On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect. Authored by the California state government, it has been described by some as "almost GDPR in the U.S." CCPA is the strongest consumer privacy legislation mandated at the state level, and it gives significantly more power to consumers to demand accountability and transparency for how their private data is handled. The CCPA also puts in place costly penalties against organizations that collect data and fail to protect it.
CCPA is, in effect, a national and global law. It covers any security and data problems that happen in the state of California and impact companies conducting business in California. So, for example, a German company that does business in California could find itself liable for costly fines if its website is breached and California customers are affected.
Not Understanding The CCPA Could Cost You Big
The good news? If your organization already complies with the EU’s General Data Protection Regulation, you are 95% of the way toward reaching CCPA compliance. A less-known but critically important piece of the CCPA is that liability for breaches extends to third-party services that web application publishers and operators use. This includes information security companies, payment processors, chatbot operators and any other provider of third-party services.
This is a big deal. In a survey of 230 businesses with a median employee size of roughly 1,000, 32.2% said that 50% of their site code was from third parties, and 22.8% said that 70% of their site code was from third parties. A shocking 8.3% said they had no idea how much of their site code was coming from third parties.
Unfortunately, third-party code makes it much, much harder to police and audit for CCPA vulnerabilities and risks. This is true at multiple levels, including for your third-party information security providers that may be capturing personal information or may control key parts of your site infrastructure, such as digital certificates and DNS records.
Questions to Ask Your Third-Party Service Providers
To protect yourself from liability, ask all third-party service providers for detailed answers to the following questions.
- Do you capture any of our user data?
- How, where and when? Please explain the mechanism.
- If you do capture our user data, what is your own CCPA policy and database access structure?
- Can you provide an easy mechanism for us to access any user data you collect and provide it to our end users as part of a comprehensive CCPA report?
- What are you doing to monitor data privacy laws that other states are likely to enact?
Aside from these questions, there are a number of other steps you can take. First, demand certification information and make it a condition of ongoing business. For SaaS companies, SOC 2 compliance and/or ISO 27001 is the gold standard. Next, ask them to run a simulated CCPA request process with you. This will help you assess their readiness.
Finally, make sure your security stance for all your public-facing applications is audited and up to date with proper configurations. This will mean not only internal firewalls on databases and malware protection on every user’s device, but also technology specific to guarding web applications. Web application firewalls are table stakes. Make sure they are tuned appropriately.
Most organizations also run static code analysis (SCA). This is crucial to block potential insertion points for breaches. You should also run SCA against any open-source third-party libraries you use. For your live applications, consider using newer forms of AI-based anomaly detection to spot when your site has been hijacked and is harvesting user data without your knowledge.
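A practical first step toward both points above (knowing how much of your site is third-party code, and noticing when an unexpected host starts loading on your pages) is a simple inventory of external resources against an allowlist. The following Python script is an added example written for this article, not code from the original piece or from any vendor it mentions; the HTML page, the hostnames and the allowlists are constructed placeholders. It extracts script, iframe and image sources from a page, buckets each by host into first-party, approved third-party and unapproved third-party, and reports the share of script tags served by third parties, which is the figure the survey cited earlier asks businesses to know.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): two first-party and approved resources,
# plus one host that is not on the allowlist and is loading a script and a tracking pixel.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-payments.test/checkout.js"></script>
<script src="https://static.unknown-host.test/collect.js"></script>
<script>console.log('inline');</script>
</head><body>
<iframe src="https://chat.example-chatbot.test/widget"></iframe>
<img src="https://static.unknown-host.test/pixel.gif">
</body></html>
"""

# Placeholder allowlists; a real deployment would populate these from the
# vendor answers gathered with the questionnaire above.
PAGE_HOST = "www.example-shop.test"
FIRST_PARTY_HOSTS = {"www.example-shop.test", "static.example-shop.test"}
APPROVED_THIRD_PARTY_HOSTS = {"cdn.example-payments.test", "chat.example-chatbot.test"}


class ExternalResourceParser(HTMLParser):
    """Collect (tag, url) pairs for elements that load remote code or content."""

    TAG_ATTRS = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def host_of(url, page_host):
    """Return the lowercase host a URL loads from; relative URLs belong to the page host."""
    parsed = urlparse(url)
    return (parsed.netloc or page_host).lower()


def inventory(html, page_host, first_party, approved):
    """Bucket every external resource on the page by who serves it."""
    parser = ExternalResourceParser()
    parser.feed(html)
    report = {"first_party": [], "approved_third_party": [], "unapproved_third_party": []}
    for tag, url in parser.resources:
        host = host_of(url, page_host)
        if host == page_host or host in first_party:
            report["first_party"].append((tag, host))
        elif host in approved:
            report["approved_third_party"].append((tag, host))
        else:
            report["unapproved_third_party"].append((tag, host))
    return report


def unapproved_hosts(report):
    """Distinct hosts that nobody has vouched for; each one is an open question for the audit."""
    return sorted({host for _tag, host in report["unapproved_third_party"]})


def third_party_script_share(report):
    """Fraction of script tags (with a src) that are served by any third party."""
    first = sum(1 for tag, _ in report["first_party"] if tag == "script")
    third = sum(1 for bucket in ("approved_third_party", "unapproved_third_party")
                for tag, _ in report[bucket] if tag == "script")
    total = first + third
    return third / total if total else 0.0


if __name__ == "__main__":
    result = inventory(SAMPLE_HTML, PAGE_HOST, FIRST_PARTY_HOSTS, APPROVED_THIRD_PARTY_HOSTS)
    print("third-party script share: %.0f%%" % (100 * third_party_script_share(result)))
    for host in unapproved_hosts(result):
        print("UNAPPROVED host loading resources:", host)
```

Run it against a saved copy of each public page on a schedule and diff the unapproved list between runs; a host that appears for the first time is exactly the signal the anomaly-detection advice above is after, and the per-page share gives you a defensible answer to "how much of our site code is third party" when a regulator or an end user asks.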
The good news is that CCPA preparation enforces good basic security hygiene and best practices — and that will result in better protection for your users, your infrastructure and your bottom line.