The CCPA: Security standards and measures to comply — Part 1
The California Consumer Privacy Act (CCPA) is now operative, and the Attorney General can begin enforcement actions against businesses on July 1 of this year. Individuals have been able to bring suit since January 1, 2020, and are already doing so.
This article, written for the non-security specialist, focuses on the cybersecurity standard small and medium businesses (SMBs) need to meet to satisfy the CCPA, and on the security controls that can meet that standard.
Even if you believe you are not subject to the CCPA, CrossKey recommends that SMBs still attempt to approach the standard. Why?
First, it will help you protect your data and avoid a breach. Second, the standard is essential to acquire cybersecurity insurance and to ensure a claim is paid. Third, in the event of a breach you will need to produce documentation showing you sought to reach the standard, to protect you from litigation by the government or from private class actions.
The potential damages
An estimated 500,000 businesses within and outside California are subject to the act and the majority of those are SMBs.
The potential financial damages under the new CCPA dwarf almost every previous data breach settlement in the United States.
Under the CCPA, a data breach affecting the personal information of just 1,000 California consumers may result in damages ranging from $100,000 to $750,000; and a data breach affecting the personal information of one million California consumers may result in damages ranging from $100 million to $750 million.
The first class action under the CCPA has already been filed, seeking millions of dollars in damages by certifying a class of 10,000 affected individuals (Barnes v. Hanna Andersson, LLC).
Even a breach of the data of a few hundred California consumers could destroy a small or medium business, taking into account associated costs of legal fees, costs of notifying consumers, reputational damage and the internal company bandwidth used.
The standard under the CCPA
Under the CCPA, any consumer whose personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information can sue (Sec. 1798.150(a)(1)).
(The definition of “Personal Information” under the CCPA can be found at the bottom of this article).
The challenge for SMBs is that the CCPA does not define “reasonable security practices and procedures.” While mandatory regulations for the CCPA have to be promulgated by July 1, 2020, it is not yet known whether they will detail the standard.
The definition of reasonableness in the context of cybersecurity has long been a contentious question; even the Federal Trade Commission (FTC) has not settled on a clear test.
Note that in the first class action under the CCPA, the plaintiffs reference “using reasonable and adequate security procedures that are compliant with industry-standard practices” and “applicable laws, regulations, and industry standards relating to data security.” However, the complaint does not detail what those are beyond the Payment Card Industry Data Security Standard (PCI DSS).
California regulators have, however, endorsed certain security measures as providing reasonable security, although they have not codified this to law or regulation.
In February 2016, the California Department of Justice (DOJ) released the California Data Breach Report, a comprehensive overview of data breaches affecting California residents between 2012 and 2015. The Report included the well-respected twenty critical security controls published by the Center for Internet Security (CIS).
The DOJ identified the CIS controls as the “starting point of a comprehensive program to provide reasonable security.” Elsewhere the report states that the twenty controls are the “minimum level of information security that all organizations that collect or maintain personal information should meet,” and that “the failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Although not law, regulation or legal authority per se, the CIS twenty will undoubtedly be one of the frameworks used to establish the standard of reasonableness in private litigation or state enforcement of the CCPA.
CIS is also a logical, user-friendly security framework to serve as a starting point — or refresher — for any SMB that is concerned about meeting the CCPA standard.
The CIS 20 Controls
The CIS controls are a leading cybersecurity industry framework that attempts to provide a comprehensive, usable set of controls, including the policies, procedures, software, hardware and training that can be put in place.
A useful starting point is that CIS has traditionally grouped its controls into three categories:
- Basic CIS controls: inventory and control of hardware assets; inventory and control of software assets; continuous vulnerability management; controlled use of administrative privileges; and maintenance, monitoring and analysis of audit logs. Note that CIS calls these six together the “Cyber Hygiene” controls;
- Foundational CIS controls: email and web browser protections; malware defenses; data recovery capabilities; controlled access based on the need to know/least privilege; account monitoring and control;
- Organizational CIS controls: incident response and management, penetration tests and “red team” exercises (using a variety of means beyond penetration tests to breach your security).
This structure runs broadly from simpler to more complex controls. For the items in each category, CIS details a series of sub-controls which represent the more detailed policies, procedures, software or other tools needed to implement the control. There are eighty of these more detailed sub-controls in all.
To comply with the CCPA, however, an SMB should also look at the more recent CIS categorization of controls under three “Implementation Groups” (IGs).
These implementation groups correspond broadly to the size, complexity and scale of the cybersecurity assets available to your business — the above three groupings do not. So if you judge yourself to be an IG1 company, you will find selected sub-controls applying to you in 18 of the 20 controls.
Be careful though about which IG category to pick, as CIS states that if you are a company protecting sensitive data you may fall into a higher standard implementation group.
Note that the California DOJ refers to all the controls and does not distinguish between the three Implementation Groups, because CIS introduced the IG structure after the DOJ report was published. Even then, the DOJ stated that implementing all the CIS Controls provides only the “minimum” level of information security.
Consequently, if you are an SMB of any size that fears it may be out of compliance, at minimum use the longer and more complex list of controls in “Implementation Group 2 (IG2),” with the longer-term goal of implementing all twenty controls, which apply to IG3 businesses.
Finally there are also the associated CIS Benchmarks: specific configuration recommendations to help secure over 100 technical platforms – including operating systems, mail servers, and mobile devices. This is where the real work is done in implementation with your IT team or security consultants.
Other security frameworks to consider
Companies should also consider other leading industry security frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. While the specific security measures in CIS and NIST overlap, they do not do so completely and both should be read together.
For example, one major risk category arguably not comprehensively addressed by the CIS controls is vendor or third-party security, for which there are few specific sub-controls. The security of the third-party e-commerce platform run by Salesforce is central to the first action filed under the CCPA (see above).
These two frameworks are a sound starting point to ensure you are in compliance with the CCPA. Ultimately you also need to look beyond California to other state statutes which may apply to you and which have different, if often overlapping, standards and controls.
The interrelationship and relative coverage between security frameworks designed for different industries or legislated by different states can be challenging to determine even for seasoned security and compliance professionals.
If you are not sure, get help.
Part 2 will explore the specific CIS twenty controls in more detail.
(The text of the CCPA can be found here: Title 1.81.5. California Consumer Privacy Act of 2018, Section 1798.100, et seq.).
Definition of Personal Information under the CCPA
(o) (1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.