How the CCPA Will Change Cybersecurity

Since the California Consumer Privacy Act (CCPA) has gone into effect, recent changes in cybersecurity practices may alter the status quo of security both inside and outside of California. What changes should IT and Cybersecurity leaders expect?

If you are still working to implement and verify your compliance, skip this article and go straight to a policy compliance advisor such as TrustArc, Diligent Compliance, or Securiti. Enforcement of CCPA began July 1st, 2020. If you have already responded to this change in law, or you want to learn more about the CCPA and cybersecurity concerns, read on.

Who must act?

Any business making an annual gross revenue of $25 million or more that collects, sells, or shares personal information from more than 50,000 people or devices in California, or that makes more than half of its revenue from selling personal data from California, is required to comply with new standards for data privacy, protection, and transparency. Businesses already regulated by existing data privacy laws, such as HIPAA and FCRA, are exempt. Californian customers of these businesses have new rights, including access to a reporting process through which Californians can claim damages against a company that breaches their private information.

What changes are required to comply with CCPA?

While the law is fairly specific about consumer privacy rights and the consequences for violations, the exact technological requirements that businesses must meet are not as clear. Businesses are expected to maintain “reasonable security.” The law does not name specific practices or technologies that must be used, but legal experts point to the California Civil Code as a model for minimum security. Regulators previously working under this code have cited the 20 security controls defined by the Center for Internet Security, which regulators characterize as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” Businesses are not required to meet these standards, but those that don’t will face penalties if parties damaged by a security breach file a claim.

Most items on the list are practices that most companies already use by necessity, for example inventory control, account privilege control, and web browser protection. Other requirements are significantly more advanced, such as continuous vulnerability management, penetration testing, and red teaming. These, and any other items not already being practiced, may cost a significant amount to implement. An assessment by Berkeley Economic Advising and Research for the California Attorney General’s Office estimated the total initial cost of reaching compliance at $55 billion.

Affected companies are also required to comply with requests from individuals to inspect the data collected about them. This necessitates authenticating the requester and securely transmitting the processed data back to the person it was collected from. Recent amendments to the law may require additional action in the future.

How is the state of business cybersecurity likely to change?

Businesses that must comply with the CCPA have to reevaluate their cybersecurity infrastructure. Every minimum security control not already in place will carry an initial deployment cost and an ongoing maintenance cost. As operational costs increase, professionals may expect to see priorities in their organization shift: more emphasis on training, monitoring, analysis, and auditing tasks, and less attention to other projects. Your team may require additional personnel or resources to keep up with the increased duties needed to maintain compliance. Leaders in organizational security may also have to help their company demonstrate compliance if plaintiffs claim damages after a security breach.

Most businesses process a mixture of Californian and non-Californian personal information. Many companies may choose to simplify their security plan by extending the same security controls to all their customers, in which case even organizations not required to comply with CCPA may still observe changes in online activity. As many large targets become harder to breach by ramping up security measures across the board, other organizations may find themselves becoming higher-priority targets for threat actors. Even if your organization is not required to make any changes to comply with CCPA, it is still in your best interest to update current practices and search for vulnerable areas to be reinforced.

Here are a few suggestions to improve your security:

  • Identify critical assets and customer data storage. Verify that data storage and processing are secure.
  • Brief your employees about the importance of maintaining good Internet hygiene, detecting and reporting threats, and complying with all company security policy.
  • Maintain compliance with the CIS 20 critical security controls, regardless of regulation. If your organization does not already meet these criteria, this would be a good place to start practicing serious organizational security.
  • As the complexity of your security increases, consider using red teaming or breach and attack simulation to verify that your security controls really work.
  • If your organization is regulated by CCPA, refactor your risk assessment model to include penalties for violating CCPA.
  • If your organization is not regulated by CCPA, refactor your risk assessment model to acknowledge the potential for an increase in cyber attacks.
  • If you are unsure if your organization needs to make changes to comply with CCPA security standards, consult a policy compliance advisor.

There are various other problems with CCPA that experts have acknowledged, including increased difficulty in accessing and transporting data within an organization, and failure to align with popular social and security principles, such as the principle of least privilege and, more generally, building consumer trust. Regardless, companies required to comply must act now to ensure their customers are protected and to avoid legal ramifications in the event of a security breach. Even if you are not required to comply, you should still take proactive measures and follow the recommended guidelines so your company does not become an easy target for cyber attacks and so your customers’ data remains secure.
