In 2018, California recognized that its citizens should have stronger control over their personal information and privacy, and created the California Consumer Privacy Act (CCPA), which gives California citizens several rights with respect to their personal data and its privacy.
As of July 2020, enforcement of the CCPA began in earnest.
Here is a summary of the regulations and what they might mean for your organization (from the CCPA Fact Sheet):
What rights does it confer?
- The right to know what personal information is collected, used, shared, or sold. Both the categories of information, and which specific pieces of personal information.
- The right to have personal information that is held by businesses, and by extension a business’s service provider, deleted.
- The right to direct a business to not sell their personal information.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Who does it cover?
Businesses are subject to the CCPA if one or more of the following are true:
- Has gross annual revenues in excess of $25 million.
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
What you need to do to comply?
- Provide notice to consumers before or at the time of data collection.
- Put in place procedures to enable customers to opt-out.
- Respond to requests to know what personal information is held, delete, or opt-out within specified timeframes.
- Verify requests.
- When data is collected, inform consumers about their rights under the CCPA, categories of information collected, how information will be used, and what categories have been shared over the past year.
What penalties can be enforced?
- For noncompliance beyond a 30-day notice period (in which the noncompliance may be cured, if possible), $2500 for non-intentional violations and $7500 for intentional violations.
- If personal information is compromised in a breach, consumers can sue for between $100 to $750, or actual damages if they exceed $750.
The CCPA Is Not Just About Rights – It’s Also About Reasonable Security
Businesses must expect consumers to exercise their rights under the CCPA. One aspect to be considered is the fact that the legislation requires organizations to inform consumers how their information will be used and shared. It also requires organizations to have the capability to store consumer information in an encrypted, safe manner to avoid data leaks. Filtered data access, complete audit trails and reporting, as well as strong data access controls are essential to ensure that customer data stays secure and controlled. With the right processes in place, businesses may be able to survive breaches without making themselves open to litigation.
Unlike GDPR, CCPA is more focused on consumer data protection. This means every consumer, from a shopper buying groceries who provides the supermarket with their contact information for a discount card to enterprise buyers purchasing products and services in bulk from B2B vendors, are covered by it.
Securonix for CCPA: Compliance and Privacy
With tested, comprehensive data privacy capabilities, the Securonix platform is at the forefront of security products that meet CCPA requirements. The Securonix platform is battle-tested, with global deployments across EMEA, APAC, and the Americas. The privacy capabilities of the Securonix platform have also been approved by customer work councils across EMEA and APAC.
A customer may have their activity tied to multiple identifiers, whether based on account names, email addresses, phone numbers, IP address, hostname, and more. This makes it difficult for legacy solutions to find and track disparate activities back to one identity. This can hamper complete data erasure, a CCPA requirement.
The Securonix platform links all user activities to a single global user identity – whether it is a hostname, IP address, phone number, or email address. This enables Securonix to identify, protect – and when needed – delete all related events across multiple devices in one action.
Securonix enforces strong controls on data that can both help you meet CCPA compliance requirements, as well as build consumer confidence regarding information handling.
Securonix provides you with the capability to mask direct identifiers such as a user’s name, account information, their activities, and the resources they use. Only users assigned a Privacy Master role can unmask this information.
Granular Role Based Access Control (RBAC)
Data access can be limited based on the business need, user identity, and type of data being accessed, among other controls. The access control feature allows for you to specify the privileges of – or limitations of – a user, in order to control what shows on each user’s dashboard.
Figure 1: Data Masking and Granular RBAC
Detailed Audit Trails and Log Tampering Reports
The auditing feature captures the activity of users in audit logs and monitors activity indicative of log tampering in order to detect unauthorized attempts to modify or delete logs.
The data masking feature can also be used to apply different levels of privacy controls based on the users you are monitoring. You can selectively import events; mask users based on any HR attribute such as location, title, department, and more; and specify the users on whom to run policies.
Conditional masking allows you to mask the attributes enabled in data masking if the user matches specific conditions. For example, if the user is in the finance department you can control which categories of information is displayed.
Filters also enable you to select events to import and drop for a data source. This allows you to eliminate groups of users from being correlated to identities and drop events for the specified groups of users.
The Securonix platform also features the capability to target policies to only run for specified users and user groups.
Built-in ad hoc reporting capabilities allow you to generate reports on all the personally identifiable information (PII) collected and processed within the Securonix platform.
Data Erasure and Deletion
The data erasure feature removes all direct and linked data for the specified entity, eliminating the need to pore through multiple data sources. It also allows you to completely erase all data linked to a contact or group of contacts based on any identity or HR criteria (such as region, loyalty tier, or title).
Securonix also ensures comprehensive governance capabilities, with an approval workflow process in place to approve deletion requests. The granular RBAC workflow capability allows users to request and approve data access and deletion actions, as applicable. A secure, structured workflow is critical to enable safe data erasure, as well as to exercise control over data usage.
The platform also maintains detailed, complete audit trail of all requests, approvals, and erasures with easy log access to ensure compliance norms are met.
Monitoring CCPA Compliance with Securonix
Along with the support for compliance and privacy provided within the platform, Securonix provides CCPA-specific dashboards and reporting to track CCPA compliance.
Figure 2: CCPA Dashboard View
Securonix can alert on any unauthorized access to sensitive data. Using user behavior analytics, Securonix can establish a baseline pattern of legitimate activities and flag any anomalies that may lead to noncompliance due to data loss or mishandled customer data.
Figure 3: CCPA Compliance Alerts
Securonix also includes built-in functionality for data insights and reporting on key CCPA regulations such as 1798.150(a) (pertaining to the handling of consumer complaints for data handing and remediation of the complaints by organizations) and 1798.140(o) (pertaining to the items of personal information that are protected under the CCPA).
In addition, Securonix also applies peer analysis to monitor access permissions to sensitive data and identifies outliers that need remediation. This ensures access is restricted to when it is actually needed, minimizing the risk of insider threats and data exfiltration that could lead to noncompliance.
With Securonix, CCPA compliance can be achieved efficiently and quickly. With a comprehensive data privacy feature suite, Securonix can help your business achieve CCPA compliance and secure your consumer data, avoiding litigation as well as improving consumer confidence.