As California’s privacy legislation goes into effect, it’s time to take stock of your security strategies around data and think about the future. The trend towards greater privacy is set to continue.
The big data grab drove companies to stockpile data, with little thought of how to use it, and even less thought about how to properly secure it. People everywhere are growing more conscious of the data they share, who collects it, and how it is handled. This rising awareness has sparked legislation designed to safeguard sensitive data, but these new laws aren’t just boxes to tick off, they represent an important trend that businesses need to get on board with.
Like the EU’s General Data Protection Legislation (GDPR), the California Consumer Privacy Act (CCPA) is a far-reaching attempt to enshrine new rights for people around their data. Everyone should be able to see what data is being collected, for what purpose, and to decide that they don’t want to share data without penalty.
You could study what the CCPA means for your business and work out how to comply in fire-fighting mode, then wait for the next piece of data legislation. But that’s short-term thinking, and it will cost you more in the long run. The smarter move is to use the CCPA as a springboard to re-examine your data security efforts, fundamentally change the way you collect and use sensitive data and get your house in order.
There are three key areas to consider: how you collect data, how you store data, and how you distribute data.
The tide has changed on sensitive data, and the GDPR and CCPA are just the first couple of waves. It would be safe to assume that regulations will continue to tighten, and more laws will follow. By re-examining the data your business collects and thinking critically about the value it represents, you can decide how much of it is necessary. You may find it is better to stop collecting some kinds of data.
Talk to all key stakeholders about the data your business is collecting. Identify the critical data for your business processes and cross-reference that with all the personal data you collect on people that falls under the CCPA. Consider that any personal data you collect about people and their habits, from email addresses to browsing history to specific preferences, is data that you’re going to have to make accessible on request.
Once you have a map of the data that’s essential to your business, you can start thinking about how to classify, store, move, and protect it.
The potential cost of a data breach is enormous and that’s why companies already have all kinds of security measures in place to protect most of the sensitive data they hold, such as credit card numbers, birth dates, and addresses. Despite this, there are still some kinds of data that may not be as protected as they should be, and there are also times when data is not transferred securely, or when data is used in other environments insecurely.
It’s alarmingly common for data to be unsecured in non-production environments that developers may be working on and testing. There’s an assumption that because these environments are internal they don’t need the same stringent protections as live business environments, but this is a misconception.
All the personal data a company holds must be protected with reasonable security measures. It doesn’t matter if the data is exfiltrated because a contractor is careless, a third-party is compromised, or because your system is hacked from the outside, your business will come under the same scrutiny and is subject to the same penalties.
It’s vital to take measures to secure the data you hold, at rest and in transit, wherever it may be and whatever it is being used for. Assessing the best way to do this is a crucial step. For test environments, for example, it may make more sense to develop a way to generate false data that’s representative of real data and use that instead of real customer data.
Do you know where all of your data is? It’s common to store data in many different warehouses, often spread across countries and different cloud services. It’s also common to share data with third-party vendors and partners. There are solid business reasons for this, but you must be sure to factor in the potential cost of poor security that leads to a data breach.
While the CCPA doesn’t have the same restrictions as GDPR on the flow of data across borders, it’s still prudent to understand where your data resides. It’s also absolutely vital that you ensure your partners share your security standards. This is not something you can afford to take on trust, so do your due diligence. Limit the flow of data where it appears unnecessary and make sure you have a clear picture of where all your data is collected, stored, and moved to for any purpose.
There’s a lot of advice out there that can help you plot your course to a better data security strategy, starting with things like the NIST Cybersecurity Framework or the ISO 27001/2. While it may prove impossible to prevent a data breach, you must be able to show that you have taken reasonable measures to try and protect the data with which you’ve been entrusted. The CCPA could be exactly the motivation you need to improve your data security standards because you will be held accountable.