPR in EU countries was a major challenge for companies in 2018. More governments are taking privacy seriously and companies should prepare for changes.

What CCPA Means For You

CCPA is a regulation requiring certain organizations to protect the personal data and privacy of California consumers. It gives consumers the right to tell certain businesses not to share or sell their personal information and holds businesses responsible for safeguarding consumer information.  It gives consumers more control over the information collected about them.  
HackerOne anticipates other states and the federal government to pass similar bills in 2019.

As of now, more than 8 other states, such as New York and Massachusetts, have introduced similar bills. The Trump Administration sought comments last fall through the Commerce Department’s National Telecommunications and Information Administration when it laid out it’s approach to data privacy, therefore we anticipate more guidance, and perhaps even requirements in the upcoming months. More here. 

The CCPA requires certain businesses to disclose and deliver personal information held by them when a consumer of their services requests it. It doesn’t apply to all businesses.  Only those that handle personal information – any information that identifies a consumer or household – of as few as 50,000 devices, individuals or households annually may be subject to the act. But, businesses with revenues of $25 million or more may have compliance obligations no matter how much personal information they collect from Californians.

CCPA’s protections apply to all California residents, regardless of their relationship with an organization (e.g., employees, customers, business leads) or whether their personal information is collected online or offline, and regardless of where the business is located.  The Act also grants California residents the right to request more detailed information about the personal information a business holds specifically about them, and the right to obtain portable copies of their personal information from the business.  The data must be in a useable format for the consumer so they fully understand exactly what data is stored about them. The CCPA gives Californians the right to prohibit a business from selling their personal information, and to request that a business delete their personal information. 

Implementing a process to meet the above requirements may be complicated, as it may involve third-party data brokers and vendors, increasing the risk of error and security breaches. The CCPA also protects consumers in the event of a data breach, giving them a private right of action, in addition to statutory penalties by the California Attorney General. If a business fails to protect personally identifiable information using encryption or redaction, the consumer has the right to take legal action and receive penalties from the offending business if the data gets out. Every business must implement and maintain “reasonable security procedures and practices” or face the potential for class action lawsuits.
 
Personally identifiable information must be protected. The most effective way to protect data is not to store it in the first place. Don’t store any unnecessary data, and make your definition of “unnecessary” as strict as possible. If you must store it, encrypt it using strong encryption algorithms, and restrict access to only those employees who need it to perform their job duties. Additionally, consider implementing effective logging so all data access can be tracked and anomalies detected.

Furthermore, considerations should also be taken when storing data sets which in isolation do not contain PII, however when combed with other company stored data – add enough context to now be classified as PII.

CCPA takes effect on January 1, 2020. Start thinking now about how you’ll verify consumer requests for data, and improve your security procedures for personal information.  The best way to comply with CCPA is to implement the best security practices and avoid data breaches.

Get Ahead Of Vulnerabilities To Get Ahead Of CCPA

Working to meet CCPA’s rapidly-approaching effective date takes effort, money, and cross-organizational teamwork. At this point, if you collect any data on consumers, you should be evaluating whether CCPA applies to you, and how you would comply.
If you have yet to begin working in earnest towards CCPA compliance, do not delay.

If you’re in that bucket, HackerOne can help you:

1. Implement a Vulnerability Disclosure Policy (VDP). This is a great first step towards identifying vulnerabilities well before they turn into breaches.

    
2. Determine whether a bug bounty program is right for you at this time. CCPA requires regular testing and assessing of your systems. A continuous bug bounty program provides incentives to get white-hat hackers to find more bugs such as accidental leaking of customer data, so you’re finding them before they turn into breaches.


CCPA And Other Similar Laws Will Take Effect Soon

January 1, 2020, will be upon us soon. Getting your process in place for identifying and fixing bugs in a controlled manner will help you close more gaps before they can be exploited. Contact us to learn more about how HackerOne can help.