Companies must search for PII in all corporate data silos and consider building an automated system to respond to consumer requests, experts say.
For companies preparing to comply with California's new data protection law, the first challenge is to find out how much data is regulated by law. The next is to collect all of this information in one place.
California Attorney General Xavier Becerra will begin enforcing the California Consumer Privacy Act (CCPA) on July 1. Businesses must provide the state's residents with a copy of the personal information held about them and demonstrate that they take reasonable security measures to protect that information.
Christine Lyon, a partner at Morrison & Foerster and a member of the firm's global privacy and data security group, said the CCPA establishes a right that US consumers have never had before.
She also said that the data protected by the CCPA contains much more than just an email address and name.
"This makes it difficult for companies because they have a CRM database of personal information, but may have different records about preferences or purchase history and need to get all the relevant information," she said. "It's often in different databases and nobody expected to have to make a copy when these systems were built."
Jon Mendoza, the CTO of Technologent, used the example of a salesperson's digital Rolodex as data that could be regulated by the CCPA.
"You would think that information people use to build relationships – dates of birth or spouse's name – would be harmless, but if you do not back them up and the account is compromised, the employer could be held responsible for the violation," he said.
The CCPA requires companies to acknowledge receipt of consumer requests and to respond to them, whether the request is to access data, to opt out of its sale, or even to delete it. The CCPA applies to companies with annual revenue of $25 million or more and to companies that make money by buying or selling personal information.
The law provides two penalties for mishandling consumer data. Individuals can file a class action lawsuit, or the attorney general can sue a company, with fines ranging from $2,500 to $7,500 per violation. Consumers do not have to prove actual harm to receive compensation of between $100 and $750 per violation.
To comply with the law, Mendoza said companies should identify which data is sensitive and then locate it.
"You can't secure something if you don't know where it is," he said.
According to Lyon, companies also need to figure out how to verify the identity of the person requesting the data.
"Companies may be thinking of something that only that person knows, such as the date of their last transaction, or other information that cannot be easily guessed by someone else," she said.
According to Lyon, some larger companies have built portals and other automated systems to handle consumer requests for personal information.
"Companies that expect big inquiries know that the process should be self-service," she said.
California residents are entitled to a printed or electronic copy of the data report. The electronic copy must be portable and machine-readable.
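The self-service flow described above, as an added example that is not code from the article or from any company quoted in it: a minimal Python handler that verifies the requester with a knowledge-based check (the date of their last transaction, the kind of fact Lyon suggests) and then gathers the consumer's records from separate stores into one portable, machine-readable JSON export. The two "silos", the customer identifier and all records are constructed sample data.

```python
import hmac
import json

# Constructed sample silos, standing in for the separate CRM and
# purchase-history databases the article describes.
CRM = {
    "c-1001": {"name": "Ada Example", "email": "ada@example.com", "dob": "1980-02-29"},
}
PURCHASES = {
    "c-1001": [{"date": "2020-03-14", "sku": "X-1"}, {"date": "2020-05-02", "sku": "X-2"}],
}


def last_transaction_date(cid):
    """ISO date of the consumer's most recent purchase, or None if there is none."""
    rows = PURCHASES.get(cid, [])
    return max(r["date"] for r in rows) if rows else None


def verify_requester(cid, email, claimed_last_txn):
    """Knowledge-based identity check: the requester must supply the e-mail on
    file and the date of their last transaction. Both comparisons use
    hmac.compare_digest so that response timing does not leak how close a
    guess was."""
    rec = CRM.get(cid)
    expected = last_transaction_date(cid)
    if rec is None or expected is None:
        return False
    ok_email = hmac.compare_digest(rec["email"].lower(), email.lower())
    ok_txn = hmac.compare_digest(expected, claimed_last_txn)
    return ok_email and ok_txn


def gather_records(cid):
    """Collect everything held about the consumer from every silo."""
    return {
        "consumer_id": cid,
        "sources": {"crm": CRM.get(cid, {}), "purchases": PURCHASES.get(cid, [])},
    }


def handle_access_request(cid, email, claimed_last_txn):
    """Return the portable JSON copy, or None when verification fails.
    A single failure result avoids revealing which factor was wrong."""
    if not verify_requester(cid, email, claimed_last_txn):
        return None
    return json.dumps(gather_records(cid), indent=2, sort_keys=True)
```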
Lyon also said that there are some ambiguities regarding the precise definition of doing business in California that determine whether a company is subject to the law.
"Merely selling products may not be enough to qualify. It may be more about being there or reaching customers in California," she said.
According to Lyon, complying with the CCPA will be the greatest challenge for companies in unregulated industries that have never had to think about securing consumer data and providing access to it.
"The more data you have, the more difficult it is to maintain, so there will be a lot of operational changes for companies that have never had to deal with it," she said.
How do I prepare for the CCPA?
The law does not specify what security measures companies should take to protect data. Mendoza therefore recommends that customers implement the CIS Top 20 security controls. Technologent is a reseller and value-added solution provider specializing in infrastructure, data center, cloud and cybersecurity work.
"Following the top 20 controls sounds easy, but you have to invest and set priorities," he said.
While working with companies preparing to meet the CCPA, Mendoza said he has seen three approaches to the new requirements. Some companies are getting ahead of the law because of the financial exposure of a class action lawsuit.
"When you do business online, you have to keep your customers' trust, and optics play a big part in that," he said.
Another group of companies is doing what they can without spending too much money.
"These companies have not understood the security basics and are rationalizing their sensitive data," he said.
The last group of organizations is waiting and hoping that the law will not apply to their business.
Mendoza recommends companies take these three steps to prepare for consumer data requests:
Streamline corporate data
Improve security and data management tools
Inform users of the new requirements
"Security is not necessarily tool-oriented; the tools are only as good as the people who use them," he said.
Mendoza said that companies also need to include all elements of the supply chain in this data review.
"If you have company information transmitted through partners, it can be confidential, and then it is the entire supply chain that needs to be considered," he said.
Lyon expects the data protection law and the new rights it creates to be expanded over the next few years.
"This should encourage companies to think even more carefully about data collection and how long to keep it," she said.
Privacy rights are limited in the United States
Only three states have consumer data protection laws: California, Nevada, and Maine. Fifteen states still have laws pending.
Security.org has a report on data protection rights by state and lists these 15 principles as the most common provisions on digital data protection:
Right to notice and access: Consumers should be informed of what information companies or data collectors hold about them, and should be able to access that information or the categories of information, as well as the names or categories of third parties with whom it is shared.
Right to rectification: Consumers should be able to request corrections to outdated or incorrect personal information.
Right to erasure: Under certain conditions, consumers should be able to request the deletion of personal data.
Right to restriction of processing: Consumers should be able to restrict a company's access to their personal data.
Right to data portability: Consumers should be able to request the disclosure of their information in a common file format.
Right to opt out of the sale of personal data: Consumers should be able to choose not to have their personal data sold to third parties by the collector.
Right Against Automated Decision Making: Businesses shouldn't make consumer decisions based on a fully automated process that has no human input.
Right to sue: Consumers should be able to claim civil damages from a company that violates data protection regulations.
Age-based opt-in: Companies must obtain explicit opt-in consent before selling the personal data of consumers under a certain age.
Transparency requirements: Companies must inform consumers about their data practices and data protection programs.
Data breach notification: Businesses must notify consumers or enforcement agencies of data breaches or security breaches.
Risk assessment: Organizations must conduct formal risk assessments of their established security and privacy practices.
Non-discrimination: Businesses cannot treat consumers differently if they exercise data protection rights.
Restriction of purpose and processing: Companies may only collect and process consumer data for a specific purpose.
Fiduciary duty: Companies must act in the best interest of the consumer.
The Security.org report found that as of April 2020, no state had a law on the books that covered all 15 areas. A bill pending in New York covers 12 of the 15 areas.
The CCPA covers only eight of the 15 areas and does not address the right to rectification, restriction of processing, the ban on automated decision-making, data breach notification, risk assessment, purpose and processing restrictions, or fiduciary duty.
According to Lyon, privacy advocates in California have already decided that the CCPA is insufficient and are collecting signatures for a new ballot initiative to strengthen data protection rights.