Studies and surveys consistently rank cybersecurity and data protection among the top five concerns of internal auditors, who worry that their organizations lack the internal resources to deal with security risks. On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, imposing new data privacy obligations on many US organizations that do business with California residents. Yet it is estimated that fewer than 10 percent are fully prepared for CCPA compliance. In this case, ignorance is not bliss: it may result in hefty fines.
As regulators are recognizing the importance of data privacy and implementing rules to protect consumers’ data, organizations must take appropriate measures to protect their customers and stay compliant. In doing so, they can not only improve their business processes and reduce their business risks, but they can potentially achieve significant cost savings.
The initial steps toward compliance are understanding the regulation and evaluating if and how it affects your organization. CCPA applies to for-profit businesses that do business in California, collect California consumers' personal information and meet at least one of three thresholds. An organization should therefore ask: Does our annual gross revenue exceed $25 million? Do we annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices? Do we derive 50 percent or more of our annual revenue from selling consumers' personal information? If the answer to any of these questions is yes, the organization must comply with CCPA. (These are the thresholds as enacted for 2020; the California Privacy Rights Act later amended them, so verify against the current statute.)
The next step toward compliance is identifying which data, processes and assets fall under CCPA. These assets include both the stored personal information itself and the systems and processes that collect, use, share or retain it. The question is: of this data, what must be protected, and where does it actually live?
Once an organization has identified what needs to be protected, it must decide how it will protect those data assets and whether the protection measures satisfy its CCPA obligations. The objective is not simply to run through a checklist but to preserve and protect the data in scope, and to be able to act on consumers' requests to access, delete or opt out of the sale of it. In most cases, businesses will need to hire staff, invest in technology for data discovery and possibly re-architect workflows to ensure compliance. That is an added cost, but the cost of non-compliance could be much higher.
Additional technology may be required for data discovery and data mapping. Processes will need to be analyzed to ensure that access to the data is controlled, that its integrity is preserved and that it is available when needed. Organizations should consider engaging independent professional services and/or auditors to review the systems and processes and to help ensure adequate documentation. Hiring an outside service is also an added cost, but again, it is usually small compared to the potential fines for non-compliance.
Another option for greater data protection, security and compliance at a reduced cost is the cloud. The adoption of cloud services has lowered the cost of information security, business continuity and privacy protection. On-premises infrastructure is giving way as businesses realize they can delegate much of this work to cloud service providers rather than maintain their own data centers and large IT staffs. Cloud providers now offer heavily secured global data centers with real-time data replication and redundancy. Many businesses that previously could not afford cutting-edge technology can now use it because the cost is shared among many subscribers on a public cloud; those who remain unconvinced can use a private cloud at higher cost. One caveat: moving data to the cloud does not transfer accountability. Under CCPA the provider is a service provider acting under contract, and the business remains responsible for the personal information it has collected, for configuring the cloud services securely and for controlling who can access the data.
Industry associations and government agencies have provided much-needed help with CCPA compliance. For instance, the International Information System Security Certification Consortium, (ISC)², has assisted its members with GDPR in Europe and with CCPA through workshops, seminars, webinars and training, giving businesses, legal advisors and technologists opportunities to come together and tackle the problems as a group. The National Institute of Standards and Technology (NIST) publishes frameworks such as the Cybersecurity Framework and the Privacy Framework, and the Information Technology Infrastructure Library (ITIL) describes service-management practices; both help organizations build secure, stable and well-documented systems.
Finally, internal auditors working toward CCPA compliance need buy-in from their organization's CEO, CISO, senior management and board, who ultimately fund the compliance program. A holistic approach to security risk management works best. Here are some best practices to consider:
- Show how your proposed approach aligns with the overall business strategies and objectives.
- Communicate with senior management on areas that directly impact their duties and oversight responsibility.
- Focus on metrics affecting the entire organization, function, business line and geographic region. Demonstrate the long-term results expected from the compliance program.
- Support pitches for investment in new technology with evidence of changes in industry trends, business operations and customer service lines, as well as the cost-effectiveness of the investment.
- Use a SWOT (strengths, weaknesses, opportunities, threats) analysis to communicate the current state of the information security program.
Always highlight the risks versus the rewards of achieving compliance. Present a balanced message that builds credibility and trust in the boardroom. Stick to the facts, present the data and act as the messenger. While CCPA compliance may at first appear to be a big cost to swallow, in the long run a conforming program will reduce the organization's risk profile, increase its security, protect its reputation and likely save money.