The first GDPR-like law passed in California, the California Consumer Privacy Act of 2018, which will undoubtedly have a huge impact on tech companies that must now adequately address our privacy concerns. Any business that transacts with people, online or offline, is now responsible for changing its relationship with customers, for the better. That act has three core pillars: people can opt out of having their data shared or sold, everyone has a fundamental right to know where their personal data is and with whom it is shared, and we all have protection from companies that inadequately protect our data.
The act is clearly aimed at businesses that gather Personally Identifiable Information (PII) (e.g., data generated while transacting or browsing on websites), giving consumers full control to opt out of a company’s data collection activities and to be fully informed of what data is gathered about them. Additionally, the loss of PII has severe consequences:
Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
- To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
So what are reasonable security procedures and practices to protect PII from being lost? Will we now see an end to the breach-a-day reporting of one or another successful cyberattack? It depends on how companies respond to the new regulations. Companies that opt out of fielding reasonable security architectures must update their cyber risk analysis to account for losses due to potential fines.
Companies that take proactive measures to limit data loss will see a clear return on investment. Given today’s security standards, fines will far exceed the cost of investing in new data loss security controls.
The language concerning “unauthorized access” is of particular importance for companies to evaluate. Most security technologies that attempt to comply with “reasonable security” rely on access controls that can be infiltrated or skirted without a lot of effort. This is a serious concern when it comes to third-party risk, but it impacts far more than one might think. A vulnerability companies often overlook as part of a data loss strategy is archive data stores, which are as much at risk of being lost as operational data. Backing up archives and securing them with access controls and data encryption alone will lull security staff into a false sense of security. Access controls are under threat from both malicious insiders and remote attackers who have stolen credentials or sessions. It is very hard to protect against insider threats; just ask Tesla.
It is a very wise and reasonable strategy to embed Allure’s Data Loss Sensors into archive folders to detect breaches as quickly as possible without impacting ongoing business processes. Sensors signal when breach activity is occurring, and alerts provide fast detection with pertinent details to thwart the attack, stop or limit data loss, identify the leaker or adversary, and inform reporting.
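To make the sensor idea concrete, here is an added illustration (not Allure's product code) of the detection logic behind decoy documents planted in archive folders: no legitimate business process touches a decoy, so any access recorded against one is an alert carrying who, what, when and from where. The decoy paths, the audit-line format and the sample audit lines are all constructed for this example.

```python
"""Decoy-file ("data loss sensor") alerting over file-server audit lines.

Assumes decoy documents planted among real archives are never opened by
normal business processes, and that the file server writes one audit line
per access in the constructed format:  <ISO timestamp> <user> <op> <path> <ip>
(paths are assumed to contain no spaces).
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical decoy documents mixed into archive folders.
DECOY_PATHS = frozenset({
    "/archive/2017/finance/Q4_payroll_FINAL.xlsx",
    "/archive/2016/hr/employee_ssn_export.csv",
})

# Constructed sample audit lines: one ordinary read, two decoy touches by a
# user, and one decoy read by the scheduled backup service.
SAMPLE_AUDIT = """\
2019-03-04T09:12:07 jsmith READ /archive/2017/finance/invoices.pdf 10.1.4.22
2019-03-04T09:13:41 jsmith READ /archive/2017/finance/Q4_payroll_FINAL.xlsx 10.1.4.22
2019-03-04T09:13:44 jsmith COPY /archive/2016/hr/employee_ssn_export.csv 10.1.4.22
2019-03-04T11:02:10 backup-svc READ /archive/2016/hr/employee_ssn_export.csv 10.1.9.5
"""


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    op: str
    path: str
    src_ip: str


def parse_line(line):
    """Split one audit line into its five fields; timestamp becomes datetime."""
    ts, user, op, path, src = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, op, path, src


def scan(audit_text, decoys=DECOY_PATHS, allow_users=frozenset()):
    """Return one Alert per access to a decoy file.

    allow_users lists identities expected to read every file (e.g. a backup
    job); their decoy reads are not breach signals. Everything else that
    touches a decoy is reported with the details needed for response and
    for breach reporting.
    """
    alerts = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        when, user, op, path, src = parse_line(line)
        if path in decoys and user not in allow_users:
            alerts.append(Alert(when, user, op, path, src))
    return alerts
```

Running `scan(SAMPLE_AUDIT, allow_users=frozenset({"backup-svc"}))` on the sample yields two alerts, both attributing the decoy access to `jsmith` from `10.1.4.22`, while the backup job's read is ignored.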
Allure Data Loss Sensors within archives are an inexpensive and very easy to deploy means to continuously test your security and to ensure the California attorney general and the EU regulators are happy that you are compliant with CCPA and GDPR. Your customers and your executive board will be, too.