If you collect personal information from California residents, you are expected to secure it. The problem is that the law offers little direction beyond requiring "reasonable security."
California’s hard-hitting stance on cybersecurity is often a game-changer. And the California Consumer Privacy Act (CCPA) may be the state’s biggest move to date.
The Act was signed into law on June 28, 2018, with amendments in September 2018 and further amendments introduced in February 2019. It holds businesses accountable for how they handle the personal information of Californians, a group of over 36 million people set to gain unprecedented control over which entities hold their data and what those entities are allowed to do with it.
A snapshot of the CCPA
Compliance isn’t limited to California-based businesses. Any for-profit business that does business in California and meets one of the thresholds below is covered, wherever it is headquartered. The Act protects California residents, and a resident who is temporarily outside the state is still a “consumer” under the Act, although the law does exempt commercial conduct that takes place wholly outside California.
A business is covered if it meets at least one of three thresholds:
- Annual gross revenues over $25 million,
- Buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year for commercial purposes, or
- Deriving 50 percent or more of its annual revenue from selling consumers’ personal information.
The CCPA takes effect on January 1, 2020, and the penalties for non-compliance are potentially steep. The Attorney General for the State of California can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. Private litigants can also sue, but only over data breaches: a consumer whose nonencrypted or nonredacted personal information is exposed because a business failed to implement reasonable security can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. That private right of action is why the meaning of “reasonable security” matters so much.
In March 2019, only 14 percent of surveyed companies reported being ready to comply. A May update put that number at 55 percent. Even with another 25 percent promising to be ready by July 2020, that still leaves one-fifth of affected businesses non-compliant well into 2020.
Businesses aren’t always the bad guys
It’s easy to assume businesses are being cheap, lazy, or willfully defiant of the CCPA. After all, cybersecurity compliance will be expensive (more than 70 percent of surveyed companies say it will cost them over six figures), and the “it’ll never happen to us” attitude toward security breaches is all too common.
It’s also a fact that the CCPA isn’t very clear about security. Even the most well-intentioned business may struggle to implement it. The Act’s requirement that businesses implement “reasonable security” isn’t the kind of concrete guidance people need in order to confidently make a change.
In the absence of hard rules, there are some best practices about what constitutes reasonable cybersecurity, no matter where you are.
A cybersecurity checklist for California companies
The first step is establishing the basics. If your business isn’t enforcing strong passwords, multi-factor authentication, firewalls, and anti-malware software, start now. We also recommend a full hardware and software inventory, kept current, with everything on it regularly patched and updated; you cannot secure a device or application you don’t know you have.
Implementing a cybersecurity framework comes next. The recommendations in the California Data Breach Report of 2016 are a good foundation, especially since the report states that failing to implement the controls that apply to an organization’s environment “constitutes a lack of reasonable security.” It was also published specifically to help businesses protect consumers.
The report recommends strong encryption of personal information on laptops and other portable devices, and extending encryption to fixed-location devices, with end-to-end encryption as the next step up from there. Its central recommendation is that businesses implement the 20 controls defined in the Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense.
CIS groups the 20 controls into six Basic, ten Foundational, and four Organizational controls. The Basic controls overlap with the basics above (hardware and software inventory, continuous vulnerability management, controlled use of administrative privileges, secure configuration, and audit logging). The ten Foundational controls extend them and include email and web browser protection, malware defenses, data recovery capabilities, wireless access control, and controlling access to data strictly on a “need-to-know” basis.
The organizational controls have four steps:
- Security Awareness and Training Program: Perform a skills gap analysis to identify the security skills and behaviors the workforce lacks, and use the results to build a baseline training roadmap. Train the workforce to recognize the different forms of social engineering, such as phishing, phone scams, and impersonation calls.
- Application Software Security: Establish secure coding practices appropriate to the programming language and development environment in use, and apply static and dynamic analysis tools to verify that internally developed software actually follows them.
- Incident Response and Management: Maintain written incident response plans that define the roles of personnel and the phases of incident handling. Keep current contact information for the third parties you would need to notify or call on during an incident, such as law enforcement, relevant government departments, vendors, and ISAC partners.
- Penetration Tests and Red Team Exercises: Establish a penetration testing program that covers blended attacks, including wireless, client-side, and web application attacks. The control also calls for a test bed that mimics the production environment for penetration tests and Red Team attacks against elements that are not safely tested in production, such as supervisory control and data acquisition (SCADA) and other control systems.
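As an added illustration of the Application Software Security control above (this is example code written for this article, not code from CIS or from CyberGuard360), the following minimal static check uses Python’s standard-library `ast` module to flag database `execute()` calls whose query text is assembled at runtime, the classic SQL injection pattern that secure coding standards prohibit. The `lookup` function, the `consumers` table, and both code snippets it scans are constructed samples, shown as a vulnerable “before” and a parameterized “after”.

```python
"""Minimal static check for SQL built from strings (Application Software Security).

Added example: parses Python source with the standard-library ``ast`` module and
flags ``execute``/``executemany`` calls whose first argument is built at runtime
(f-string, ``%`` formatting, ``str.format`` or ``+`` concatenation) instead of a
constant query string with values bound as parameters.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Database cursor methods treated as SQL sinks (DB-API 2.0 names).
SINK_NAMES = {"execute", "executemany"}


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return why this expression is a dynamically built string, or None if it isn't."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used to build query"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):
            return "%-formatting used to build query"
        if isinstance(node.op, ast.Add):
            return "string concatenation used to build query"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr == "format":
            return "str.format() used to build query"
    return None


def find_dynamic_sql(source: str) -> List[Finding]:
    """Flag execute()/executemany() calls whose query argument is built at runtime."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        # Match both cursor.execute(...) and a bare execute(...) reference.
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SINK_NAMES:
            continue
        reason = _dynamic_string_reason(node.args[0])
        if reason:
            findings.append(Finding(node.lineno, reason))
    return findings


# Constructed sample: the "before". Attacker-controlled ``email`` is spliced into the query.
VULNERABLE = '''
def lookup(cursor, email):
    # three common ways of building the query text at runtime
    cursor.execute(f"SELECT * FROM consumers WHERE email = '{email}'")
    cursor.execute("SELECT * FROM consumers WHERE email = '%s'" % email)
    cursor.execute("SELECT * FROM consumers WHERE email = '" + email + "'")
'''

# Constructed sample: the "after". Query text is constant; the driver binds the value.
HARDENED = '''
def lookup(cursor, email):
    cursor.execute("SELECT * FROM consumers WHERE email = ?", (email,))
'''


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        hits = find_dynamic_sql(src)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit.line}: {hit.reason}")
```

A check like this is deliberately narrow: it catches the query-building patterns it knows about and nothing else, and it cannot see a query assembled in a variable before the `execute()` call. That is exactly why the control pairs static analysis with dynamic testing rather than relying on either alone; in practice you would run a full tool such as a linter with security rules in CI and use a small custom check like this only to enforce a house rule.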
CIS offers a free self-assessment tool that lets businesses check their current posture against the controls and get a working picture of where improvements are needed.
Beyond these baseline measures lies the particular nature of some data types and the businesses that handle them. Some data is more sensitive and requires an extra degree of awareness and protection. Working with CyberGuard360 produces a security plan tailored to what your business, not a generic one, actually needs.
Let us help you now while California makes up its mind
Our products, such as CyberGlass SIEM 2.0 and PIIGuard360, help companies build a compliant and intelligent cybersecurity ecosystem by collecting and analyzing logs in real time for swifter, surer security management decisions. Add our employee vulnerability assessment and education services, and businesses have the most powerful data defenses currently available.
At CyberGuard 360, our clients are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 844-315-9882 or reach us via our contact form.