On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect. The law gives consumers new rights to know, and in some cases to control, how their personal data is used, and it imposes new obligations on businesses that collect consumers’ personal information.
What Businesses Need to Comply with CCPA?
First of all, there are thresholds that effectively shield some smaller and mid-size businesses from the Act. Who is on the hook for compliance? You have to comply if you’re a for-profit business that “does business” in California, collects consumers’ personal information, and meets one or more of the following:
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- Has gross annual revenues of more than $25 million
- Derives 50% or more of its annual revenue from selling consumers’ personal information
But even if you don’t meet any of those criteria, you still shouldn’t ignore the Act, for reasons we’ll explain. So, keep reading!
If I Don’t Have to Comply, Why Should I Worry?
Even if you don’t fall under the CCPA right now, it’s going to affect you sooner or later. It’s the most far-reaching privacy law yet passed in the United States. Other states have lined up to follow California’s lead and have either passed or are considering similar legislation. And according to many observers, the prospect of different states enacting different rules and standards could lead to a federal privacy law.
Overall, the CCPA and the prospect of similar legislation tell us that there is growing recognition that businesses are responsible for the personal consumer data they hold, that consumers have a say in how that data is used, and that businesses are also responsible for protecting that data against loss or theft.
The CCPA and “Reasonable Security”
One other element of the CCPA concerns the responsibility to protect consumers’ personal data from being breached. If nonencrypted, nonredacted personal information is breached because a business failed to implement and maintain “reasonable security,” affected consumers can sue for statutory damages of $100 to $750 per consumer per incident, or for actual damages, whichever is greater. What constitutes “reasonable security” isn’t defined in the law, but legal experts point to the California Data Breach Report published by the state’s attorney general in February 2016, which states:
The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
The CIS Controls are a set of 20 broad categories of defensive actions that, taken together, form a defense-in-depth strategy for mitigating common cyberattacks. Each of the 20 controls contains a set of sub-controls: specific tools and practices to put in place. The sub-controls are prioritized into implementation groups based on the size of your organization, your IT resources, and the sensitivity of the information you need to protect. Now that the CCPA is here, treat any personal information you hold about consumers as sensitive for the purposes of that prioritization. We recommend that any company of any size take a look at the CIS Controls. If you’re at or near one of the thresholds that make you subject to the CCPA, they are required reading.
Of course, at SOCBOX, we use the CIS Controls along with other security frameworks to implement cybersecurity best practices for our clients. If you’d like to take advantage of our services, you can start with a risk assessment. Contact us, email firstname.lastname@example.org, or call 877-284-7789.