The California Consumer Privacy Act (CCPA) went into effect Jan. 1. The law gives California residents the right to know, access and delete their personal data that is stored online, as well as the right to opt out of its sale. But it also allows them to file lawsuits against companies for data breaches of personal information resulting from a failure to implement "reasonable security."
"With the CCPA, companies now face potentially staggering damages in relation to a breach," said Jaime Petenko, counsel in the Wilmington, Del., office of McDermott Will & Emery. "To defend against these consumer actions, a company must show that it has implemented and maintains reasonable security procedures and practices appropriate to the nature of the personal information it is processing."
Petenko added that the CCPA does not define "reasonable security," but California regulators have endorsed certain security measures in the past, including 20 data security controls published by the Center for Internet Security, a nonprofit cybersecurity resource group in East Greenbush, N.Y.
"Companies should consider including in their information security programs elements from industry-recognized information security frameworks, such as the National Institute of Standards and Technology cybersecurity framework and the International Organization for Standardization's 27001 series," Petenko said.
Contrary to popular belief, however, "reasonable security" procedures are not just about cybersecurity, said Ronald Sarian, senior counsel in the Los Angeles office of Constangy. "They are an all-encompassing information governance plan, and companies must be able to demonstrate that they have robust security postures in order to protect themselves," he said.
"Data privacy is a team sport," Sarian said. "It starts with designating who within your organization will be responsible for information security and analyzing and processing CCPA requests. You must create a dedicated team and system to handle these compliance issues."
A key first step is to conduct a data mapping exercise to determine data flows and the types of personal information collected and maintained, Petenko said. "Companies should also audit their current information security policies and practices to identify areas of risk, gaps in coverage and areas for improvement."
Companies should formally document their policies and procedures in a written information security program that is reviewed regularly, she said. The plan should identify data safeguards and document employee training, vendor management, risk assessments, measures to mitigate risk, an incident response plan and data retention policy.
"Companies will also want to be able to demonstrate that they have actively carried out key elements of their [program], such as conducting security risk assessments and audits on a regular basis, preferably carried out by a qualified third party," Petenko said. "Companies may consider engaging a law firm to oversee a risk assessment or audit by a third party, thereby protecting the results of any assessment or audit under attorney-client privilege."
[SHRM members-only policy: Computer Passwords Policy]
Keeping Your Data Secure
Sarian outlined the following best practice areas which should be included in an information governance program:
Encryption and redaction. "If you encrypt and redact all data containing the covered personal information, it would appear you're safe from liability under the CCPA private right of action," he said.
Network security both from a network and an end-user standpoint. "From a network standpoint this would typically include a firewall, a web application firewall, database segregation and layering, logging, white-hat hacking to plug any holes in the system, and proper on- and off-boarding of employees," Sarian said. "For end users, you would need two-factor or better authentication and a good anti-virus software." None of that will be effective, however, unless all software is routinely patched upon the release of updates, he added.
Physical document safeguards. Hard-copy documentation containing sensitive personal information must be properly secured in a locked room with limited and closely monitored access.
Document retention. Keeping data indefinitely is a common problem. "Unless you're retaining data as required by law, as part of a litigation hold, or for security reasons, it's generally not reasonable to hold onto it," Sarian said. "And the more personal data you retain, the greater your exposure."
E-mail security. A significant percentage of data breaches are initiated by malware planted in e-mail. "The moment you click that link, malware is injected into your system that may well provide a hacker with access," he said. "Phishing is another way to potentially wreak havoc and obtain the personal information, including login credentials, of the user." Train your employees on how to deal with these typical attacks.
Password management. Best practices include changing passwords frequently, requiring separate passwords for different systems, employing lockouts after several unsuccessful login attempts, and notifying users of any suspicious activity.