California’s Attorney General, Xavier Becerra, will begin enforcing the California Consumer Privacy Act (CCPA) starting on July 1. According to the website of the Office of the Attorney General, the “CCPA grants California consumers robust data privacy rights, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors.”
The law took effect on January 1, 2020, and though businesses pleaded for a COVID-19 extension of the enforcement date, Becerra has insisted on the original date, saying, “We’re committed to enforcing the law starting July 1.” While enforcement will begin on July 1, Becerra stated in an interview with Reuters that “we [State of California] will look kindly on those that … demonstrate an effort to comply.” It is not clear how that effort will be assessed, but organizations that fail to prepare could face steep penalties if caught: under § 1798.155, the Attorney General may seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, once a business has been notified and the 30-day cure period has passed.
The CCPA Requires Being “Mindful of Data Security”
In a public statement, the Attorney General’s office responded to groups seeking forbearance by stressing the importance of data security. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
The CCPA itself touches on security in a few places. The definition of “business purpose” in § 1798.140 lists detecting security incidents and protecting against “malicious, deceptive, fraudulent, or illegal activity” among the purposes for which a business may use personal information. More importantly, the statute’s private right of action (§ 1798.150) applies to breaches of nonencrypted and nonredacted personal information that result from a business’s failure to implement and maintain “reasonable security procedures and practices.” The proposed regulation package, which was submitted to the state’s Office of Administrative Law (OAL), likewise uses general phrases such as “reasonable security measures” and “reasonable security procedures” in various places without defining them.
How to Interpret “Reasonable Security”
As the CCPA does not provide details on what “reasonable security measures” and “reasonable security procedures” mean, how should organizations interpret these phrases?
In 2016, Kamala Harris, then the California Attorney General, issued the California Data Breach Report, which analyzed the causes of breaches reported to her office between 2012 and 2015. The report referenced the CIS Critical Security Controls (commonly called the CIS Top 20), a well-known security controls framework published by the Center for Internet Security (CIS):
The 20 controls in the [CIS]’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
Keep in mind that this does not necessarily mean organizations must use the CIS Top 20, or any other published set of security controls for that matter. As this post points out, other frameworks that can help demonstrate “reasonable security” include the NIST Cybersecurity Framework and ISO/IEC 27001 (together with the wider ISO/IEC 27000 series). While it is not required, many organizations find it helpful to use an industry-standard framework as the baseline when designing their CCPA security policies, because it gives them a documented, widely recognized yardstick to point to if a regulator or plaintiff asks what “reasonable” meant in their environment.
General Security Best Practices Benefit Every Company
In terms of security best practices, which you’ll find included in the security controls frameworks mentioned above, here is a list we at LMG Security have come up with that you might find helpful:
- Monitor Your IT—How do you know if you have a cybersecurity problem in the first place? Monitor your IT infrastructure. This includes network monitoring as well as endpoint security software on all desktops, mobile devices, and servers. Make sure that you budget for internal staff or a third-party team to triage and respond to the alerts; alerts that nobody reads are not monitoring. Retain the logs long enough to investigate an intrusion that is discovered months after it began.
- Maintain Written Policies and Procedures—Document your organization’s cybersecurity policies and procedures, then follow them. You can purchase policy templates or have a professional create them for you. Review and update your policies and procedures routinely, and keep a record of those reviews.
- Get Insurance—You can’t solve information security issues overnight. Transfer part of the financial risk to a third party by purchasing cybersecurity insurance. Make sure the policy you select covers your highest-risk scenarios, and have an experienced cybersecurity professional review it. Remember that insurance transfers financial risk, not your obligation to protect the data.
- Prepare for a Breach—Every day, another company gets hacked and makes the news. Plan ahead! Create formal policies and procedures for cybersecurity incident response BEFORE you get hacked. Train your first responders. Conduct tabletop exercises. Organizations that have rehearsed their response consistently sustain less damage when a breach does occur, because they contain it faster and make fewer mistakes under pressure.
- Train Your Staff and Customers—Humans are among the most critical components of your security infrastructure. Conduct cybersecurity awareness training regularly for all of your employees, IT staff, and (yes!) even your customers, and reinforce it with exercises such as phishing simulations.
- Assess Your Risk (Often)—Conduct a structured security risk assessment at least annually, and again after significant changes, to identify your risks and develop a mitigation plan. Use a widely accepted risk assessment and management framework, such as NIST SP 800-30 (Guide for Conducting Risk Assessments).
- Test Your Security—Does reality match what’s on paper? Conduct technical security testing. This can include penetration tests, vulnerability assessments, web application assessments, social engineering testing, and more. Track the findings to closure and retest to confirm that the fixes actually worked.
- Choose and Use a Cybersecurity Controls Framework—The foundation of your cybersecurity program is your controls framework, which also serves as an action checklist for the program. Once you’ve picked a framework, use it! Conduct controls assessments regularly and track your progress over time, so that you can show how your posture has improved, not just where it stands today.
Each organization will have to determine which security measures fit their budget and environment, whether it’s related to compliance with the CCPA or simply to strengthen their cybersecurity posture. If you need guidance on cybersecurity best practices, policies and procedures, consider working with a cybersecurity firm to get expert guidance on developing a written security program mapped to a controls framework, performing risk assessments, and conducting technical testing.
LMG Security has been helping organizations prepare for the challenges of data security, privacy, and changing laws and regulations for 11 years. Contact us if you need help.