Understanding Cyber Risk Under CCPA


The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, ushering in a new era of uncertainty for businesses worldwide. Like its predecessor from the EU, the General Data Protection Regulation (GDPR), requirements laid out in the CCPA create radical new standards for both data privacy and data security. 

While the new privacy law applies specifically to any business serving or employing California residents, it’s important to note that, according to the International Association of Privacy Professionals, “State-level momentum for comprehensive privacy bills is at an all-time high.” 

As of January 2020, 17 states have either introduced privacy bills, passed related legislation, or created a task force to address data protection and control.

Companies have largely prepared by taking inventory of their user data and reexamining their relationship to third-party processors, but many industry insiders believe that it’s the statute’s cybersecurity components that will have the biggest impact on businesses moving forward. 

As the regulatory environment continues to shift, what can business leaders do to address the cybersecurity components of data privacy legislation?

Data privacy vs. data security in the CCPA

The CCPA creates “opt-out” rights for California-based citizens, which require companies to give those users a transparent view of the data the company has access to and a simple way to prevent the collection and sale of that data to third-party processors. One common way third parties collect personally identifiable information (PII) is through cookies placed by analytics software, embedded content, widgets, or behavioral advertising vendors. 

These regulations address the concept of data privacy, or the policies that organizations must have in place to restrict access to information. 

The provisions related to consumer data breaches, however, relate more closely to security, or the procedures that enforce those data privacy requirements.

CCPA creates a private right of action for California consumers whose data is accessed by unauthorized users, essentially opening the door to punitive litigation in cases where a company cannot prove that it met a “reasonable” standard of security against cyber attacks. 

This means that U.S. companies have a new compelling reason to create a culture of cybersecurity within their organizations and to invest in operational improvements that protect against data breaches.

Finding opportunity in ambiguity

Article 32 of GDPR details technical and operational security practices that must be followed in order to meet the “reasonable” standard of consumer data protection. 

The statute lists concrete security standards that all relevant companies should meet (including data encryption, proof of infrastructure reliability, and documented security testing procedures), and has been enforced against organizations who fail to meet expectations.

The CCPA, however, provides no such specificity in its discussion of cybersecurity beyond the range of financial penalties companies may face in the event of a breach (up to $7500 per compromised record; yikes). 

While the law’s relative vagueness may not do much in the way of creating a standard roadmap to cybersecurity excellence, it does create positive change in three important ways:

(1) Companies have an increased incentive to invest in security best practices.

While no business leader wants to endure the reputational damage and risk to their bottom line that accompanies a data breach, understanding where an organization stands on the security spectrum can be an expensive process. 

That being said, the passing of CCPA has led to an absolute explosion of investment in cybersecurity. A 2019 PricewaterhouseCoopers study found that 43% of companies with at least $1 billion in revenues spent over $10 million on data security preparation before CCPA went into effect, with 20% spending over $100 million. 

This signals a willingness among corporate boards and executive leadership to invest in widespread organizational change and security technology as data privacy legislation continues to evolve.

The steps those companies have taken to prepare for CCPA read like a page from “cybersecurity 101”: a list of simple-yet-powerful measures that every company should take, regardless of the legislative environment in which they operate. 

Measures like creating access control policies, enforcing multifactor authentication, conducting penetration tests, requiring software updates, and investing in employee training aren’t cutting edge by any means. But they are powerful ways for companies to protect their customers and their business from cyber attacks and to ensure they meet the vague standard of “reasonable” defense against data breaches.

(2) Business leaders will adapt their security strategies to address advances in technology.

For some, the list of cybersecurity best practices detailed above can read like a checklist: Once a company encrypts all of their incoming and outgoing data, creates a few access control policies, and updates their software, the arduous journey to "100% security" is complete, right?

This line of thinking is exactly what legislation like CCPA is trying to combat. Cybersecurity professionals everywhere agree that data security requires an ongoing commitment, defined by consistent monitoring, measurement, testing, and improvement. 

According to research from PwC, companies impacted by CCPA are deploying third-party monitoring and encryption software at significantly higher rates than for GDPR. That means we’ll likely see an increase in the adoption of software solutions that can automate the network monitoring and ongoing testing required to ensure that sensitive data is protected from new threats. Opportunities for consultants specializing in holistic operational change and cybersecurity leadership are also likely to improve. 

Ultimately, making security a part of a company’s growth plan will not only benefit compliant companies and their vendor teams, but it will also create a more secure world for consumers at large.

(3) Companies will better understand the cyber risk in their supply chain.

Companies will not be able to achieve compliance with CCPA’s cybersecurity requirements without examining their partners, vendors, and service providers.

A 2018 study by Opus and the Ponemon Institute found that 59% of breaches worldwide originate with a third party, but only half of all companies reported making third-party relationship management a priority.

Now that companies are facing steep financial penalties for data breaches that impact California residents, business leaders are reconsidering where vendor management falls in their list of priorities.

In response to CCPA’s passing, companies of every size are not only auditing their own cybersecurity measures, but they're also conducting analyses of their vendors’ security practices. This effort will necessitate a change in the relationship between vendors and their business customers, as they now share more of the risk in the event of a data breach.

Establishing a process for safeguarding data that is shared with third parties shows regulators and consumers that companies have taken steps to mitigate this type of risk. 

As an added benefit, this exercise also helps companies meet the CCPA requirement that companies understand and document what data is stored where.

Looking ahead

For all of its complexity, the CCPA sends a clear signal to American and multinational businesses that data privacy and cybersecurity aren’t trends that are likely to fade away with time. 

While this statute and others like it were passed in the spirit of giving consumers more control over their data, business leaders who also consider its cybersecurity requirements will be better positioned for success in today’s technology-driven world.
